Add option to build&push image on PR automatically #611
742fdb7 to 9e340b7
Just a few comments 🙂
Please apply these two small comments and run the job again on your fork, just to confirm it works. We'll be ready to merge this (ofc if @PrasadG193 agrees with this approach) 👍
3c2b128 to ed4f416
Hi @mszostok, as #615 will require that job with the image build, maybe let's merge this? Generally it's LGTM from my side, but I would like to see it running on a fork with the applied improvements before merging. Even after the merge, we can apply any other suggestions if necessary 👍 We will refine the solution over time anyway.
6a5a9f8 to 5619734
Hi @pkosiec, the branch was rebased onto the newest develop. I applied minor changes (628c1c7, 5619734).
The example run is here: https://github.com/mszostok/botkube/actions/runs/2534149331
LGTM - but please remove the `v` prefix if possible, to have a bit nicer tag. Thanks!
ISSUE TYPE
SUMMARY
Add an option to push the BotKube image automatically on PR. It's an alternative approach to #604.
This PR will solve the problem with manual PR builds, e.g. we had that issue here: golangci-lint and resolve all found issues #593
Example run: https://github.com/mszostok/botkube/runs/6714112689?check_suite_focus=true
Fixes #590
To ensure that secrets won't be available to untrusted code, we first need to build the image and share it with a second job, which doesn't check out the untrusted code and can safely push the artifact to ghcr.io.
The flow is as follows:
Job 1: runs the untrusted code, but without write permissions to the repository.
Job 2: pushes the built image, with package write permissions.
Security
This article describes it well: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
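As an added illustration of the two-job split described in this PR (this is not the botkube project's own workflow and not code from this PR), one way to lay it out in GitHub Actions: job 1 builds from the untrusted PR code with read-only permissions and no secrets, hands the image over as a workflow artifact, and job 2 never checks out the PR code and is the only job holding `packages: write`. The `pull_request_target` trigger, the image name `ghcr.io/example-org/example-image`, the artifact name `pr-image` and a Dockerfile at the repository root are assumptions.

```yaml
# Added example, not the botkube project's own workflow and not code from this PR.
# Job 1 builds from untrusted PR code with read-only permissions and no secrets;
# job 2 never checks out that code and is the only job holding packages:write.
# Assumptions: the pull_request_target trigger, the image name
# ghcr.io/example-org/example-image, the artifact name "pr-image" and a
# Dockerfile at the repository root.
name: Build and push PR image

on:
  pull_request_target:
    types: [opened, synchronize, reopened]

# Default-deny at the workflow level; each job requests only what it needs.
permissions: {}

env:
  IMAGE: ghcr.io/example-org/example-image   # assumption

jobs:
  build:
    name: "Job 1: build image from untrusted PR code (no write perms)"
    runs-on: ubuntu-latest
    permissions:
      contents: read   # the automatic token in this job can read, but cannot push code or packages
    steps:
      - name: Check out the PR head (untrusted code)
        uses: actions/checkout@v3
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          # Keep the token out of .git/config so untrusted build steps cannot read it.
          persist-credentials: false

      - name: Build image and export it as a tarball
        env:
          # Event data goes through env and is never interpolated into the script body,
          # so a crafted branch name or title cannot inject shell into this step.
          PR_NUMBER: ${{ github.event.pull_request.number }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          set -euo pipefail
          TAG="pr-${PR_NUMBER}-${HEAD_SHA::7}"      # no "v" prefix, as asked for in review
          docker build -t "${IMAGE}:${TAG}" .
          docker save "${IMAGE}:${TAG}" -o image.tar

      - name: Hand the built image to the trusted job
        uses: actions/upload-artifact@v3
        with:
          name: pr-image
          path: image.tar
          retention-days: 1

  push:
    name: "Job 2: push image (packages:write, no checkout)"
    runs-on: ubuntu-latest
    needs: build
    permissions:
      packages: write   # the only job that can write to ghcr.io
    steps:
      # Deliberately no actions/checkout here: nothing from the PR branch runs in this job.
      - name: Fetch the image tarball built by job 1
        uses: actions/download-artifact@v3
        with:
          name: pr-image

      - name: Log in to ghcr.io
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Load and push
        env:
          # Recompute the tag from the event instead of trusting a job output from the
          # untrusted job; anything job 1 emits is attacker-influenced data.
          PR_NUMBER: ${{ github.event.pull_request.number }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          set -euo pipefail
          TAG="pr-${PR_NUMBER}-${HEAD_SHA::7}"
          docker load -i image.tar   # loading layers does not execute anything inside the image
          docker push "${IMAGE}:${TAG}"
```

Two points worth checking in any variant of this layout: `pull_request_target` makes repository secrets available to the workflow as a whole, so the build job must not reference any `secrets.*` and its `permissions` block must keep the automatic token read-only; and the push job must not run `actions/checkout` or consume job outputs from the build job in a `run:` script without treating them as untrusted input. The article linked above describes the alternative of a plain `pull_request` workflow for the build plus a separate `workflow_run`-triggered workflow for the privileged push, which achieves the same separation without `pull_request_target`.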