From 066e75ae532a7d44fbebfe16a2b8b56dfedaac66 Mon Sep 17 00:00:00 2001
From: seongmo <48545752+s2ongmo@users.noreply.github.com>
Date: Tue, 28 Apr 2026 09:32:29 +0900
Subject: [PATCH] ci: gate call-check-tflite-files behind approval-gate

The Feb 10 hardening (PRs #3425/#3426/#3432) added the gatekeeper +
approval-gate dependency to the six call-* test jobs. The
call-check-tflite-files job follows the same pull_request_target +
checkout(head.sha) + script-execution pattern but was not gated in
that change. Adding the same dependency keeps the seven jobs
consistent.
---
 .github/workflows/pr_test.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/pr_test.yml b/.github/workflows/pr_test.yml
index 48a2d91a83b..2140cef71aa 100644
--- a/.github/workflows/pr_test.yml
+++ b/.github/workflows/pr_test.yml
@@ -64,6 +64,8 @@ jobs:
         run: echo "CI Authorized."
 
   call-check-tflite-files:
+    needs: [gatekeeper, approval-gate]
+    if: needs.gatekeeper.outputs.scope != 'none'
     uses: ./.github/workflows/check_tflite_files.yml
     with:
       trigger-sha: ${{ github.event.pull_request.head.sha }}