[BRE-1510] Adding templates and README for community contribution workflows (#591)

pixman20 · web-flow · commit 24a42e468954 · 2026-02-02T17:37:00.000-05:00
diff --git a/templates/pull-request/README.md b/templates/pull-request/README.md
@@ -0,0 +1,97 @@
+# Pull Request and Pull Request Target Workflow Templates
+
+Templates for safely handling internal and external fork pull requests in GitHub Actions workflows that require secrets, following Bitwarden security patterns.
+
+## Overview
+
+Different strategies are needed for internal vs. fork PRs when workflows require secrets:
+
+- **Internal PRs**: Use `pull_request` trigger (runs with limited permissions, no secrets needed)
+- **Fork PRs**: Use `pull_request_target` (runs in target repo context with approval gate for secret access)
+
+## The Two-Workflow Pattern
+
+### `example-workflow.yml` - Main Workflow
+
+Contains actual job logic (build, test, deploy, etc.). Triggered by `pull_request` for internal PRs and `workflow_call` for reuse. Skips fork PRs via condition: `if: github.event.pull_request.head.repo.full_name == github.repository`
+
+### `example-workflow-target.yml` - Fork Handler
+
+Safely handles fork PRs needing secrets. Triggered by `pull_request_target` (targets default branch only). Runs `check-run` security gate first, then calls main workflow with `secrets: inherit`. Only executes for forks via condition: `if: github.event.pull_request.head.repo.full_name != github.repository`
+
+## Security Model
+
+**The Problem**: Fork PRs can't access secrets with `pull_request`, but `pull_request_target` runs untrusted code in your repo's context with secret access.
+
+**The Solution**: Two-phase approval process:
+1. `pull_request_target` workflow runs immediately for fork PRs
+2. `check-run` job fails (fork user lacks write permissions)
+3. Maintainer reviews code for malicious behavior
+4. Maintainer re-runs workflow (passes check-run with maintainer identity, grants secret access)
+
+**Protection Layers**:
+- Permission check validates write access
+- Conditional execution separates internal/fork paths
+- Mandatory code review before secret access
+- Workflow linter enforces `pull_request_target` targets default branch only and workflows include `check-run`
+
+## ⚠️ Critical Security Warning
+
+**ALWAYS review fork PR code BEFORE re-running failed workflows.** Once re-run, workflows access repository secrets and can exfiltrate data.
+
+**Check for**:
+- Uploads to external services
+- Unexpected network requests
+- Base64 encoding/obfuscation
+- Secrets exposed in artifacts or logs
+
+## Approval Process
+
+**For `pull_request` (no secrets)**: Click "Approve and run" to unblock workflow execution.
+
+**For `pull_request_target` (with secrets)**:
+1. Workflow runs immediately, `check-run` fails (expected)
+2. Review PR code thoroughly
+3. Click "Re-run failed jobs" (grants secret access via maintainer identity)
+
+## Usage Instructions
+
+1. **Copy templates** to `.github/workflows/` and rename appropriately
+2. **Customize main workflow**: Update name, paths, jobs, secrets, and inputs
+3. **Customize target workflow**: Update name, workflow reference in `uses:`, paths, permissions, and inputs
+4. **Test both scenarios**: Create internal PR (should trigger main workflow) and fork PR (should trigger target workflow with failed check-run)
+
+## Best Practices
+
+**DO**:
+- Use `check-run` job first in `pull_request_target` workflows
+- Review fork code before approving
+- Set minimal permissions per job
+- Pin actions to commit hashes
+- Use conditions to separate internal/fork execution
+
+**DON'T**:
+- Skip `check-run` security gate
+- Use `pull_request_target` unless secrets are required
+- Grant unnecessary permissions
+- Expose secrets in logs/outputs
+- Run both workflows for same PR
+
+## Troubleshooting
+
+**Both workflows running for internal PR**: Check conditional expressions match template patterns.
+
+**"Check PR run" failed (EXPECTED)**: This is the security gate working. Review code, then re-run to grant secret access.
+
+**Secrets unavailable in fork PR**: Ensure using `pull_request_target` pattern with `secrets: inherit`.
+
+**Workflow linter failing**: Verify `pull_request_target` targets default branch only.
+
+**Compliance**: Templates comply with all Bitwarden workflow-linter rules (pinned runners/actions, explicit permissions, proper naming, `pull_request_target` restrictions).
