chore: convert unnecessary pull_request_target workflows to pull_request (#4095)

Zaperex · web-flow · commit 071c52c70ec6 · 2026-01-28T17:01:54.000-05:00
Signed-off-by: Frank Kong &lt;frkong@redhat.com&gt;

rh-pre-commit.version: 2.3.2
rh-pre-commit.check-secrets: ENABLED
diff --git a/.github/workflows/auto-approve-bot-prs.yaml b/.github/workflows/auto-approve-bot-prs.yaml
@@ -37,9 +37,6 @@ jobs:
     if: github.event.pull_request.user.login == 'rhdh-bot'
 
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
-
       - name: Check PR eligibility
         id: check-eligibility
         run: |
diff --git a/.github/workflows/pr-1.8.yaml b/.github/workflows/pr-1.8.yaml
@@ -18,7 +18,7 @@
 name: PR
 
 on:
-  pull_request_target:
+  pull_request:
     types: [opened, synchronize, reopened, ready_for_review]
     branches:
       - release-1.7
@@ -33,69 +33,18 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
-  check-commit-author:
-    # This job is used to check if the commit author is an active member of the rhdh team.
-    # It is used to determine if the PR should be run with the internal or external environment.
-    # The job is run on the main branch to ensure that the action is not tampered with.
-    runs-on: ubuntu-latest
-    outputs:
-      is_active_team_member: ${{ steps.team-check.outputs.is_active_member }}
-    steps:
-      - name: Generate GitHub App Token
-        id: app-token
-        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
-        with:
-          app-id: ${{ secrets.RHDH_GITHUB_APP_ID }}
-          private-key: ${{ secrets.RHDH_GITHUB_APP_PRIVATE_KEY }}
-      - name: Checkout main branch for secure version of check-author action
-        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
-        with:
-          fetch-depth: 1
-          ref: main  # Always use main branch for security-critical action
-          persist-credentials: false
-      - name: Check if commit author is an active member of the team
-        id: team-check
-        uses: ./.github/actions/check-author
-        with:
-          author: ${{ github.actor }}
-          organization: redhat-developer
-          team: rhdh
-          gh_token: ${{ steps.app-token.outputs.token }}
-          whitelisted_authors: '["openshift-cherrypick-robot"]'
-
-  authorize:
-    # The 'external' environment is configured with the maintainers team as required reviewers.
-    # All the subsequent jobs in this workflow 'need' this job, which will require manual approval for PRs coming from external forks.
-    # Use 'internal' environment if the author is in the team OR if it's an internal PR (not from a fork)
-    # see list of approvers in OWNERS file
-    environment:
-      ${{ (needs.check-commit-author.outputs.is_active_team_member == 'true' || github.event.pull_request.head.repo.full_name == github.repository) && 'internal' || 'external' }}
-    runs-on: ubuntu-latest
-    needs: check-commit-author
-    steps:
-      - name: Check if internal PR
-        id: check
-        run: |
-          if [[ "${{ needs.check-commit-author.outputs.is_active_team_member }}" == "true" ]]; then
-            echo "✓ Commit author is in rhdh team - using internal environment"
-          elif [[ "${{ github.event.pull_request.head.repo.full_name }}" == "${{ github.repository }}" ]]; then
-            echo "✓ Internal PR (not from fork) - using internal environment"
-          else
-            echo "✓ External PR from fork from non-rhdh team member - using external environment for security"
-          fi
   build:
     name: Build with Node.js ${{ matrix.node-version }}
     runs-on: ubuntu-latest
     strategy:
       matrix:
         node-version: [22]
-    needs: authorize
     steps:
       - name: Checkout
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           fetch-depth: 0
-          ref: ${{ github.event.pull_request.head.sha }}
+          persist-credentials: false
 
