Skip to content

Add allow-unsafe-pr-checkout: true for fork PR checkouts#1275

Merged
MatousJobanek merged 1 commit into
codeready-toolchain:masterfrom
fbm3307:fix-actions-checkout-fork
Jul 8, 2026
Merged

Add allow-unsafe-pr-checkout: true for fork PR checkouts#1275
MatousJobanek merged 1 commit into
codeready-toolchain:masterfrom
fbm3307:fix-actions-checkout-fork

Conversation

@fbm3307

@fbm3307 fbm3307 commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

actions/checkout@v7 refuses to check out fork PR code from a pull_request_target workflow without this flag. This mirrors the fix applied to registration-service in codeready-toolchain/registration-service#600.

Summary by CodeRabbit

  • Chores
    • Updated the component publishing workflow used for end-to-end tests to handle pull request code checkout more safely and consistently.
    • No visible product behavior changed.

actions/checkout@v7 refuses to check out fork PR code from a
pull_request_target workflow without this flag. This mirrors the fix
applied to registration-service in codeready-toolchain/registration-service#600.

Co-authored-by: Cursor <cursoragent@cursor.com>
@openshift-ci openshift-ci Bot requested review from rajivnathan and xcoulon July 8, 2026 06:28
@openshift-ci openshift-ci Bot added the approved label Jul 8, 2026
@sonarqubecloud

sonarqubecloud Bot commented Jul 8, 2026

Copy link
Copy Markdown

@coderabbitai

coderabbitai Bot commented Jul 8, 2026

Copy link
Copy Markdown

Walkthrough

This PR modifies a GitHub Actions workflow file, adding the allow-unsafe-pr-checkout: true setting to two checkout steps used for pull_request_target and issue_comment triggered events.

Changes

Workflow Checkout Configuration

Layer / File(s) Summary
Enable unsafe PR checkout
.github/workflows/publish-components-for-e2e-tests.yml
Adds allow-unsafe-pr-checkout: true to the actions/checkout@v7 step for pull_request_target events and to the checkout step for issue_comment events.

Estimated code review effort: 1 (Trivial) | ~3 minutes

Suggested labels: bug

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: enabling allow-unsafe-pr-checkout for fork PR checkouts.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot added the bug Something isn't working label Jul 8, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/publish-components-for-e2e-tests.yml (1)

24-31: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Harden the unsafe fork checkout path (.github/workflows/publish-components-for-e2e-tests.yml:24-31,46-53). This job checks out untrusted PR code and then runs the publish action with TEST_QUAY_TOKEN; add persist-credentials: false to both checkout steps and an explicit least-privilege permissions: block.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/publish-components-for-e2e-tests.yml around lines 24 - 31,
The PR checkout path in the workflow is too permissive for untrusted fork code,
especially before running the publish action with TEST_QUAY_TOKEN. Update both
checkout steps in the workflow to set persist-credentials to false, and add an
explicit permissions block on the job with the minimum GitHub token access
needed for the checkout and publish steps. Use the existing checkout steps and
the publish action invocation as the anchors for the change.

Source: Linters/SAST tools

🧹 Nitpick comments (1)
.github/workflows/publish-components-for-e2e-tests.yml (1)

25-31: 🧹 Nitpick | 🔵 Trivial

Sibling repos may need the same fix.

The linked-repository research shows member-operator, api, toolchain-common, and toolchain-e2e have an identical publish-components-for-e2e-tests.yml workflow using actions/checkout@v7 for fork PR checkout without allow-unsafe-pr-checkout, so those workflows may now be failing under the new v7 default-refusal behavior if they're triggered by fork PRs. Worth confirming whether the same fix needs to be rolled out there.

Also applies to: 47-53

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/publish-components-for-e2e-tests.yml around lines 25 - 31,
The fork-PR checkout in publish-components-for-e2e-tests.yml is relying on
actions/checkout@v7 without the explicit unsafe checkout override, which can
break when the workflow runs on pull_request_target. Update the checkout step in
this workflow to keep the explicit allow-unsafe-pr-checkout setting, and verify
the same pattern in the sibling publish-components-for-e2e-tests.yml workflows
for member-operator, api, toolchain-common, and toolchain-e2e so they all use
the same fork-checkout configuration.

Source: Linked repositories

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In @.github/workflows/publish-components-for-e2e-tests.yml:
- Around line 24-31: The PR checkout path in the workflow is too permissive for
untrusted fork code, especially before running the publish action with
TEST_QUAY_TOKEN. Update both checkout steps in the workflow to set
persist-credentials to false, and add an explicit permissions block on the job
with the minimum GitHub token access needed for the checkout and publish steps.
Use the existing checkout steps and the publish action invocation as the anchors
for the change.

---

Nitpick comments:
In @.github/workflows/publish-components-for-e2e-tests.yml:
- Around line 25-31: The fork-PR checkout in
publish-components-for-e2e-tests.yml is relying on actions/checkout@v7 without
the explicit unsafe checkout override, which can break when the workflow runs on
pull_request_target. Update the checkout step in this workflow to keep the
explicit allow-unsafe-pr-checkout setting, and verify the same pattern in the
sibling publish-components-for-e2e-tests.yml workflows for member-operator, api,
toolchain-common, and toolchain-e2e so they all use the same fork-checkout
configuration.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 61e64d5a-4bd5-4cda-8880-85b9ff0caff5

📥 Commits

Reviewing files that changed from the base of the PR and between 715f8ae and 04235dd.

