CSPL-4372: Enable triggering workflows from forks

.github/README.md

@@ -0,0 +1,53 @@
+# GitHub Workflows
+
+## PR Testing Strategy
+
+### Why Two Triggers?
+
+GitHub's `pull_request` event doesn't expose secrets to fork PRs (for security). But we need secrets to run integration tests. The `pull_request_target` event does expose secrets—but it sets `GITHUB_SHA` to the **base branch**, not the PR. This means the default checkout gets the wrong code, and creates security risks if not handled carefully.
+
+### How We Handle It
+
+| Trigger | Branch | Why |
+|---------|--------|-----|
+| `pull_request_target` | `develop` | Enables secrets for fork PRs; requires manual approval |
+| `pull_request` | All except `develop` | Standard trigger for trusted maintainers |
+
+### Security Requirements
+
+1. **Always use `approval-gate.yml`** as a dependency for jobs needing secrets
+2. **Always specify `with.ref`** on all `actions/checkout` steps (enforced by `lint-workflows.yml`)
+3. **Always pass the approval gate's `commit-sha`** to prevent testing unapproved code
+
+### Checkout Patterns
+
+**For workflows using approval-gate** (recommended for `pull_request_target`):
+
+```yaml
+jobs:
+  approval-gate:
+    uses: ./.github/workflows/approval-gate.yml
+
+  build:
+    needs: approval-gate
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          ref: ${{ needs.approval-gate.outputs.commit-sha }}
+```
+
+**For simpler workflows** (e.g., `pull_request` or `push` triggers):
+
+```yaml
+# Preferred: Define ref once at workflow level, reuse in all jobs
+env:
+  CHECKOUT_REF: ${{ github.ref }}
+jobs:
+  build:
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          ref: ${{ env.CHECKOUT_REF }}
+```
+
+> ⚠️ Without these safeguards, a malicious commit could be added after approval but before execution.

.github/scripts/check-checkout-ref.py

@@ -0,0 +1,81 @@
+#!/usr/bin/env python3
+"""
+Check that all actions/checkout usages have 'with.ref' specified.
+
+This ensures consistent and explicit checkout behavior across all workflows.
+"""
+
+import sys
+from pathlib import Path
+
+import yaml
+
+
+def check_workflow_file(filepath: Path) -> list[dict]:
+    """
+    Check a workflow file for actions/checkout usages without 'with.ref'.
+
+    Returns a list of violations.
+    """
+    violations = []
+
+    with open(filepath, "r") as f:
+        try:
+            data = yaml.safe_load(f)
+        except yaml.YAMLError as e:
+            print(f"Warning: Failed to parse {filepath}: {e}")
+            return []
+
+    if not data or "jobs" not in data:
+        return []
+
+    for job_name, job in data["jobs"].items():
+        steps = job.get("steps", [])
+        for i, step in enumerate(steps):
+            uses = step.get("uses", "")
+            if "actions/checkout" in uses:
+                with_block = step.get("with", {})
+                has_ref = isinstance(with_block, dict) and "ref" in with_block
+
+                if not has_ref:
+                    violations.append({
+                        "file": str(filepath),
+                        "job": job_name,
+                        "step": i,
+                        "uses": uses,
+                    })
+
+    return violations
+
+
+def main():
+    workflows_dir = Path(".github/workflows")
+
+    if not workflows_dir.exists():
+        print("Error: .github/workflows directory not found")
+        sys.exit(1)
+
+    all_violations = []
+
+    for pattern in ("*.yml", "*.yaml"):
+        for workflow_file in sorted(workflows_dir.glob(pattern)):
+            all_violations.extend(check_workflow_file(workflow_file))
+
+    if all_violations:
+        print("❌ Found actions/checkout usages without 'with.ref' specified:\n")
+        for v in all_violations:
+            print(f"  {v['file']}")
+            print(f"    Job: {v['job']}, Step: {v['step']}")
+            print(f"    Uses: {v['uses']}\n")
+        print(f"Total violations: {len(all_violations)}")
+        print("\nAll actions/checkout steps should specify 'with.ref' to ensure")
+        print("consistent and explicit checkout behavior.")
+        print("\nSee .github/README.md for security requirements and examples.")
+        sys.exit(1)
+    else:
+        print("✅ All actions/checkout usages have 'with.ref' specified")
+        sys.exit(0)
+
+
+if __name__ == "__main__":
+    main()

.github/workflows/approval-gate.yml

@@ -0,0 +1,67 @@
+name: Approval Gate
+permissions:
+  contents: read
+
+on:
+  workflow_call:
+    inputs:
+      environment-name:
+        description: 'Environment name for approval'
+        required: false
+        type: string
+        default: 'external-contributor-approval'
+    outputs:
+      commit-sha:
+        description: 'The commit SHA (PR head for PRs, pushed commit for push events)'
+        value: ${{ jobs.get-commit-info.outputs.commit-sha }}
+      commit-message:
+        description: 'The commit message'
+        value: ${{ jobs.get-commit-info.outputs.commit-message }}
+
+jobs:
+  # Get commit info from the PR head (not the base branch).
+  # This is necessary because with 'pull_request_target', GITHUB_SHA and the default
+  # checkout point to the BASE branch, not the PR's code. We explicitly use
+  # 'github.event.pull_request.head.sha' to get the actual PR commit info.
+  # For 'push' events, we fall back to 'github.sha' (the pushed commit).
+  get-commit-info:
+    runs-on: ubuntu-latest
+    outputs:
+      commit-sha: ${{ steps.get-sha.outputs.commit_sha }}
+      commit-message: ${{ steps.get-message.outputs.commit_message }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ github.event.pull_request.head.sha || github.sha }}
+      - name: Get commit SHA
+        id: get-sha
+        run: |
+          COMMIT_SHA="${{ github.event.pull_request.head.sha || github.sha }}"
+          echo "commit_sha=${COMMIT_SHA}" >> $GITHUB_OUTPUT
+          echo "Commit SHA: ${COMMIT_SHA}"
+      - name: Get commit message
+        id: get-message
+        run: |
+          COMMIT_MSG=$(git log -1 --pretty=%B)
+          echo "commit_message<<EOF" >> $GITHUB_OUTPUT
+          echo "$COMMIT_MSG" >> $GITHUB_OUTPUT
+          echo "EOF" >> $GITHUB_OUTPUT
+          echo "Commit message:"
+          echo "$COMMIT_MSG"
+  approval-gate:
+    needs: get-commit-info
+    runs-on: ubuntu-latest
+    environment: ${{
+            (github.event_name == 'pull_request_target' &&
+            !contains(fromJSON('["MEMBER", "OWNER", "COLLABORATOR"]'), github.event.pull_request.author_association))
+            && inputs.environment-name
+            || ''
+        }}
+    steps:
+      - name: Approval status
+        run: |
+          echo "Event: ${{ github.event_name }}"
+          echo "Author association: ${{ github.event.pull_request.author_association }}"
+          echo "Approval granted or not required"
+

