From 241bda3c28d0d140ce4097c862ff5aa407a53b2f Mon Sep 17 00:00:00 2001
From: Grace Luo <54298030+gracelu0@users.noreply.github.com>
Date: Thu, 20 Feb 2025 11:30:12 -0800
Subject: [PATCH] chore: add remote branch check to workflows (#33525)

### Issue # (if applicable)
n/a
### Reason for this change
Adhere to best security practices.
### Description of changes
Fetch remote branch to check for any unapproved commits to the remote branch and only commit/push if there are not.
### Describe any new or updated permissions being added
n/a
### Description of how you validated changes
Tested the commands locally
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
---
 .github/workflows/analytics-metadata-updater.yml | 9 ++++++++-
 .github/workflows/lambda-runtime-tests.yml | 9 ++++++++-
 2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/analytics-metadata-updater.yml b/.github/workflows/analytics-metadata-updater.yml
index 65afc31b2dd54..71d2fe47c2e1a 100644
--- a/.github/workflows/analytics-metadata-updater.yml
+++ b/.github/workflows/analytics-metadata-updater.yml
@@ -47,7 +47,14 @@ jobs:
 run: |
 git config --global user.name 'aws-cdk-automation'
 git config --global user.email 'aws-cdk-automation@users.noreply.github.com'
- git checkout -B ${{ github.event.pull_request.head.ref }}
+
+ git fetch origin ${{ github.event.pull_request.head.ref }}
+
+ if [ "$(git rev-parse HEAD)" != "$(git rev-parse origin/${{ github.event.pull_request.head.ref }})" ]; then
+ echo "Remote branch updated since approved commit; aborting."
+ exit 1
+ fi
+
 git add .
 git commit -m "chore: update analytics metadata blueprints"
 git push origin ${{ github.event.pull_request.head.ref }}
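Review bot: The new `git fetch` and `git rev-parse` lines interpolate `${{ github.event.pull_request.head.ref }}` straight into the shell script, which is a script-injection sink whenever this job runs on a trigger where the PR head branch name is controlled by the PR author (for example `pull_request_target`); the workflow's `on:` block is outside the hunk so I cannot confirm the trigger, but the pre-existing `git push` line already had this shape and the change adds two more occurrences. The standard mitigation is to bind the value through `env:` on the step and reference it quoted in the script, as in the excerpt below. Separately, with `git checkout -B` removed, both the comparison and the later `git push origin <ref>` depend on the earlier checkout step having left HEAD on a local branch named after `head.ref` (e.g. `actions/checkout` with `ref: ${{ github.event.pull_request.head.ref }}`); if that step uses the default merge ref for a `pull_request` event, `HEAD` is the synthetic merge commit and the check will always abort. Both points apply equally to the identical hunk in `.github/workflows/lambda-runtime-tests.yml`.
```yaml
        env:
          HEAD_REF: ${{ github.event.pull_request.head.ref }}
        run: |
          # … unchanged: git config lines …
          git fetch origin "$HEAD_REF"

          if [ "$(git rev-parse HEAD)" != "$(git rev-parse "origin/$HEAD_REF")" ]; then
            # … unchanged: echo / exit 1 …
          fi
          # … unchanged: git add / git commit …
          git push origin "$HEAD_REF"
```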
diff --git a/.github/workflows/lambda-runtime-tests.yml b/.github/workflows/lambda-runtime-tests.yml
index 0b4c4340a764c..39a0b434159a1 100644
--- a/.github/workflows/lambda-runtime-tests.yml
+++ b/.github/workflows/lambda-runtime-tests.yml
@@ -44,7 +44,14 @@ jobs:
 run: |
 git config --global user.name 'aws-cdk-automation'
 git config --global user.email 'aws-cdk-automation@users.noreply.github.com'
- git checkout -B ${{ github.event.pull_request.head.ref }}
+
+ git fetch origin ${{ github.event.pull_request.head.ref }}
+
+ if [ "$(git rev-parse HEAD)" != "$(git rev-parse origin/${{ github.event.pull_request.head.ref }})" ]; then
+ echo "Remote branch updated since approved commit; aborting."
+ exit 1
+ fi
+
 git add .
 git commit -m "chore: update lambda runtime integration tests"
 git push origin ${{ github.event.pull_request.head.ref }}