ci: secure fork PR workflows with environment protection

[osmman]

• Use pull_request_target with secure-build environment for container builds
• Add PR validation workflow for immediate feedback without secrets
• Require manual approval for forked PRs accessing organization secrets

Summary by Sourcery

Secure forked PR workflows by using pull_request_target and protected environments, enable manual dispatch for arbitrary PR testing, and introduce a lightweight PR validation workflow for immediate feedback without secrets.

New Features:

• Add PR validation workflow for basic build, test, vet, and manifest checks without requiring secrets

Enhancements:

• Switch main CI workflow to pull_request_target with protected secure-build environment requiring manual approval for forked PRs
• Add workflow_dispatch trigger with optional PR number for on-demand testing
• Adjust checkout steps to select PR head or specified dispatch ref
• Standardize podman-login actions to @v1 across container build jobs

CI:

• Introduce pr-validation.yml and update main.yml

[sourcery-ai]

Reviewer's Guide

This PR migrates the main workflow to pull_request_target with optional manual dispatch, secures all build/test jobs under a protected “secure-build” environment requiring manual approval for forked PRs, standardizes the Podman login action to v1, and adds a new lean PR validation workflow that runs without secrets for immediate feedback.

Sequence diagram for forked PRs requiring manual approval to access secrets

sequenceDiagram
  actor Contributor
  participant "GitHub Actions"
  participant "secure-build environment"
  Contributor->>"GitHub Actions": Open PR from fork
  "GitHub Actions"->>"secure-build environment": Request access for build/test jobs
  "secure-build environment"-->>"GitHub Actions": Wait for manual approval
  Note over "GitHub Actions": Jobs do not run until approved
  "secure-build environment"->>"GitHub Actions": Approval granted
  "GitHub Actions"->>Contributor: Build/test jobs execute

Loading

Sequence diagram for PR validation workflow (immediate feedback, no secrets)

sequenceDiagram
  actor Contributor
  participant GitHubActionsPRValidationWorkflow as "GitHub Actions: PR Validation Workflow"
  Contributor->>GitHubActionsPRValidationWorkflow: Open PR
  GitHubActionsPRValidationWorkflow->>Contributor: Run validation steps (build, test, vet, manifests)
  GitHubActionsPRValidationWorkflow->>Contributor: Provide feedback (success/failure)
  Note over GitHubActionsPRValidationWorkflow: No secrets accessed

Loading

File-Level Changes

Change	Details	Files
Use pull_request_target trigger and add manual dispatch	Replace pull_request with pull_request_target Add workflow_dispatch input for optional PR number Update checkout ref logic to branch between pull_request_target, dispatch, and standard refs	.github/workflows/main.yml
Enforce protected environment for build and test jobs	Assign environment: secure-build to all container build and test jobs	.github/workflows/main.yml
Standardize Podman login action version	Change redhat-actions/podman-login usages from specific commit SHA to v1	.github/workflows/main.yml
Introduce PR validation workflow	Add pr-validation.yml defining checkout, Go setup, mod verify, build, tests, vet, manifest generation, and up-to-date checks	.github/workflows/pr-validation.yml

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[qodo-merge-pro]