📒 Files selected for processing (1)
  • .github/workflows/publish-components-for-e2e-tests.yml
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • codeready-toolchain/registration-service (manual)
  • codeready-toolchain/member-operator (manual)
  • codeready-toolchain/api (manual)
  • codeready-toolchain/toolchain-common (manual)
  • codeready-toolchain/host-operator (manual)
  • codeready-toolchain/toolchain-e2e (manual)
📜 Review details
⏰ Context from checks skipped due to timeout. (2)
  • GitHub Check: test
  • GitHub Check: GolangCI Lint
⚠️ CI failures not shown inline (2)

GitHub Actions: publish-components-for-e2e-tests / 0_Build & push operator bundles & dashboard image for e2e tests.txt: Add allow-unsafe-pr-checkout: true for fork PR checkouts

Conclusion: failure

View job details

##[group]Run actions/checkout@v7
 with:
   ref: fix-actions-checkout-fork
   repository: fbm3307/host-operator
   fetch-depth: 0
   ***REDACTED***
   ssh-strict: true
   ssh-user: git
   persist-credentials: true
   clean: true
   sparse-checkout-cone-mode: true
   fetch-tags: false
   show-progress: true
   lfs: false
   submodules: false
   set-safe-directory: true
   allow-unsafe-pr-checkout: false
 env:
   GOPATH: /tmp/go
 ##[endgroup]
 ##[error]Refusing to check out fork pull request code from a 'pull_request_target' workflow. This workflow runs with the base repository's GITHUB_TOKEN, secrets, default-branch cache scope, and runner access. Fetching and executing a fork's code in that trusted context commonly leads to "pwn request" vulnerabilities. To opt in, review the risks at https://gh.io/securely-using-pull_request_target and set 'allow-unsafe-pr-checkout: true' on the actions/checkout step.

GitHub Actions: publish-components-for-e2e-tests / Build & push operator bundles & dashboard image for e2e tests: Add allow-unsafe-pr-checkout: true for fork PR checkouts

Conclusion: failure

View job details

##[group]Run actions/checkout@v7
 with:
   ref: fix-actions-checkout-fork
   repository: fbm3307/host-operator
   fetch-depth: 0
   ***REDACTED***
   ssh-strict: true
   ssh-user: git
   persist-credentials: true
   clean: true
   sparse-checkout-cone-mode: true
   fetch-tags: false
   show-progress: true
   lfs: false
   submodules: false
   set-safe-directory: true
   allow-unsafe-pr-checkout: false
 env:
   GOPATH: /tmp/go
 ##[endgroup]
 ##[error]Refusing to check out fork pull request code from a 'pull_request_target' workflow. This workflow runs with the base repository's GITHUB_TOKEN, secrets, default-branch cache scope, and runner access. Fetching and executing a fork's code in that trusted context commonly leads to "pwn request" vulnerabilities. To opt in, review the risks at https://gh.io/securely-using-pull_request_target and set 'allow-unsafe-pr-checkout: true' on the actions/checkout step.
🧰 Additional context used
🪛 zizmor (1.26.1)
.github/workflows/publish-components-for-e2e-tests.yml

[warning] 46-53: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🔀 Multi-repo context

Linked repositories findings

codeready-toolchain/registration-service

  • .github/workflows/publish-components-for-e2e-tests.yml:25-31,47-53 already uses actions/checkout@v7 with allow-unsafe-pr-checkout: true on both PR checkout paths.
  • This is the same pattern as the PR change, so it looks like an existing repo-level precedent.

codeready-toolchain/member-operator

  • .github/workflows/publish-components-for-e2e-tests.yml:25-29,46-49 uses actions/checkout@v7 for pull_request_target and issue_comment checkouts, but the shell search did not show allow-unsafe-pr-checkout in this repo output.
  • If this workflow is still intended to support fork PRs, it may hit the same actions/checkout@v7 restriction.

codeready-toolchain/api

  • .github/workflows/publish-components-for-e2e-tests.yml:25-29,46-49 also uses actions/checkout@v7 in the same PR/issue-comment flow, with no allow-unsafe-pr-checkout shown in the search results.
  • Similar potential exposure to the same checkout behavior.

codeready-toolchain/toolchain-common

  • .github/workflows/publish-components-for-e2e-tests.yml:25-29,46-49 matches the same pattern and likewise showed no allow-unsafe-pr-checkout in the search results.
  • Same potential fork-PR checkout issue.

codeready-toolchain/toolchain-e2e

  • .github/workflows/publish-components-for-e2e-tests.yml:28-29,48-49 uses actions/checkout@v7 in the same event-driven flow, with no allow-unsafe-pr-checkout shown.
  • This repo appears to share the same workflow shape and may need the same fix if it is used for fork PRs.

@openshift-ci

openshift-ci Bot commented Jul 8, 2026

Copy link
Copy Markdown

@fbm3307: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e 04235dd link true /test e2e

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-ci

openshift-ci Bot commented Jul 8, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: fbm3307, MatousJobanek

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:
  • OWNERS [MatousJobanek,fbm3307]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@MatousJobanek MatousJobanek merged commit 1f40f9c into codeready-toolchain:master Jul 8, 2026
7 of 11 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved bug Something isn't working

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants