fix(ci): allow checkout@v7 fork PR checkout with environment gate#5365

Closed. rnetser wants to merge 1 commit into RedHatQE:main from rnetser:fix/checkout-v7-unsafe-pr
Conversation

@rnetser rnetser commented Jun 24, 2026

Collaborator
What this PR does / why we need it:

actions/checkout@v7 (bumped in #5289) blocks fork PR checkouts in pull_request_target workflows by default to prevent "pwn request" attacks. This broke the utilities-unit-tests workflow for all fork PRs (e.g. #5355).

Fix: Add allow-unsafe-pr-checkout: true with an environment-based gate:

  • Org members (COLLABORATOR/MEMBER/OWNER) → run automatically (no environment)
  • Outside contributors → require maintainer approval via the external-pr-tests environment

Note: The external-pr-tests environment must be created in repo Settings → Environments with "Required reviewers" enabled for the gate to work. Without it, outside contributor PRs will fail with "environment not found".

Which issue(s) this PR fixes:

Fixes the Run Utilities Unit Tests check failure on fork PRs after checkout@v7 upgrade.

Special notes for reviewer:
  • The repo already has "Require approval for all external contributors" at the Actions level, so allow-unsafe-pr-checkout: true alone would be safe. The environment gate adds a second layer of defense.
  • v6 had the same behavior (checked out fork code silently) — v7 just made it explicit.
jira-ticket:

Summary by CodeRabbit

  • Chores
    • Improved how pull request tests are scheduled for internal vs. external contributions.
    • Updated test checkout settings to better support pull request validation.

actions/checkout@v7 blocks fork PR checkouts in pull_request_target
workflows by default. Add allow-unsafe-pr-checkout with an environment
gate: org members run automatically, outside contributors require
maintainer approval via the external-pr-tests environment.

Signed-off-by: rnetser <rnetser@redhat.com>

Co-authored-by: PI (claude-opus-4-6) <noreply@pi.dev>
Signed-off-by: rnetser <rnetser@redhat.com>
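The gate the description lays out, written out as a workflow fragment. This is an added example, not this PR's diff (which is not shown on the page); the job name, the step name and the tox invocation are assumptions. Same-repo PRs and org members get no environment (empty string), everyone else is routed to external-pr-tests, whose Required reviewers setting holds the job until a maintainer approves.

```yaml
# Added example: the shape of utilities-unit-tests.yml implied by the PR
# description. Job name, step name and the tox command are assumptions.
name: utilities-unit-tests

on:
  pull_request_target:
    types: [opened, synchronize, reopened]

permissions:
  contents: read

jobs:
  unit-tests:
    runs-on: ubuntu-latest
    # Org members (COLLABORATOR/MEMBER/OWNER) and same-repo branches run
    # with no environment; outside contributors are assigned
    # external-pr-tests, which must exist with "Required reviewers" enabled
    # or the job fails with "environment not found".
    environment: >-
      ${{ (github.event.pull_request.head.repo.full_name == github.repository
      || contains(fromJSON('["COLLABORATOR","MEMBER","OWNER"]'),
      github.event.pull_request.author_association))
      && '' || 'external-pr-tests' }}
    steps:
      - uses: actions/checkout@v7
        with:
          # pull_request_target runs with base-repo permissions, so v7 makes
          # checking out fork code an explicit opt-in; the environment above
          # is the gate that makes the opt-in acceptable.
          allow-unsafe-pr-checkout: true
          # Pin to the exact head commit a maintainer approved, not the
          # mutable branch ref.
          ref: ${{ github.event.pull_request.head.sha }}
          # The unit tests do not need to push, so drop the token.
          persist-credentials: false
      - name: Run Utilities Unit Tests
        run: tox  # assumption: the repo's tox default env runs the unit tests
```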
@openshift-virtualization-qe-bot-3

Contributor

Report bugs in Issues

Welcome! 🎉

This pull request will be automatically processed with the following features:

🔄 Automatic Actions

  • Reviewer Assignment: Reviewers are automatically assigned based on the OWNERS file in the repository root
  • Size Labeling: PR size labels (XS, S, M, L, XL, XXL) are automatically applied based on changes
  • Issue Creation: A tracking issue is created for this PR and will be closed when the PR is merged or closed
  • Branch Labeling: Branch-specific labels are applied to track the target branch
  • Auto-verification: Auto-verified users have their PRs automatically marked as verified
  • Labels: Enabled categories: branch, can-be-merged, cherry-pick, has-conflicts, hold, needs-rebase, size, verified, wip

📋 Available Commands

PR Status Management

  • /wip - Mark PR as work in progress (adds WIP: prefix to title)
  • /wip cancel - Remove work in progress status
  • /hold - Block PR merging (approvers only)
  • /hold cancel - Unblock PR merging
  • /verified - Mark PR as verified
  • /verified cancel - Remove verification status
  • /reprocess - Trigger complete PR workflow reprocessing (useful if webhook failed or configuration changed)
  • /regenerate-welcome - Regenerate this welcome message
  • /security-override - Set security check runs to pass (maintainers only)
  • /security-override cancel - Re-run security checks

Review & Approval

  • /lgtm - Approve changes (looks good to me)
  • /approve - Approve PR (approvers only)
  • /assign-reviewers - Assign reviewers based on OWNERS file
  • /assign-reviewer @username - Assign specific reviewer
  • /check-can-merge - Check if PR meets merge requirements

Testing & Validation

  • /retest tox - Run Python test suite with tox
  • /retest build-container - Rebuild and test container image
  • /retest verify-bugs-are-open - verify-bugs-are-open
  • /retest all - Run all available tests

Container Operations

  • /build-and-push-container - Build and push container image (tagged with PR number)
    • Supports additional build arguments: /build-and-push-container --build-arg KEY=value

Cherry-pick Operations

  • /cherry-pick <branch> - Schedule cherry-pick to target branch when PR is merged
    • Multiple branches: /cherry-pick branch1 branch2 branch3
  • /cherry-pick-retry <branch> - Retry a failed cherry-pick (merged PRs only)

Branch Management

  • /rebase - Rebase this PR branch onto its base branch

Label Management

  • /<label-name> - Add a label to the PR
  • /<label-name> cancel - Remove a label from the PR

✅ Merge Requirements

This PR will be automatically approved when the following conditions are met:

  1. Approval: /approve from at least one approver
  2. LGTM Count: Minimum 2 /lgtm from reviewers
  3. Status Checks: All required status checks must pass
  4. No Blockers: No wip, hold, has-conflicts labels and PR must be mergeable (no conflicts)
  5. Verified: PR must be marked as verified

📊 Review Process

Approvers and Reviewers

Approvers:

  • dshchedr
  • myakove
  • rnetser
  • vsibirsk

Reviewers:

  • RoniKishner
  • dshchedr
  • rnetser
  • vsibirsk

Available Labels

  • hold
  • verified
  • wip
  • lgtm
  • approve

AI Features

  • Cherry-Pick Conflict Resolution: Enabled (claude/claude-opus-4-6-1m)

Security Checks

  • Suspicious Path Detection: Monitors paths: .claude/, .vscode/, .cursor/, .devcontainer/, .pi/, .github/workflows/, .github/actions/
  • Committer Identity Check: Verifies last committer matches PR author
  • Mandatory: Security checks block merge (use /security-override to bypass — maintainers only)

💡 Tips

  • WIP Status: Use /wip when your PR is not ready for review
  • Verification: The verified label is removed on new commits unless the push is detected as a clean rebase
  • Cherry-picking: Cherry-pick labels are processed when the PR is merged
  • Container Builds: Container images are automatically tagged with the PR number
  • Permission Levels: Some commands require approver permissions
  • Auto-verified Users: Certain users have automatic verification and merge privileges

For more information, please refer to the project documentation or contact the maintainers.

coderabbitai Bot commented Jun 24, 2026

Contributor

Caution

Review failed

Pull request was closed or merged during review

📝 Walkthrough

The utilities-unit-tests.yml workflow gains a conditional environment field: PRs from the same repo or from COLLABORATOR/MEMBER/OWNER authors run without a scoped environment, while all others are assigned external-pr-tests. The checkout step also adds allow-unsafe-pr-checkout: true.

Changes

Utilities Unit Tests Workflow — PR Environment Gating

  • Layer: Environment gating and unsafe checkout
  • File(s): .github/workflows/utilities-unit-tests.yml
  • Summary: Adds a conditional environment value that assigns external-pr-tests to contributors who are not the repo owner and not a COLLABORATOR, MEMBER, or OWNER; also sets allow-unsafe-pr-checkout: true on the checkout step.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Caution

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error)

  • Stp Link Required: ❌ Error. Added test file tests/storage/disk_preallocation/test_disk_preallocation.py has a Jira docstring link but no # marker. Resolution: Add # <skip-jira-utils-check> to the Jira line in the module docstring, or replace it with STP:/RFE: if appropriate.

✅ Passed checks (4 passed)

  • Title check: ✅ Passed. The title clearly summarizes the CI checkout gate change and stays within the length limit.
  • Description check: ✅ Passed. The description matches the required template and covers the change, issue, and reviewer notes; only the Jira field is left blank.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
Warning

Review ran into problems

🔥 Problems

Linked repositories: Your configuration references 1 linked repositories, but your current plan allows 0. Analyzed ``, skipped RedHatQE/openshift-virtualization-tests-design-docs.

rnetser commented Jun 24, 2026

Collaborator Author

Opened in error — closing.

@rnetser rnetser closed this Jun 24, 2026