Run container build action as a pull_request_target

Ensuring that it can only be run on PRs from the same repository. This means that it will be run even when the PR doesn't merge, and against the PR head rather than the merge.
moergo-sc · Oct 22, 2023 · 7998772 · 7998772
1 parent 35ab724
commit 7998772
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 13 deletions.
diff --git a/.github/workflows/build-container.yml b/.github/workflows/build-container.yml
@@ -2,17 +2,16 @@ name: Build Compiler Service Container
 
 on:
   push:
-    branches:
-      - "main"
     tags:
       - "*"
-  pull_request:
+  pull_request_target:
     branches:
       - main
 
 jobs:
   build:
-    if: github.repository == 'moergo-sc/zmk'
+    # This job must never be run on a PR from outside the same repository
+    if: github.repository == 'moergo-sc/zmk' && (github.event.pull_request == null || github.event.pull_request.head.repo.full_name == github.repository)
     runs-on: ubuntu-latest
     # These permissions are needed to interact with GitHub's OIDC Token endpoint.
     permissions:
@@ -22,9 +21,14 @@ jobs:
       ECR_REPOSITORY: zmk-builder-lambda
       VERSIONS_BUCKET: glove80firmwarepipelines-compilerversionsbucket44-zubaquiyjdam
       UPDATE_COMPILER_VERSIONS_FUNCTION: arn:aws:lambda:us-east-1:431227615537:function:Glove80FirmwarePipelineSt-UpdateCompilerVersions2A-CNxPOHb4VSuV
-      REVISION_TAG: ${{ github.sha }}
+      REVISION_TAG: ${{ github.event.pull_request && github.event.pull_request.head.sha || github.sha  }}
+      PR_NUMBER: ${{ github.event.number }}
     steps:
       - uses: actions/checkout@v2.4.0
+        with:
+          repository: moergo-sc/zmk
+          ref: ${{ github.event.pull_request && github.event.pull_request.head.sha || github.sha }}
+          fetch-depth: 0
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@v1
         with:
@@ -33,16 +37,12 @@ jobs:
       - name: Extract container name from branch name
         shell: bash
         run: |
-          if [ "$GITHUB_REF" = "refs/heads/main" ]; then
-            tag="branch.main"
-          elif [ "$GITHUB_HEAD_REF" ]; then
-            pr=${GITHUB_REF#refs/pull/}
-            pr=${pr%/merge}
-            tag="pr${pr}.${GITHUB_HEAD_REF}"
+          if [ "$GITHUB_HEAD_REF" ]; then
+            tag="pr${PR_NUMBER}.${GITHUB_HEAD_REF}"
           elif [[ "$GITHUB_REF" == refs/tags/* ]]; then
             tag="${GITHUB_REF#refs/tags/}"
           else
-            echo "Not a release branch or tag" >&2
+            echo "Not a pull request or release tag" >&2
             exit 1
           fi
           # Replace / with . in container tag names
@@ -76,12 +76,13 @@ jobs:
         run: |
           digest="$(docker inspect --format='{{index .RepoDigests 0}}' $REGISTRY/$ECR_REPOSITORY:$REVISION_TAG)"
           digest="${digest##*@}"
+          api_version="$(cat lambda/api_version.txt)"
           jq -n '$ARGS.named' \
             --arg name     "$CONTAINER_NAME" \
             --arg revision "$REVISION_TAG" \
             --arg branch   "$GITHUB_REF" \
             --arg digest   "$digest" \
-            --arg api_version "2" \
+            --arg api_version "$api_version" \
             > "/tmp/$CONTAINER_NAME.json"
       - name: Upload image metadata file to versions bucket
         run: aws s3 cp "/tmp/$CONTAINER_NAME.json" "s3://$VERSIONS_BUCKET/images/$CONTAINER_NAME.json"

diff --git a/lambda/api_version.txt b/lambda/api_version.txt
@@ -0,0 +1 @@
+2