Fix supply chain security: pin reusable workflows to SHA and add fork guard #5948

Draft
Copilot wants to merge 1 commit into main from copilot/fix-security-issues-5940-5941-again

Copilot AI commented Jun 18, 2026

Contributor

Addresses two supply chain security issues in CI/CD workflows: mutable @main refs on reusable workflows allow unreviewed upstream changes to execute with elevated permissions, and pull_request_target without a fork guard exposes write tokens to fork PRs.


📝 Summary of Changes

  • Pinned all kubestellar/infra reusable workflow references from @main to immutable SHA af322d48cc67ade7345cabc6a0ed55c6c7040ee4
  • Added fork guard to copilot-automation.yml to block fork PRs from triggering elevated-permission pull_request_target path

Changes Made

  • Pinned reusable-add-help-wanted.yml@main → @af322d48cc67ade7345cabc6a0ed55c6c7040ee4 # main
  • Pinned reusable-ai-fix.yml@main → @af322d48cc67ade7345cabc6a0ed55c6c7040ee4 # main
  • Pinned reusable-assignment-helper.yml@main → @af322d48cc67ade7345cabc6a0ed55c6c7040ee4 # main
  • Pinned reusable-copilot-automation.yml@main → @af322d48cc67ade7345cabc6a0ed55c6c7040ee4 # main
  • Pinned reusable-copilot-dco.yml@main → @af322d48cc67ade7345cabc6a0ed55c6c7040ee4 # main
  • Pinned reusable-feedback.yml@main → @af322d48cc67ade7345cabc6a0ed55c6c7040ee4 # main
  • Pinned reusable-greetings.yml@main → @af322d48cc67ade7345cabc6a0ed55c6c7040ee4 # main
  • Pinned reusable-label-helper.yml@main → @af322d48cc67ade7345cabc6a0ed55c6c7040ee4 # main
  • Pinned reusable-pr-verifier.yml@main → @af322d48cc67ade7345cabc6a0ed55c6c7040ee4 # main
  • Pinned reusable-scorecard.yml@main → @af322d48cc67ade7345cabc6a0ed55c6c7040ee4 # main
  • Pinned reusable-stale.yml@main → @af322d48cc67ade7345cabc6a0ed55c6c7040ee4 # main
  • Added fork guard if condition to copilot-automation.yml

Fork guard added to copilot-automation.yml:

jobs:
  copilot-automation:
    if: >-
      github.event_name != 'pull_request_target' ||
      github.event.pull_request.head.repo.full_name == github.repository
    uses: kubestellar/infra/.github/workflows/reusable-copilot-automation.yml@af322d48cc67ade7345cabc6a0ed55c6c7040ee4  # main

Checklist

  • I have reviewed the project's contribution guidelines.
  • I have performed a self-review of my changes.
  • I have written unit tests for the changes (if applicable).
  • I have updated the documentation (if applicable).
  • I have tested the changes locally and ensured they work as expected.
  • All CI checks are passing.

Security Considerations

  • Dockerfiles — verified base images, avoided running as root
  • Kubernetes manifests — checked RBAC permissions and secrets handling
  • CI/CD workflows — inspected for command injection or credential exposure
  • Dependencies — validated new packages, checked for known vulnerabilities
  • Security configs — changes align with project security policies

Screenshots or Logs (if applicable)

N/A


👀 Reviewer Notes

All 11 workflow files previously referenced kubestellar/infra reusable workflows at the mutable @main ref. A compromised or unreviewed push to infra@main would silently execute with the permissions declared in each calling workflow (some with contents: write, pull-requests: write, etc.). The fork guard on copilot-automation.yml follows the pattern established in kubestellar/console.

Original prompt

Fix security issues #5940 and #5941 in kubestellar/docs repository.

Issue #5940: Pin reusable workflows to immutable commit SHAs

Nine workflows use kubestellar/infra reusable workflows at @main (mutable ref). Pin all to SHA af322d48cc67ade7345cabc6a0ed55c6c7040ee4.

Workflows to update:

  1. .github/workflows/add-help-wanted.yml - pin reusable-add-help-wanted.yml@main → @af322d48cc67ade7345cabc6a0ed55c6c7040ee4 # main
  2. .github/workflows/ai-fix.yml - pin reusable-ai-fix.yml@main → @af322d48cc67ade7345cabc6a0ed55c6c7040ee4 # main
  3. .github/workflows/assignment-helper.yml - pin reusable-assignment-helper.yml@main → @af322d48cc67ade7345cabc6a0ed55c6c7040ee4 # main
  4. .github/workflows/copilot-automation.yml - pin reusable-copilot-automation.yml@main → @af322d48cc67ade7345cabc6a0ed55c6c7040ee4 # main
  5. .github/workflows/copilot-dco.yml - pin reusable-copilot-dco.yml@main → @af322d48cc67ade7345cabc6a0ed55c6c7040ee4 # main
  6. .github/workflows/feedback.yml - pin reusable-feedback.yml@main → @af322d48cc67ade7345cabc6a0ed55c6c7040ee4 # main
  7. .github/workflows/greetings.yml - pin reusable-greetings.yml@main → @af322d48cc67ade7345cabc6a0ed55c6c7040ee4 # main
  8. .github/workflows/label-helper.yml - pin reusable-label-helper.yml@main → @af322d48cc67ade7345cabc6a0ed55c6c7040ee4 # main
  9. .github/workflows/pr-verifier.yml - pin reusable-pr-verifier.yml@main → @af322d48cc67ade7345cabc6a0ed55c6c7040ee4 # main
  10. .github/workflows/scorecard.yml - pin reusable-scorecard.yml@main → @af322d48cc67ade7345cabc6a0ed55c6c7040ee4 # main
  11. .github/workflows/stale.yml - pin reusable-stale.yml@main → @af322d48cc67ade7345cabc6a0ed55c6c7040ee4 # main

Issue #5941: Add fork guard to copilot-automation.yml

Add condition to prevent fork PRs from running with elevated permissions:

jobs:
  copilot-automation:
    if: >-
      github.event_name != 'pull_request_target' ||
      github.event.pull_request.head.repo.full_name == github.repository
    uses: kubestellar/infra/.github/workflows/reusable-copilot-automation.yml@af322d48cc67ade7345cabc6a0ed55c6c7040ee4  # main

Reference implementation: kubestellar/console/.github/workflows/copilot-automation.yml

Use DCO sign-off: git commit -s
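
Added example (not part of the PR or of the kubestellar repositories): a small audit that checks a workflow file for the two conditions this PR description addresses, a `uses:` reference that is not pinned to a full commit SHA and a job in a pull_request_target workflow that lacks the fork guard. It goes beyond the reusable-workflow case and flags any `uses:` with a mutable ref; the function names and the `on:` block in the sample are assumptions, and the guard check is a text match rather than a YAML parse.

```python
import re

# `uses:` with an @ref; local (./) and docker:// references are out of scope here.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*["']?(?!docker://)([^\s@#"']+)@([^\s#"']+)""")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
GUARD = "github.event.pull_request.head.repo.full_name == github.repository"

def unpinned_refs(text):
    """(line_no, target, ref) for each `uses:` whose ref is not a full commit SHA."""
    return [(no, m.group(1), m.group(2))
            for no, line in enumerate(text.splitlines(), 1)
            if (m := USES_RE.match(line)) and not SHA_RE.match(m.group(2))]

def unguarded_jobs(text):
    """Jobs without the fork guard in a workflow triggered by pull_request_target."""
    header, _, jobs_part = text.partition("\njobs:")
    if "pull_request_target" not in header:
        return []
    jobs, current = {}, None
    for line in jobs_part.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line.startswith(" "):
            break  # next top-level key ends the jobs map
        if m := re.match(r"^  ([\w-]+):\s*$", line):
            current = m.group(1)
            jobs[current] = []
        elif current:
            jobs[current].append(line)
    return [name for name, body in jobs.items()
            if GUARD not in " ".join(" ".join(body).split())]

# Constructed sample: the `on:` block is an assumption; the job follows the PR text.
TRIGGER = "on:\n  pull_request_target:\n    types: [opened]\n"
BEFORE = TRIGGER + """jobs:
  copilot-automation:
    uses: kubestellar/infra/.github/workflows/reusable-copilot-automation.yml@main
"""
AFTER = TRIGGER + """jobs:
  copilot-automation:
    if: >-
      github.event_name != 'pull_request_target' ||
      github.event.pull_request.head.repo.full_name == github.repository
    uses: kubestellar/infra/.github/workflows/reusable-copilot-automation.yml@af322d48cc67ade7345cabc6a0ed55c6c7040ee4  # main
"""

if __name__ == "__main__":
    for name, wf in (("before", BEFORE), ("after", AFTER)):
        print(name, unpinned_refs(wf), unguarded_jobs(wf))
```

A job that is flagged as unguarded still needs a human look: a guard written in a different but equivalent form will not match the string check.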

kubestellar-prow Bot added labels Jun 18, 2026:
  • do-not-merge/work-in-progress (Indicates that a PR should not merge because it is a work in progress.)
  • dco-signoff: no (Indicates the PR's author has not signed the DCO.)
@kubestellar-prow

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kubestellar-prow

Thanks for your pull request. Before we can look at it, you'll need to add a 'DCO signoff' to your commits.

📝 Please follow instructions in the contributing guide to update your commits with the DCO

Full details of the Developer Certificate of Origin can be found at developercertificate.org.

The list of commits missing DCO signoff:

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@netlify

netlify Bot commented Jun 18, 2026

Deploy Preview for kubestellar-docs failed. Why did it fail? →

Name Link
🔨 Latest commit 3729734
🔍 Latest deploy log https://app.netlify.com/projects/kubestellar-docs/deploys/6a3395b6c1ea930008738c0a

kubestellar-prow Bot added labels Jun 18, 2026:
  • needs-ok-to-test (Indicates a PR that requires an org member to verify it is safe to test.)
  • size/XS (Denotes a PR that changes 0-9 lines, ignoring generated files.)
@kubestellar-prow

Hi @Copilot. Thanks for your PR.

I'm waiting for a kubestellar member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Copilot AI changed the title from "[WIP] Fix security issues #5940 and #5941 in kubestellar/docs" to "Fix supply chain security: pin reusable workflows to SHA and add fork guard" Jun 18, 2026
Copilot AI requested a review from clubanderson June 18, 2026 06:55