57 changes: 48 additions & 9 deletions .github/workflows/pr.yml
Expand Up @@ -33,19 +33,48 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event.number || github.event.pull_request.head.ref }}
cancel-in-progress: true

env:
GH_TEAM: rhdh
GH_ORGANIZATION: redhat-developer
jobs:
check-commit-author:
runs-on: ubuntu-latest
outputs:
is_authorized: ${{ steps.check-team-membership.outputs.is_active_member }}
steps:
- name: Generate GitHub App Token
id: app-token
uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
with:
app-id: ${{ secrets.RHDH_GITHUB_APP_ID }}
private-key: ${{ secrets.RHDH_GITHUB_APP_PRIVATE_KEY }}
- name: Check team membership
uses: redhat-developer/rhdh/.github/actions/check-author@main
id: check-team-membership
with:
team: ${{ env.GH_TEAM }}
organization: ${{ env.GH_ORGANIZATION }}
gh_token: ${{ steps.app-token.outputs.token }}
author: ${{ github.event.pull_request.user.login }}

authorize:
# The 'external' environment is configured with the odo-maintainers team as required reviewers.
# All the subsequent jobs in this workflow 'need' this job, which will require manual approval for PRs coming from external forks.
# see list of approvers in OWNERS file
# The 'external' environment is configured with the rhdh-content team as required reviewers.
# All the subsequent jobs in this workflow 'need' this job, which will require manual approval for PRs coming from external forks outside of the rhdh team
needs: check-commit-author
environment:
${{ (github.event.pull_request.head.repo.full_name == github.repository ||
contains(fromJSON('["gazarenkov","jianrongzhang89","kadel","nickboldt","rm3l"]'), github.actor)) && 'internal' || 'external' }}
${{ (needs.check-commit-author.outputs.is_authorized == 'true' || github.event.pull_request.head.repo.full_name == github.repository) && 'internal' || 'external' }}
runs-on: ubuntu-latest
steps:
- name: approved
- name: Check if internal PR
id: check
run: |
echo "✓"
if [[ "${{ needs.check-commit-author.outputs.is_authorized }}" == "true" ]]; then
echo "✓ Commit author is in rhdh team - using internal environment"
elif [[ "${{ github.event.pull_request.head.repo.full_name }}" == "${{ github.repository }}" ]]; then
echo "✓ Internal PR (not from fork) - using internal environment"
else
echo "✓ External PR from fork from non-rhdh team member - using external environment for security"
fi

adoc_build:
name: Ccutil Build For PR branch preview
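Review bot: The new `check-commit-author` job hands the freshly minted App token to `redhat-developer/rhdh/.github/actions/check-author@main`, a mutable branch ref, while the token-creating action two steps earlier is pinned to a full commit SHA with a version comment; anyone who can push to that repository's `main` can change what runs with the token, and this job executes for every PR before the environment gate in `authorize` applies. Pin it the same way, e.g. `uses: redhat-developer/rhdh/.github/actions/check-author@<full-commit-sha> # vX.Y`, and presumably the App only needs organization members read for this query — worth confirming on the App's permissions. Also worth stating in a comment that the check is on the PR author (`github.event.pull_request.user.login`), not on the authors of the commits as the job name suggests, so a member's fork branch that others can push to is classified as internal: `# NOTE: membership is checked for the PR author only, not for every commit author on the branch`.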
Expand All @@ -57,12 +86,19 @@ jobs:
pull-requests: write

steps:
- name: Checkout
- name: Checkout base branch to get trusted build script
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.base.ref }}
path: trusted-scripts

- name: Checkout PR branch for content to build
uses: actions/checkout@v4
with:
fetch-depth: 0
ref: ${{ github.event.pull_request.head.ref }}
repository: ${{ github.event.pull_request.head.repo.full_name }}
path: pr-content

- name: Setup environment
run: |
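Review bot: The second checkout uses `ref: ${{ github.event.pull_request.head.ref }}`, a branch name, so the content built is whatever that branch points at when the step runs rather than the commit recorded in the event; for a fork PR that passes the `external` environment approval, a push to the branch between approval and checkout (a narrow window even with `cancel-in-progress`) would build content nobody reviewed, with this repository's secrets available to later steps. Check out the immutable commit instead: `ref: ${{ github.event.pull_request.head.sha }}`. For consistency with the SHA-pinned app-token action earlier in this file, both `actions/checkout@v4` steps could also be pinned to a commit SHA. The `adoc_build` job's header lies outside this hunk.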
Expand All @@ -75,10 +111,13 @@ jobs:
- name: Build guides and indexes
run: |
echo "Building PR ${{ github.event.pull_request.number }}"
cp trusted-scripts/build/scripts/build-ccutil.sh pr-content/build/scripts/build-ccutil.sh
cd pr-content
build/scripts/build-ccutil.sh -b "pr-${{ github.event.number }}"

- name: Pull from origin before pushing (if possible)
run: |
cd pr-content
/usr/bin/git pull origin gh-pages || true

# repo must be public for this to work
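Review bot: `git pull origin gh-pages || true` now runs inside `pr-content`, whose `origin` is the PR head repository (checked out with `repository: ${{ github.event.pull_request.head.repo.full_name }}` above), so for a fork PR this pulls and merges the fork's `gh-pages` branch — not this repository's — into the working tree that is then published, and `|| true` hides whether that happened at all. If the intent is to reconcile with this repository's `gh-pages`, fetch it explicitly from the base, e.g. `git pull "https://github.com/${{ github.repository }}.git" gh-pages || true`, and log the outcome instead of discarding it. Separately, copying only `build-ccutil.sh` over the PR tree protects that one file; if the script sources or executes anything else under `pr-content/build` (not visible here), those inputs remain PR-controlled, so consider running `../trusted-scripts/build/scripts/build-ccutil.sh` in place and recording the assumption in a comment such as `# build-ccutil.sh must not source or exec other files from the PR tree`.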
Expand All @@ -89,7 +128,7 @@ jobs:
github_token: ${{ secrets.RHDH_BOT_TOKEN }}
publish_branch: gh-pages
keep_files: true
publish_dir: ./titles-generated
publish_dir: ./pr-content/titles-generated

- name: PR comment with doc preview, replacing existing comments with a new one each time
shell: bash