From 49a9af3d62fda735c7eee1edc9a3fa878280f580 Mon Sep 17 00:00:00 2001 From: Gerry Campion Date: Mon, 20 Apr 2026 16:35:52 -0400 Subject: [PATCH 1/2] make test suite more secure --- .github/workflows/test-suite.yml | 22 +++++++++++++++++++--- .github/workflows/upload-pr-artifact.yml | 19 +++++++++++++++++++ 2 files changed, 38 insertions(+), 3 deletions(-) create mode 100644 .github/workflows/upload-pr-artifact.yml diff --git a/.github/workflows/test-suite.yml b/.github/workflows/test-suite.yml index 6c5e2c083..46c8e050e 100644 --- a/.github/workflows/test-suite.yml +++ b/.github/workflows/test-suite.yml @@ -1,26 +1,42 @@ name: CORE Test Suite Validation on: + workflow_run: + workflows: ["Upload PR Artifact"] + types: [completed] workflow_dispatch: inputs: pr_number: description: "PR number to test (for forked repositories) (leave empty for current branch)" required: false type: string - pull_request_target: push: branches: - main env: DATASET_SIZE_THRESHOLD: 1000000000 + jobs: validate: runs-on: ubuntu-latest + # Only run if the workflow_run was successful or if manually triggered/pushed + if: | + github.event_name == 'push' || + github.event_name == 'workflow_dispatch' || + github.event.workflow_run.conclusion == 'success' steps: - - name: Get Engine Changes + - name: Download PR engine artifact + if: github.event_name == 'workflow_run' + uses: actions/download-artifact@v8 + with: + name: pr-engine-${{ github.event.workflow_run.pull_requests[0].number }} + + - name: Checkout current branch (for push/manual) + if: github.event_name != 'workflow_run' uses: actions/checkout@v6 with: - ref: ${{ (inputs.pr_number && format('refs/pull/{0}/head', inputs.pr_number)) || github.event.pull_request.head.sha || github.ref }} + ref: ${{ (inputs.pr_number && format('refs/pull/{0}/head', inputs.pr_number)) || github.ref }} + - name: Get Test Suite Repository uses: actions/checkout@v6 with: 
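Review bot: The new `Download PR engine artifact` step will not find the artifact: `actions/download-artifact` only sees artifacts of the current run unless `run-id` and `github-token` are supplied (documented behaviour since v4; I am assuming v8 keeps it), and `github.event.workflow_run.pull_requests` is empty when the PR comes from a fork, so the name expands to `pr-engine-` for exactly the PRs this trigger was added for. Scope the download to the triggering run and select by pattern instead of by PR number, as below. Bear in mind that the artifact is fork-controlled while `workflow_run` executes on the default branch with the base repository's token and secrets, so any later step that runs the engine out of that directory (the `validate` job continues outside the hunk) executes untrusted code in a privileged context — the same exposure `pull_request_target` had, moved one workflow over. At minimum pin the job's `permissions` to read-only and keep secrets out of every step that consumes the artifact.
```yaml
jobs:
  validate:
    runs-on: ubuntu-latest
    # workflow_run executes with the base repository's token: keep it read-only.
    # actions: read is what download-artifact needs to fetch another run's artifact.
    permissions:
      contents: read
      actions: read
    # … unchanged: if: condition …
    steps:
      - name: Download PR engine artifact
        if: github.event_name == 'workflow_run'
        uses: actions/download-artifact@v8
        with:
          # The artifact lives in the triggering run, not this one, and
          # workflow_run.pull_requests is empty for fork PRs, so select by
          # pattern within that run rather than by PR number.
          pattern: pr-engine-*
          merge-multiple: true
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      # … unchanged: checkout steps for push / workflow_dispatch …
```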
diff --git a/.github/workflows/upload-pr-artifact.yml b/.github/workflows/upload-pr-artifact.yml new file mode 100644 index 000000000..75ba7d389 --- /dev/null +++ b/.github/workflows/upload-pr-artifact.yml @@ -0,0 +1,19 @@ +name: Upload PR Artifact +on: + pull_request: + branches: + - main + +jobs: + build-engine: + runs-on: ubuntu-latest + steps: + - name: Checkout PR code + uses: actions/checkout@v6 + + - name: Upload engine artifact + uses: actions/upload-artifact@v7 + with: + name: pr-engine-${{ github.event.pull_request.number }} + path: . + retention-days: 1 From c290c0787a7e945a55d8f54ca9f43a0a83a8dcd7 Mon Sep 17 00:00:00 2001 From: Gerry Campion Date: Mon, 20 Apr 2026 21:38:52 -0400 Subject: [PATCH 2/2] read permissions --- .github/workflows/upload-pr-artifact.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/upload-pr-artifact.yml b/.github/workflows/upload-pr-artifact.yml index 75ba7d389..69ea21610 100644 --- a/.github/workflows/upload-pr-artifact.yml +++ b/.github/workflows/upload-pr-artifact.yml @@ -4,6 +4,9 @@ on: branches: - main +permissions: + contents: read + jobs: build-engine: runs-on: ubuntu-latest
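Review bot: Nothing in the uploaded artifact records which PR or commit it was built from, so a consuming `workflow_run` workflow is pushed onto `github.event.workflow_run.pull_requests`, which GitHub leaves empty for pull requests from forks — the case this split exists for. Write the PR number and head SHA into files before the upload step (below) so the consumer can read them from the artifact; the consumer must still treat those values, like the rest of the artifact, as attacker-supplied — validate them as digits / 40-hex and never interpolate them into a shell line or use them to decide privileges. Also, `path: .` with upload-artifact v4.4+ skips hidden files by default (`include-hidden-files: false`), so `.git` and any dotfiles are not uploaded — confirm the engine's test run does not depend on them, and narrow `path` to the engine directory if it lives in a subdirectory rather than shipping the whole checkout.
```yaml
      - name: Checkout PR code
        uses: actions/checkout@v6

      # The consumer cannot rely on workflow_run.pull_requests (empty for fork PRs);
      # ship the PR identity inside the artifact. Treat as untrusted on the other side.
      - name: Record PR number and head SHA
        env:
          PR_NUMBER: ${{ github.event.pull_request.number }}
          PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          printf '%s\n' "$PR_NUMBER" > pr_number.txt
          printf '%s\n' "$PR_HEAD_SHA" > pr_head_sha.txt
      # … unchanged: Upload engine artifact step …
```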
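Review bot: This `permissions: contents: read` lands on the side that is already unprivileged for the threat being addressed — a `pull_request` run from a fork gets a read-only `GITHUB_TOKEN` and no repository secrets regardless — so it is defence in depth rather than the fix. The workflow that now handles fork-built artifacts under a privileged token is `test-suite.yml` (`workflow_run` executes on the default branch with the base repository's token and secrets), and this series leaves its permissions at the repository default; add a `permissions:` block there as well, `contents: read` plus `actions: read` if the download step is scoped to the triggering run with a token. Keeping this block here is still right, since same-repository branch PRs do receive the repository's default token permissions.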