chore: add remote branch check to workflows (#33525)

gracelu0 · web-flow · commit 241bda3c28d0 · 2025-02-20T19:30:12.000Z
### Issue # (if applicable) n/a ### Reason for this change Adhere to best security practices. ### Description of changes Fetch remote branch to check for any unapproved commits to the remote branch and only commit/push if there are not. ### Describe any new or updated permissions being added n/a ### Description of how you validated changes Tested the commands locally ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/.github/workflows/analytics-metadata-updater.yml b/.github/workflows/analytics-metadata-updater.yml
@@ -47,7 +47,14 @@ jobs:
         run: |
           git config --global user.name 'aws-cdk-automation'
           git config --global user.email 'aws-cdk-automation@users.noreply.github.com'
-          git checkout -B ${{ github.event.pull_request.head.ref }}
+
+          git fetch origin ${{ github.event.pull_request.head.ref }}
+
+          if [ "$(git rev-parse HEAD)" != "$(git rev-parse origin/${{ github.event.pull_request.head.ref }})" ]; then
+            echo "Remote branch updated since approved commit; aborting."
+            exit 1
+          fi
+
           git add .
           git commit -m "chore: update analytics metadata blueprints"
           git push origin ${{ github.event.pull_request.head.ref }}
diff --git a/.github/workflows/lambda-runtime-tests.yml b/.github/workflows/lambda-runtime-tests.yml
@@ -44,7 +44,14 @@ jobs:
         run: |
           git config --global user.name 'aws-cdk-automation'
           git config --global user.email 'aws-cdk-automation@users.noreply.github.com'
-          git checkout -B ${{ github.event.pull_request.head.ref }}
+
+          git fetch origin ${{ github.event.pull_request.head.ref }}
+
+          if [ "$(git rev-parse HEAD)" != "$(git rev-parse origin/${{ github.event.pull_request.head.ref }})" ]; then
+            echo "Remote branch updated since approved commit; aborting."
+            exit 1
+          fi
+
           git add .
           git commit -m "chore: update lambda runtime integration tests"
           git push origin ${{ github.event.pull_request.head.ref }}
