Bypass actor validation for Image, Build, Test, Vul-Scan workflow triggered by forked PRs

[zhijie-yang]

• I have signed the CLA?
• I am following the CONTRIBUTING guidelines

Ping the @canonical/rocks team.

---

Description

According to the GitHub documentation, secrets are not passed to the runner when a workflow is triggered from a forked repository. Therefore, for forked PR, the actor validation will always fail. To cope with this issue, we allow the bypassing of actor validation for the Image, Build-Rock, Tests and Vulnerability-Scan workflows triggered with a forked pull request.

More security thought: The external user's PR workflow will only run upon approval by the repo's maintainer, so the chance of exploiting is considered low. The external user's PR will neither trigger Upload and Release workflows nor have the secrets in the main repo, so the secrets are safe from stealing.

Related issues

Failed Image workflow run: https://github.com/canonical/oci-factory/actions/runs/11048142134/job/30691724573

Tests

1. Actor validation is bypassed when a PR from a forked repo triggers the workflow. https://github.com/canonical/oci-factory/actions/runs/11069540851/job/30757337773?pr=252

[cjdcordeiro]

What made you change the plan for disabling it all together for PRs? (given that contacts.yaml files are incomplete)

[zhijie-yang]

The maintainers field of the contacts.yaml file should be properly inflated when the external contributor is onboarding the new image to the oci factory. In the forked PRs, the workflow after "Tests" won't be run by default. Once the new image is onboard, the contacts.yaml file should be ready, and the workflow should have green lights all the way through till the end.