Guard copilot automation workflow against fork PRs #5942

Draft
Copilot wants to merge 2 commits into main from copilot/fix-copilot-automation-fork-guard

Conversation

Copilot AI (Contributor) commented Jun 18, 2026

📌 Fixes


📝 Summary of Changes

pull_request_target was allowing the privileged Copilot automation workflow to run without verifying the PR source repository. This change adds a same-repository guard so fork-originated PRs do not invoke the reusable workflow.

  • Workflow hardening
    • Added a job-level guard to .github/workflows/copilot-automation.yml
    • Restricted copilot-automation to PRs whose head repo matches github.repository

Example:

jobs:
  copilot-automation:
    if: github.event.pull_request.head.repo.full_name == github.repository
    uses: kubestellar/infra/.github/workflows/reusable-copilot-automation.yml@main

Changes Made

  • Updated .github/workflows/copilot-automation.yml to gate the job on same-repository PRs
  • Refactored ...
  • Fixed privileged workflow exposure for fork PRs on pull_request_target
  • Added tests for ...

Checklist

Please ensure the following before submitting your PR:

  • I have reviewed the project's contribution guidelines.
  • I have performed a self-review of my changes.
  • I have written unit tests for the changes (if applicable).
  • I have updated the documentation (if applicable).
  • I have tested the changes locally and ensured they work as expected.
  • All CI checks are passing.

Security Considerations

If this PR modifies any security-sensitive files, confirm:

  • Dockerfiles — verified base images, avoided running as root
  • Kubernetes manifests — checked RBAC permissions and secrets handling
  • CI/CD workflows — inspected for command injection or credential exposure
  • Dependencies — validated new packages, checked for known vulnerabilities
  • Security configs — changes align with project security policies

Leave unchecked if not applicable. See CONTRIBUTING.md for details.


Screenshots or Logs (if applicable)


👀 Reviewer Notes

Small workflow-only security fix. No behavior change for same-repository PRs; fork PRs will now skip this privileged job.

Original prompt

Add a fork guard condition to the copilot-automation job in .github/workflows/copilot-automation.yml to prevent fork PRs from running privileged workflows.

The job currently uses pull_request_target trigger without checking if the PR is from a fork. This is a security risk as it grants fork PRs write access to secrets and permissions.

Add this condition to the copilot-automation job (line 24):

if: github.event.pull_request.head.repo.full_name == github.repository

The job section should become:

jobs:
  copilot-automation:
    if: github.event.pull_request.head.repo.full_name == github.repository
    uses: kubestellar/infra/.github/workflows/reusable-copilot-automation.yml@main
    with:
      pr_number: ${{ github.event.inputs.pr_number || '' }}
    secrets:
      token: ${{ secrets.GITHUB_TOKEN }}

This ensures only PRs from the same repository (not forks) can trigger this workflow.

Fixes #5941
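As an added defender-side check (example code, not part of this PR or of the kubestellar repository): a small linter that flags jobs in a pull_request_target-triggered workflow which lack the same-repository guard this PR adds. The workflow text below is a constructed sample resembling the job in the PR description, not the actual copilot-automation.yml.

```python
# Guard expression this PR adds; a job counts as protected when its
# job-level 'if:' contains it.
SAME_REPO_GUARD = "github.event.pull_request.head.repo.full_name == github.repository"


def find_unguarded_jobs(workflow_text: str) -> list[str]:
    """Ids of jobs that run on pull_request_target without the guard; [] when the
    trigger is unused. Indentation scan (2-space indents, job keys at indent 4)."""
    section, job, uses_prt = None, None, False
    guarded: dict[str, bool] = {}              # job id -> guard present
    for raw in workflow_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # strip comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:                        # new top-level key
            section = line.split(":", 1)[0].strip().strip("'\"")
            job = None
        if section == "on" and "pull_request_target" in line:
            uses_prt = True                    # inline list or mapped form
        elif section == "jobs" and indent == 2 and line.endswith(":"):
            job = line.strip()[:-1]            # job id
            guarded[job] = False
        elif section == "jobs" and job and indent == 4 and line.strip().startswith("if:"):
            guarded[job] = SAME_REPO_GUARD in line
    if not uses_prt:
        return []
    return [name for name, ok in guarded.items() if not ok]


# Constructed sample resembling the workflow before this PR (not the real file).
BEFORE = """\
on:
  pull_request_target:
  workflow_dispatch:
permissions:
  contents: write
  pull-requests: write
jobs:
  copilot-automation:
    uses: kubestellar/infra/.github/workflows/reusable-copilot-automation.yml@main
    with:
      pr_number: ${{ github.event.inputs.pr_number || '' }}
    secrets:
      token: ${{ secrets.GITHUB_TOKEN }}
"""
# Same workflow with the PR's job-level guard inserted.
AFTER = BEFORE.replace("  copilot-automation:\n",
                       "  copilot-automation:\n    if: " + SAME_REPO_GUARD + "\n")
```

A workflow that triggers only on pull_request (not pull_request_target) yields no findings, since there the job runs with the fork's restricted token anyway.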

@kubestellar-prow kubestellar-prow Bot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. dco-signoff: no Indicates the PR's author has not signed the DCO. labels Jun 18, 2026
netlify Bot commented Jun 18, 2026

Deploy Preview for kubestellar-docs failed.

Latest commit: 1b591ff
Latest deploy log: https://app.netlify.com/projects/kubestellar-docs/deploys/6a33707bad9d720008d2b3e2

@kubestellar-prow kubestellar-prow Bot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Jun 18, 2026
@kubestellar-prow


Hi @Copilot. Thanks for your PR.

I'm waiting for a kubestellar member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@kubestellar-prow


Thanks for your pull request. Before we can look at it, you'll need to add a 'DCO signoff' to your commits.

📝 Please follow instructions in the contributing guide to update your commits with the DCO

Full details of the Developer Certificate of Origin can be found at developercertificate.org.

The list of commits missing DCO signoff:

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@kubestellar-prow


[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from clubanderson. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kubestellar-prow kubestellar-prow Bot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Jun 18, 2026
Copilot AI changed the title [WIP] Add fork guard condition to copilot-automation job Guard copilot automation workflow against fork PRs Jun 18, 2026
Copilot AI requested a review from clubanderson June 18, 2026 04:15


Development

Successfully merging this pull request may close these issues.

[sec-check] copilot-automation.yml: pull_request_target with write permissions and no fork guard