Add option to build&push image on PR automatically #611
Conversation
mszostok
force-pushed
the
build-images-on-prs-v2
branch
from
742fdb7
to
9e340b7
Compare
There was a problem hiding this comment.
Please apply these two small comments and run the job again on your fork, just to confirm it works. We'll be ready to merge this (ofc if @PrasadG193 agrees with this approach) 👍
mszostok
force-pushed
the
build-images-on-prs-v2
branch
from
3c2b128
to
ed4f416
Compare
|
Hi @mszostok, As #615 will require that job with image build, maybe let's merge this? Generally it's LGTM from my side, but I would like to see it running on fork with the applied improvements before merge. Even after merge, we can apply any other suggestions if necessary 👍 We will refine the solution over time anyway. |
mszostok
force-pushed
the
build-images-on-prs-v2
branch
from
6a5a9f8
to
5619734
Compare
|
Hi @pkosiec Branch was rebased with the newest develop. I applied minor changes (628c1c7 5619734)
The example run is here: https://github.com/mszostok/botkube/actions/runs/2534149331 |
ISSUE TYPE
SUMMARY
Add an option to push the BotKube image automatically on PR. It's alternative approach for #604.
This PR will solve the problem with manual PR builds, e.g. we had that issue here:
golangci-lintand resolve all found issues #593Example run: https://github.com/mszostok/botkube/runs/6714112689?check_suite_focus=true
Fixes #590
To ensure that secrets won't be available for untrusted code, first we need to build the image and share it with the second job, which doesn't check out the untrusted code and can safely push an artifact to ghcr.io.
The flow is as follows:
Job1—runs untrusted code but without write repo perms
Job2—push built image with package write perms
Security
This article describes it well: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/