avoid using pull_request_target in workflows

.github/PULL_REQUEST_TEMPLATE.md

@@ -20,3 +20,17 @@ Please explain the changes you made here.
 <!--
 Detailed instructions may help reviewers test this PR quickly and provide quicker feedback.
 -->
+
+## Building Container Images for Testing
+
+Need to test container images from this PR?
+
+**For Maintainers:** Triggering Builds
+To trigger a test image build, review the code and comment with the specific commit SHA you are approving:
+`/build-images <sha>` *(e.g., `/build-images a1b2c3d`)*
+
+*(You can find the short SHA at the bottom of the PR timeline or in the Commits tab).*
+
+**For Contributors:** Ask a maintainer to run `/build-images <sha>`
+
+Images will be built and pushed to Quay with links posted in comments.

.github/workflows/pr-bundle-diff-checks.yaml

@@ -1,93 +1,64 @@
 name: PR Bundle Manifests Validator
 
 on:
-  # pull_request_target needed to be able to commit and push bundle diffs to external fork PRs.
-  # But we included a manual authorization safeguard to prevent PWN requests. See the 'authorize' job below.
-  pull_request_target:
+  pull_request:
+    types: [opened, synchronize, reopened]
     branches:
-    - main
-    - rhdh-1.[0-9]+
-    - 1.[0-9]+.x
-    - release-1.[0-9]+
+      - main
+      - release-1.[0-9]+
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.number }}
   cancel-in-progress: true
 
 jobs:
-  authorize:
-    # The 'external' environment is configured with the repo maintainers team as required reviewers.
-    # All the subsequent jobs in this workflow 'need' this job, which will require manual approval for PRs coming from external forks.
-    # see list of approvers in OWNERS file
-    environment:
-      ${{ (github.event.pull_request.head.repo.full_name == github.repository ||
-      contains(fromJSON('["gazarenkov","nickboldt","rm3l","kim-tsao","kadel","Fortune-Ndlovu","subhashkhileri","zdrapela","openshift-cherrypick-robot", "OpinionatedHeron"]'), github.event.pull_request.user.login)) && 'internal' || 'external' }}
+  check-bundle:
+    name: Validate Bundle Manifests
     runs-on: ubuntu-latest
-    steps:
-      - name: approved
-        run: echo "✓"
+    timeout-minutes: 20
 
-  pr-bundle-diff-checks:
-    name: PR Bundle Diff
-    runs-on: ubuntu-latest
-    needs: authorize
-    permissions:
-      contents: write
-      pull-requests: write
     steps:
-      - name: Clean Go module cache
-        run: rm -rf "${GOMODCACHE:-$HOME/go/pkg/mod}" 
-
       - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
         with:
           fetch-depth: 0
-          repository: ${{github.event.pull_request.head.repo.full_name}}
-          ref: ${{ github.event.pull_request.head.sha }}
 
       - name: Setup Go
         uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
         with:
           go-version-file: 'go.mod'
 
-      - name: Check for outdated bundle or manifests
-        id: manifests-diff-checker
+      - name: Verify bundle manifests are up to date
         run: |
           make bundles build-installers
-          git status --porcelain
+
+          # Check if bundle manifests changed (ignoring createdAt timestamps)
           # Since operator-sdk 1.26.0, `make bundle` changes the `createdAt` field from the bundle every time we run it.
-          # The `git diff` below checks if only the createdAt field has changed. If is the only change, it is ignored.
+          # The `git diff` below checks if only the createdAt field has changed. If it is the only change, it is ignored.
           # Inspired from https://github.com/operator-framework/operator-sdk/issues/6285#issuecomment-1415350333
-          echo "MANIFESTS_CHANGED=$(if git diff --quiet -I'^    createdAt: ' bundle config dist; then echo "false"; else echo "true"; fi)" >> $GITHUB_OUTPUT
-
-      - name: Commit and push any manifest changes
-        if: ${{ steps.manifests-diff-checker.outputs.MANIFESTS_CHANGED == 'true' }}
-        run: |
-          git remote add fork "https://github.com/${{ github.event.pull_request.head.repo.full_name }}.git"
-          git fetch fork ${{ github.event.pull_request.head.ref }}
-          git checkout -B pr-branch fork/${{ github.event.pull_request.head.ref }}
-
-          git config user.name 'github-actions[bot]'
-          git config user.email 'github-actions[bot]@users.noreply.github.com'
+          if git diff --quiet -I'^    createdAt: ' bundle config dist; then
+            echo "✅ Bundle manifests are up to date"
+            exit 0
+          fi
 
-          git add -A .
-          git commit \
-            -m "Regenerate bundle/installer manifests" \
-            -m "Co-authored-by: $GITHUB_ACTOR <$GITHUB_ACTOR@users.noreply.github.com>"
+          # Bundle is out of sync - provide helpful error message
+          echo "::error::Bundle manifests are out of sync with the code"
+          echo ""
+          echo "❌ The bundle manifests need to be regenerated."
+          echo ""
+          echo "This usually happens when you modify:"
+          echo "  - CRD definitions (api/)"
+          echo "  - Operator manifests (config/manifests/)"
+          echo "  - RBAC permissions (config/rbac/)"
+          echo "  - Webhook configurations (config/webhook/)"
+          echo ""
+          echo "To fix this, run:"
+          echo "  make bundles build-installers"
+          echo "  git add bundle/ config/ dist/"
+          echo "  git commit -m 'chore: regenerate bundle manifests'"
+          echo "  git push"
+          echo ""
+          echo "Changed files:"
+          git diff --name-only -I'^    createdAt: ' bundle config dist
 
-          git push fork pr-branch:${{ github.event.pull_request.head.ref }}
-
-      - name: Comment on PR if manifests were updated
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
-        if: ${{ !cancelled() && steps.manifests-diff-checker.outputs.MANIFESTS_CHANGED == 'true' }}
-        continue-on-error: true
-        env:
-          GH_BLOB_VIEWER_BASE_URL: ${{github.event.pull_request.head.repo.html_url}}/blob/${{github.event.pull_request.head.ref}}
-        with:
-          script: |
-            await github.rest.issues.createComment({
-              issue_number: context.issue.number,
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              body: '⚠️ <b>Files changed in bundle and installer generation!</b><br/><br/>Those changes to the operator bundle/installer manifests should have been pushed automatically to your PR branch.<br/><br/><b>NOTE: </b>If the PR checks are stuck after this additional commit, manually close the PR and immediately reopen it to trigger the checks again.'
-            })
+          exit 1