+
+## References
+
+- [GitHub Actions: pull_request vs pull_request_target](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target)
+- [Bitwarden Workflow Linter Rules](https://github.com/bitwarden/workflow-linter/tree/main/src/bitwarden_workflow_linter/rules)
+- [Bitwarden Clients Example](https://github.com/bitwarden/clients/blob/main/.github/workflows/build-web-target.yml)
+- [Keeping your GitHub Actions secure](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions)
diff --git a/templates/pull-request/example-workflow-target.yml b/templates/pull-request/example-workflow-target.yml
@@ -0,0 +1,54 @@
+---
+# Example pull_request_target workflow for handling external fork PRs
+#
+# ⚠️ CRITICAL SECURITY WARNING ⚠️
+# This workflow runs IMMEDIATELY when a fork PR is opened and has access to repository secrets.
+# The check-run job will FAIL initially (expected behavior) - this is the security gate.
+#
+# REQUIRED STEPS FOR MAINTAINERS:
+# 1. REVIEW THE PR CODE for malicious code that could exfiltrate secrets
+# 2. Only after code review, click "Re-run failed jobs" in GitHub Actions UI
+# 3. Re-running passes your identity to check-run, granting secret access
+#
+# Key patterns:
+# 1. Triggered by pull_request_target (for fork PRs with secrets)
+# 2. Runs check-run first - FAILS for fork users (expected), PASSES on maintainer re-run
+# 3. Only executes for external forks (internal PRs use pull_request trigger)
+# 4. Calls the main workflow and passes secrets
+# 5. Must target default branch per workflow-linter rules
+
+name: Example Workflow on PR Target
+
+on:
+  pull_request_target:
+    types: [opened, synchronize, reopened]
+    branches:
+      - main # Required by workflow-linter: pull_request_target must target default branch
+    paths:
+      - "example/**"
+      - ".github/workflows/example-workflow.yml"
+      - ".github/workflows/example-workflow-target.yml"
+
+permissions:
+  contents: read
+
+jobs:
+  check-run:
+    name: Check PR run approval
+    uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
+    permissions:
+      contents: read
+
+  example-job:
+    name: Run example job for fork
+    needs: check-run
+    # Only run if the PR is from an external fork
+    # Internal PRs are handled by the pull_request trigger in example-workflow.yml
+    if: github.event.pull_request.head.repo.full_name != github.repository
+    uses: ./.github/workflows/example-workflow.yml
+    permissions:
+      contents: read
+      id-token: write
+    secrets: inherit # Pass all repository secrets to the called workflow
+    with:
+      custom_parameter: "fork-pr-value"
diff --git a/templates/pull-request/example-workflow.yml b/templates/pull-request/example-workflow.yml
@@ -0,0 +1,62 @@
+---
+# Example workflow that runs on pull_request and can also be called from pull_request_target
+# This workflow skips execution on external forks since it won't have access to secrets when invoked via pull_request
+#
+# Key patterns:
+# 1. Triggered by pull_request (for internal PRs)
+# 2. Can be called via workflow_call (from pull_request_target workflow for external PRs)
+# 3. Skips execution on forks using condition when triggered with pull_request
+# 4. Explicit permissions at workflow level
+
+name: Example Workflow
+
+on:
+  pull_request:
+    types: [opened, synchronize]
+    branches:
+      - main
+    paths:
+      - "example/**"
+      - ".github/workflows/example-workflow.yml"
+  workflow_call:
+    inputs:
+      custom_parameter:
+        description: "Optional custom parameter from calling workflow"
+        required: false
+        type: string
+        default: "default-value"
+
+permissions:
+  contents: read
+
+jobs:
+  check-event-source:
+    name: Check event and source
+    runs-on: ubuntu-24.04
+    # Only run this job if the event is workflow_call or the PR is from the same repository (not a fork)
+    # This avoid running it twice: once for pull_request from fork and once from pull_request_target
+    if: github.event_name == 'workflow_call' || github.event.pull_request.head.repo.full_name == github.repository
+    steps:
+      - name: Check PR event and source
+        run: echo "This PR is from the same repository (Not a fork) or called via workflow_call."
+  example-job:
+    name: Run example job
+    runs-on: ubuntu-24.04
+    needs: check-event-source # Only run if intended, otherwise skip
+    permissions:
+      contents: read
+      id-token: write # Required if you need to authenticate to external services
+    steps:
+      - name: Get secrets
+        run: echo "Series of steps that would retrieve secrets"
+
+      - name: Check out repo
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Run some code
+        run: |
+          echo "Running workflow on branch: ${{ github.head_ref }}"
+          echo "Custom parameter: ${{ inputs.custom_parameter }}"
+          echo "This step could build, test, or deploy your code"
