From 67c55ba3734a0761e4d166e69904b436ea3759d8 Mon Sep 17 00:00:00 2001
From: Chris Andreae
Date: Sun, 30 Jul 2023 22:57:56 +0900
Subject: [PATCH] Run container build action as a `pull_request_target`

Ensuring that it can only be run on PRs from the same repository. This means that it will be run even when the PR doesn't merge, and against the PR head rather than the merge.
---
 .github/workflows/build-container.yml | 32 ++++++++++++++-------------
 lambda/api_version.txt | 1 +
 2 files changed, 18 insertions(+), 15 deletions(-)
 create mode 100644 lambda/api_version.txt

diff --git a/.github/workflows/build-container.yml b/.github/workflows/build-container.yml
index 1c701b32df2..f460ffe9065 100644
--- a/.github/workflows/build-container.yml
+++ b/.github/workflows/build-container.yml
@@ -2,17 +2,16 @@ name: Build Compiler Service Container
 on:
   push:
-    branches:
-      - 'main'
     tags:
-      - '*'
-  pull_request:
+      - "*"
+  pull_request_target:
     branches:
       - main
 jobs:
   build:
-    if: github.repository == 'moergo-sc/zmk'
+    # This job must never be run on a PR from outside the same repository
+    if: github.repository == 'moergo-sc/zmk' && (github.event.pull_request == null || github.event.pull_request.head.repo.full_name == github.repository)
     runs-on: ubuntu-latest
     # These permissions are needed to interact with GitHub's OIDC Token endpoint.
     permissions:
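Review bot: The comment above the new `if:` states the rule but not the reason, and the reason is what a future editor needs in order to keep the guard intact: under `pull_request_target` this job runs with the base repository's secrets (the OIDC role and `CACHIX_AUTH_TOKEN` used in later steps) and a write-scoped `GITHUB_TOKEN` while it checks out and builds code from the PR head, so the same-repository check is the only thing separating a fork PR from those credentials. Suggest expanding it to `# pull_request_target runs with this repo's secrets and token while building the PR head; never weaken this same-repository check.` The `github.event.pull_request == null` arm correctly lets tag pushes through. The `permissions:` block starts on the hunk's last line and its entries are outside the hunk, so I cannot confirm that `contents` is limited to `read`; that is worth checking alongside this change.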
@@ -22,9 +21,14 @@ jobs:
       ECR_REPOSITORY: zmk-builder-lambda
       VERSIONS_BUCKET: glove80firmwarepipelines-compilerversionsbucket44-zubaquiyjdam
       UPDATE_COMPILER_VERSIONS_FUNCTION: arn:aws:lambda:us-east-1:431227615537:function:Glove80FirmwarePipelineSt-UpdateCompilerVersions2A-CNxPOHb4VSuV
-      REVISION_TAG: ${{ github.sha }}
+      REVISION_TAG: ${{ github.event.pull_request && github.event.pull_request.head.sha || github.sha }}
+      PR_NUMBER: ${{ github.event.number }}
     steps:
       - uses: actions/checkout@v2.4.0
+        with:
+          repository: moergo-sc/zmk
+          ref: ${{ github.event.pull_request && github.event.pull_request.head.sha || github.sha }}
+          fetch-depth: 0
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@v1
         with:
@@ -33,16 +37,12 @@ jobs:
       - name: Extract container name from branch name
         shell: bash
         run: |
-          if [ "$GITHUB_REF" = "refs/heads/main" ]; then
-            tag="branch.main"
-          elif [ "$GITHUB_HEAD_REF" ]; then
-            pr=${GITHUB_REF#refs/pull/}
-            pr=${pr%/merge}
-            tag="pr${pr}.${GITHUB_HEAD_REF}"
+          if [ "$GITHUB_HEAD_REF" ]; then
+            tag="pr${PR_NUMBER}.${GITHUB_HEAD_REF}"
           elif [[ "$GITHUB_REF" == refs/tags/* ]]; then
             tag="${GITHUB_REF#refs/tags/}"
           else
-            echo "Not a release branch or tag" >&2
+            echo "Not a pull request or release tag" >&2
             exit 1
           fi
           # Replace / with . in container tag names
@@ -58,7 +58,7 @@ jobs:
       - uses: cachix/cachix-action@v12
         with:
           name: moergo-glove80-zmk-dev
-          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+          authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}"
       - name: Build lambda image
         run: nix-build release.nix --arg revision "\"${REVISION_TAG}\"" -A directLambdaImage -o directLambdaImage
       - name: Import OCI image into docker-daemon
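Review bot: The checkout step now places PR-head code into a `pull_request_target` run, and `actions/checkout` persists the job's `GITHUB_TOKEN` into `.git/config` by default, where the later `nix-build release.nix` of that same checkout can read it; since none of the visible steps push to git, add `persist-credentials: false` under the new `with:` block. The head-sha expression is also duplicated between `REVISION_TAG` and `ref:`, and `ref: ${{ env.REVISION_TAG }}` keeps the two from drifting apart. `PR_NUMBER` is empty on tag pushes, which is harmless because the tag script in the next hunk only reads it when `GITHUB_HEAD_REF` is set.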
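Review bot: `tag="pr${PR_NUMBER}.${GITHUB_HEAD_REF}"` embeds the PR source branch name verbatim, and git permits characters in branch names (for example `+`, `#`, `%`) that an OCI image tag does not, since a tag must match `[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}`; the `/` replacement that follows the hunk handles only one such case. A single validation line after that substitution, such as `[[ "$tag" =~ ^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$ ]] || { echo "Invalid container tag: $tag" >&2; exit 1; }`, would fail fast with a clear message instead of at the later `docker tag`. The rest of this step's script continues outside the hunk.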
@@ -76,11 +76,13 @@ jobs:
         run: |
           digest="$(docker inspect --format='{{index .RepoDigests 0}}' $REGISTRY/$ECR_REPOSITORY:$REVISION_TAG)"
           digest="${digest##*@}"
-          jq -n '{ name: $name, revision: $revision, branch: $branch, digest: $digest }' \
+          api_version="$(cat lambda/api_version.txt)"
+          jq -n '$ARGS.named' \
             --arg name "$CONTAINER_NAME" \
             --arg revision "$REVISION_TAG" \
             --arg branch "$GITHUB_REF" \
             --arg digest "$digest" \
+            --arg api_version "$api_version" \
             > "/tmp/$CONTAINER_NAME.json"
       - name: Upload image metadata file to versions bucket
         run: aws s3 cp "/tmp/$CONTAINER_NAME.json" "s3://$VERSIONS_BUCKET/images/$CONTAINER_NAME.json"
diff --git a/lambda/api_version.txt b/lambda/api_version.txt
new file mode 100644
index 00000000000..d00491fd7e5
--- /dev/null
+++ b/lambda/api_version.txt
@@ -0,0 +1 @@
+1
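Review bot: `--arg branch "$GITHUB_REF"` changes meaning with this commit: in a `pull_request_target` run `GITHUB_REF` is the base branch (`refs/heads/main`), whereas the old `pull_request` trigger produced `refs/pull/N/merge`, so every PR build will now record the same `branch` value in its metadata file and the PR is no longer identifiable from it. If the consumer of these files distinguishes builds by `branch`, pass the head ref instead, e.g. `--arg branch "${GITHUB_HEAD_REF:-$GITHUB_REF}"`. The new `api_version` is read from `lambda/api_version.txt` in the PR-head checkout and forwarded unvalidated; the consumer presumably expects a number, so a check such as `[[ "$api_version" =~ ^[0-9]+$ ]] || { echo "Invalid api_version: $api_version" >&2; exit 1; }` before the `jq` call would catch a malformed file early. The `run:` step begins before the hunk, so its shell options are not visible here.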