From 35aef2ca376a50ff83648a3fb63a0ca769942b39 Mon Sep 17 00:00:00 2001
From: nicolethoen <nthoen@redhat.com>
Date: Tue, 28 Apr 2026 09:59:06 -0400
Subject: [PATCH 1/2] chore: update gh actions

---
 .github/workflows/label-pf-team-issue.yml |  9 +++++++++
 .github/workflows/pr-preview.yml          | 13 +++++++++++--
 2 files changed, 20 insertions(+), 2 deletions(-)
 create mode 100644 .github/workflows/label-pf-team-issue.yml

diff --git a/.github/workflows/label-pf-team-issue.yml b/.github/workflows/label-pf-team-issue.yml
new file mode 100644
index 00000000..9019ee29
--- /dev/null
+++ b/.github/workflows/label-pf-team-issue.yml
@@ -0,0 +1,9 @@
+name: Label PF Team issues
+on:
+  issues:
+    types:
+      - opened
+jobs:
+  label:
+    uses: patternfly/.github/.github/workflows/add-pf-team-label-workflow.yml@main
+    secrets: inherit
diff --git a/.github/workflows/pr-preview.yml b/.github/workflows/pr-preview.yml
index 430eb172..e690b26c 100644
--- a/.github/workflows/pr-preview.yml
+++ b/.github/workflows/pr-preview.yml
@@ -1,14 +1,23 @@
 ### WARNING -- this file was generated by generate-workflows
 name: pr-preview
-on: pull_request_target
+on:
+  pull_request_target:
+  issue_comment:
+    types: [created]
 jobs:
+  check-permissions:
+    uses: patternfly/.github/.github/workflows/check-team-membership.yml@main
+    secrets: inherit
+
   build-upload:
     runs-on: ubuntu-latest
+    needs: check-permissions
+    if: needs.check-permissions.outputs.allowed == 'true'
     env:
       SURGE_LOGIN: ${{ secrets.SURGE_LOGIN }}
       SURGE_TOKEN: ${{ secrets.SURGE_TOKEN }}
       GH_PR_TOKEN: ${{ secrets.GH_PR_TOKEN }}
-      GH_PR_NUM:   ${{ github.event.number }}
+      GH_PR_NUM:   ${{ needs.check-permissions.outputs.pr-number }}
     steps:
       - uses: actions/checkout@v4
       # Yes, we really want to checkout the PR

From 2d2fe08f9d50dea218ad6531ff1020da4bb1c820 Mon Sep 17 00:00:00 2001
From: nicolethoen <nthoen@redhat.com>
Date: Thu, 30 Apr 2026 20:45:09 -0400
Subject: [PATCH 2/2] ci(workflows): pin patternfly/.github reusable workflows
 to SHA

Replace @main with commit fdb52a63a2220ec8a3b6c2d43f312cda708ffa06 for reproducible, auditable runs.

Made-with: Cursor
---
 .github/workflows/label-pf-team-issue.yml | 2 +-
 .github/workflows/pr-preview.yml          | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/label-pf-team-issue.yml b/.github/workflows/label-pf-team-issue.yml
index 9019ee29..8ead60e2 100644
--- a/.github/workflows/label-pf-team-issue.yml
+++ b/.github/workflows/label-pf-team-issue.yml
@@ -5,5 +5,5 @@ on:
       - opened
 jobs:
   label:
-    uses: patternfly/.github/.github/workflows/add-pf-team-label-workflow.yml@main
+    uses: patternfly/.github/.github/workflows/add-pf-team-label-workflow.yml@fdb52a63a2220ec8a3b6c2d43f312cda708ffa06
     secrets: inherit
diff --git a/.github/workflows/pr-preview.yml b/.github/workflows/pr-preview.yml
index e690b26c..f70fd77e 100644
--- a/.github/workflows/pr-preview.yml
+++ b/.github/workflows/pr-preview.yml
@@ -6,7 +6,7 @@ on:
     types: [created]
 jobs:
   check-permissions:
-    uses: patternfly/.github/.github/workflows/check-team-membership.yml@main
+    uses: patternfly/.github/.github/workflows/check-team-membership.yml@fdb52a63a2220ec8a3b6c2d43f312cda708ffa06
     secrets: inherit
 
   build-upload: