🌱 [scanner] fix: pin workflow refs to immutable SHA and add fork guard

[Copilot]

Addresses two supply chain security issues: mutable @main refs in reusable workflow calls allow ref-hijacking attacks, and pull_request_target jobs without fork guards can execute privileged code from untrusted forks.

📌 Fixes

---

📝 Summary of Changes

• Pin all kubestellar/infra reusable workflow refs from @main to immutable commit SHA a160acca0bdce1ac6c649e006d680d5f6d53024e
• Add fork guard to pull_request_target jobs in copilot-automation.yml and pr-verifier.yml

---

Changes Made

SHA pinning — all 11 affected workflows:

# Before
uses: kubestellar/infra/.github/workflows/reusable-pr-verifier.yml@main

# After
uses: kubestellar/infra/.github/workflows/reusable-pr-verifier.yml@a160acca0bdce1ac6c649e006d680d5f6d53024e # main

Files: add-help-wanted.yml, ai-fix.yml, assignment-helper.yml, copilot-automation.yml, copilot-dco.yml, feedback.yml, greetings.yml, label-helper.yml, pr-verifier.yml, scorecard.yml, stale.yml

Fork guard — copilot-automation.yml and pr-verifier.yml:

jobs:
  verify:
    if: github.event.pull_request.head.repo.full_name == github.repository
    uses: ...

• Updated add-help-wanted.yml — pinned SHA
• Updated ai-fix.yml — pinned SHA
• Updated assignment-helper.yml — pinned SHA
• Updated copilot-automation.yml — pinned SHA + fork guard
• Updated copilot-dco.yml — pinned SHA
• Updated feedback.yml — pinned SHA
• Updated greetings.yml — pinned SHA
• Updated label-helper.yml — pinned SHA
• Updated pr-verifier.yml — pinned SHA + fork guard
• Updated scorecard.yml — pinned SHA
• Updated stale.yml — pinned SHA

---

Checklist

• I have reviewed the project's contribution guidelines.
• I have performed a self-review of my changes.
• I have written unit tests for the changes (if applicable).
• I have updated the documentation (if applicable).
• I have tested the changes locally and ensured they work as expected.
• All CI checks are passing.

Security Considerations

• Dockerfiles — verified base images, avoided running as root
• Kubernetes manifests — checked RBAC permissions and secrets handling
• CI/CD workflows — inspected for command injection or credential exposure
• Dependencies — validated new packages, checked for known vulnerabilities
• Security configs — changes align with project security policies

---

Screenshots or Logs (if applicable)

---

👀 Reviewer Notes

The SHA a160acca0bdce1ac6c649e006d680d5f6d53024e corresponds to the current main HEAD of kubestellar/infra. When kubestellar/infra main is updated in future, these pins should be bumped deliberately and reviewed.

Original prompt

Fix security issues #5940 and #5941:

1. Pin all reusable workflow references from @main to immutable commit SHA a160acca0bdce1ac6c649e006d680d5f6d53024e

   Affected workflows in .github/workflows/:

   • add-help-wanted.yml
   • ai-fix.yml
   • assignment-helper.yml
   • copilot-automation.yml
   • copilot-dco.yml
   • feedback.yml
   • greetings.yml
   • label-helper.yml
   • pr-verifier.yml
   • scorecard.yml
   • stale.yml

   For each file, replace:
   uses: kubestellar/infra/.github/workflows/reusable-*.yml@main

   With:
   uses: kubestellar/infra/.github/workflows/reusable-*.yml@a160acca0bdce1ac6c649e006d680d5f6d53024e # main

2. Add fork guard to copilot-automation.yml and pr-verifier.yml

   Both files use pull_request_target trigger but lack fork protection. Add this line before the uses: statement in the job definition:
   if: github.event.pull_request.head.repo.full_name == github.repository

The commit message should follow DCO requirements with:

🌱 [scanner] fix: pin workflow refs to immutable SHA and add fork guard

- Pin all kubestellar/infra reusable workflow refs from @main to commit SHA a160acc
- Add fork guard to copilot-automation.yml and pr-verifier.yml for pull_request_target
- Prevents supply chain attacks via mutable refs and fork-based PR attacks

Fixes #5940
Fixes #5941

Signed-off-by: Copilot <223556219+Copilot@users.noreply.github.com>

[kubestellar-prow]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[kubestellar-prow]

Thanks for your pull request. Before we can look at it, you'll need to add a 'DCO signoff' to your commits.

📝 Please follow instructions in the contributing guide to update your commits with the DCO

Full details of the Developer Certificate of Origin can be found at developercertificate.org.

The list of commits missing DCO signoff:

• b68612c Initial plan

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[netlify]

❌ Deploy Preview for kubestellar-docs failed. Why did it fail? →

Name	Link
🔨 Latest commit	b68612c
🔍 Latest deploy log	https://app.netlify.com/projects/kubestellar-docs/deploys/6a338f1d92a2db0008644903

[kubestellar-prow]

Hi @Copilot. Thanks for your PR.

I'm waiting for a kubestellar member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.