From 0bc076279d9764f571229d860c5b6ac68b241066 Mon Sep 17 00:00:00 2001
From: Cristian Magherusan-Stanciu
Date: Wed, 20 May 2026 18:30:13 +0200
Subject: [PATCH] sec(iac/aws): drop hardcoded branch ref from cleanup-staging.yml (closes #386)
Remove the `ref: feat/multicloud-web-frontend` override from all four actions/checkout steps in cleanup-staging.yml. Without the override, each checkout uses the ref selected at workflow_dispatch time (the branch or tag the operator chooses when triggering the workflow), which is the correct behaviour for a destroy workflow: it runs against whatever ref the operator has chosen and approved, not a hard-wired development branch that may not exist after the feature branch is merged. This closes the supply-chain risk where any commit pushed to the feature branch would automatically become the Terraform configuration used by the destroy workflow.
---
.github/workflows/cleanup-staging.yml | 8 --------
1 file changed, 8 deletions(-)
diff --git a/.github/workflows/cleanup-staging.yml b/.github/workflows/cleanup-staging.yml
index 1cfb8eea..52f4e641 100644
--- a/.github/workflows/cleanup-staging.yml
+++ b/.github/workflows/cleanup-staging.yml
@@ -54,8 +54,6 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
- with:
- ref: feat/multicloud-web-frontend
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@d979d5b3a71173a29b74b5b88418bfda9437d885 # v6.1.1
@@ -116,8 +114,6 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
- with:
- ref: feat/multicloud-web-frontend
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@d979d5b3a71173a29b74b5b88418bfda9437d885 # v6.1.1
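Review bot: The Checkout step in each of the four hunks (@@ -54, -116, -181 and -245) now carries no `with:` block, but nothing in the file records that the absent `ref:` is deliberate, so a later edit that re-pins a branch would read as a harmless convenience change rather than a regression of #386. A one-line comment above each `uses: actions/checkout@…` line, `# No ref: on purpose — checkout must follow the ref chosen at workflow_dispatch (#386)`, keeps the intent visible after the feature branch is merged. The `on:` trigger block and the job headers (`environment:`, any `if:` guard) lie outside every hunk, so it cannot be seen here whether dispatch is limited to protected branches; if it is not, an environment protection rule or a job-level ref check is what bounds which branch's Terraform configuration the destroy can run, since the checkout default only follows whatever ref was dispatched. Each `steps:` list continues past its hunk, so this note covers only the Checkout step shown.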
@@ -181,8 +177,6 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
- with:
- ref: feat/multicloud-web-frontend
- name: Azure Login
uses: azure/login@532459ea530d8321f2fb9bb10d1e0bcf23869a43 # v3.0.0
@@ -245,8 +239,6 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
- with:
- ref: feat/multicloud-web-frontend
- name: Authenticate to GCP
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0