ci: Allow PRs from external forks to run (specific) workflows #764

Open
orfeas-k opened this issue Nov 29, 2023 · 2 comments
Labels
enhancement New feature or request

Comments

@orfeas-k
Contributor

Why it needs to get done

Context

At the moment, all workflows in our CI require credentials. People outside of the Kubeflow GH group, sending PRs from a fork, won't be able to run any of the GH workflows. This is by design since we want to avoid access to our repos' credentials/secrets.

What we typically do is someone from our team will duplicate the PR to be able to run the CI. This goes both for parts of our CI that actually require credentials (like publish jobs and lib-check) but also for the rest of them (lint, unit and integration tests).

Goals

  • Ensure contributions from users outside the Kubeflow GH group can be merged in a standardized/smooth way while, at the same time, PRs run all must-pass workflows.
  • Avoid the hassle of having to duplicate PRs.

What needs to get done

  • Remove the CHARMCRAFT_CREDENTIALS.required: true from our CI in order to enable workflows to run.
  • Add a condition to lib-check job in order to run only when credentials secret is available. This way, on PRs from forks, the job will be Skipped (instead of Failed) while it will run on internal PRs. We're OK with omitting this check.
  • Refactor publish job in order to ensure that the job can build the charm (without publishing it). This way, on PRs from forks, we'll have the job only building the charm on PRs from forks. Note that we already build the charms during integration tests but in the past (and I'm quoting @ca-scribner on this), we've seen some discrepancies between the output from the publish jobs and charmcraft pack in our tests.

When is the task considered done

  • PRs from forks run all CI apart from lib-check job and publish part of publish job
@orfeas-k orfeas-k added the enhancement New feature or request label Nov 29, 2023
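
One way to implement the gating the issue asks for, added here as an example and not taken from the project's workflows. Only `CHARMCRAFT_CREDENTIALS`, `lib-check`, the publish job and `charmcraft pack` come from the issue; the `check-credentials` job, the step names and the placeholder commands are assumptions. The `secrets` context cannot be read in a job-level `if`, so a small gate job exposes a boolean output instead.

```yaml
# Hypothetical reusable workflow sketch.
on:
  workflow_call:
    secrets:
      CHARMCRAFT_CREDENTIALS:
        required: false   # was `required: true`; fork PRs receive no secrets

permissions:
  contents: read          # least privilege for code coming from forks

jobs:
  check-credentials:      # assumed helper job, not named in the issue
    runs-on: ubuntu-latest
    outputs:
      available: ${{ steps.probe.outputs.available }}
    steps:
      - id: probe
        env:
          CREDS: ${{ secrets.CHARMCRAFT_CREDENTIALS }}  # empty on fork PRs
        run: |
          # Report only presence; never echo the value itself.
          if [ -n "$CREDS" ]; then
            echo "available=true" >> "$GITHUB_OUTPUT"
          else
            echo "available=false" >> "$GITHUB_OUTPUT"
          fi

  lib-check:
    needs: check-credentials
    # Reported as Skipped (not Failed) when the secret is absent.
    if: needs.check-credentials.outputs.available == 'true'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Check libraries (placeholder)
        env:
          CHARMCRAFT_CREDENTIALS: ${{ secrets.CHARMCRAFT_CREDENTIALS }}
        run: echo "placeholder for the project's library check"

  publish:
    needs: check-credentials
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build charm (always runs; charmcraft assumed to be installed)
        run: charmcraft pack
      - name: Publish charm (placeholder, internal PRs only)
        if: needs.check-credentials.outputs.available == 'true'
        env:
          CHARMCRAFT_CREDENTIALS: ${{ secrets.CHARMCRAFT_CREDENTIALS }}
        run: echo "placeholder for the project's publish step"
```

On `pull_request` runs triggered from a fork, GitHub withholds repository secrets, so the probe yields `false` and the fork's code only ever executes in steps that hold no credential.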

Thank you for reporting us your feedback!

The internal ticket has been created: https://warthogs.atlassian.net/browse/KF-5061.

This message was autogenerated

@ca-scribner
Contributor

link for the comment above about how we ship different images than we test: #766
