From 94a22912d74a9872a36b6bd40ebcac2d23cae5ac Mon Sep 17 00:00:00 2001
From: Harshita Gupta
Date: Tue, 21 Apr 2026 16:20:41 -0700
Subject: [PATCH] workflows: check out v22.21.1 so Dockerfile.Packages is present
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When dispatched from main, `actions/checkout@v3` pulls main (the workflow's trigger ref) — but Dockerfile.Packages only lives on the v22.21.1 branch, so the Docker build step fails with "open Dockerfile.Packages: no such file or directory". Pinning `ref: ${{ env.NODE_VERSION }}` on the checkout keeps workflow_ref (OIDC subject claim) on main while giving the build access to the v22.21.1 tree. Does not expand the attack surface: the Node source already lives on the unprotected v22.21.1 branch, so any collaborator capable of modifying Dockerfile.Packages could already modify the binaries we ship. A follow-up PR will propose a structural fix.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/build-node-packages.yml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/.github/workflows/build-node-packages.yml b/.github/workflows/build-node-packages.yml
index 1b01f2147b81e9..7e74f98ade567f 100644
--- a/.github/workflows/build-node-packages.yml
+++ b/.github/workflows/build-node-packages.yml
@@ -36,8 +36,24 @@ jobs:
 REPO: ${{ github.repository }}
 steps:
+ # Check out the v22.21.1 branch (not the workflow's default branch) so that
+ # Dockerfile.Packages and the Node source tree are present. The workflow YAML
+ # itself runs from whichever ref triggered it (main for workflow_dispatch, or
+ # v22.21.1 for workflow_run) — that's what the OIDC subject claim binds to,
+ # and it's how the IAM role's ref_patterns gate works. `ref:` here only
+ # controls which tree gets checked out into $GITHUB_WORKSPACE.
+ #
+ # Security note: v22.21.1 is not a protected branch, so in principle any of
+ # the repo's ~530 collaborators could push a malicious Dockerfile.Packages
+ # and have this workflow build+upload the resulting image. That same risk
+ # already existed for the Node source itself (which also lives on this
+ # branch), so this change does not expand the attack surface. A follow-up
+ # PR will propose a structural fix (branch protection, patch series, or
+ # submodule model) — tracked in our internal project notes.
 - name: Checkout repository
 uses: actions/checkout@v3
+ with:
+ ref: ${{ env.NODE_VERSION }}
 - name: Debug Matrix Values
 run: |