Spike: Restrict create-a-derived-table runners to specific branches / teams

[simon-pope]

User Story

As a CaDeT user
I want to ensure that only appropriate users of CaDet can develop workflows against external environments and require that relevant teams approve new workflows as they are created
So that workflows have stronger security guardrails are in place to ensure only the teams working directly with these external environments are able to trigger jobs against them

Value / Purpose

Ensure only appropriate users of create-a-derived-table can develop workflows against external environments / require that relevant teams approve new workflows as they are created.

Useful Contacts

No response

User Types

No response

Hypothesis

If we... [do a thing]
Then... [this will happen]

Proposal

From Feature Request:

Create-a-derived-table workflows using specific self-hosted runners can:

• only be run on a branch which isn't main following a code owner review by a github team linked with that runner
• ideally only be triggered manually by a member of the code owner github team and only if pointing to main (i.e. won't trigger if a user implements a manual trigger via workflow dispatch on another branch)
• can run as normal / automated schedule once the workflow is in main, without further approvals

Additional Information

No response

Definition of Done

• To be added in refinement

[github-actions]

This issue is being marked as stale because it has been open for 60 days with no activity. Remove stale label or comment to keep the issue open.