Use Pull Request Target for PRs

.github/workflows/container-ci.yaml

@@ -35,6 +35,10 @@ on:
         description: 'Enter Bash Env Variable Overrides in `KEY=VAL KEY2=VAL2` format:'
         required: false
         type: string
+      ref:
+        description: 'Enter Git Ref:'
+        required: true
+        type: string
       runner_label:
         description: 'Enter Validation Runner Label:'
         default: test-runner
@@ -66,6 +70,9 @@ on:
       no_start:
         required: false
         type: boolean
+      ref:
+        required: true
+        type: string
 jobs:
   ####################################################################################################
   # Compose Build
@@ -76,6 +83,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4
+      with:
+        ref: ${{ inputs.ref }}
     - name: Set Matrix
       id: build-matrix
       run: echo "matrix=$(jq -c . < ${{ inputs.group_dir }}/.actions.json)" >> $GITHUB_OUTPUT
@@ -93,6 +102,8 @@ jobs:
       group: ${{ steps.build-group.outputs.container-group }}
     steps:
     - uses: actions/checkout@v4
+      with:
+        ref: ${{ inputs.ref }}
       if: ${{ !inputs.no_build }}
     - uses: docker/login-action@v3
       with:
@@ -136,6 +147,8 @@ jobs:
       fail-fast: false
     steps:
     - uses: actions/checkout@v4
+      with:
+        ref: ${{ inputs.ref }}
     - uses: docker/login-action@v3
       with:
         registry: ${{ secrets.REGISTRY }}
@@ -164,6 +177,8 @@ jobs:
       matrix: ${{ steps.test-matrix.outputs.matrix }}
     steps:
     - uses: actions/checkout@v4
+      with:
+        ref: ${{ inputs.ref }}
     - name: Get Recipes
       id: test-matrix
       run: echo "matrix=$(find ${{ inputs.group_dir }} -type f -name 'tests.yaml' -exec dirname {} \; | jq -R -s -c 'split("\n")[:-1]')" >> $GITHUB_OUTPUT
@@ -181,6 +196,8 @@ jobs:
       with:
         egress-policy: audit
     - uses: actions/checkout@v4
+      with:
+        ref: ${{ inputs.ref }}
     - uses: docker/login-action@v3
       with:
         registry: ${{ secrets.REGISTRY }}

.github/workflows/dependency-review.yaml

@@ -25,14 +25,14 @@ on: [pull_request]
 permissions:
   contents: read
 concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
 jobs:
   dependency-review:
     runs-on: ubuntu-latest
     permissions:
       pull-requests: write
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/dependency-review-action@v4
-        with:
-          comment-summary-in-pr: true
+    - uses: actions/checkout@v4
+    - uses: actions/dependency-review-action@v4
+      with:
+        comment-summary-in-pr: true

.github/workflows/dockerhub-description.yml

@@ -15,29 +15,29 @@
 name: Docker Description Publish
 on:
   push:
-    branches: [ "main" ]
+    branches: ["main"]
 permissions: read-all
 jobs:
   setup-matrix:
     runs-on: ubuntu-latest
     outputs:
       matrix: ${{ steps.set-matrix.outputs.matrix }}
     steps:
-     - uses: actions/checkout@v4
-     - name: Set matrix data
-       id: set-matrix
-       run: echo "matrix=$(jq -c . < .github/dockerhub-readmes.json)" >> $GITHUB_OUTPUT
+    - uses: actions/checkout@v4
+    - name: Set matrix data
+      id: set-matrix
+      run: echo "matrix=$(jq -c . < .github/dockerhub-readmes.json)" >> $GITHUB_OUTPUT
   publish-dockerhub-description:
     runs-on: ubuntu-latest
     needs: setup-matrix
     strategy:
       matrix: ${{ fromJson(needs.setup-matrix.outputs.matrix) }}
       fail-fast: false
     steps:
-      - uses: actions/checkout@v4
-      - uses: peter-evans/dockerhub-description@v4
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_PASSWORD }}
-          repository: ${{ matrix.readmes.repo-name }}
-          readme-filepath: ${{ matrix.readmes.fname }}
+    - uses: actions/checkout@v4
+    - uses: peter-evans/dockerhub-description@v4
+      with:
+        username: ${{ secrets.DOCKERHUB_USERNAME }}
+        password: ${{ secrets.DOCKERHUB_PASSWORD }}
+        repository: ${{ matrix.readmes.repo-name }}
+        readme-filepath: ${{ matrix.readmes.fname }}