.github/workflows/arm-AL2023-build-test-push-workflow-AL2023.yml

@@ -5,16 +5,20 @@ permissions:
   id-token: write
   pull-requests: write
 on:
-  workflow_dispatch:  
+  workflow_dispatch:
     inputs:
       splunk_image_repository_tag:
         description: 'Splunk AL2023-based Docker Image repository and tag (e.g. repository-name:tag)'
         required: true
+env:
+  CHECKOUT_REF: ${{ github.ref }}
 jobs:
   check-formating:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v6
+      with:
+        ref: ${{ env.CHECKOUT_REF }}
     - name: Dotenv Action
       id: dotenv
       uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359
@@ -30,7 +34,9 @@ jobs:
    runs-on: ubuntu-latest
    needs: check-formating
    steps:
-     - uses: actions/checkout@v2
+     - uses: actions/checkout@v6
+       with:
+         ref: ${{ env.CHECKOUT_REF }}
      - name: Dotenv Action
        id: dotenv
        uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359
@@ -67,7 +73,9 @@ jobs:
     - name: Set up cosign
       uses: sigstore/cosign-installer@main
 
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v6
+      with:
+        ref: ${{ env.CHECKOUT_REF }}
     - name: Dotenv Action
       id: dotenv
       uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359
@@ -148,7 +156,9 @@ jobs:
       GRAVITON_TESTING: "true"
     steps:
       - name: Chekcout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ env.CHECKOUT_REF }}
       - name: Set Test Cluster Name
         id: set-cluster-name
         uses: ./.github/actions/set-cluster-name

.github/workflows/arm-AL2023-int-test-workflow.yml

@@ -10,6 +10,8 @@ on:
       splunk_image_repository_tag:
         description: 'Splunk AL2023-based Docker Image repository and tag (e.g. repository-name:tag)'
         required: true
+env:
+  CHECKOUT_REF: ${{ github.ref }}
 jobs:
   build-operator-image-arm-al2023:
     runs-on: ubuntu-latest
@@ -19,7 +21,9 @@ jobs:
       ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }}
       S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v6
+      with:
+        ref: ${{ env.CHECKOUT_REF }}
     - name: Dotenv Action
       id: dotenv
       uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359
@@ -101,7 +105,9 @@ jobs:
             echo "CLUSTER_NODES=2" >> $GITHUB_ENV
           fi
       - name: Checkcout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ env.CHECKOUT_REF }}
       - name: Set Test Cluster Name
         id: set-cluster-name
         uses: ./.github/actions/set-cluster-name

.github/workflows/arm-RHEL-build-test-push-workflow.yml

@@ -10,6 +10,8 @@ on:
           splunk_image_repository_tag:
             description: 'Splunk RHEL-based Docker Image repository and tag (e.g. repository-name:tag)'
             required: true
+env:
+  CHECKOUT_REF: ${{ github.ref }}
 jobs:
   build-operator-image-arm-rhel:
     runs-on: ubuntu-latest
@@ -19,7 +21,9 @@ jobs:
       ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }}
       S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v6
+      with:
+        ref: ${{ env.CHECKOUT_REF }}
     - name: Dotenv Action
       id: dotenv
       uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359
@@ -102,7 +106,9 @@ jobs:
             echo "CLUSTER_NODES=2" >> $GITHUB_ENV
           fi
       - name: Checkcout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ env.CHECKOUT_REF }}
       - name: Set Test Cluster Name
         id: set-cluster-name
         uses: ./.github/actions/set-cluster-name

.github/workflows/arm-RHEL-int-test-workflow.yml

@@ -10,6 +10,8 @@ on:
           splunk_image_repository_tag:
             description: 'Splunk RHEL-based Docker Image repository and tag (e.g. repository-name:tag)'
             required: true
+env:
+  CHECKOUT_REF: ${{ github.ref }}
 jobs:
   build-operator-image-arm-rhel:
     runs-on: ubuntu-latest
@@ -19,7 +21,9 @@ jobs:
       ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }}
       S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v6
+      with:
+        ref: ${{ env.CHECKOUT_REF }}
     - name: Dotenv Action
       id: dotenv
       uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359
@@ -101,7 +105,9 @@ jobs:
             echo "CLUSTER_NODES=2" >> $GITHUB_ENV
           fi
       - name: Checkcout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ env.CHECKOUT_REF }}
       - name: Set Test Cluster Name
         id: set-cluster-name
         uses: ./.github/actions/set-cluster-name