Update Jenkins job to require maintainer trigger #1238

Merged

Collaborator

@lewijacn lewijacn commented Jan 17, 2025

Description

Require maintainer trigger on Jenkins jobs

pull_request_target events are special: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository

With changes...

When a maintainer creates a PR, pushes a change, or retries the Jenkins action on their own PR, the action will execute as normal:
image

However, when a non-maintainer performs any action that would trigger the Jenkins action (same as the list above), the action will fail early with an error message:
image

Issues Resolved

N/A

Testing

Personal fork testing

Check List

  • New functionality includes testing
  • Public documentation issue/PR created, if applicable.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

Signed-off-by: Tanner Lewis <[email protected]>
Signed-off-by: Tanner Lewis <[email protected]>
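
A fail-early gate of the kind the description above outlines can be written as a first step that compares the triggering login against a maintainer allowlist. The script below is an added example, not the workflow changed in this PR; the function names and the sample list are constructed, and it assumes the workflow passes in the login that triggered the run.

```shell
#!/bin/sh
# Added example (not from this PR): fail-early maintainer gate for a job
# that runs on pull_request_target. Names and sample data are constructed.

# Constructed allowlist: one GitHub login per line.
MAINTAINERS_SAMPLE='# constructed sample, not a real maintainer list
alice-maintainer
Bob-Maintainer'

# is_maintainer ACTOR LIST
# Returns 0 only when ACTOR equals one whole line of LIST, ignoring case
# (GitHub logins are case-insensitive).
is_maintainer() {
  # Accept only letters, digits and hyphens. Empty values, bot accounts
  # such as "name[bot]", and multi-line or pattern-like input are refused,
  # and comment lines in LIST can never match.
  case $1 in
    '' | *[!A-Za-z0-9-]*) return 1 ;;
  esac
  # -F literal string, -x whole line (no substring hits), -i ignore case.
  printf '%s\n' "$2" | grep -Fxiq -- "$1"
}

# require_maintainer ACTOR LIST
# Returns non-zero with a message on stderr so the job stops before any
# step that talks to Jenkins.
require_maintainer() {
  if is_maintainer "$1" "$2"; then
    echo "actor '$1' is a maintainer, continuing"
  else
    echo "actor '$1' is not a maintainer, a maintainer must trigger this job" >&2
    return 1
  fi
}
```

The whole-line match matters here: a login that merely contains or extends a maintainer's name must not pass the gate.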
@lewijacn lewijacn force-pushed the enforce-maintainer-jenkins branch from bf718f4 to 607bf5a January 17, 2025 15:38

codecov bot commented Jan 17, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 80.39%. Comparing base (a980069) to head (607bf5a).
Report is 2 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff            @@
##               main    #1238   +/-   ##
=========================================
  Coverage     80.39%   80.39%           
  Complexity     3094     3094           
=========================================
  Files           424      424           
  Lines         15742    15742           
  Branches       1066     1066           
=========================================
  Hits          12655    12655           
  Misses         2435     2435           
  Partials        652      652           
Flag Coverage Δ
unittests 80.39% <ø> (ø)

Member

@peternied peternied left a comment

This approach won't run these tests when non-maintainers are making changes; that doesn't seem correct. Please check with @opensearch-project/engineering-effectiveness on whether we have an incorrect setting in the GitHub Actions system.

Member

peternied commented Jan 17, 2025

If you look at your fork's settings for GitHub Actions - you can see this setting that seems relevant:
image

^ I think this setting is the desired configuration

@lewijacn
Collaborator Author

> If you look at your fork's settings for GitHub Actions - you can see this setting that seems relevant: image
>
> ^ I think this setting is the desired configuration

I'm pretty sure this setting is already enabled, since all of our other GitHub actions require maintainer approval before they will run. This one uses pull_request_target which is considered safe since it uses the base context, and bypasses this approval: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#controlling-changes-from-forks-to-workflows-in-public-repositories

@gaiksaya
Member

The current setting in this repo is as below:
image
Let me know if that needs to change to "Require approval for all external contributors". I believe this applies to all workflows and not just one.

@peternied peternied merged commit 3f0209e into opensearch-project:main Jan 17, 2025
22 checks passed
@peterzhuamazon
Member

A working example in the ml repo might be good to try:

Thanks.
