Add Repro Checks to `dev-*` branches

[CodeGat]

Background

Since the QA checks are run before the Repro checks in release-* branches, we might as well add them to dev-* as well. This gives the dev-* PRs the ability to test reproducibility before opening a release-* PR and potentially having to go back and open a dev-* PR again if one gets an unfavourable reproducibility result.

Considerations

• We will have to remove the requirement of Environments only being able to deploy to protected branches, as the it takes the source branch rather than the target branch.

[CodeGat]

Just working on the dev-* branch repro checks and have bumped into a security hole. The GitHub Environmment that allows us to deploy to Gadi only allows deployment from protected (source) branches (release-, dev- ) This protects us from bad actors modifying the workflow files and opening an (auto-CI-running) PR because they must first get it into `dev-via a pull request (which currently doesn’t access the Gadi Environment). In order to allow Environments (and hence repro) on PRs intodev-*`, we have three options:

• Require deployment review by a human for all PRs (reliant on a human which isn’t fast)
• Investigate requiring deployment review by a bot for all PRs which will be based on if the PR was opened by a member of staff (will require thonking time)
• Add branch protections for all branches (*) that restricts creation of branches to staff only (need to investigate this too) The root of the problem is that workflow files are editable, and PRs run those files automatically if on.pull_request. So we need a check outside of the file itself.

[anton-seaice]

There is a github setting "Fork pull request workflows from outside collaborators" which you can set to " Require approval for all outside collaborators " - I had assumed this would be sufficient ?

[CodeGat]

Yeah I'm starting to think the above security hole isn't as much of an issue. We lock down who has write access in our own org, and forks don't have access to upstream environments.