ci: add upstream folder change check

[christian-heusel]

Pull Request Template for Kubeflow Manifests

✏️ Summary of Changes

• ci: Add workflow to detect upstream folder changes in PRs

This potentially needs a follow-up PR as I was not able to test it properly, since on: pull_request actions don't get "write" tokens and on: pull_request_target actions don't run until commited to the default branch.

📦 Dependencies

none

🐛 Related Issues

none

✅ Contributor Checklist

• I have tested these changes with kustomize. See Installation Prerequisites.
• All commits are signed-off to satisfy the DCO check.
• I have considered adding my company to the adopters page to support Kubeflow and help the community, since I expect help from the community for my issue (see 1. and 2.).

[google-oss-prow]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign kimwnasptd for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[Copilot]

Pull request overview

This PR adds a GitHub Actions workflow to detect and warn about changes to upstream folders in pull requests. The workflow triggers on pull requests that modify files in any **/upstream/** path and outputs a warning if such changes are detected.

Changes:

• Added .github/workflows/check_upstream_changes.yaml workflow that detects modifications to upstream folder structures
• Added test string "Test123" to applications/volumes-web-app/upstream/base/cluster-role-binding.yaml

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File	Description
.github/workflows/check_upstream_changes.yaml	New workflow to detect upstream folder changes and emit warnings
applications/volumes-web-app/upstream/base/cluster-role-binding.yaml	Unintended test content added

[Copilot]

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 4 comments.

[Copilot]

The workflow uses the Issues Comments API endpoints (e.g., repos/.../issues/.../comments and repos/.../issues/comments/...) but the workflow permissions only grant pull-requests: write. Add issues: write (and keep pull-requests: write only if you also need PR-specific endpoints) so the gh api calls can reliably list/create/update PR comments.

Suggested change

	actions: read
	actions: read
	issues: write

[Copilot]

pull_request_target runs with write-capable tokens in the context of the base repository. Checking out github.event.pull_request.head.sha means this job will fetch and operate on untrusted fork/branch content, and it will also fail for fork PRs unless you explicitly checkout github.event.pull_request.head.repo.full_name (the head SHA typically is not present in the base repo). Consider avoiding checkout entirely and instead use the GitHub API to list changed files; if you must checkout the head, make sure it cannot influence any step that uses the write token.

Suggested change

	- name: Checkout
	uses: actions/checkout@v5
	with:
	fetch-depth: 0
	ref: ${{ github.event.pull_request.head.sha }}
	- name: Fetch master branch
	run: git fetch origin master
	- name: Detect changed upstream paths
	id: upstream_changes
	run: |
	changed=$(git diff-tree -r --no-commit-id --name-only origin/master..HEAD | grep '/upstream/' || true)
	- name: Detect changed upstream paths
	id: upstream_changes
	env:
	GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	run: |
	changed="$(
	gh api \
	"repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/files" \
	--paginate \
	--jq '.[] | .filename' | grep '/upstream/' || true
	)"

[Copilot]

This change detection is hard-coded to origin/master..HEAD (two-dot) and a separately fetched master branch. This can produce incorrect results for PRs that are not rebased (and for PRs targeting branches other than master). Prefer diffing the PR base vs head using the PR’s base.sha/base.ref and a merge-base aware comparison (triple-dot) so the changed file list matches what GitHub considers part of the PR.

Suggested change

	- name: Fetch master branch
	run: git fetch origin master
	- name: Detect changed upstream paths
	id: upstream_changes
	run: |
	changed=$(git diff-tree -r --no-commit-id --name-only origin/master..HEAD | grep '/upstream/' || true)
	- name: Fetch pull request base branch
	run: git fetch --no-tags --prune --depth=1 origin "${{ github.event.pull_request.base.ref }}"
	- name: Detect changed upstream paths
	id: upstream_changes
	run: |
	changed=$(git diff --name-only "${{ github.event.pull_request.base.sha }}...HEAD" | grep '/upstream/' || true)

[Copilot]

The PR-controlled changed_files output is interpolated directly into a Bash double-quoted string when building body. In Bash, file names containing command substitutions (e.g., $(...) or backticks) would be executed during assignment, which is especially dangerous in a pull_request_target workflow with a write token. Treat the file list as untrusted data: build the comment body using a single-quoted heredoc / --body-file approach (no shell evaluation), or escape $, backticks, and backslashes before embedding.

Suggested change

	body="${marker}
	⚠️ **Upstream folder changes detected**
	This PR modifies files inside one or more \`upstream\` folders. Changes to upstream manifests are usually wrong and should be reviewed carefully.
	**Changed upstream files:**
	\`\`\`
	${{ steps.upstream_changes.outputs.changed_files }}
	\`\`\`"
	existing=$(gh api "repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments" \
	--jq ".[] | select(.body | contains(\"$marker\")) | .id" | head -1)
	if [ -n "$existing" ]; then
	gh api "repos/${{ github.repository }}/issues/comments/$existing" \
	-X PATCH -f body="$body"
	else
	gh pr comment "${{ github.event.pull_request.number }}" --body "$body"
	comment_body_file="$(mktemp)"
	trap 'rm -f "$comment_body_file"' EXIT
	cat > "$comment_body_file" <<'EOF'
	<!-- upstream-changes-warning -->
	⚠️ **Upstream folder changes detected**
	This PR modifies files inside one or more `upstream` folders. Changes to upstream manifests are usually wrong and should be reviewed carefully.
	**Changed upstream files:**
	```
	EOF
	printf '%s\n' '${{ steps.upstream_changes.outputs.changed_files }}' >> "$comment_body_file"
	printf '```\n' >> "$comment_body_file"
	existing=$(gh api "repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments" \
	--jq ".[] | select(.body | contains(\"$marker\")) | .id" | head -1)
	if [ -n "$existing" ]; then
	gh api "repos/${{ github.repository }}/issues/comments/$existing" \
	-X PATCH -F "body=@$comment_body_file"
	else
	gh pr comment "${{ github.event.pull_request.number }}" --body-file "$comment_body_file"