Correctly restrict push actions to ownership repos (#16398)

* Correctly restrict push actions to ownership repos

* Use standard action to see if push actions should run

* Run spec job for 2.6 and higher

* Be even more restrictve, do not push if on a fork

.github/workflows/_repo-owns-branch.yml

@@ -0,0 +1,55 @@
+---
+name: Repo Owns Branch
+
+# Reusable workflow that determines whether the current repository
+# owns the current branch for push operations.
+#
+# Ownership rules:
+#   - ansible/awx owns: devel, feature_*
+#   - ansible/tower owns: stable-*, release_*
+#   - workflow_dispatch is always allowed
+#
+# All other repo/branch combinations are skipped.
+
+on:
+  workflow_call:
+    outputs:
+      should_run:
+        description: Whether this repo owns the current branch
+        value: ${{ jobs.check.outputs.should_run }}
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    outputs:
+      should_run: ${{ steps.check.outputs.should_run }}
+    steps:
+      - name: Check branch ownership
+        id: check
+        run: |
+          REPO="${{ github.repository }}"
+          BRANCH="${{ github.ref_name }}"
+          EVENT="${{ github.event_name }}"
+
+          if [[ "$EVENT" == "workflow_dispatch" ]]; then
+            echo "should_run=true" >> $GITHUB_OUTPUT
+            echo "Manual trigger — allowed"
+            exit 0
+          fi
+
+          # ansible/awx owns devel and feature_* branches
+          if [[ "$REPO" == "ansible/awx" ]] && [[ "$BRANCH" == "devel" || "$BRANCH" == feature_* ]]; then
+            echo "should_run=true" >> $GITHUB_OUTPUT
+            echo "Repository '$REPO' owns branch '$BRANCH'"
+            exit 0
+          fi
+
+          # ansible/tower owns stable-* and release_* branches
+          if [[ "$REPO" == "ansible/tower" ]] && [[ "$BRANCH" == stable-* || "$BRANCH" == release_* ]]; then
+            echo "should_run=true" >> $GITHUB_OUTPUT
+            echo "Repository '$REPO' owns branch '$BRANCH'"
+            exit 0
+          fi
+
+          echo "should_run=false" >> $GITHUB_OUTPUT
+          echo "Repository '$REPO' does not own branch '$BRANCH' — skipping"

.github/workflows/devel_images.yml

@@ -12,7 +12,12 @@ on:
       - feature_*
       - stable-*
 jobs:
+  check-ownership:
+    uses: ./.github/workflows/_repo-owns-branch.yml
+
   push-development-images:
+    needs: check-ownership
+    if: needs.check-ownership.outputs.should_run == 'true'
     runs-on: ubuntu-latest
     timeout-minutes: 120
     permissions:
@@ -30,12 +35,6 @@ jobs:
             make-target: awx-kube-buildx
     steps:
 
-      - name: Skipping build of awx image for non-awx repository
-        run: |
-          echo "Skipping build of awx image for non-awx repository"
-          exit 0
-        if: matrix.build-targets.image-name == 'awx' && !endsWith(github.repository, '/awx')
-
       - uses: actions/checkout@v4
         with:
           show-progress: false

.github/workflows/spec-sync-on-merge.yml

@@ -16,9 +16,16 @@ on:
   push:
     branches:
       - devel
+      - 'stable-2.[6-9]'
+      - 'stable-2.[1-9][0-9]'
   workflow_dispatch: # Allow manual triggering for testing
 jobs:
+  check-ownership:
+    uses: ./.github/workflows/_repo-owns-branch.yml
+
   sync-openapi-spec:
+    needs: check-ownership
+    if: needs.check-ownership.outputs.should_run == 'true'
     name: Sync OpenAPI spec to central repo
     runs-on: ubuntu-latest
     permissions:

.github/workflows/upload_schema.yml

@@ -13,7 +13,12 @@ on:
       - feature_**
       - stable-**
 jobs:
+  check-ownership:
+    uses: ./.github/workflows/_repo-owns-branch.yml
+
   push:
+    needs: check-ownership
+    if: needs.check-ownership.outputs.should_run == 'true'
     runs-on: ubuntu-latest
     timeout-minutes: 60
     permissions: