ci: restrict specific workflows to the upstream repository

[nimdrak]

What does this PR do?

Fixed #28757

All GitHub workflows fail because they require secrets. The only exception is zizmor.yaml, which runs a static analysis security check on GitHub Actions.

Here is the corrected list of workflows that should be restricted to upstream(containers/podman), categorized by why they will fail or act improperly in a fork:

1. Require Custom Upstream Secrets
   They rely on secrets that are only available in the upstream repository:

• check_cirrus_cron.yml: Uses ACTION_MAIL_* secrets for alerting.
• cherry-pick.yml: Uses CHERRY_PICK_TOKEN to automate pushing to release branches.
• dev-bump.yml: Uses PODMANBOT_TOKEN to push version bumps.
• first_contrib_cert_generator.yml: Uses CERTIFICATES_REPO_TOKEN to commit to the external contributor certificates repo.
• issue_pr_lock.yml: Uses STALE_LOCKING_APP_PRIVATE_KEY and ACTION_MAIL_* secrets.
• machine-os-pr.yml: Uses PODMANBOT_TOKEN to push updates.
• release.yml: The primary release pipeline; requires Apple signing (MACOS_*), Azure signing (AZ_*), ACTION_MAIL_*, and PODMANBOT_TOKEN.
• update-podmanio.yml: Uses PODMANBOT_TOKEN to push updates to the containers/podman.io repository.

2. Manage Upstream Issue/PR Tracker State
   These workflows require write permissions to automatically manage issues, labels, and assignments.

• assign.yml: Self-assigns issues.
• issue-labeler.yml: Automatically applies labels to new issues.
• labeler.yml: Automatically applies labels to PRs based on changed file paths.
• needs-info-labeler.yaml: Automates comments when the needs-info label is added.
• stale.yml: Marks older issues and PRs as stale and closes them.

➕ Additional Details
I refactored several complex if conditions using YAML multi-line strings (|) to improve readability and maintainability.

Does this PR introduce a user-facing change?

None

[packit-as-a-service]

[NON-BLOCKING] Packit jobs failed. @containers/packit-build please check. Everyone else, feel free to ignore.

[nimdrak]

The failed tests are not related with this PR

[Luap99]

We move the repo soon, lets wait with this until we have the new nmae as we need to change the name again otherwise in a follow up commit.

[nimdrak]

@Luap99 Got it, thanks for letting me know!

[Luap99]

The new repo location will be podman-container-tools/podman

[nimdrak]

Could you confirm if the following should also be updated to the new podman-container-tools organization?

Related Repositories:

• UPSTREAM_MACHINE_OS: "containers/podman-machine-os" (in machine-os-pr.yml)
  • -> guess: podman-container-tools/podman-machine-os-sandbox
• --repo containers/podman.io (in update-podmanio.yml)
  • -> guess: podman-container-tools/podman.io

Team Mentions:

• @containers/podman-maintainers PTAL (in release-pipeline-validation.yml)
  • -> guess: podman-container-tools/podman-maintainers

[Luap99]

Could you confirm if the following should also be updated to the new podman-container-tools organization?

Related Repositories:

* UPSTREAM_MACHINE_OS: "containers/podman-machine-os" (in [machine-os-pr.yml](https://github.com/containers/podman/blob/62111c7e9d2c20c8bad81fe18359685c3ba6aeb2/.github/workflows/machine-os-pr.yml#L25-L26))
  
  * ->  guess: `podman-container-tools/podman-machine-os-sandbox`

That will be podman-container-tools/podman-machine-os sandbox is just for testing the CI.

* --repo containers/podman.io (in [update-podmanio.yml](https://github.com/containers/podman/blob/62111c7e9d2c20c8bad81fe18359685c3ba6aeb2/.github/workflows/update-podmanio.yml#L65))
  
  * ->  guess: `podman-container-tools/podman.io`

Team Mentions:

* @containers/podman-maintainers PTAL (in [release-pipeline-validation.yml](https://github.com/containers/podman/blob/62111c7e9d2c20c8bad81fe18359685c3ba6aeb2/.github/workflows/release-pipeline-validation.yml#L145))
  
  * ->  guess: `podman-container-tools/podman-maintainers`

I would not bother with this right now, just update the conditions you want to skip the runs, we take care of the release automation once we are there
cc @ashley-cui

[ashley-cui]

Great idea! I think the release-pipeline-validation.yml also requires secrets.

[nimdrak]

I would not bother with this right now, just update the conditions you want to skip the runs, we take care of the release automation once we are there

Thanks. Got it. I updated the conditions only. Please check it.

I think the release-pipeline-validation.yml also requires secrets.

You're right. I updated too. Thanks.

[Luap99]

cp: cannot stat './hack/ci/make-and-check-size.sh': No such file or directory

That seems a really strange validation error, I mean the script is in the git tree so what happened here?

btw I recommend to not blindly repush to retrigger CI, we can rerun tests as needed and I would have liked to see if this was a flake or not

[nimdrak]

Ah, sorry about the repush! I actually pushed again because I thought I messed up my rebase, not just to retrigger the CI. But I'll keep your advice in mind for next time.

[nimdrak]

That seems a really strange validation error, I mean the script is in the git tree so what happened here?

Regarding the missing script error, I think I found the cause. Initially, instead of doing a proper rebase, I manually deleted. .github/workflows/check_cirrus_cron.yml to match main and pushed.

Because my branch was still outdated, it didn't have ./hack/ci/make-and-check-size.sh yet, which is what broke the CI.

However, I've done a proper rebase now, and it looks like the issue is gone. Sorry for the confusion!

[Luap99]

LGTM