feat: add fork PR support with manual approval #2582
base: main
Conversation
Co-authored-by: derek.roberts <[email protected]>
Pull request overview
This PR implements support for fork pull requests with manual approval protection. It adds three new fork-specific workflows that use the pull_request_target trigger to run in the base repository context with secrets access, while requiring explicit approval through a protected environment. The reusable workflows for tests and deployment are updated to support checking out code from fork repositories.
Changes:
- Added three fork-specific workflows with `pull_request_target` trigger for validation, builds/deploys, and analysis
- Updated `.deployer.yml` and `.tests.yml` reusable workflows to accept optional repository and ref parameters for fork checkout
- Added documentation for setting up the `fork-pr-approval` environment with required reviewers
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .github/workflows/pr-validate-fork.yml | New fork PR validation workflow - validates PR metadata for fork PRs |
| .github/workflows/pr-open-fork.yml | New fork PR build and deploy workflow with approval gate |
| .github/workflows/analysis-fork.yml | New fork PR analysis workflow with approval gate for tests and code scanning |
| .github/workflows/.tests.yml | Updated to support optional fork repository/ref checkout parameters |
| .github/workflows/.deployer.yml | Updated to support fork checkout and handle pull_request_target events |
| README.md | Added documentation for fork PR approval environment setup |
| jobs: | ||
| validate: | ||
| name: Validate PR | ||
| if: (! github.event.pull_request.draft) && github.event.pull_request.head.repo.full_name != github.repository |
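Review bot: the `if` on `validate` skips draft PRs, so with a `pull_request_target` trigger the job only ever runs for a PR opened as draft if `ready_for_review` is among the trigger's event types; the bot comment on this PR asks contributors to open PRs in draft and mark them ready, so confirm the `on:` block lists that type (it is not visible in this hunk), otherwise marking a fork PR ready will not start validation. The fork test itself, `head.repo.full_name != github.repository`, is the right comparison, but keep in mind that it only decides which jobs run: every job in this workflow, gated or not, still holds the base repository's secrets and token, so `validate` must not check out or execute anything from the fork.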
Copilot AI · Jan 15, 2026
The fork validation workflow does not include a gate job with environment protection. This workflow uses pull_request_target which has access to secrets and runs in the base repository context. Unlike the other fork workflows (pr-open-fork.yml and analysis-fork.yml), this workflow lacks a gate job that requires approval via the fork-pr-approval environment before executing. This creates a security risk as untrusted fork code could potentially be executed without manual approval.
| jobs: | |
| validate: | |
| name: Validate PR | |
| if: (! github.event.pull_request.draft) && github.event.pull_request.head.repo.full_name != github.repository | |
| jobs: | |
| gate: | |
| name: Fork PR Approval Gate | |
| if: (! github.event.pull_request.draft) && github.event.pull_request.head.repo.full_name != github.repository | |
| runs-on: ubuntu-24.04 | |
| environment: fork-pr-approval | |
| steps: | |
| - run: echo "Awaiting fork-pr-approval environment approval" | |
| validate: | |
| name: Validate PR | |
| if: (! github.event.pull_request.draft) && github.event.pull_request.head.repo.full_name != github.repository | |
| needs: [gate] |
| needs: [validate] | ||
| runs-on: ubuntu-24.04 | ||
| steps: | ||
| - run: echo "Success!" |
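Review bot: this results job has `needs: [validate]` but no `if:`, so when `validate` fails or is skipped the job is skipped rather than failed, and a skipped job is reported as a passing required status check, which lets a PR merge past a failed validation. Add `if: always()` to the job and then fail explicitly on `needs.validate.result` (for example `if [ "${{ needs.validate.result }}" != "success" ]; then exit 1; fi`); `always()` is what makes the job run at all in the failure case, so the result check on its own is not enough.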
Copilot AI · Jan 15, 2026
The results job is missing proper failure checking logic. Unlike other fork workflows (pr-open-fork.yml and analysis-fork.yml), this results job doesn't check if any dependent jobs have failed or been canceled. It should include a step that checks for failures and exits with an error code to properly reflect the workflow status.
| - run: echo "Success!" | |
| - name: Check job dependencies | |
| run: | | |
| if [ "${{ needs.validate.result }}" != "success" ]; then | |
| echo "Dependent job 'validate' did not succeed (status: ${{ needs.validate.result }})." | |
| exit 1 | |
| fi | |
| - name: Report success | |
| run: echo "Success!" |
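Review bot: the suggested "Check job dependencies" step only executes if the results job itself runs, and the job still carries no `if: always()`, so a failed or skipped `validate` skips the whole job before this step is reached and the `exit 1` never fires; the job-level condition and the step belong together. Inlining `${{ needs.validate.result }}` into the shell is acceptable here because the value is one of a small fixed set (`success`, `failure`, `cancelled`, `skipped`), unlike PR-controlled fields such as the title or branch name, which should never be interpolated into `run:` in a `pull_request_target` workflow.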
- Remove analysis-fork.yml and pr-validate-fork.yml (read-only, no gating needed)
- Simplify checkout logic in reusable workflows
- Only pr-open-fork.yml requires approval (deploys infrastructure)

- Create .fork-handler.yml reusable workflow for fork detection and approval
- Add pull_request_target trigger to pr-open.yml alongside pull_request
- Remove repository/ref parameters from .deployer.yml and .tests.yml
- Implement artifact-based code transfer for fork PRs
- Add environment validation with clear error messages
- Update all jobs to depend on fork-handler
- Remove separate pr-open-fork.yml workflow
- Add restrictive permissions at workflow level
The fork-handler is the single blocking workflow. Builds job should not handle fork-specific logic.
Implements fork PR support with manual approval via environment protection.

Changes

pr-open-fork.yml) that uses `pull_request_target` trigger

Scope

Only `pr-open.yml` (builds, deploys, tests) requires gating because it:

`analysis.yml` and `pr-validate.yml` do NOT need gating (read-only operations).

Related

Closes #2581
Related: DerekRoberts#1

Security

`fork-pr-approval` environment
`pull_request_target` to run in base repo context (has secrets access)

Testing

`fork-pr-approval` is configured

Thanks for the PR!
Deployments, as required, will be available below:
Please create PRs in draft mode. Mark as ready to enable:
After merge, new images are deployed in:
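The gate pattern discussed in this thread, a `pull_request_target` workflow whose fork-only gate job sits behind the `fork-pr-approval` environment, with the other jobs chained through `needs` and a results job that reflects failures, written out as one complete workflow. This is an added example and is not the PR's `.fork-handler.yml`, `pr-open.yml` or any other file from the repository. The environment name, the fork detection expression and the `ubuntu-24.04` runner follow what the thread shows; the workflow name, the event types, the `./run-tests.sh` entry point and the job layout are assumptions.

```yaml
# Added example of a fork-PR approval gate; not this PR's own workflow.
# Assumed: a protected environment named fork-pr-approval with required
# reviewers, and a ./run-tests.sh script in the repository.
name: PR (fork-gated example)

on:
  pull_request_target:
    # ready_for_review is needed because the jobs below skip drafts.
    types: [opened, synchronize, reopened, ready_for_review]

# Least privilege at the workflow level; each job widens only what it needs.
permissions: {}

# A new push to the PR cancels a run that is still waiting for approval.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.number }}
  cancel-in-progress: true

jobs:
  # Gate: only fork PRs enter it, and the environment's required reviewers
  # must approve before anything downstream runs. Same-repo PRs skip it.
  # Nothing from the fork is checked out or executed here.
  gate:
    name: Fork PR Approval Gate
    if: >-
      !github.event.pull_request.draft &&
      github.event.pull_request.head.repo.full_name != github.repository
    runs-on: ubuntu-24.04
    environment: fork-pr-approval
    steps:
      - run: >-
          echo "Approved ${{ github.event.pull_request.head.repo.full_name }}
          at ${{ github.event.pull_request.head.sha }}"

  tests:
    name: Tests
    needs: [gate]
    # always() is required so this job is evaluated when gate was skipped
    # (same-repo PR); it still refuses to run if the gate failed (rejected
    # approval) or was cancelled.
    if: >-
      always() &&
      !github.event.pull_request.draft &&
      (needs.gate.result == 'success' || needs.gate.result == 'skipped')
    runs-on: ubuntu-24.04
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          # Pin the reviewed commit, not the fork's branch ref: a ref can
          # move between approval and checkout, a SHA cannot.
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          ref: ${{ github.event.pull_request.head.sha }}
          # Do not leave the base repo token in .git/config of untrusted code.
          persist-credentials: false
      - run: ./run-tests.sh   # assumed project test entry point

  results:
    name: Results
    needs: [gate, tests]
    # Run even when a dependency failed; without always() a failed tests job
    # would leave this job skipped, and a skipped required check passes.
    if: always()
    runs-on: ubuntu-24.04
    steps:
      - name: Check job dependencies
        env:
          NEEDS: ${{ toJSON(needs) }}   # {"gate": {"result": ...}, "tests": {...}}
        run: |
          # 'skipped' is acceptable (gate on same-repo PRs, tests on drafts);
          # 'failure' or 'cancelled' anywhere fails the workflow.
          echo "$NEEDS"
          if echo "$NEEDS" | grep -Eq '"result": *"(failure|cancelled)"'; then
            echo "A dependent job failed or was cancelled." >&2
            exit 1
          fi
          echo "Success!"
```

Two caveats worth keeping in mind when adopting this: the environment approval only pauses the downstream jobs, it does not take secrets away from the `pull_request_target` run, so no job that precedes or bypasses the gate may check out or execute fork-controlled code; and because the checkout pins `head.sha`, a commit pushed after approval does not slip into the approved run but triggers a fresh `synchronize` run that needs its own approval.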