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
⚪	Unpinned action version Description: The action reference for redhat-actions/podman-login changed from a pinned commit SHA to a floating @v1 tag, which increases supply-chain risk as the resolved code can change without review. main.yml [498-511] Referred Code uses: redhat-actions/podman-login@v1 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} auth_file_path: /tmp/config.json - name: Log in to registry.redhat.io uses: redhat-actions/podman-login@v1 with: username: ${{ secrets.REGISTRY_USER }} password: ${{ secrets.REGISTRY_PASSWORD }} registry: registry.redhat.io auth_file_path: /tmp/config.json
	Privileged PR checkout Description: Using pull_request_target with a checkout ref of the PR head allows executing forked code in a privileged context; while mitigated by protected environment, ensure approval gating is strictly enforced and no secret-dependent steps run before environment approval. main.yml [39-41] Referred Code # For pull_request_target, checkout the PR head # For workflow_dispatch, checkout specified PR or current ref ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || (github.event_name == 'workflow_dispatch' && github.event.inputs.pr_number != '' && format('refs/pull/{0}/head', github.event.inputs.pr_number)) || github.ref }}
Ticket Compliance
⚪	🎫 No ticket provided Create ticket/issue
Codebase Duplication Compliance
⚪	Codebase context is not defined Follow the guide to enable codebase context checks.
Custom Compliance
🟢	Generic: Meaningful Naming and Self-Documenting Code Objective: Ensure all identifiers clearly express their purpose and intent, making code self-documenting Status: Passed
	Generic: Secure Error Handling Objective: To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging. Status: Passed
⚪	Generic: Comprehensive Audit Trails Objective: To create a detailed and reliable record of critical system actions for security analysis and compliance. Status: No audit logs: The new workflow steps add build and test operations without any explicit audit logging of critical actions such as image builds or registry pushes, which may be acceptable for CI but lacks explicit audit trail entries in the new code. Referred Code run: make dev-images && cat config/default/images.env - name: Build operator container run: make docker-build docker-push build-bundle: name: Build-bundle-image runs-on: ubuntu-24.04 environment: name: "secure-build" permissions: contents: read packages: write steps: - name: Checkout source uses: actions/checkout@v4 with: ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || (github.event_name == 'workflow_dispatch' && github.event.inputs.pr_number != '' && format('refs/pull/{0}/head', github.event.inputs.pr_number)) || github.ref }} - name: Log in to GitHub Container Registry uses: redhat-actions/podman-login@v1 ... (clipped 20 lines)
	Generic: Robust Error Handling and Edge Case Management Objective: Ensure comprehensive error handling that provides meaningful context and graceful degradation Status: Weak error context: Several steps run commands that may fail without capturing and logging detailed context or artifacts, relying solely on default step failure behavior which may be insufficient for diagnosing edge cases. Referred Code - name: Verify dependencies run: go mod verify - name: Build project run: go build ./... - name: Run unit tests run: go test -v ./... - name: Run vet run: go vet ./... - name: Generate and validate manifests run: | make manifests generate fmt vet - name: Check if generated files are up to date run: | if ! git diff --exit-code; then echo "❌ Generated files are not up to date" echo "Please run 'make manifests generate fmt' and commit the changes" ... (clipped 6 lines)
	Generic: Secure Logging Practices Objective: To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data. Status: Possible secret echo: The workflow runs commands like image builds and registry logins where outputs (e.g., cat config/default/images.env) may be printed to logs, which could inadvertently expose sensitive values depending on file contents. Referred Code run: make dev-images && cat config/default/images.env - name: Build operator container run: make docker-build docker-push build-bundle: name: Build-bundle-image runs-on: ubuntu-24.04 environment: name: "secure-build" permissions: contents: read packages: write steps: - name: Checkout source uses: actions/checkout@v4 with: ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || (github.event_name == 'workflow_dispatch' && github.event.inputs.pr_number != '' && format('refs/pull/{0}/head', github.event.inputs.pr_number)) || github.ref }} - name: Log in to GitHub Container Registry uses: redhat-actions/podman-login@v1 ... (clipped 17 lines)
	Generic: Security-First Input Validation and Data Handling Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities Status: PR ref checkout risk: Using pull_request_target with a dynamic ref to checkout the PR head increases risk if any subsequent steps use secrets; while an environment gate is added, the new code does not itself enforce additional validation of the PR input or restrict commands after checkout. Referred Code # For pull_request_target, checkout the PR head # For workflow_dispatch, checkout specified PR or current ref ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || (github.event_name == 'workflow_dispatch' && github.event.inputs.pr_number != '' && format('refs/pull/{0}/head', github.event.inputs.pr_number)) || github.ref }} - name: Install Go uses: actions/setup-go@v5 with:
Update

Compliance status legend

🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

[sourcery-ai]

Hey there - I've reviewed your changes and they look great!