.github/workflows/docs.yaml

@@ -21,7 +21,7 @@ on:
     - main
 permissions: read-all
 concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
 jobs:
   mkdocs:
@@ -31,17 +31,17 @@ jobs:
       id-token: write
       pages: write
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
-        with:
-          python-version: 3.8
-          cache: pip
-      - name: Install python requirements
-        run: python -m pip install -r docs/requirements.txt
-      - name: Build
-        run: mkdocs build --clean
-      - uses: actions/upload-pages-artifact@v3
-        with:
-          path: site
-      - if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch)
-        uses: actions/deploy-pages@v4
+    - uses: actions/checkout@v4
+    - uses: actions/setup-python@v5
+      with:
+        python-version: 3.8
+        cache: pip
+    - name: Install python requirements
+      run: python -m pip install -r docs/requirements.txt
+    - name: Build
+      run: mkdocs build --clean
+    - uses: actions/upload-pages-artifact@v3
+      with:
+        path: site
+    - if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch)
+      uses: actions/deploy-pages@v4

.github/workflows/gitleaks.yaml

@@ -16,19 +16,22 @@ name: gitleaks
 on:
   push:
     branches:
-      - main
-  pull_request: null
+    - main
+  pull_request_target:
+    types: [opened, edited, reopened, synchronize]
+    branches: [main]
   workflow_dispatch: null
 permissions: read-all
 jobs:
   scan:
     name: gitleaks
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-      - uses: gitleaks/gitleaks-action@v2
-        env:
-          GITHUB_TOKEN: ${{ secrets.ACTION_TOKEN }}
-          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE}}
+    - uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+        ref: ${{ 'refs/pull/${{ github.event.number }}/merge' || 'main' }}
+    - uses: gitleaks/gitleaks-action@v2
+      env:
+        GITHUB_TOKEN: ${{ secrets.ACTION_TOKEN }}
+        GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE}}