       - name: Check Image and Relevant Changes
         id: check-image
@@ -132,14 +81,12 @@ jobs:
     strategy:
       matrix:
         node-version: [22]
-    needs: authorize
     steps:
       - name: Checkout
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           fetch-depth: 0
-          ref: ${{ github.event.pull_request.head.sha }}
-
+          persist-credentials: false
       - name: Check Image and Relevant Changes
         id: check-image
         uses: ./.github/actions/check-image-and-changes
diff --git a/.github/workflows/pr-build-image.yaml b/.github/workflows/pr-build-image.yaml
@@ -34,6 +34,7 @@ jobs:
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Check Image and Relevant Changes
         id: check-image
diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
@@ -15,7 +15,7 @@
 name: PR
 
 on:
-  pull_request_target:
+  pull_request:
     types: [opened, synchronize, reopened, ready_for_review]
     branches:
       - main
@@ -31,69 +31,18 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
-  check-commit-author:
-    # This job is used to check if the commit author is an active member of the rhdh team.
-    # It is used to determine if the PR should be run with the internal or external environment.
-    # The job is run on the main branch to ensure that the action is not tampered with.
-    runs-on: ubuntu-latest
-    outputs:
-      is_active_team_member: ${{ steps.team-check.outputs.is_active_member }}
-    steps:
-      - name: Generate GitHub App Token
-        id: app-token
-        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
-        with:
-          app-id: ${{ secrets.RHDH_GITHUB_APP_ID }}
-          private-key: ${{ secrets.RHDH_GITHUB_APP_PRIVATE_KEY }}
-      - name: Checkout main branch for secure version of check-author action
-        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
-        with:
-          fetch-depth: 1
-          ref: main  # Always use main branch for security-critical action
-          persist-credentials: false
-      - name: Check if commit author is an active member of the team
-        id: team-check
-        uses: ./.github/actions/check-author
-        with:
-          author: ${{ github.actor }}
-          organization: redhat-developer
-          team: rhdh
-          gh_token: ${{ steps.app-token.outputs.token }}
-          whitelisted_authors: '["openshift-cherrypick-robot"]'
-
-  authorize:
-    # The 'external' environment is configured with the maintainers team as required reviewers.
-    # All the subsequent jobs in this workflow 'need' this job, which will require manual approval for PRs coming from external forks.
-    # Use 'internal' environment if the author is in the team OR if it's an internal PR (not from a fork)
-    # see list of approvers in OWNERS file
-    environment:
-      ${{ (needs.check-commit-author.outputs.is_active_team_member == 'true' || github.event.pull_request.head.repo.full_name == github.repository) && 'internal' || 'external' }}
-    runs-on: ubuntu-latest
-    needs: check-commit-author
-    steps:
-      - name: Check if internal PR
-        id: check
-        run: |
-          if [[ "${{ needs.check-commit-author.outputs.is_active_team_member }}" == "true" ]]; then
-            echo "✓ Commit author is in rhdh team - using internal environment"
-          elif [[ "${{ github.event.pull_request.head.repo.full_name }}" == "${{ github.repository }}" ]]; then
-            echo "✓ Internal PR (not from fork) - using internal environment"
-          else
-            echo "✓ External PR from fork from non-rhdh team member - using external environment for security"
-          fi
   build:
     name: Build with Node.js ${{ matrix.node-version }}
     runs-on: ubuntu-latest
     strategy:
       matrix:
         node-version: [22]
-    needs: authorize
     steps:
       - name: Checkout
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           fetch-depth: 0
-          ref: ${{ github.event.pull_request.head.sha }}
+          persist-credentials: false
 
       - name: Check Image and Relevant Changes
         id: check-image
@@ -130,14 +79,12 @@ jobs:
     strategy:
       matrix:
         node-version: [22]
-    needs: authorize
     steps:
       - name: Checkout
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           fetch-depth: 0
-          ref: ${{ github.event.pull_request.head.sha }}
-
+          persist-credentials: false
       - name: Check Image and Relevant Changes
         id: check-image
         uses: ./.github/actions/check-image-and-changes
