ci: switch away from pull_request_target in the pre-commit workflow [RHIDP 11561] (#306)

Co-authored-by: rhdh-qodo-merge[bot] <232573409+rhdh-qodo-merge[bot]@users.noreply.github.com>

Author: rm3l

.github/pull_request_template.md

@@ -24,7 +24,7 @@ Detailed instructions may help reviewers test this PR quickly and provide quicke
 ## Checklist
 
 - [ ] For each Chart updated, version bumped in the corresponding `Chart.yaml` according to [Semantic Versioning](http://semver.org/).
-- [ ] For each Chart updated, variables are documented in the `values.yaml` and added to the corresponding README.md. The [pre-commit](https://pre-commit.com/) utility can be used to generate the necessary content. Use `pre-commit run -a` to apply changes. The [pre-commit Workflow](./workflows/pre-commit.yaml) will do this automatically for you if needed.
+- [ ] For each Chart updated, variables are documented in the `values.yaml` and added to the corresponding README.md. The [pre-commit](https://pre-commit.com/) utility can be used to generate the necessary content. Run `pre-commit run --all-files` to run the hooks and then push any resulting changes. The [pre-commit Workflow](./workflows/pre-commit.yaml) will enforce this and warn you if needed.
 - [ ] JSON Schema template updated and re-generated the raw schema via the `pre-commit` hook.
 - [ ] Tests pass using the [Chart Testing](https://github.com/helm/chart-testing) tool and the `ct lint` command.
 - [ ] If you updated the [orchestrator-infra](../charts/orchestrator-infra) chart, make sure the versions of the [Knative CRDs](../charts/orchestrator-infra/crds) are aligned with the versions of the CRDs installed by the OpenShift Serverless operators declared in the [values.yaml](../charts/orchestrator-infra/values.yaml) file. See [Installing Knative Eventing and Knative Serving CRDs](../charts/orchestrator-infra/README.md#installing-knative-eventing-and-knative-serving-crds) for more details.

.github/workflows/pre-commit-comment.yaml

@@ -0,0 +1,103 @@
+name: Pre-commit comment
+
+on:
+  workflow_run:
+    workflows: ["Pre-commit"]
+    types:
+      - completed
+
+jobs:
+  comment:
+    name: Comment on PR
+    runs-on: ubuntu-latest
+    if: github.event.workflow_run.event == 'pull_request'
+    permissions:
+      pull-requests: write
+
+    steps:
+
+      - name: Get the PR number from the workflow run
+        id: pr-number
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+        with:
+          script: |
+            const prs = context.payload.workflow_run.pull_requests;
+            if (prs.length > 0) {
+              const num = prs[0].number;
+              if (Number.isInteger(num)) {
+                core.setOutput('number', num);
+              } else {
+                core.setFailed(`Invalid PR number detected: ${num}`);
+              }
+            }
+
+      - name: Delete previous pre-commit failure comments
+        if: steps.pr-number.outputs.number
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+        env:
+          PR_NUMBER: ${{ steps.pr-number.outputs.number }}
+        with:
+          script: |
+            const prNumber = parseInt(process.env.PR_NUMBER, 10);
+
+            // Get all comments on the PR
+            const { data: comments } = await github.rest.issues.listComments({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: prNumber,
+            });
+
+            console.log(`Found ${comments.length} total comments on PR #${prNumber}`);
+
+            const botComments = comments.filter(comment => {
+              return comment.user.login === 'github-actions[bot]' && 
+                     comment.body && 
+                     comment.body.includes('⚠️ Pre-commit hook failures');
+            });
+
+            for (const comment of botComments) {
+              try {
+                await github.rest.issues.deleteComment({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  comment_id: comment.id,
+                });
+              } catch (error) {
+                console.warn(`Failed to delete comment ${comment.id}:`, error.message);
+              }
+            }
+
+      - name: Post comment
+        if: steps.pr-number.outputs.number && github.event.workflow_run.conclusion == 'failure'
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+        env:
+          PR_NUMBER: ${{ steps.pr-number.outputs.number }}
+        with:
+          script: |
+            const prNumber = parseInt(process.env.PR_NUMBER, 10);
+
+            const body = `
+            ## ⚠️ Pre-commit hook failures
+
+            The pre-commit hooks detected issues that need to be fixed.
+
+            **To fix these issues:**
+
+            1. Install the required dependencies:
+               - [pre-commit](https://pre-commit.com/#install)
+               - [helm-docs](https://github.com/norwoodj/helm-docs#installation)
+
+            2. Run pre-commit on all files:
+               \`\`\`bash
+               pre-commit run --all-files
+               \`\`\`
+
+            3. Commit and push any resulting changes
+            `.trim().replace(/^ {12}/gm, '');
+
+            await github.rest.issues.createComment({
+              issue_number: prNumber,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: body
+            });

