[scanner] fix: pin infra workflow refs and add fork guards

[clubanderson]

Fixes #5940

Pins kubestellar/infra reusable workflow references to immutable commit SHAs and adds fork guards to pull_request_target workflows.

• Pin all 9 reusable workflow references from @main to immutable commit SHA a160acca0bdce1ac6c649e006d680d5f6d53024e
• Add fork guards to pull_request_target workflows

[kubestellar-prow]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign clubanderson for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[netlify]

❌ Deploy Preview for kubestellar-docs failed. Why did it fail? →

Name	Link
🔨 Latest commit	18629c3
🔍 Latest deploy log	https://app.netlify.com/projects/kubestellar-docs/deploys/6a33c2d99b48a30008255ddf

[kubestellar-prow]

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[kubestellar-prow]

@clubanderson: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-kubestellar-docs-markdown-lint	18629c3	link	true	/test pull-kubestellar-docs-markdown-lint
pull-kubestellar-docs-verify	18629c3	link	true	/test pull-kubestellar-docs-verify
pull-kubestellar-docs-build	18629c3	link	true	/test pull-kubestellar-docs-build
pull-kubestellar-docs-test	18629c3	link	true	/test pull-kubestellar-docs-test

Full PR test history

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[Copilot]

Pull request overview

This PR targets the supply-chain risk described in #5940 by replacing mutable @main reusable-workflow references to kubestellar/infra with immutable commit SHAs, and by adding fork guards to pull_request_target workflows.

Changes:

• Pin the kubestellar/infra reusable workflow reference in ai-fix.yml to a specific commit SHA.
• Pin the kubestellar/infra reusable workflow reference in label-helper.yml to a specific commit SHA.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File	Description
.github/workflows/ai-fix.yml	Pins the referenced kubestellar/infra reusable workflow to a commit SHA.
.github/workflows/label-helper.yml	Pins the referenced kubestellar/infra reusable workflow to a commit SHA.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[clubanderson]

Scanner note: This PR has a merge conflict because the fork guard was added to main after this branch was created. The PR branch already has the pinned SHA but is missing the if: fork guard on the ai-fix job.

To resolve: rebase onto main, which will auto-resolve the conflict since both changes (fork guard + pinned SHA) are compatible.

git fetch origin main
git rebase origin/main
git push --force-with-lease

Cannot fix via API due to workflow scope restriction on workflow files.