When pull requests are done from private repos in a github organization, for example: A develop will fork a repo, commit some changes then submit a pull request from the forked repo. In that case the files will be taken from organization instead of developer, so the tests actually run on the wrong code, they pass and the pull request in github gets marked as passing even though it was never actually tested.

A way to know if the revision of the Jenkinsfile is not the same than the branch tip (a.k.a the Jenkinsfile comes from an untrusted brach) should be great.

https://github.com/jenkinsci/github-branch-source-plugin/blob/a10e869ec3b653b05eb188bd1e4054211d32294f/src/main/java/org/jenkinsci/plugins/github_branch_source/GitHubSCMSource.java#L421-L433