
Add fork-safe PR workflow and permissions #73

Merged
bschwedler merged 12 commits into main from ci/fork-safe-pr on Apr 28, 2026

Conversation

@bschwedler (Contributor)

Summary

  • Add pr.yml calling bakery-build-pr.yml@main for fork-safe PR builds (production, development, session)
  • Remove pull_request trigger from existing build workflows (handled by pr.yml)
  • Fix session.yml cron mismatch ('15 3 * * 0' condition vs '15 4 * * 0' cron)
  • Add permissions: {} at workflow level + per-job declarations

Part of rstudio/platform-team#435.

Test plan

  • pr.yml runs on this PR
  • Existing build workflows do not trigger on PRs
  • Push-to-main and schedule triggers still work after merge
  • Session builds trigger correctly on the weekly schedule

@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

Dedicated PR workflow that calls bakery-build-pr.yml, which is safe for fork PRs (no secrets required). Consolidates all three build types (production, development, session) into a single workflow with a unified CI gate.

PR builds are now handled by the dedicated pr.yml workflow which uses bakery-build-pr.yml (fork-safe, no secrets).

The if condition referenced cron '15 3 * * 0' but the actual schedule is '15 4 * * 0'. With pull_request removed, simplify to check event_name directly instead of matching cron strings.

Set top-level permissions: {} on all workflows and per-job permissions: {} on CI meta-jobs and the issues job. This follows the principle of least privilege by requiring each job to explicitly declare the permissions it needs.

Top-level permissions on workflows that call reusable workflows act as a ceiling, blocking job-level grants from reaching the callee. Remove it from all workflows except issues.yml (which doesn't call reusable workflows). Per-job permissions remain.

Mutable tags can be overwritten, allowing supply chain attacks. Pin to immutable commit SHAs with specific version comments so Dependabot can track updates.

Add zizmor job to PR workflows and a .github/zizmor.yml policy that allows ref-pinned images-shared refs while requiring hash-pinning for all third-party actions.

The release workflow was the only workflow without explicit permissions, inheriting the repo default. Add least-privilege permissions (contents:write, pull-requests:write) to match what product-release.yml needs, plus a 10-minute timeout.

- Downgrade packages:write to packages:read on PR build jobs — PR builds never push, cache is read-only
- Add security-events:write to zizmor job for SARIF upload to the Security tab

Add workflow_dispatch to the session build job's if condition — it was excluded, making manual dispatch a no-op despite the push input already handling it.

Grant packages: write on PR caller jobs so bakery-build-pr.yml can write to GHCR caches on internal PRs. Fork PRs are unaffected by GitHub's platform-enforced read-only token.

Remove stale concurrency comments referencing the pull_request trigger, which no longer exists on these workflows. Replace archived actions-ecosystem/action-add-labels with gh issue edit.

GitHub creates a check run for modified workflow files on push even when the file only triggers on workflow_dispatch. The run fails because inputs.version is undefined in a push context.
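The commit messages above describe four concrete problems found in these workflows: third-party actions pinned to mutable tags, a workflow with no explicit permissions at all (inheriting the repository default), a build that must run on pull_request without secrets to stay fork-safe, and an `if:` that compared github.event.schedule against a cron string the schedule block never declared. The script below is an added example, not the project's code and not zizmor; it runs those four checks as plain regex passes over workflow text so it needs only the standard library. The first-party prefix `rstudio/images-shared`, the owner of the reusable workflow, the secret name `GHCR_PAT` and the commit SHA are assumptions, and both workflow snippets are constructed for the example.

```python
"""Text-level lint for the GitHub Actions policies described in this PR.

Added example; not the project's code and not zizmor. Regex-based so it
needs only the standard library (a real tool would parse the YAML).
"""
import re

# Assumption: refs under this prefix are first-party and may be pinned by
# branch/tag; every other action must be pinned to a full 40-hex commit SHA.
FIRST_PARTY_PREFIXES = ("rstudio/images-shared",)

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)", re.M)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
PERMS_RE = re.compile(r"^\s*permissions:", re.M)
CRON_RE = re.compile(r"^\s*-\s*cron:\s*['\"]?([^'\"\n#]+?)['\"]?\s*$", re.M)
SCHED_CMP_RE = re.compile(r"github\.event\.schedule\s*==\s*['\"]([^'\"]+)['\"]")
# secrets.GITHUB_TOKEN is excluded: fork PRs still receive it (read-only).
SECRET_RE = re.compile(r"\$\{\{[^}]*\bsecrets\.(?!GITHUB_TOKEN\b)(\w+)")
PR_TRIGGER_RE = re.compile(
    r"^\s*(?:-\s*)?pull_request\s*:?\s*$|^on:\s*\[[^\]]*\bpull_request\b", re.M
)


def lint(text: str) -> list[tuple[str, str]]:
    """Return (code, detail) findings for one workflow file's text."""
    findings: list[tuple[str, str]] = []

    # 1. Mutable tags/branches can be moved; require a commit SHA unless the
    #    action sits under a first-party prefix that policy allows by ref.
    for ref in USES_RE.findall(text):
        if ref.startswith(("./", "docker://")):
            continue  # local composite actions and container images: no ref to pin
        action, _, version = ref.rpartition("@")
        if SHA_RE.match(version) or action.startswith(FIRST_PARTY_PREFIXES):
            continue
        findings.append(("unpinned", ref))

    # 2. No permissions: key anywhere means every job inherits the repo default.
    if not PERMS_RE.search(text):
        findings.append(("default-permissions", "no permissions: key at workflow or job level"))

    # 3. A workflow that runs on pull_request but reads repository secrets is
    #    not fork-safe: fork PRs get no secrets, so those steps fail or must be skipped.
    if PR_TRIGGER_RE.search(text):
        for name in SECRET_RE.findall(text):
            findings.append(("secrets-on-pr", name))

    # 4. An if: that compares github.event.schedule against a cron string must
    #    use one of the crons actually declared under schedule:.
    crons = {c.strip() for c in CRON_RE.findall(text)}
    for literal in SCHED_CMP_RE.findall(text):
        if literal not in crons:
            findings.append(("stale-cron-compare", literal))
    return findings


# Constructed "before" workflow: all four checks fire on it.
BEFORE = """\
on:
  pull_request:
  schedule:
    - cron: '15 4 * * 0'
jobs:
  session:
    if: github.event.schedule == '15 3 * * 0'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo "${{ secrets.GHCR_PAT }}" | docker login ghcr.io -u bot --password-stdin
"""

# Constructed "after" workflow: the build goes through a fork-safe reusable
# workflow, permissions are declared per job, third-party actions are
# SHA-pinned. Owner/repo of the reusable workflow and the SHA are placeholders.
AFTER = """\
on:
  push:
    branches: [main]
  schedule:
    - cron: '15 4 * * 0'
  workflow_dispatch:
jobs:
  session:
    if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
    permissions:
      contents: read
      packages: read
    uses: rstudio/images-shared/.github/workflows/bakery-build-pr.yml@main
  lint:
    permissions:
      security-events: write
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2 (placeholder SHA)
"""

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(f"{name}: {lint(text) or 'clean'}")
```

The default-permissions check fires only when a file has no `permissions:` key at all, which is the release-workflow case described above; a caller of a reusable workflow that keeps per-job grants and drops the top-level key passes, consistent with the ceiling behaviour the commit messages report. The secrets check skips `GITHUB_TOKEN` on purpose, since that token exists on fork PRs too, just with read-only scope.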
bschwedler merged commit e93ba0c into main on Apr 28, 2026
104 of 109 checks passed
bschwedler deleted the ci/fork-safe-pr branch on April 28, 2026 at 20:20
3 participants