
Support CI PR contributions #45

Merged: thrix merged 1 commit into main from accept-pr-contributions on Apr 16, 2026

Conversation

@thrix thrix (Owner) commented Apr 16, 2026
  • From non-repository owners, an owner/member/collaborator approval is needed.
  • For an MR not opened from a fork, it should run automatically.

Summary by Sourcery

Gate container image CI for pull requests from forks, requiring maintainer approval while allowing trusted and same-repo contributions to run automatically.

New Features:

  • Add a dedicated workflow to handle container builds for pull requests from forks with optional maintainer-triggered test runs via issue comments.
  • Expose the main container build workflow as a callable workflow with inputs and secrets to support reuse from other workflows.

Enhancements:

  • Update the main container build workflow to skip fork-based pull requests directly and centralize git SHA and PR reference resolution for consistent image tagging and Testing Farm invocation.

sourcery-ai Bot commented Apr 16, 2026

Reviewer's Guide

Refactors the main container workflow to support being called from other workflows with explicit PR context, introduces ref/tag resolution logic, and adds a new pull_request_target/issue_comment workflow to safely run container builds for forked PRs with maintainer-controlled triggering.

Sequence diagram for maintainer-approved CI on forked pull requests

```mermaid
sequenceDiagram
  actor Contributor
  actor Maintainer
  participant GitHub
  participant container_pr_notify as container-pr.yml_notify
  participant container_pr_resolve as container-pr.yml_resolve
  participant container_pr_build as container-pr.yml_build
  participant container_workflow as container.yml_build
  participant TestingFarm
  participant GHCR

  Contributor->>GitHub: Open fork pull_request
  GitHub-->>container_pr_notify: pull_request_target opened
  GitHub-->>container_pr_resolve: pull_request_target opened

  alt Untrusted contributor (not OWNER/MEMBER/COLLABORATOR)
    container_pr_notify->>GitHub: Post comment (CI requires maintainer /test)
    note over container_pr_resolve: resolve job condition not satisfied
  end

  Maintainer->>GitHub: Add issue_comment "/test"
  GitHub-->>container_pr_resolve: issue_comment created

  alt Trusted maintainer comment
    container_pr_resolve->>GitHub: Fetch PR info via gh api
    container_pr_resolve->>container_pr_resolve: Determine pr_number and git_sha
    container_pr_resolve-->>container_pr_build: Expose outputs git_sha, pr_number

    container_pr_build-->>container_workflow: workflow_call container.yml
    activate container_workflow
    container_workflow->>container_workflow: Resolve refs (prefer inputs git_sha, pr_number)
    container_workflow->>container_workflow: Compute image tag (pr-<number>-<version>)
    container_workflow->>TestingFarm: Schedule build
    container_workflow->>GHCR: Use GHCR_TOKEN for auth
    deactivate container_workflow
  end
```

File-Level Changes

Change: Enable the main container workflow to be invoked via workflow_call with explicit inputs and secrets.
  • Add workflow_call trigger with required git_sha and pr_number string inputs.
  • Declare TESTING_FARM_API_TOKEN and GHCR_TOKEN as required secrets for workflow_call invocations.
Files: .github/workflows/container.yml, .github/workflows/container.yml.j2

Change: Unify git SHA and PR number resolution across push, pull_request, and workflow_call events and use it for image tagging and Testing Farm builds.
  • Add a Resolve refs step that determines pr_number and git_sha from workflow_call inputs, pull_request events, or push events.
  • Update the Compute image tag step to derive PR-prefixed tags from the resolved pr_number instead of directly from the GitHub event payload.
  • Change the Testing Farm scheduling step to use the resolved git_sha output instead of github.event.pull_request.head.sha.

Change: Avoid running the main container workflow directly for fork-origin PRs, delegating them to a dedicated PR workflow.
  • Add an if condition on the build job to skip pull_request events where the PR head repository differs from the base repository.
Files: .github/workflows/container.yml, .github/workflows/container.yml.j2

Change: Introduce a dedicated workflow to handle forked PRs with maintainer-gated CI triggering.
  • Create the container-pr.yml workflow, triggered by pull_request_target and issue_comment events, with minimal default permissions.
  • Add a notify job that comments on newly opened external fork PRs explaining that CI requires maintainer approval.
  • Add a resolve job that determines the PR number and head SHA either from trusted fork PRs or from /test comments by trusted users.
  • Add a build job that calls the main container workflow via uses with the resolved git_sha and pr_number, passing through the required secrets.
Files: .github/workflows/container-pr.yml


sourcery-ai Bot left a comment

Hey - I've found 1 issue, and left some high level feedback:

  • The /test trigger condition will match any comment starting with /test (e.g. /testfoo); if you intend to only allow a specific command, consider tightening the check (e.g. exact match or using a regex for /test(\s|$) after trimming).
  • The OWNER/MEMBER/COLLABORATOR checks are duplicated in both the pull_request_target and issue_comment conditions; consider extracting this into a single reusable expression via env or a job-level boolean to reduce maintenance overhead and the risk of divergence.
## Individual Comments

### Comment 1
<location path=".github/workflows/container.yml" line_range="11-14" />
<code_context>
   schedule:
     - cron: '0 4 * * 1'
   workflow_dispatch:
+  workflow_call:
+    inputs:
+      git_sha:
+        required: true
+        type: string
+      pr_number:
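Review bot: the new `git_sha` and `pr_number` inputs carry no `description:`, so a caller of the reusable workflow has nothing documenting the expected format (a full 40-character commit SHA rather than a branch name or short ref, a numeric PR id). Suggest adding a `description:` line to each input and, because `git_sha` is later used by the `Resolve refs` step to pick the checkout and the Testing Farm build target, having that step reject any value that is not a full hex SHA before it is used.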
</code_context>
<issue_to_address>
**issue (bug_risk):** Mixing `workflow_call` with `push/schedule/workflow_dispatch` can break because `inputs.*` is not available for non-reusable invocations.

Because this file now mixes normal triggers with `workflow_call`, any unconditional use of `inputs.*` (e.g. `inputs.pr_number` / `inputs.git_sha` in the `Resolve refs` step) will fail validation for `push`/`schedule`/`workflow_dispatch` runs, where the `inputs` context doesn’t exist.

To keep all triggers working, either:
- Move the reusable workflow (`workflow_call`) into its own file, or
- Guard `inputs.*` behind `if: ${{ github.event_name == 'workflow_call' }}` and use `github.sha` / event data for other triggers, or
- Restrict `inputs.*` to a job that only runs for `workflow_call`.

As written, non-`workflow_call` invocations are likely to break.
</issue_to_address>

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

@thrix thrix force-pushed the accept-pr-contributions branch 2 times, most recently from ccc3de8 to 52e65b2 Compare April 16, 2026 18:16
thrix (Owner, Author) commented Apr 16, 2026

@sourcery-ai please review

sourcery-ai Bot commented Apr 16, 2026

Sure! I'm generating a new review now.

sourcery-ai Bot left a comment

Hey - I've found 1 issue, and left some high level feedback:

  • The /test trigger in container-pr.yml uses an exact string comparison (github.event.comment.body == '/test'), which is quite brittle; consider allowing leading/trailing whitespace or commands like /test something (e.g., via startsWith or simple shell parsing) to make maintainer usage less error-prone.
  • In the notify job message you describe CI being triggered by a maintainer comment /test, but there is no mention of restrictions (e.g., only OWNER/MEMBER/COLLABORATOR) or the fact that same‑repo PRs are handled differently; consider updating the wording to more precisely reflect when and how contributors can expect tests to run.
## Individual Comments

### Comment 1
<location path=".github/workflows/container-pr.yml" line_range="12-17" />
<code_context>
+  issue_comment:
+    types: [created]
+
+permissions: {}
+
+jobs:
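Review bot: `issue_comment: types: [created]` fires for comments on plain issues as well as on pull requests, so the `resolve` job's `if` should also require `github.event.issue.pull_request` to be set, alongside the author-association and `/test` checks, before it calls `gh api` for PR data; otherwise a `/test` comment on an ordinary issue starts a job that fails looking up a PR that does not exist.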
</code_context>
<issue_to_address>
**🚨 suggestion (security):** Consider explicitly scoping `GITHUB_TOKEN` permissions to the minimal fields used by `gh`.

You already use `permissions: {}` at the workflow level and grant `pull-requests: write/read` at the job level, which is good. Since `gh` here only posts comments and reads PR metadata, you can likely narrow this to `permissions: { issues: write }` for the commenting job (it uses the issues comments API) and `pull-requests: read` only where PR data is needed. This keeps the token closer to least-privilege.

```suggestion
jobs:
  notify:
    runs-on: ubuntu-latest

    permissions:
      issues: write
      pull-requests: read
```
</issue_to_address>


sourcery-ai Bot commented Apr 16, 2026

Hey @thrix, I've posted a new review for you!

@thrix thrix force-pushed the accept-pr-contributions branch from 52e65b2 to ba1dfcb Compare April 16, 2026 18:22

Add `container-pr.yml` workflow to handle fork PR contributions:

- Same-repo PRs trigger `container.yml` directly via `pull_request`
  (secrets available, runs immediately)
- Fork PRs from trusted users (OWNER/MEMBER/COLLABORATOR) auto-trigger
  via `pull_request_target` in `container-pr.yml`
- External fork PRs require a maintainer to comment `/test` to trigger
  the build (`issue_comment` trigger)
- A comment is posted on newly opened external fork PRs informing the
  contributor that CI requires maintainer approval

`container-pr.yml` resolves the PR head SHA and calls `container.yml`
as a reusable workflow via `workflow_call`, avoiding matrix duplication.

Security improvements:
- Pass all GitHub context values through `env:` instead of inline
  `${{ }}` in `run:` blocks to prevent template injection
- Add explicit `permissions: {}` and least-privilege job permissions

Assisted-by: Claude Code
Signed-off-by: Miroslav Vadkerti <mvadkert@redhat.com>
thrix (Owner, Author) commented Apr 16, 2026

@sourcery-ai please review

sourcery-ai Bot commented Apr 16, 2026

Sure! I'm generating a new review now.

sourcery-ai Bot left a comment

Hey - I've left some high level feedback:

  • The trusted roles check (OWNER/MEMBER/COLLABORATOR) is duplicated in multiple if expressions; consider extracting this into a single reusable expression (via env or a composite action) to avoid drift if the trusted set ever changes.
  • The /test trigger currently requires the comment to start exactly with /test; if you intend to support variations like leading whitespace or casing (/Test, /test foo), consider normalizing the body or using a more flexible pattern.

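The gating described in the commit message and the `/test` matching discussed in the review comments above, as an added example that is not part of the PR's workflow files: shell functions a `run:` step could call with the event values handed in through `env:` rather than inline `${{ }}`. The function names, the `SAME_REPO` flag and the full-40-hex-SHA check are assumptions of this sketch, not something the repository defines.

```shell
#!/usr/bin/env bash
# Added example (not the repository's own workflow): the fork-PR gating decision
# as shell functions; in a real `run:` step all inputs arrive via `env:`, never
# inline ${{ }}, as the commit message describes.
set -eu

# Trusted associations kept in one place so the two triggers cannot drift.
TRUSTED_ROLES="OWNER MEMBER COLLABORATOR"

is_trusted() {  # $1 = author_association, e.g. "CONTRIBUTOR"
  local role
  for role in $TRUSTED_ROLES; do
    [ "$1" = "$role" ] && return 0
  done
  return 1
}

# Accept "/test" alone or followed by whitespace ("/test foo"), tolerate blanks
# and CRLF, but reject look-alikes such as "/testfoo".
is_test_command() {  # $1 = comment body
  local body
  body=$(printf '%s' "$1" | tr -d '\r')
  body="${body#"${body%%[![:space:]]*}"}"   # strip leading whitespace
  case "$body" in
    /test|/test[[:space:]]*) return 0 ;;
    *) return 1 ;;
  esac
}

is_sha() {  # $1 = candidate git_sha input; only a full 40-hex SHA passes
  case "$1" in ''|*[!0-9a-f]*) return 1 ;; esac
  [ "${#1}" -eq 40 ]
}

# decide EVENT ASSOCIATION BODY SAME_REPO -> prints "run" or "skip"
decide() {
  local event="$1" assoc="$2" body="$3" same_repo="$4"
  case "$event" in
    pull_request_target)         # same-repo PRs are handled by container.yml
      if [ "$same_repo" = true ]; then echo skip
      elif is_trusted "$assoc"; then echo run
      else echo skip; fi ;;
    issue_comment)               # only a trusted user's /test comment counts
      if is_trusted "$assoc" && is_test_command "$body"; then echo run
      else echo skip; fi ;;
    *) echo skip ;;
  esac
}
```

A `run:` step would call `decide "$GITHUB_EVENT_NAME" "$AUTHOR_ASSOCIATION" "$COMMENT_BODY" "$SAME_REPO"` with those names populated from `env:`, and feed the resolved SHA through `is_sha` before exporting it as the `git_sha` output.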

sourcery-ai Bot commented Apr 16, 2026

Hey @thrix, I've posted a new review for you!

@thrix thrix merged commit 7ee222d into main Apr 16, 2026
8 checks passed
@thrix thrix deleted the accept-pr-contributions branch April 16, 2026 19:24