ci: gate workflow changes from forks behind committer approval #4279

@Ma77Ball

Description

Task Summary

Forked PRs can execute arbitrary code in CI by modifying the build workflow file, since GitHub Actions runs the modified workflow on the fork's branch. This gives external contributors potential access to repository secrets and the CI environment without any maintainer review.

The current build workflow has no protection against this — any fork PR that modifies .github/workflows/github-action-build.yml will run the modified workflow immediately. This creates two problems:

  • Security risk: A malicious or accidental workflow change from a fork could expose repository secrets or compromise the CI environment without any committer review.
  • Inefficiency: Since there is currently no automated trust mechanism, contributors constantly have to wait for a committer to manually trigger CI runs on their PRs, creating unnecessary back-and-forth and slowing down both contributors and committers.

Priority

P2 – Medium

Task Type

  • Code Implementation
  • Documentation
  • Refactor / Cleanup
  • Testing / QA
  • DevOps / Deployment
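One way to implement the gate the issue asks for is a small check that runs before the real build and fails (so a committer has to look) whenever a PR from a fork touches anything under .github/workflows/. The following is an added example, not code from this project; it assumes the event payload has the shape of the GitHub pull_request webhook (head/base repo full_name) and that the changed-file list comes from `git diff --name-only base...head`.

```python
"""Gate check: flag pull requests that come from a fork AND modify GitHub
Actions workflow files, so a committer reviews them before CI runs them."""
import json
import os
import sys
from pathlib import PurePosixPath

# Directory GitHub Actions reads workflow definitions from.
WORKFLOW_DIR = PurePosixPath(".github/workflows")


def is_workflow_path(path: str) -> bool:
    """True for any file under .github/workflows/ (normalises leading './')."""
    return WORKFLOW_DIR in PurePosixPath(path).parents


def pr_is_from_fork(event: dict) -> bool:
    """A head repo that differs from the base repo is a fork. A deleted fork
    shows up as head.repo == None in the payload; treat that as untrusted too."""
    pr = event["pull_request"]
    head_repo = pr["head"]["repo"]
    if head_repo is None:
        return True
    return head_repo["full_name"] != pr["base"]["repo"]["full_name"]


def needs_committer_approval(event: dict, changed_files: list[str]) -> list[str]:
    """Return the workflow files a fork PR touches; empty list means no gate."""
    if not pr_is_from_fork(event):
        return []
    return sorted(f for f in changed_files if is_workflow_path(f))


# Constructed sample payload and diff listing (assumed, not from a real PR).
SAMPLE_EVENT = {"pull_request": {
    "head": {"repo": {"full_name": "contributor/project"}},
    "base": {"repo": {"full_name": "example-org/project"}},
}}
SAMPLE_CHANGED = [
    "src/main/java/Foo.java",
    ".github/workflows/github-action-build.yml",
    ".github/ISSUE_TEMPLATE/bug.md",
]

if __name__ == "__main__":
    # Inside a job, GITHUB_EVENT_PATH points at the real payload.
    event_path = os.environ.get("GITHUB_EVENT_PATH")
    event = json.load(open(event_path)) if event_path else SAMPLE_EVENT
    hits = needs_committer_approval(event, SAMPLE_CHANGED)
    if hits:
        print("workflow change from fork needs committer approval:", *hits)
        sys.exit(1)
    print("no gated workflow changes")
```

The check has to run in a context the fork cannot edit (e.g. a workflow on the base branch rather than the modified file itself), otherwise the fork simply deletes it.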

Metadata

Assignees

No one assigned

    Labels

    triage (Pending for triaging)
