From f3fc8804684a81b10d48da4a4f01dac6f5838c85 Mon Sep 17 00:00:00 2001
From: Lawrence Chen <54008264+lawrencecchen@users.noreply.github.com>
Date: Mon, 23 Feb 2026 14:58:17 -0800
Subject: [PATCH] Guard self-hosted CI from fork pull requests

---
 .github/workflows/ci.yml | 11 +++++++++++
 tests/test_ci_self_hosted_guard.sh | 29 +++++++++++++++++++++++++++++
 2 files changed, 40 insertions(+)
 create mode 100755 tests/test_ci_self_hosted_guard.sh

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 9e7bb8bc..cd3dc3a5 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -7,6 +7,15 @@ on:
 pull_request:
 jobs:
+ workflow-guard-tests:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Validate self-hosted runner guards
+ run: ./tests/test_ci_self_hosted_guard.sh
+
 web-typecheck:
 runs-on: ubuntu-latest
 defaults:
@@ -26,6 +35,8 @@ jobs:
 run: bun tsc --noEmit
 ui-tests:
+ # Never run self-hosted jobs for fork pull requests.
+ if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
 runs-on: self-hosted
 concurrency:
 group: self-hosted-build
diff --git a/tests/test_ci_self_hosted_guard.sh b/tests/test_ci_self_hosted_guard.sh
new file mode 100755
index 00000000..f046141c
--- /dev/null
+++ b/tests/test_ci_self_hosted_guard.sh
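Review bot: The new workflow-guard-tests job declares no `permissions:`, so it inherits the repository's default GITHUB_TOKEN scope, which on older repositories is still read/write; the job only needs to check out the tree, so add `permissions:` with `contents: read` under the job (unless a workflow-level `permissions:` block exists above line 7, which is outside this hunk). `actions/checkout@v4` is a mutable tag; pinning to a full commit SHA with the tag in a trailing comment is the usual supply-chain hardening for a job that, by design, runs on every fork pull request. Running this check on a GitHub-hosted runner without the fork guard is the right choice, since it must also see fork PRs that touch ci.yml.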
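Review bot: The `if:` guard on ui-tests is evaluated from the ci.yml in the pull request's merge ref, so a fork PR can edit this same file to delete the condition before it is ever checked; it is defense-in-depth, not an enforceable control. The enforceable controls for a self-hosted runner on a public repository live outside the workflow: requiring approval for fork pull request workflow runs, keeping the runner group from serving public repositories, and using ephemeral runners so a bypass does not persist across jobs. The condition also only recognizes `pull_request`; if `pull_request_target` is ever added to the triggers (the `on:` block is only partly visible in this hunk) the guard would silently not apply, so I would write `if: (github.event_name != 'pull_request' && github.event_name != 'pull_request_target') || github.event.pull_request.head.repo.full_name == github.repository`. Fail-closed behaviour when `head.repo` is null (deleted fork) is fine as written. The comment should say what this line can and cannot do: `# Defense-in-depth only: a PR can edit this file, so fork-run approval and runner-group settings are the real gate.`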
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+# Regression test for https://github.com/manaflow-ai/cmux/issues/385.
+# Ensures self-hosted UI tests are never run for fork pull requests.
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "$0")/.." && pwd)"
+WORKFLOW_FILE="$ROOT_DIR/.github/workflows/ci.yml"
+
+EXPECTED_IF="if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository"
+
+if ! grep -Fq "$EXPECTED_IF" "$WORKFLOW_FILE"; then
+ echo "FAIL: Missing fork pull_request guard for ui-tests in $WORKFLOW_FILE"
+ echo "Expected line:"
+ echo " $EXPECTED_IF"
+ exit 1
+fi
+
+if ! awk '
+ /^ ui-tests:/ { in_ui_tests=1; next }
+ in_ui_tests && /^ [^[:space:]]/ { in_ui_tests=0 }
+ in_ui_tests && /runs-on: self-hosted/ { saw_self_hosted=1 }
+ in_ui_tests && /github.event.pull_request.head.repo.full_name == github.repository/ { saw_guard=1 }
+ END { exit !(saw_self_hosted && saw_guard) }
+' "$WORKFLOW_FILE"; then
+ echo "FAIL: ui-tests block must keep both self-hosted and fork guard"
+ exit 1
+fi
+
+echo "PASS: ui-tests self-hosted fork guard is present"
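Review bot: Both checks in test_ci_self_hosted_guard.sh match substrings anywhere on a line, so a commented-out guard (`# if: github.event_name …`) still satisfies `grep -Fq` and the awk `saw_guard` rule, and the script prints PASS while ui-tests runs on the self-hosted runner unguarded. Anchor the awk rules to the start of the YAML key so a comment cannot satisfy them: `in_ui_tests && /^[[:space:]]*runs-on:[[:space:]]*self-hosted/ { saw_self_hosted=1 }` and `in_ui_tests && /^[[:space:]]*if:.*github\.event\.pull_request\.head\.repo\.full_name == github\.repository/ { saw_guard=1 }`; the earlier `grep -Fq` check has the same weakness and becomes redundant once awk is anchored. The unescaped dots in the guard pattern are regex metacharacters, which the anchored version also fixes. A more durable test would track `runs-on:` and `if:` for every job rather than only the `ui-tests:` block, so a new self-hosted job added without the guard also fails; the indent the block-boundary regex `/^ [^[:space:]]/` relies on cannot be confirmed from this rendering, so check it against the real file.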