feat(ci): update Docker PR push build strategy for forked PRs (#1812)
This change switches from pull_request to pull_request_target trigger, allowing PRs from forks to successfully build and push Docker images. The pull_request trigger provides a read-only GITHUB_TOKEN for fork PRs, even when permissions.packages is set to write. This caused builds to fail for external contributors. Using pull_request_target is safe here because: - We explicitly checkout the PR's head SHA - Only Docker build happens (isolated, no arbitrary code execution) - No untrusted scripts are run in the workflow context Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: kolaente <13721712+kolaente@users.noreply.github.com> Co-authored-by: kolaente <k@knt.li>
This commit is contained in:
parent
eaebcf68b1
commit
b38780e246
|
|
@ -1,7 +1,13 @@
|
|||
name: PR Docker Build
|
||||
|
||||
on:
|
||||
pull_request:
|
||||
# pull_request_target gives write access to GHCR even for PRs from forks.
|
||||
# This is safe because:
|
||||
# 1. We explicitly checkout the PR's head commit (no base branch code execution)
|
||||
# 2. We ONLY build a Docker image (isolated container, no workflow scripts from PR)
|
||||
# 3. No actions that execute PR code in the workflow context (no github-script, etc)
|
||||
# 4. Build happens in isolated Docker container with well-defined Dockerfile
|
||||
pull_request_target:
|
||||
|
||||
jobs:
|
||||
docker:
|
||||
|
|
@ -12,6 +18,12 @@ jobs:
|
|||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
|
||||
with:
|
||||
# For pull_request_target, we need to explicitly fetch the PR ref from forks
|
||||
# since the PR's commit SHA is not reachable in the base repository.
|
||||
# This is safe because no PR code is executed in workflow context.
|
||||
# Only Docker build uses the PR code (isolated in container).
|
||||
ref: refs/pull/${{ github.event.pull_request.number }}/head
|
||||
- name: Git describe
|
||||
id: ghd
|
||||
uses: proudust/gh-describe@v2
|
||||
|
|
|
|||
Loading…
Reference in New Issue