.github/workflows/pre-commit.yaml

@@ -1,48 +1,31 @@
 name: Pre-commit
 
 on:
-  # pull_request_target needed to be able to commit and push pre-commit diffs to external fork PRs.
-  # But we included a manual authorization safeguard to prevent PWN requests. See the 'authorize' job below.
-  pull_request_target:
+  pull_request:
     branches:
       - main
-      - rhdh-1.[0-9]+
-      - 1.[0-9]+.x
       - release-1.[0-9]+
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.number }}
   cancel-in-progress: true
 
-jobs:
-  authorize:
-    # The 'external' environment is configured with the maintainers team as required reviewers.
-    # All the subsequent jobs in this workflow 'need' this job, which will require manual approval for PRs coming from external forks.
-    # see list of approvers in OWNERS file
-    environment:
-      ${{ (github.event.pull_request.head.repo.full_name == github.repository ||
-      contains(fromJSON('["gazarenkov","kadel","nickboldt","rm3l","kim-tsao","Fortune-Ndlovu","subhashkhileri","zdrapela","openshift-cherrypick-robot", "OpinionatedHeron"]'), github.event.pull_request.user.login)) && 'internal' || 'external' }}
-    runs-on: ubuntu-latest
-    steps:
-      - name: approved
-        run: echo "✓"
+# Revoke all permissions by default, then grant only what is needed
+permissions:
+  contents: read
 
+jobs:
   pre-commit:
     name: Pre-commit
     runs-on: ubuntu-latest
-    needs: authorize
-    permissions:
-      contents: write
-      pull-requests: write
     env:
       GO111MODULE: on
     steps:
       - name: Checkout
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
         with:
           fetch-depth: 0
-          repository: ${{github.event.pull_request.head.repo.full_name}}
-          ref: ${{ github.event.pull_request.head.sha }}
+          persist-credentials: false # Avoid token leakage to hooks
 
       - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
@@ -57,41 +40,5 @@ jobs:
 
       - name: Run pre-commit
         uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
-        continue-on-error: true  # Don't fail immediately; we'll handle it below
         with:
           extra_args: --verbose --all-files --show-diff-on-failure
-
-      - name: Check for changes after pre-commit
-        id: diff-checker
-        run: |
-          echo "CHANGED=$(if git diff --quiet; then echo "false"; else echo "true"; fi)" >> $GITHUB_OUTPUT
-
-      - name: Commit and push any manifest changes
-        if: ${{ steps.diff-checker.outputs.CHANGED == 'true' }}
-        run: |
-          git remote add fork "https://github.com/${{ github.event.pull_request.head.repo.full_name }}.git"
-          git fetch fork ${{ github.event.pull_request.head.ref }}
-          git checkout -B pr-branch fork/${{ github.event.pull_request.head.ref }}
-
-          git config user.name 'github-actions[bot]'
-          git config user.email 'github-actions[bot]@users.noreply.github.com'
-
-          git add -A .
-          git commit \
-            -m "chore(pre-commit): Auto-fix hooks" \
-            -m "Co-authored-by: $GITHUB_ACTOR <$GITHUB_ACTOR@users.noreply.github.com>"
-
-          git push fork pr-branch:${{ github.event.pull_request.head.ref }}
-
-      - name: Comment on PR if manifests were updated
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
-        if: ${{ !cancelled() && steps.diff-checker.outputs.CHANGED == 'true' }}
-        continue-on-error: true
-        with:
-          script: |
-            await github.rest.issues.createComment({
-              issue_number: context.issue.number,
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              body: '⚠️ <b>Files changed after running the pre-commit hooks</b><br/><br/>Those changes should have been pushed automatically to your PR branch.<br/><br/><b>NOTE: </b>If the PR checks are stuck after this additional commit, manually close the PR and immediately reopen it to trigger the checks again.'
-            })