ci: secure fork PR workflows with environment protection

osmman · osmman · commit d7c22effa88a · 2025-11-05T15:07:32.000+01:00
- Use pull_request_target with secure-build environment for container builds
- Add PR validation workflow for immediate feedback without secrets
- Require manual approval for forked PRs accessing organization secrets

Signed-off-by: Tomas Turek &lt;tturek@redhat.com&gt;
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -3,8 +3,14 @@ on:
   push:
     branches: [ "main", "release*" ]
     tags: [ "*" ]
-  pull_request:
+  pull_request_target:
     branches: [ "main", "release*" ]
+  workflow_dispatch:
+    inputs:
+      pr_number:
+        description: 'PR number to test (optional)'
+        required: false
+        type: string
 
 env:
   GO_VERSION: 1.24
@@ -20,12 +26,19 @@ jobs:
   build-operator:
     name: Build-operator
     runs-on: ubuntu-24.04
+    # Use protected environment for security - requires manual approval for forked PRs
+    environment:
+      name: "secure-build"
     permissions:
       contents: read
       packages: write
     steps:
       - name: Checkout source
         uses: actions/checkout@v4
+        with:
+          # For pull_request_target, checkout the PR head
+          # For workflow_dispatch, checkout specified PR or current ref
+          ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || (github.event_name == 'workflow_dispatch' && github.event.inputs.pr_number != '' && format('refs/pull/{0}/head', github.event.inputs.pr_number)) || github.ref }}
 
       - name: Install Go
         uses: actions/setup-go@v5
@@ -49,12 +62,16 @@ jobs:
   build-bundle:
     name: Build-bundle-image
     runs-on: ubuntu-24.04
+    environment:
+      name: "secure-build"
     permissions:
       contents: read
       packages: write
     steps:
       - name: Checkout source
         uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || (github.event_name == 'workflow_dispatch' && github.event.inputs.pr_number != '' && format('refs/pull/{0}/head', github.event.inputs.pr_number)) || github.ref }}
 
       - name: Log in to GitHub Container Registry
         uses: redhat-actions/podman-login@v1
@@ -81,13 +98,17 @@ jobs:
   build-fbc:
     name: Build-fbc
     runs-on: ubuntu-24.04
+    environment:
+      name: "secure-build"
     permissions:
       contents: read
       packages: write
     needs: build-bundle
     steps:
       - name: Checkout source
         uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || (github.event_name == 'workflow_dispatch' && github.event.inputs.pr_number != '' && format('refs/pull/{0}/head', github.event.inputs.pr_number)) || github.ref }}
 
       - name: Log in to GitHub Container Registry
         uses: redhat-actions/podman-login@v1
@@ -179,6 +200,8 @@ jobs:
   test-kind:
     name: Test kind deployment
     runs-on: ubuntu-24.04
+    environment:
+      name: "secure-build"
     permissions:
       contents: read
       packages: read
@@ -188,6 +211,8 @@ jobs:
     steps:
       - name: Checkout source
         uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || (github.event_name == 'workflow_dispatch' && github.event.inputs.pr_number != '' && format('refs/pull/{0}/head', github.event.inputs.pr_number)) || github.ref }}
 
       - name: Install Go
         uses: actions/setup-go@v5
@@ -269,6 +294,8 @@ jobs:
   test-upgrade:
     name: Test upgrade operator
     runs-on: ubuntu-24.04
+    environment:
+      name: "secure-build"
     permissions:
       contents: read
       packages: read
@@ -279,6 +306,8 @@ jobs:
     steps:
       - name: Checkout source
         uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || (github.event_name == 'workflow_dispatch' && github.event.inputs.pr_number != '' && format('refs/pull/{0}/head', github.event.inputs.pr_number)) || github.ref }}
 
       - name: Install Go
         uses: actions/setup-go@v5
@@ -352,6 +381,8 @@ jobs:
   test-ha-install:
     name: Test with High Availability
     runs-on: ubuntu-24.04
+    environment:
+      name: "secure-build"
     permissions:
       contents: read
       packages: read
@@ -360,6 +391,8 @@ jobs:
     steps:
       - name: Checkout source
         uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || (github.event_name == 'workflow_dispatch' && github.event.inputs.pr_number != '' && format('refs/pull/{0}/head', github.event.inputs.pr_number)) || github.ref }}
 
       - name: Install Go
         uses: actions/setup-go@v5
@@ -443,6 +476,8 @@ jobs:
   test-custom-install:
     name: Test with custom operator installation
     runs-on: ubuntu-24.04
+    environment:
+      name: "secure-build"
     permissions:
       contents: read
       packages: read
@@ -451,6 +486,8 @@ jobs:
     steps:
       - name: Checkout source
         uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || (github.event_name == 'workflow_dispatch' && github.event.inputs.pr_number != '' && format('refs/pull/{0}/head', github.event.inputs.pr_number)) || github.ref }}
 
       - name: Install Go
         uses: actions/setup-go@v5
@@ -466,7 +503,7 @@ jobs:
           auth_file_path: /tmp/config.json
 
       - name: Log in to registry.redhat.io
-        uses: redhat-actions/podman-login@9184318aae1ee5034fbfbacc0388acf12669171f # v1
+        uses: redhat-actions/podman-login@v1
         with:
           username: ${{ secrets.REGISTRY_USER }}
           password: ${{ secrets.REGISTRY_PASSWORD }}
@@ -519,6 +556,8 @@ jobs:
   test-e2e:
     name: Execute securesign/sigstore-e2e
     runs-on: ubuntu-24.04
+    environment:
+      name: "secure-build"
     permissions:
       contents: read
       packages: read
@@ -529,6 +568,8 @@ jobs:
     steps:
       - name: Checkout source
         uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || (github.event_name == 'workflow_dispatch' && github.event.inputs.pr_number != '' && format('refs/pull/{0}/head', github.event.inputs.pr_number)) || github.ref }}
       - name: Checkout test source repository
         uses: actions/checkout@v4
         with:
@@ -549,7 +590,7 @@ jobs:
           auth_file_path: /tmp/config.json
 
       - name: Log in to registry.redhat.io
-        uses: redhat-actions/podman-login@9184318aae1ee5034fbfbacc0388acf12669171f # v1
+        uses: redhat-actions/podman-login@v1
         with:
           username: ${{ secrets.REGISTRY_USER }}
           password: ${{ secrets.REGISTRY_PASSWORD }}
diff --git a/.github/workflows/pr-validation.yml b/.github/workflows/pr-validation.yml
@@ -0,0 +1,51 @@
+name: PR Validation
+
+on:
+  pull_request:
+    branches: [ "main", "release*" ]
+
+env:
+  GO_VERSION: 1.24
+
+jobs:
+  validate-pr:
+    name: Basic PR Validation
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout source
+        uses: actions/checkout@v4
+
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      - name: Verify dependencies
+        run: go mod verify
+
+      - name: Build project
+        run: go build ./...
+
+      - name: Run unit tests
+        run: go test -v ./...
+
+      - name: Run vet
+        run: go vet ./...
+
+      - name: Generate and validate manifests
+        run: |
+          make manifests generate fmt vet
+
+      - name: Check if generated files are up to date
+        run: |
+          if ! git diff --exit-code; then
+            echo "❌ Generated files are not up to date"
+            echo "Please run 'make manifests generate fmt' and commit the changes"
+            git diff
+            exit 1
+          else
+            echo "✅ Generated files are up to date"
+          fi
+