Blocking issues:

• An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. (link)

Prompt for AI Agents

Please address the comments from this code review:

## Individual Comments

### Comment 1
<location> `.github/workflows/main.yml:593` </location>
<code_context>
        uses: redhat-actions/podman-login@v1
</code_context>

<issue_to_address>
**security (yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha):** An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.

*Source: opengrep*
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sourcery-ai]

security (yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha): An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.

Source: opengrep

[qodo-merge-pro]

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
Possible issue	Fix incorrect GitHub Actions expression Fix the ref expression in checkout steps. The current use of && and || operators is incorrect for GitHub Actions and will result in a boolean value; use the if() function instead to correctly determine the checkout reference. .github/workflows/main.yml [41] -ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || (github.event_name == 'workflow_dispatch' && github.event.inputs.pr_number != '' && format('refs/pull/{0}/head', github.event.inputs.pr_number)) || github.ref }} +ref: ${{ (github.event_name == 'pull_request_target' && github.event.pull_request.head.sha) || (github.event_name == 'workflow_dispatch' && github.event.inputs.pr_number != '' && format('refs/pull/{0}/head', github.event.inputs.pr_number)) || github.ref }} Apply / Chat Suggestion importance[1-10]: 9 __ Why: The suggestion correctly identifies a critical bug in the GitHub Actions workflow logic where the ref expression will evaluate to a boolean, causing the checkout step to fail. The fix is crucial for the workflow to function as intended.	High
High-level	Centralize duplicated workflow checkout logic The complex and security-critical checkout logic is duplicated in eight jobs within main.yml. To improve maintainability and consistency, this logic should be centralized into a reusable component like a composite action or a reusable workflow. Examples: .github/workflows/main.yml [37-41] uses: actions/checkout@v4 with: # For pull_request_target, checkout the PR head # For workflow_dispatch, checkout specified PR or current ref ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || (github.event_name == 'workflow_dispatch' && github.event.inputs.pr_number != '' && format('refs/pull/{0}/head', github.event.inputs.pr_number)) || github.ref }} .github/workflows/main.yml [72-74] uses: actions/checkout@v4 with: ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || (github.event_name == 'workflow_dispatch' && github.event.inputs.pr_number != '' && format('refs/pull/{0}/head', github.event.inputs.pr_number)) || github.ref }} Solution Walkthrough: Before: jobs: build-operator: steps: - name: Checkout source uses: actions/checkout@v4 with: ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || ... }} build-bundle: steps: - name: Checkout source uses: actions/checkout@v4 with: ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || ... }} # ... and 6 other jobs with the same duplicated checkout logic After: # In a new file, e.g., .github/actions/safe-checkout/action.yml name: 'Safe PR Checkout' runs: using: 'composite' steps: - uses: actions/checkout@v4 with: ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || ... }} # In .github/workflows/main.yml jobs: build-operator: steps: - name: Checkout source uses: ./.github/actions/safe-checkout build-bundle: steps: - name: Checkout source uses: ./.github/actions/safe-checkout Suggestion importance[1-10]: 8 __ Why: The suggestion correctly identifies significant duplication of complex, security-critical checkout logic across eight jobs, and proposing centralization via a reusable component is a major improvement for maintainability and security.	Medium
General	Improve readability of git diff Improve the readability of workflow logs by replacing git diff with git diff --stat. This provides a concise summary of file changes instead of a full diff, making it easier to diagnose issues with out-of-date generated files. .github/workflows/pr-validation.yml [43-50] if ! git diff --exit-code; then echo "❌ Generated files are not up to date" echo "Please run 'make manifests generate fmt' and commit the changes" - git diff + echo "Summary of changes:" + git diff --stat exit 1 else echo "✅ Generated files are up to date" fi Apply / Chat Suggestion importance[1-10]: 4 __ Why: The suggestion proposes using git diff --stat instead of a full git diff to improve log readability, which is a valid but minor improvement to the developer experience.	Low
Update