From 9c8772a6ab870aa37fd3d95cd99bc01208f1a4e9 Mon Sep 17 00:00:00 2001 From: Mirko Curtolo Date: Tue, 21 Oct 2025 18:07:20 +0200 Subject: [PATCH 1/3] Fix checkout of untrusted code in a privileged context --- .github/workflows/calculate-size-delta.yml | 66 ++++++++++++++++++---- 1 file changed, 56 insertions(+), 10 deletions(-) diff --git a/.github/workflows/calculate-size-delta.yml b/.github/workflows/calculate-size-delta.yml index 34eb2d27..c13519bf 100644 --- a/.github/workflows/calculate-size-delta.yml +++ b/.github/workflows/calculate-size-delta.yml @@ -7,7 +7,6 @@ on: permissions: contents: read - pull-requests: write jobs: build: 
@@ -37,18 +36,42 @@ jobs: run: | if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then echo "Searching for PR from branch '${{ github.ref_name }}'..." - PR_NUMBER=$(gh pr list --state open --head "${{ github.ref_name }}" --json number --jq '.[0].number // empty') + UPSTREAM_REPO=$(gh api repos/${{ github.repository }} --jq '.parent.full_name // empty') + + if [ -n "$UPSTREAM_REPO" ]; then + echo "This is a fork. Upstream repository: $UPSTREAM_REPO" + # Get current repo owner and branch + CURRENT_USER=$(gh api repos/${{ github.repository }} --jq '.owner.login') + BRANCH_NAME="${{ github.ref_name }}" + echo "Searching in upstream for PR from $CURRENT_USER:$BRANCH_NAME" + + # Use API to search for PR with matching head + PR_NUMBER=$(gh api "repos/$UPSTREAM_REPO/pulls?state=open&head=$CURRENT_USER:$BRANCH_NAME" --jq '.[0].number // empty') + + if [ -z "$PR_NUMBER" ]; then + echo "Not found with API, trying gh pr list..." + PR_NUMBER=$(gh pr list --repo "$UPSTREAM_REPO" --state open --json number,headRefName,headRepositoryOwner \ + --jq ".[] | select(.headRefName == \"$BRANCH_NAME\" and .headRepositoryOwner.login == \"$CURRENT_USER\") | .number") + fi + TARGET_REPO="$UPSTREAM_REPO" + else + echo "This is not a fork. Searching in current repo..." + PR_NUMBER=$(gh pr list --state open --head "${{ github.ref_name }}" --json number --jq '.[0].number // empty') + TARGET_REPO="${{ github.repository }}" + fi else # For issue_comment, the PR number is in the event context PR_NUMBER=${{ github.event.issue.number }} + TARGET_REPO="${{ github.repository }}" fi if [ -z "$PR_NUMBER" ]; then echo "Could not find an associated open pull request." else - echo "Found PR #$PR_NUMBER" + echo "Found PR #$PR_NUMBER in repo $TARGET_REPO" fi echo "pr_number=$PR_NUMBER" >> $GITHUB_OUTPUT + echo "target_repo=$TARGET_REPO" >> $GITHUB_OUTPUT - name: Checkout PR Branch (for comment trigger) if: github.event_name == 'issue_comment' 
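Review bot: `${{ github.ref_name }}` is expanded by the expression engine directly into this shell script — the `echo "Searching for PR from branch '…'"` line, `BRANCH_NAME="${{ github.ref_name }}"` and both `gh pr list --head "${{ github.ref_name }}"` calls — so a branch name containing shell metacharacters becomes part of the script before `gh` ever runs; `workflow_dispatch` limits that to people who can already push a branch, but the mitigation is two lines: give the step `env: REF_NAME: ${{ github.ref_name }}` and reference `"$REF_NAME"` inside the script (the step's `- name:`/`id:` header sits above this hunk). The third patch's `@@ -36,42 +36,22 @@` hunk keeps the same pattern and additionally splices the value into a jq filter (`select(.headRefName == \"${{ github.ref_name }}\")`), where a `"` in the name breaks the filter, and the truncated `comment-results` hunk interpolates `needs.build.outputs.*` into the `pull-requests: write` job's `run:` the same way — `env:` is the right carrier in all three places. Separately, the `Checkout PR Branch (for comment trigger)` step at the tail of this hunk still runs on `issue_comment`, which anyone who can comment on the PR can fire; its `with:` is outside this view, so I can't tell whether it sets `persist-credentials: false`, and without that actions/checkout writes the (now read-only) `GITHUB_TOKEN` into `.git/config` where the PR's own build steps can read it. Gating that step on `github.event.comment.author_association` (`OWNER`/`MEMBER`/`COLLABORATOR`) would keep fork code from being built on an arbitrary comment.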
@@ -109,6 +132,14 @@ jobs: docker image pull --platform linux/arm64 localhost:5000/app-bricks/python-base:latest docker image pull --platform linux/arm64 localhost:5000/app-bricks/python-apps-base:latest + - name: Calculate image sizes + id: sizes + run: | + SIZE1=$(docker images 'localhost:5000/app-bricks/python-base:latest' --format '{{.Size}}') + SIZE2=$(docker images 'localhost:5000/app-bricks/python-apps-base:latest' --format '{{.Size}}') + echo "python_base_size=$SIZE1" >> $GITHUB_OUTPUT + echo "python_apps_base_size=$SIZE2" >> $GITHUB_OUTPUT + - name: Add image sizes to Job Summary run: | echo "## Docker Image Sizes" >> $GITHUB_STEP_SUMMARY @@ -117,19 +148,34 @@ jobs: echo "|-------|------|" >> $GITHUB_STEP_SUMMARY echo "| app-bricks/python-base | $(docker images 'localhost:5000/app-bricks/python-base:latest' --format '{{.Size}}') |" >> $GITHUB_STEP_SUMMARY echo "| app-bricks/python-apps-base | $(docker images 'localhost:5000/app-bricks/python-apps-base:latest' --format '{{.Size}}') |" >> $GITHUB_STEP_SUMMARY - + outputs: + python_base_size: ${{ steps.sizes.outputs.python_base_size }} + python_apps_base_size: ${{ steps.sizes.outputs.python_apps_base_size }} + pr_number: ${{ steps.pr_info.outputs.pr_number }} + target_repo: ${{ steps.pr_info.outputs.target_repo }} + comment-results: + runs-on: ubuntu-latest + needs: build + if: needs.build.outputs.pr_number != '' + permissions: + pull-requests: write + steps: - name: Comment on PR with image sizes - if: steps.pr_info.outputs.pr_number != '' env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - SIZE1=$(docker images 'localhost:5000/app-bricks/python-base:latest' --format '{{.Size}}') - SIZE2=$(docker images 'localhost:5000/app-bricks/python-apps-base:latest' --format '{{.Size}}') - gh pr comment ${{ steps.pr_info.outputs.pr_number }} --body-file - < Date: Wed, 22 Oct 2025 17:29:28 +0200 Subject: [PATCH 2/3] Fix ci permissions --- .github/workflows/ci_checks.yml | 3 +++ 1 file changed, 3 insertions(+) 
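Review bot: The new `sizes` step exports whatever `docker images --format '{{.Size}}'` printed, and `docker images` exits 0 with no output when the tag is absent, so a missed pull in the steps above yields empty `python_base_size`/`python_apps_base_size` outputs that still flow into the job summary and the `comment-results` job instead of failing the run. Guard after the two assignments: `if [ -z "$SIZE1" ] || [ -z "$SIZE2" ]; then echo "::error::image size lookup returned nothing"; exit 1; fi`. Note too that `{{.Size}}` here is docker's rounded human-readable string (e.g. `123MB`), not a byte count; nothing in this commit appears to subtract these values, but if a numeric delta is ever computed from the outputs it would need `docker image inspect --format '{{.Size}}'` instead.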
diff --git a/.github/workflows/ci_checks.yml b/.github/workflows/ci_checks.yml index fbf86d48..0419606f 100644 --- a/.github/workflows/ci_checks.yml +++ b/.github/workflows/ci_checks.yml @@ -3,6 +3,9 @@ name: Run Tests and Check Documentation on: pull_request: +permissions: + contents: read + jobs: ci-checks: runs-on: ubuntu-latest From b38121e0df71a95995d25947a10dbc097ac608af Mon Sep 17 00:00:00 2001 From: Mirko Curtolo Date: Thu, 23 Oct 2025 09:18:14 +0200 Subject: [PATCH 3/3] Remove search for upstream pr and create an output message step --- .github/workflows/calculate-size-delta.yml | 59 +++++++++------------- 1 file changed, 23 insertions(+), 36 deletions(-) diff --git a/.github/workflows/calculate-size-delta.yml b/.github/workflows/calculate-size-delta.yml index c13519bf..e893af6c 100644 --- a/.github/workflows/calculate-size-delta.yml +++ b/.github/workflows/calculate-size-delta.yml 
@@ -36,42 +36,22 @@ jobs: run: | if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then echo "Searching for PR from branch '${{ github.ref_name }}'..." - UPSTREAM_REPO=$(gh api repos/${{ github.repository }} --jq '.parent.full_name // empty') - - if [ -n "$UPSTREAM_REPO" ]; then - echo "This is a fork. Upstream repository: $UPSTREAM_REPO" - # Get current repo owner and branch - CURRENT_USER=$(gh api repos/${{ github.repository }} --jq '.owner.login') - BRANCH_NAME="${{ github.ref_name }}" - echo "Searching in upstream for PR from $CURRENT_USER:$BRANCH_NAME" - - # Use API to search for PR with matching head - PR_NUMBER=$(gh api "repos/$UPSTREAM_REPO/pulls?state=open&head=$CURRENT_USER:$BRANCH_NAME" --jq '.[0].number // empty') - - if [ -z "$PR_NUMBER" ]; then - echo "Not found with API, trying gh pr list..." - PR_NUMBER=$(gh pr list --repo "$UPSTREAM_REPO" --state open --json number,headRefName,headRepositoryOwner \ - --jq ".[] | select(.headRefName == \"$BRANCH_NAME\" and .headRepositoryOwner.login == \"$CURRENT_USER\") | .number") - fi - TARGET_REPO="$UPSTREAM_REPO" - else - echo "This is not a fork. Searching in current repo..." - PR_NUMBER=$(gh pr list --state open --head "${{ github.ref_name }}" --json number --jq '.[0].number // empty') - TARGET_REPO="${{ github.repository }}" + PR_NUMBER=$(gh pr list --state open --head "${{ github.ref_name }}" --json number --jq '.[0].number // empty') + if [ -z "$PR_NUMBER" ]; then + echo "Not found in current repo, searching across forks..." + PR_NUMBER=$(gh pr list --state open --json number,headRefName,headRepositoryOwner --jq ".[] | select(.headRefName == \"${{ github.ref_name }}\") | .number" | head -n1) fi else # For issue_comment, the PR number is in the event context PR_NUMBER=${{ github.event.issue.number }} - TARGET_REPO="${{ github.repository }}" fi if [ -z "$PR_NUMBER" ]; then echo "Could not find an associated open pull request." 
else - echo "Found PR #$PR_NUMBER in repo $TARGET_REPO" + echo "Found PR #$PR_NUMBER" fi echo "pr_number=$PR_NUMBER" >> $GITHUB_OUTPUT - echo "target_repo=$TARGET_REPO" >> $GITHUB_OUTPUT - name: Checkout PR Branch (for comment trigger) if: github.event_name == 'issue_comment' @@ -146,13 +126,12 @@ jobs: echo "" >> $GITHUB_STEP_SUMMARY echo "| Image | Size |" >> $GITHUB_STEP_SUMMARY echo "|-------|------|" >> $GITHUB_STEP_SUMMARY - echo "| app-bricks/python-base | $(docker images 'localhost:5000/app-bricks/python-base:latest' --format '{{.Size}}') |" >> $GITHUB_STEP_SUMMARY - echo "| app-bricks/python-apps-base | $(docker images 'localhost:5000/app-bricks/python-apps-base:latest' --format '{{.Size}}') |" >> $GITHUB_STEP_SUMMARY + echo "| app-bricks/python-base | ${{ steps.sizes.outputs.python_base_size }} |" >> $GITHUB_STEP_SUMMARY + echo "| app-bricks/python-apps-base | ${{ steps.sizes.outputs.python_apps_base_size }} |" >> $GITHUB_STEP_SUMMARY outputs: python_base_size: ${{ steps.sizes.outputs.python_base_size }} python_apps_base_size: ${{ steps.sizes.outputs.python_apps_base_size }} pr_number: ${{ steps.pr_info.outputs.pr_number }} - target_repo: ${{ steps.pr_info.outputs.target_repo }} comment-results: runs-on: ubuntu-latest needs: build @@ -164,7 +143,7 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - if gh pr comment ${{ needs.build.outputs.pr_number }} --repo "${{ needs.build.outputs.target_repo }}" --body-file - <
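Review bot: The new fallback matches open PRs by `headRefName` alone and `head -n1` silently takes the first hit, so a PR from any fork whose branch merely shares the dispatched branch's name (`main`, `dev`, `fix`…) can be selected, and the `comment-results` job then posts this run's sizes to an unrelated PR. The fallback presumably exists to find fork PRs (the commit message only says the upstream search was removed), so the safer shape is to refuse when the name is ambiguous and to log which head repository was matched, while keeping the zero-match case on the graceful "Could not find an associated open pull request." path that follows; the step's `- name:`/`id:` header is above this hunk. Note that `MATCH_COUNT` needs the `|| true` because the workflow shell runs with `-e -o pipefail` and `grep -c` exits 1 on zero matches.

```yaml
            if [ -z "$PR_NUMBER" ]; then
              echo "Not found in current repo, searching across forks..."
              MATCHES=$(gh pr list --state open --json number,headRefName,headRepositoryOwner \
                --jq ".[] | select(.headRefName == \"${{ github.ref_name }}\") | \"\(.number) \(.headRepositoryOwner.login)\"")
              MATCH_COUNT=$(printf '%s\n' "$MATCHES" | grep -c . || true)
              if [ "$MATCH_COUNT" -gt 1 ]; then
                echo "::error::branch name matches $MATCH_COUNT open PRs; refusing to guess which one to comment on"
                exit 1
              elif [ "$MATCH_COUNT" -eq 1 ]; then
                PR_NUMBER=${MATCHES%% *}
                echo "Matched PR #$PR_NUMBER (head repository owner: ${MATCHES#* })"
              fi
            fi
          # … unchanged: issue_comment branch and the "Could not find" / "Found PR" reporting …
```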