.github/workflows/integration-test.yaml

@@ -12,49 +12,50 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
----
 name: Integration Tests
 on:
   merge_group: null
-  pull_request: null
+  pull_request_target:
+    types: [opened, edited, reopened, synchronize]
+    branches: [main]
 permissions: read-all
 concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
 jobs:
   group-diff:
     runs-on: ubuntu-latest
     outputs:
       groups: ${{ steps.group-list.outputs.FOLDERS }}
     steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-      - name: Output Modified Group Directories
-        id: group-list
-        run: |
-          # Get diff array filtered by specific filetypes
-          DIFF=$(git diff --diff-filter=d \
-              --name-only ${{ github.event.merge_group.base_sha || github.event.pull_request.base.sha }}...${{ github.event.merge_group.head_sha || github.event.pull_request.head.sha }} \
-              -- '*/*Dockerfile' '*.py' '*.yaml' '*.yml' '*.sh' '*/*requirements.txt' '*.json' | \
-              jq -R '.' | jq -sc '.' \
-          )
-          # Search for compose files in each file to determine the container groups
-          DOCKER_COMPOSE_PATHS=()
-          for path in $(echo $DIFF | jq -r '.[]'); do
-            while [[ "$path" != "." ]]; do
-              DIR_PATH=$(dirname "$path")
-              if [ -n "$(find "$DIR_PATH" -name 'docker-compose.yaml' -print -quit)" ] && [ "$DIR_PATH" != "." ]; then
-                DOCKER_COMPOSE_PATHS+=("$DIR_PATH")
-                path="."
-              else
-                path="$DIR_PATH"
-              fi
-            done
+    - uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+    - name: Output Modified Group Directories
+      id: group-list
+      run: |
+        # Get diff array filtered by specific filetypes
+        DIFF=$(git diff --diff-filter=d \
+            --name-only ${{ github.event.merge_group.base_sha || github.event.pull_request.base.sha }}...${{ github.event.merge_group.head_sha || github.event.pull_request.head.sha }} \
+            -- '*/*Dockerfile' '*.py' '*.yaml' '*.yml' '*.sh' '*/*requirements.txt' '*.json' | \
+            jq -R '.' | jq -sc '.' \
+        )
+        # Search for compose files in each file to determine the container groups
+        DOCKER_COMPOSE_PATHS=()
+        for path in $(echo $DIFF | jq -r '.[]'); do
+          while [[ "$path" != "." ]]; do
+            DIR_PATH=$(dirname "$path")
+            if [ -n "$(find "$DIR_PATH" -name 'docker-compose.yaml' -print -quit)" ] && [ "$DIR_PATH" != "." ]; then
+              DOCKER_COMPOSE_PATHS+=("$DIR_PATH")
+              path="."
+            else
+              path="$DIR_PATH"
+            fi
           done
-          # Convert the array to a JSON array
-          DOCKER_COMPOSE_PATHS_JSON=$(printf '%s\n' "${DOCKER_COMPOSE_PATHS[@]}" | jq -R '.' | jq -sc 'unique_by(.)')
-          echo "FOLDERS=$DOCKER_COMPOSE_PATHS_JSON" >> $GITHUB_OUTPUT
+        done
+        # Convert the array to a JSON array
+        DOCKER_COMPOSE_PATHS_JSON=$(printf '%s\n' "${DOCKER_COMPOSE_PATHS[@]}" | jq -R '.' | jq -sc 'unique_by(.)')
+        echo "FOLDERS=$DOCKER_COMPOSE_PATHS_JSON" >> $GITHUB_OUTPUT
   pipeline-ci:
     needs: group-diff
     if: needs.group-diff.outputs.groups != '[""]'
@@ -66,17 +67,18 @@ jobs:
     uses: ./.github/workflows/container-ci.yaml
     with:
       group_dir: ${{ matrix.group }}
+      ref: "refs/pull/${{ github.event.number }}/merge"
     secrets: inherit
   status-check:
-    needs: [ group-diff, pipeline-ci ]
+    needs: [group-diff, pipeline-ci]
     runs-on: ubuntu-latest
     if: always()
     steps:
-      - run: exit 1
-        if: >-
-          ${{
-               contains(needs.*.result, 'failure')
-            || contains(needs.*.result, 'cancelled')
-            || contains(needs.*.result, 'skipped')
-            && needs.group-diff.outputs.groups != '[""]'
-          }}
+    - run: exit 1
+      if: >-
+        ${{
+             contains(needs.*.result, 'failure')
+          || contains(needs.*.result, 'cancelled')
+          || contains(needs.*.result, 'skipped')
+          && needs.group-diff.outputs.groups != '[""]'
+        }}

.github/workflows/lint.yaml

@@ -12,37 +12,38 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
----
 name: Lint
 permissions: read-all
 on:
   merge_group: null
-  pull_request: null
+  pull_request_target:
+    types: [opened, edited, reopened, synchronize]
+    branches: [main]
   push:
     branches:
-      - develop
-      - main
+    - main
 concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
 jobs:
   lint:
     name: Lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-      - uses: super-linter/super-linter/slim@v6.5.1
-        env:
-          # To report GitHub Actions status checks
-          GITHUB_TOKEN: ${{ secrets.ACTION_TOKEN }}
-          GITHUB_ACTIONS_COMMAND_ARGS: '-ignore SC.*'
-          VALIDATE_BASH_EXEC: false
-          VALIDATE_CHECKOV: false
-          VALIDATE_HTML: false
-          VALIDATE_KUBERNETES_KUBECONFORM: false
-          VALIDATE_NATURAL_LANGUAGE: false
-          VALIDATE_PYTHON_FLAKE8: false
-          VALIDATE_PYTHON_MYPY: false
-          VALIDATE_PYTHON_RUFF: false
+    - uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+        ref: ${{ 'refs/pull/${{ github.event.number }}/merge' || 'main' }}
+    - uses: super-linter/super-linter/slim@v6.5.1
+      env:
+        # To report GitHub Actions status checks
+        GITHUB_TOKEN: ${{ secrets.ACTION_TOKEN }}
+        GITHUB_ACTIONS_COMMAND_ARGS: '-ignore SC.*'
+        VALIDATE_BASH_EXEC: false
+        VALIDATE_CHECKOV: false
+        VALIDATE_HTML: false
+        VALIDATE_KUBERNETES_KUBECONFORM: false
+        VALIDATE_NATURAL_LANGUAGE: false
+        VALIDATE_PYTHON_FLAKE8: false
+        VALIDATE_PYTHON_MYPY: false
+        VALIDATE_PYTHON_RUFF: false