From 225e932dd014f2c12ba97ec03bcea03a3c5fbafd Mon Sep 17 00:00:00 2001
From: rnetser <rnetser@redhat.com>
Date: Wed, 24 Jun 2026 14:51:40 +0300
Subject: [PATCH] fix(ci): allow checkout@v7 fork PR checkout with environment
 gate

actions/checkout@v7 blocks fork PR checkouts in pull_request_target
workflows by default. Add allow-unsafe-pr-checkout with an environment
gate: org members run automatically, outside contributors require
maintainer approval via the external-pr-tests environment.

Signed-off-by: rnetser <rnetser@redhat.com>

Co-authored-by: PI (claude-opus-4-6) <noreply@pi.dev>
Signed-off-by: rnetser <rnetser@redhat.com>
---
 .github/workflows/utilities-unit-tests.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/utilities-unit-tests.yml b/.github/workflows/utilities-unit-tests.yml
index 95c2320186..5b70ab060f 100644
--- a/.github/workflows/utilities-unit-tests.yml
+++ b/.github/workflows/utilities-unit-tests.yml
@@ -15,6 +15,8 @@ jobs:
     name: Run Utilities Unit Tests
     runs-on: ubuntu-latest
     timeout-minutes: 15
+    # Org members run automatically; outside contributors need maintainer approval
+    environment: ${{ (github.event.pull_request.head.repo.full_name == github.repository || contains(fromJSON('["COLLABORATOR","MEMBER","OWNER"]'), github.event.pull_request.author_association)) && '' || 'external-pr-tests' }}
     permissions:
       contents: read
       pull-requests: read
@@ -27,6 +29,7 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.sha }}
           fetch-depth: 0
+          allow-unsafe-pr-checkout: true
 
       - name: Install uv
         uses: astral-sh/setup-uv@v8.2.0