-
Notifications
You must be signed in to change notification settings - Fork 33
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Workflow: PR Conditional Build and Push Image to Quay.io Repo #768
Conversation
This is solving only one part of the #241 We might want to create another github issue for |
@@ -207,4 +207,4 @@ jobs: | |||
username: ${{ secrets.IMG_REGISTRY_USERNAME }} | |||
password: ${{ secrets.IMG_REGISTRY_TOKEN }} | |||
- name: Print Image URL | |||
run: echo "Image pushed to ${{ steps.push-to-quay.outputs.registry-paths }}" | |||
run: echo "Image pushed to ${{ steps.push-to-quay.outputs.registry-paths }}" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nitpick: lets keep this line break so that the PR doesn't touch this file since it's doesn't change anything other than removing a line break
|
||
jobs: | ||
workflow-build: | ||
if: ${{ github.event_name == 'pull_request_target' && contains(github.event.pull_request.labels.*.name, 'forked_image_approved') }} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if: ${{ github.event_name == 'pull_request_target' && contains(github.event.pull_request.labels.*.name, 'forked_image_approved') }} | |
if: contains(github.event.pull_request.labels.*.name, 'forked_image_approved') |
I think we can simplify to this instead since we should only get events from pull_request_target
defined in the on
previously already
@didierofrivia re. #241, why do we want to trigger this job on pull requests? |
In other words, why do we want to push images to quay for forked repos? Build images make sense as it is yet another test |
secrets: inherit | ||
with: | ||
kuadrantOperatorVersion: ${{ github.event.pull_request.user.login }}-${{ github.event.pull_request.number }} | ||
kuadrantOperatorTag: ${{ github.event.pull_request.user.login }}-${{ github.event.pull_request.number }} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we should also consider to always remove the forked_image_approved
label regardless of whether the image build was successfull or not as an additional security measure - https://github.com/actions-ecosystem/action-remove-labels.
And also possibly disallow multiples of this workflow from running concurrently (i.e. I'm thinking someone might first get the label and then quickly push something that could leak our secrets so we should try to prevent/mitigate this from happening) 🤔 - https://docs.github.com/en/actions/using-jobs/using-concurrency
@eguzki @mikenairn I'd imagine for some testing during the review... would you reckon it's better to not build at all on PRs? |
I like building. It is "cheap" and I see it as another type of testing which needs to succeed. I do not think we should push to quay.io kuadrant org the builds from forks. What is the value? |
I see this as a way for some maintainers (such as me) that typically make PRs from forks rather than branches to run the image build since the image build flow is not run these "external" PRs. If QE or anyone want to build the image they can as it can serve as another type of test as @eguzki mentioned. Downside is this does allow for a security risk given the scope that the It can also potentially replace the |
Signed-off-by: dlaw4608 <[email protected]>
Signed-off-by: dlaw4608 <[email protected]>
Signed-off-by: dlaw4608 <[email protected]>
Going to close this as it doesn't look like it's a priority and not sure is this worth the security risk given the scope that the Will re-open if we want to explore this again. |
Closes: #241
To solve the issue of pull requests (PRs) coming from forks not being able to trigger the build and push of images, a new workflow has been implemented.
Summary:
This workflow leverages the pull_request_target event and performs the build and push only if the forked_image_approved label is applied to the PR. This ensures that only approved changes can trigger the image build and push process, maintaining security for secrets.
Verification Steps
Should look like this:
(https://github.com/user-attachments/assets/563717f2-9442-47fb-afbe-e0a83333e8cd)