Security: pin infra reusable workflows to immutable SHA and add fork guards #5944

Draft
Copilot wants to merge 1 commit into main from copilot/fix-github-actions-security-issues

Conversation

Copilot AI commented Jun 18, 2026

Two security issues in GitHub Actions workflows: mutable @main refs on reusable workflow calls (supply chain risk) and unguarded pull_request_target triggers (fork-based privilege escalation risk).


📝 Summary of Changes

  • Pins all kubestellar/infra reusable workflow references from @main to @a160acca0bdce1ac6c649e006d680d5f6d53024e
  • Adds if: fork guards to all pull_request_target jobs to block execution from fork PRs

Changes Made

  • Pinned kubestellar/infra workflow refs to immutable SHA in 10 workflow files: add-help-wanted.yml, assignment-helper.yml, copilot-dco.yml, feedback.yml, label-helper.yml, pr-verifier.yml, scorecard.yml, stale.yml, greetings.yml, copilot-automation.yml
  • Added fork guard to pr-verifier.yml:
    if: github.event.pull_request.head.repo.full_name == github.repository
  • Added fork guard to greetings.yml (also handles issues trigger):
    if: github.event_name == 'issues' || github.event.pull_request.head.repo.full_name == github.repository
  • Added fork guard to copilot-automation.yml (also handles workflow_dispatch trigger):
    if: github.event_name == 'workflow_dispatch' || github.event.pull_request.head.repo.full_name == github.repository

Checklist

Please ensure the following before submitting your PR:

  • I have reviewed the project's contribution guidelines.
  • I have performed a self-review of my changes.
  • I have written unit tests for the changes (if applicable).
  • I have updated the documentation (if applicable).
  • I have tested the changes locally and ensured they work as expected.
  • All CI checks are passing.

Security Considerations

If this PR modifies any security-sensitive files, confirm:

  • Dockerfiles — verified base images, avoided running as root
  • Kubernetes manifests — checked RBAC permissions and secrets handling
  • CI/CD workflows — inspected for command injection or credential exposure
  • Dependencies — validated new packages, checked for known vulnerabilities
  • Security configs — changes align with project security policies

Leave unchecked if not applicable. See CONTRIBUTING.md for details.


Screenshots or Logs (if applicable)


👀 Reviewer Notes

The SHA a160acca0bdce1ac6c649e006d680d5f6d53024e is the current HEAD of kubestellar/infra at time of this fix. Should be updated whenever kubestellar/infra changes are intentionally adopted. Disabled workflow files (*.disabled) and ai-fix.yml were out of scope per the issue.

Original prompt

Fix two security issues in GitHub Actions workflows:

Issue #5940 - Pin kubestellar/infra reusable workflows to immutable SHA:
The following workflows reference kubestellar/infra reusable workflows using @main which is mutable. Replace all @main references with @a160acca0bdce1ac6c649e006d680d5f6d53024e (the current HEAD SHA of kubestellar/infra).

Files to update:

  1. .github/workflows/add-help-wanted.yml
  2. .github/workflows/assignment-helper.yml
  3. .github/workflows/copilot-dco.yml
  4. .github/workflows/feedback.yml
  5. .github/workflows/label-helper.yml
  6. .github/workflows/pr-verifier.yml
  7. .github/workflows/scorecard.yml
  8. .github/workflows/stale.yml
  9. .github/workflows/greetings.yml
  10. .github/workflows/copilot-automation.yml

Issue #5941 - Add fork guard to pull_request_target workflows:
The following workflows use pull_request_target which is dangerous without fork protection. Add this guard condition to the job: if: github.event.pull_request.head.repo.full_name == github.repository

For greetings.yml which also has an issues trigger, use this condition instead:
if: github.event_name == 'issues' || github.event.pull_request.head.repo.full_name == github.repository

For copilot-automation.yml which also has a workflow_dispatch trigger, use:
if: github.event_name == 'workflow_dispatch' || github.event.pull_request.head.repo.full_name == github.repository

Files needing fork guards:

  1. .github/workflows/pr-verifier.yml
  2. .github/workflows/greetings.yml
  3. .github/workflows/copilot-automation.yml

The PR body should be:

Fixes #5940
Fixes #5941

**Security fixes for GitHub Actions workflows**

This PR addresses two security issues identified by the scanner:

1. **Pins kubestellar/infra reusable workflow references to immutable commit SHA** (`a160acca0bdce1ac6c649e006d680d5f6d53024e`) instead of `@main`. This prevents supply chain attacks where the upstream workflow could be modified to execute malicious code.

2. **Adds fork guard conditions to `pull_request_target` workflows** to prevent fork-based attacks. The guard `if: github.event.pull_request.head.repo.full_name == github.repository` ensures workflows only run for PRs from the same repository, not from forks with broad write permissions.

### Changes
- Updated 10 workflow files to pin reusable workflow references
- Added fork guards to 3 workflows using pull_request_target
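
An added example, not part of this PR or of the kubestellar repositories: a small Python audit for the two conditions the description above names, a `uses:` ref that is not a full commit SHA and a `pull_request_target` job without the fork guard. The workflow text is constructed, the reusable workflow file name is a placeholder, and the job scan assumes two-space YAML indentation.

```python
import re

SHA_RE = re.compile(r"[0-9a-f]{40}")
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)")
JOB_RE = re.compile(r"^  ([A-Za-z_][\w-]*):\s*$")  # job ids, assuming 2-space indent
GUARD = "github.event.pull_request.head.repo.full_name == github.repository"


def audit_workflow(text):
    """Return (kind, detail) findings for the text of one workflow file."""
    findings = []
    # 1. Mutable refs: `uses: owner/repo[/path]@ref` where ref is not a full commit SHA.
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m and "@" in m.group(1):
            target, ref = m.group(1).rsplit("@", 1)
            if not SHA_RE.fullmatch(ref):
                findings.append(("mutable-ref", f"{target}@{ref}"))
    # 2. Fork guard: only checked when the trigger section names pull_request_target.
    head, _, body = text.partition("\njobs:")
    if "pull_request_target" not in head:
        return findings
    job, guarded = None, {}
    for line in body.splitlines():
        m = JOB_RE.match(line)
        if m:
            job = m.group(1)
            guarded[job] = False
        elif job and re.match(r"^    if:", line) and GUARD in " ".join(line.split()):
            guarded[job] = True  # job-level `if:` contains the same-repository check
    findings += [("no-fork-guard", j) for j, ok in guarded.items() if not ok]
    return findings


# Constructed sample; the reusable workflow file name is a placeholder.
BEFORE = """\
name: pr-verifier
on:
  pull_request_target:
    types: [opened, edited]
jobs:
  verify:
    uses: kubestellar/infra/.github/workflows/PLACEHOLDER.yml@main
"""
AFTER = BEFORE.replace("@main", "@a160acca0bdce1ac6c649e006d680d5f6d53024e").replace(
    "  verify:\n", "  verify:\n    if: " + GUARD + "\n")

if __name__ == "__main__":
    for name, wf in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_workflow(wf))
```

The guard check is a string match on the job-level `if:`, so the combined conditions used for greetings.yml and copilot-automation.yml also pass; version tags such as `@v4` are reported as mutable because only a 40-character SHA is accepted.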

@kubestellar-prow

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

kubestellar-prow Bot added the labels do-not-merge/work-in-progress (Indicates that a PR should not merge because it is a work in progress.) and dco-signoff: no (Indicates the PR's author has not signed the DCO.) on Jun 18, 2026
@kubestellar-prow

Thanks for your pull request. Before we can look at it, you'll need to add a 'DCO signoff' to your commits.

📝 Please follow instructions in the contributing guide to update your commits with the DCO

Full details of the Developer Certificate of Origin can be found at developercertificate.org.

The list of commits missing DCO signoff:

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@netlify

netlify Bot commented Jun 18, 2026

Deploy Preview for kubestellar-docs failed. Why did it fail? →

Name Link
🔨 Latest commit 02a1a1a
🔍 Latest deploy log https://app.netlify.com/projects/kubestellar-docs/deploys/6a3377e0ef7851000853c6b9

kubestellar-prow Bot added the labels needs-ok-to-test (Indicates a PR that requires an org member to verify it is safe to test.) and size/XS (Denotes a PR that changes 0-9 lines, ignoring generated files.) on Jun 18, 2026
@kubestellar-prow

Hi @Copilot. Thanks for your PR.

I'm waiting for a kubestellar member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Copilot AI changed the title from "[WIP] Fix security issues in GitHub Actions workflows" to "Security: pin infra reusable workflows to immutable SHA and add fork guards" on Jun 18, 2026
Copilot AI requested a review from clubanderson June 18, 2026 04:47