From 3fd3b741b65a77c9372d94523ae9ad666de2c7f7 Mon Sep 17 00:00:00 2001
From: Alan Rominger
Date: Tue, 21 Apr 2026 11:26:04 -0400
Subject: [PATCH] Correctly restrict push actions to ownership repos (#16398)

* Correctly restrict push actions to ownership repos
* Use standard action to see if push actions should run
* Run spec job for 2.6 and higher
* Be even more restrictve, do not push if on a fork
---
 .github/workflows/_repo-owns-branch.yml | 55 ++++++++++++++++++++++++
 .github/workflows/devel_images.yml | 11 +++--
 .github/workflows/spec-sync-on-merge.yml | 7 +++
 .github/workflows/upload_schema.yml | 5 +++
 4 files changed, 72 insertions(+), 6 deletions(-)
 create mode 100644 .github/workflows/_repo-owns-branch.yml

diff --git a/.github/workflows/_repo-owns-branch.yml b/.github/workflows/_repo-owns-branch.yml
new file mode 100644
index 0000000000..8d58b29997
--- /dev/null
+++ b/.github/workflows/_repo-owns-branch.yml
@@ -0,0 +1,55 @@
+---
+name: Repo Owns Branch
+
+# Reusable workflow that determines whether the current repository
+# owns the current branch for push operations.
+#
+# Ownership rules:
+# - ansible/awx owns: devel, feature_*
+# - ansible/tower owns: stable-*, release_*
+# - workflow_dispatch is always allowed
+#
+# All other repo/branch combinations are skipped.
+
+on:
+  workflow_call:
+    outputs:
+      should_run:
+        description: Whether this repo owns the current branch
+        value: ${{ jobs.check.outputs.should_run }}
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    outputs:
+      should_run: ${{ steps.check.outputs.should_run }}
+    steps:
+      - name: Check branch ownership
+        id: check
+        run: |
+          REPO="${{ github.repository }}"
+          BRANCH="${{ github.ref_name }}"
+          EVENT="${{ github.event_name }}"
+
+          if [[ "$EVENT" == "workflow_dispatch" ]]; then
+            echo "should_run=true" >> $GITHUB_OUTPUT
+            echo "Manual trigger — allowed"
+            exit 0
+          fi
+
+          # ansible/awx owns devel and feature_* branches
+          if [[ "$REPO" == "ansible/awx" ]] && [[ "$BRANCH" == "devel" || "$BRANCH" == feature_* ]]; then
+            echo "should_run=true" >> $GITHUB_OUTPUT
+            echo "Repository '$REPO' owns branch '$BRANCH'"
+            exit 0
+          fi
+
+          # ansible/tower owns stable-* and release_* branches
+          if [[ "$REPO" == "ansible/tower" ]] && [[ "$BRANCH" == stable-* || "$BRANCH" == release_* ]]; then
+            echo "should_run=true" >> $GITHUB_OUTPUT
+            echo "Repository '$REPO' owns branch '$BRANCH'"
+            exit 0
+          fi
+
+          echo "should_run=false" >> $GITHUB_OUTPUT
+          echo "Repository '$REPO' does not own branch '$BRANCH' — skipping"
diff --git a/.github/workflows/devel_images.yml b/.github/workflows/devel_images.yml
index 213d90b8ec..5cacb23ee0 100644
--- a/.github/workflows/devel_images.yml
+++ b/.github/workflows/devel_images.yml
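Review bot: The `run:` block of the `Check branch ownership` step interpolates `${{ github.repository }}`, `${{ github.ref_name }}` and `${{ github.event_name }}` directly into the shell script; `ref_name` is contributor-controlled on push events, and the standard hardening is to pass such context through the step's `env:` so the shell sees an ordinary variable instead of substituted text (the surrounding double quotes do not help, because substitution happens before bash runs). The three assignments at the top of the script should therefore be dropped in favour of an `env:` block, as below. Separately, the `workflow_dispatch` short-circuit writes `should_run=true` before the repository is examined, so a manual run on a fork is reported as owned; if the stated intent of not pushing from a fork is meant to cover manual runs, the `REPO` check should apply to that branch as well. Quoting the target as `>> "$GITHUB_OUTPUT"` would also match the quoting used for every other variable in the script.
```yaml
      - name: Check branch ownership
        id: check
        env:
          REPO: ${{ github.repository }}
          BRANCH: ${{ github.ref_name }}
          EVENT: ${{ github.event_name }}
        run: |
          # REPO, BRANCH and EVENT are supplied via the step env above
          # … unchanged: workflow_dispatch and ownership checks …
```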
@@ -12,7 +12,12 @@ on: - feature_* - stable-* jobs: + check-ownership: + uses: ./.github/workflows/_repo-owns-branch.yml + push-development-images: + needs: check-ownership + if: needs.check-ownership.outputs.should_run == 'true' runs-on: ubuntu-latest timeout-minutes: 120 permissions: @@ -30,12 +35,6 @@ jobs: make-target: awx-kube-buildx steps: - - name: Skipping build of awx image for non-awx repository - run: | - echo "Skipping build of awx image for non-awx repository" - exit 0 - if: matrix.build-targets.image-name == 'awx' && !endsWith(github.repository, '/awx') - - uses: actions/checkout@v4 with: show-progress: false diff --git a/.github/workflows/spec-sync-on-merge.yml b/.github/workflows/spec-sync-on-merge.yml index b98f27f9eb..9dbc330e1b 100644 --- a/.github/workflows/spec-sync-on-merge.yml +++ b/.github/workflows/spec-sync-on-merge.yml @@ -16,9 +16,16 @@ on: push: branches: - devel + - 'stable-2.[6-9]' + - 'stable-2.[1-9][0-9]' workflow_dispatch: # Allow manual triggering for testing jobs: + check-ownership: + uses: ./.github/workflows/_repo-owns-branch.yml + sync-openapi-spec: + needs: check-ownership + if: needs.check-ownership.outputs.should_run == 'true' name: Sync OpenAPI spec to central repo runs-on: ubuntu-latest permissions: diff --git a/.github/workflows/upload_schema.yml b/.github/workflows/upload_schema.yml index f9c2118523..9f4c4d7ddb 100644 --- a/.github/workflows/upload_schema.yml +++ b/.github/workflows/upload_schema.yml @@ -13,7 +13,12 @@ on: - feature_** - stable-** jobs: + check-ownership: + uses: ./.github/workflows/_repo-owns-branch.yml + push: + needs: check-ownership + if: needs.check-ownership.outputs.should_run == 'true' runs-on: ubuntu-latest timeout-minutes: 60 permissions:
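Review bot: The step removed in the second devel_images hunk (`Skipping build of awx image for non-awx repository`) only echoed and ran `exit 0` inside its own shell, so it never stopped the later build steps, and the new job-level gate does not cover that case either: `_repo-owns-branch.yml` reports ownership for `ansible/tower` on `stable-*`/`release_*` branches, where the `awx` matrix entry would still build unless the matrix (outside the hunk) excludes it. If skipping the awx image on non-awx repositories is still intended, the guard belongs on the build steps, e.g. `if: matrix.build-targets.image-name != 'awx' || endsWith(github.repository, '/awx')`, or as a matrix `exclude`. The three new `check-ownership` call jobs here, in spec-sync-on-merge and in upload_schema declare no `permissions`, so the called workflow inherits the caller's default token scope although it only reads context; `permissions: {}` on each call job keeps it to the minimum, since a called workflow can only narrow what it receives. The `push-development-images` job definition continues outside the hunk.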