Merge origin/main: sync sandbox policy and workflow guards

Author: zemaj

.github/workflows/preview-build.yml

@@ -189,7 +189,13 @@ jobs:
   release:
     name: Publish prerelease (all targets)
     needs: [build]
-    if: github.event_name == 'pull_request' && github.event.pull_request.head.ref != 'upstream-merge'
+    # Only publish for PRs from the main repo (not forks) to avoid permission failures.
+    # Fixes: https://github.com/just-every/code/issues/355
+    # Fixes: https://github.com/just-every/code/issues/356
+    if: >-
+      github.event_name == 'pull_request' &&
+      github.event.pull_request.head.ref != 'upstream-merge' &&
+      github.event.pull_request.head.repo.full_name == github.repository
     runs-on: ubuntu-latest
     steps:
       - name: Resolve slug and next tag
@@ -327,6 +333,11 @@ jobs:
   comment:
     name: Post Artifact Links
     needs: [build, release]
+    # Only run if release job ran (which is conditional on non-fork PRs)
+    if: >-
+      github.event_name == 'pull_request' &&
+      github.event.pull_request.head.ref != 'upstream-merge' &&
+      github.event.pull_request.head.repo.full_name == github.repository
     runs-on: ubuntu-latest
     steps:
       - name: Resolve slug and latest tag

code-rs/core/src/codex.rs

@@ -167,12 +167,13 @@ fn to_proto_sandbox_policy(policy: SandboxPolicy) -> ProtoSandboxPolicy {
             network_access,
             exclude_tmpdir_env_var,
             exclude_slash_tmp,
-            allow_git_writes: _,
+            allow_git_writes,
         } => ProtoSandboxPolicy::WorkspaceWrite {
             writable_roots,
             network_access,
             exclude_tmpdir_env_var,
             exclude_slash_tmp,
+            allow_git_writes,
         },
     }
 }

code-rs/protocol/src/protocol.rs

@@ -271,9 +271,16 @@ pub enum SandboxPolicy {
         /// writable roots on UNIX. Defaults to `false`.
         #[serde(default)]
         exclude_slash_tmp: bool,
+
+        /// When true, do not protect the top-level `.git` folder under a writable root.
+        /// Defaults to true to match historical behavior that permits Git writes.
+        #[serde(default = "default_true_bool")]
+        allow_git_writes: bool,
     },
 }
 
+const fn default_true_bool() -> bool { true }
+
 /// A writable root path accompanied by a list of subpaths that should remain
 /// read‑only even when the root is writable. This is primarily used to ensure
 /// top‑level VCS metadata directories (e.g. `.git`) under a writable root are
@@ -328,6 +335,7 @@ impl SandboxPolicy {
             network_access: false,
             exclude_tmpdir_env_var: false,
             exclude_slash_tmp: false,
+            allow_git_writes: true,
         }
     }
 
@@ -363,6 +371,7 @@ impl SandboxPolicy {
                 writable_roots,
                 exclude_tmpdir_env_var,
                 exclude_slash_tmp,
+                allow_git_writes,
                 network_access: _,
             } => {
                 // Start from explicitly configured writable roots.
@@ -400,9 +409,11 @@ impl SandboxPolicy {
                     .into_iter()
                     .map(|writable_root| {
                         let mut subpaths = Vec::new();
-                        let top_level_git = writable_root.join(".git");
-                        if top_level_git.is_dir() {
-                            subpaths.push(top_level_git);
+                        if !allow_git_writes {
+                            let top_level_git = writable_root.join(".git");
+                            if top_level_git.is_dir() {
+                                subpaths.push(top_level_git);
+                            }
                         }
                         WritableRoot {
                             root: writable_root,

code-rs/tui/src/lib.rs

@@ -325,7 +325,7 @@ pub async fn run_main(
     let (sandbox_mode, approval_policy) = if cli.full_auto {
         (
             Some(SandboxMode::WorkspaceWrite),
-            Some(AskForApproval::OnRequest),
+            Some(AskForApproval::OnFailure),
         )
     } else if cli.dangerously_bypass_approvals_and_sandbox {
         (