From 65b7182cd59213c085a5fe36c3e620dc84f8e9b3 Mon Sep 17 00:00:00 2001 From: safinsaf Date: Wed, 11 May 2022 06:02:48 +0300 Subject: [PATCH 1/8] Remove running build from comment Signed-off-by: safinsaf --- .github/build-iroha1-fork.src.yml | 25 ++----------------------- .github/workflows/build-iroha1-fork.yml | 6 ------ 2 files changed, 2 insertions(+), 29 deletions(-) diff --git a/.github/build-iroha1-fork.src.yml b/.github/build-iroha1-fork.src.yml index db8fd09ea5f..eb3c0059426 100644 --- a/.github/build-iroha1-fork.src.yml +++ b/.github/build-iroha1-fork.src.yml @@ -33,7 +33,7 @@ jobs: name: Pull requests from forks should use this workflow if: github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name steps: - - + - &step_show_context name: Show context run: | echo "::group::GitHub context" @@ -89,23 +89,8 @@ jobs: environment: test-env runs-on: ubuntu-20.04 needs: check_if_pull_request_comes_from_fork - if: ${{ (github.event_name != 'comment') || ( github.event.comment && - github.event.issue.pull_request && - startsWith(github.event.comment.body, '/build') ) }} steps: - - &step_show_context - name: Show context - run: | - echo "::group::GitHub context" - cat <<'END' - ${{ toJson(github) }} - END - echo "::endgroup::" - echo "::group::GitHub needs" - cat <<'END' - ${{ toJson(needs) }} - END - echo "::endgroup::" + - *step_show_context - &step_detect_commented_pr name: REF and SHA of commented PR to ENV if: github.event.comment 
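Review bot: The step kept as `&step_detect_commented_pr` (`name: REF and SHA of commented PR to ENV`, `if: github.event.comment`) at the tail of the `@@ -89,23 +89,8 @@` hunk becomes dead code in this commit: the `/build` comment trigger is removed here and, as far as the `on: pull_request_target` block visible later in the series shows, no event delivered to this workflow carries `github.event.comment`, so the step is always skipped while its body (continuing into the next hunk) still looks like it can feed comment-derived `PR_NUM`/`PR_REPO` values into `$GITHUB_ENV`. I would drop that step and its `*step_detect_commented_pr` alias in the same commit so a reader does not assume comments can still start fork builds. The `Generate default matrix for regular builds` step also loses its `if:` guard and now runs unconditionally, which is presumably intended once the comment path is gone; a one-line comment such as `## always runs: comment-triggered builds were removed` would record that. The rendered copy in `.github/workflows/build-iroha1-fork.yml` (`@@ -79,7 +79,6 @@`, `@@ -106,12 +105,7 @@`) presumably carries the same leftover step.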
@@ -118,14 +103,8 @@ jobs: "PR_NUM="+(.number|tostring), "PR_REPO="+.head.repo.full_name' >>$GITHUB_ENV - *step_checkout_head - - - name: Generate matrix for build triggered by chat-ops - comment to PR - if: github.event.issue.pull_request && github.event.comment - id: comment_body - run: echo "${{github.event.comment.body}}" >/tmp/comment_body - name: Generate default matrix for regular builds - if: ${{ steps.comment_body.outcome == 'skipped' }} ## i.e. not github.event.issue.pull_request run: | set -x git fetch origin ${{github.event.pull_request.head.sha}} --depth=2 ## depth=2 to detect if fetched commit is merge commit diff --git a/.github/workflows/build-iroha1-fork.yml b/.github/workflows/build-iroha1-fork.yml index 71fc8854ec7..65006d33506 100644 --- a/.github/workflows/build-iroha1-fork.yml +++ b/.github/workflows/build-iroha1-fork.yml @@ -79,7 +79,6 @@ jobs: environment: test-env runs-on: ubuntu-20.04 needs: check_if_pull_request_comes_from_fork - if: ${{ (github.event_name != 'comment') || ( github.event.comment && github.event.issue.pull_request && startsWith(github.event.comment.body, '/build') ) }} steps: - name: Show context run: | @@ -106,12 +105,7 @@ jobs: uses: actions/checkout@v2 with: ref: ${{ github.event.pull_request.head.sha }} - - name: Generate matrix for build triggered by chat-ops - comment to PR - if: github.event.issue.pull_request && github.event.comment - id: comment_body - run: echo "${{github.event.comment.body}}" >/tmp/comment_body - name: Generate default matrix for regular builds - if: ${{ steps.comment_body.outcome == 'skipped' }} ## i.e. not github.event.issue.pull_request run: | set -x git fetch origin ${{github.event.pull_request.head.sha}} --depth=2 ## depth=2 to detect if fetched commit is merge commit From b95b5ad301b2367773328b06192ce45aea706c05 Mon Sep 17 00:00:00 2001 From: safinsaf Date: Thu, 12 May 2022 10:43:25 +0300 Subject: [PATCH 2/8] Fix potential injection in contexts log 
Signed-off-by: safinsaf --- .github/build-iroha1-fork.src.yml | 7 ++- .github/workflows/build-iroha1-fork.yml | 70 ++++++++++++++++++------- 2 files changed, 55 insertions(+), 22 deletions(-) diff --git a/.github/build-iroha1-fork.src.yml b/.github/build-iroha1-fork.src.yml index eb3c0059426..7bc12aa5e72 100644 --- a/.github/build-iroha1-fork.src.yml +++ b/.github/build-iroha1-fork.src.yml @@ -38,14 +38,17 @@ jobs: run: | echo "::group::GitHub context" cat <<'END' - ${{ toJson(github) }} + $JSON_github END echo "::endgroup::" echo "::group::GitHub needs" cat <<'END' - ${{ toJson(needs) }} + $JSON_needs END echo "::endgroup::" + env: + JSON_github: ${{ toJSON(github) }} + JSON_needs: ${{ toJson(needs) }} - &step_checkout_head name: Checkout head diff --git a/.github/workflows/build-iroha1-fork.yml b/.github/workflows/build-iroha1-fork.yml index 65006d33506..bf3bd49977d 100644 --- a/.github/workflows/build-iroha1-fork.yml +++ b/.github/workflows/build-iroha1-fork.yml @@ -35,14 +35,17 @@ jobs: run: | echo "::group::GitHub context" cat <<'END' - ${{ toJson(github) }} + $JSON_github END echo "::endgroup::" echo "::group::GitHub needs" cat <<'END' - ${{ toJson(needs) }} + $JSON_needs END echo "::endgroup::" + env: + JSON_github: ${{ toJSON(github) }} + JSON_needs: ${{ toJson(needs) }} - name: Checkout head uses: actions/checkout@v2 with: @@ -84,14 +87,17 @@ jobs: run: | echo "::group::GitHub context" cat <<'END' - ${{ toJson(github) }} + $JSON_github END echo "::endgroup::" echo "::group::GitHub needs" cat <<'END' - ${{ toJson(needs) }} + $JSON_needs END echo "::endgroup::" + env: + JSON_github: ${{ toJSON(github) }} + JSON_needs: ${{ toJson(needs) }} - name: REF and SHA of commented PR to ENV if: github.event.comment run: 
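Review bot: Moving `toJson(github)` out of the `run:` script into `env:` is the right pattern (the expression is expanded into an environment variable and never re-parsed by the shell), but the heredoc keeps its quoted delimiter `cat <<'END'`, so `$JSON_github` and `$JSON_needs` are printed literally and no context is logged; the next two commits in this series replace the heredoc, so what survives them is the casing inconsistency `JSON_github: ${{ toJSON(github) }}` next to `JSON_needs: ${{ toJson(needs) }}`. Expression function names are, to my knowledge, matched case-insensitively, so both work, but pick one spelling (`toJSON`) for both lines. The same pair appears in every `Show context` hunk of `.github/workflows/build-iroha1-fork.yml` in this commit.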
> @@ -184,14 +190,17 @@ jobs: run: | echo "::group::GitHub context" cat <<'END' - ${{ toJson(github) }} + $JSON_github END echo "::endgroup::" echo "::group::GitHub needs" cat <<'END' - ${{ toJson(needs) }} + $JSON_needs END echo "::endgroup::" + env: + JSON_github: ${{ toJSON(github) }} + JSON_needs: ${{ toJson(needs) }} - name: System info run: | set -x @@ -356,14 +365,17 @@ jobs: run: | echo "::group::GitHub context" cat <<'END' - ${{ toJson(github) }} + $JSON_github END echo "::endgroup::" echo "::group::GitHub needs" cat <<'END' - ${{ toJson(needs) }} + $JSON_needs END echo "::endgroup::" + env: + JSON_github: ${{ toJSON(github) }} + JSON_needs: ${{ toJson(needs) }} - name: Show needs run: | cat >/dev/null <<'END' @@ -637,14 +649,17 @@ jobs: run: | echo "::group::GitHub context" cat <<'END' - ${{ toJson(github) }} + $JSON_github END echo "::endgroup::" echo "::group::GitHub needs" cat <<'END' - ${{ toJson(needs) }} + $JSON_needs END echo "::endgroup::" + env: + JSON_github: ${{ toJSON(github) }} + JSON_needs: ${{ toJson(needs) }} - name: Show needs run: | cat >/dev/null <<'END' @@ -915,14 +930,17 @@ jobs: run: | echo "::group::GitHub context" cat <<'END' - ${{ toJson(github) }} + $JSON_github END echo "::endgroup::" echo "::group::GitHub needs" cat <<'END' - ${{ toJson(needs) }} + $JSON_needs END echo "::endgroup::" + env: + JSON_github: ${{ toJSON(github) }} + JSON_needs: ${{ toJson(needs) }} build-M: needs: - prepare-macos-env @@ -940,14 +958,17 @@ jobs: run: | echo "::group::GitHub context" cat <<'END' - ${{ toJson(github) }} + $JSON_github END echo "::endgroup::" echo "::group::GitHub needs" cat <<'END' - ${{ toJson(needs) }} + $JSON_needs END echo "::endgroup::" + env: + JSON_github: ${{ toJSON(github) }} + JSON_needs: ${{ toJson(needs) }} - name: System info run: | set -x 
@@ -1214,14 +1235,17 @@ jobs: run: | echo "::group::GitHub context" cat <<'END' - ${{ toJson(github) }} + $JSON_github END echo "::endgroup::" echo "::group::GitHub needs" cat <<'END' - ${{ toJson(needs) }} + $JSON_needs END echo "::endgroup::" + env: + JSON_github: ${{ toJSON(github) }} + JSON_needs: ${{ toJson(needs) }} defaults: run: shell: bash @@ -1327,14 +1351,17 @@ jobs: run: | echo "::group::GitHub context" cat <<'END' - ${{ toJson(github) }} + $JSON_github END echo "::endgroup::" echo "::group::GitHub needs" cat <<'END' - ${{ toJson(needs) }} + $JSON_needs END echo "::endgroup::" + env: + JSON_github: ${{ toJSON(github) }} + JSON_needs: ${{ toJson(needs) }} - name: System info run: | set -x @@ -1499,14 +1526,17 @@ jobs: run: | echo "::group::GitHub context" cat <<'END' - ${{ toJson(github) }} + $JSON_github END echo "::endgroup::" echo "::group::GitHub needs" cat <<'END' - ${{ toJson(needs) }} + $JSON_needs END echo "::endgroup::" + env: + JSON_github: ${{ toJSON(github) }} + JSON_needs: ${{ toJson(needs) }} - name: System info run: | set -x From e6045e219b67be7e0284594a492519adb40e132b Mon Sep 17 00:00:00 2001 From: safinsaf Date: Thu, 12 May 2022 10:56:19 +0300 Subject: [PATCH 3/8] Try echo instead of cat Signed-off-by: safinsaf --- .github/build-iroha1-fork.src.yml | 8 +-- .github/workflows/build-iroha1-fork.yml | 80 +++++++------------------ 2 files changed, 22 insertions(+), 66 deletions(-) diff --git a/.github/build-iroha1-fork.src.yml b/.github/build-iroha1-fork.src.yml index 7bc12aa5e72..715412821e5 100644 --- a/.github/build-iroha1-fork.src.yml +++ b/.github/build-iroha1-fork.src.yml @@ -37,14 +37,10 @@ jobs: name: Show context run: | echo "::group::GitHub context" - cat <<'END' - $JSON_github - END + echo $JSON_github echo "::endgroup::" echo "::group::GitHub needs" - cat <<'END' - $JSON_needs - END + echo $JSON_needs echo "::endgroup::" env: JSON_github: ${{ toJSON(github) }} 
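Review bot: `echo $JSON_github` expands the JSON unquoted, so the shell word-splits it (collapsing the newlines and indentation that made the context readable) and applies pathname expansion to any `*` or `?` in the payload against the working directory; the quoted form `echo "$JSON_github"` keeps the output byte-exact and is what to use wherever `echo` is kept. The following commit switches to a here-string, which does not word-split, so this matters mainly if the `echo` variant survives anywhere. The same line is repeated in every `Show context` hunk of `.github/workflows/build-iroha1-fork.yml` in this commit.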
diff --git a/.github/workflows/build-iroha1-fork.yml b/.github/workflows/build-iroha1-fork.yml index bf3bd49977d..b80f4f3f8a8 100644 --- a/.github/workflows/build-iroha1-fork.yml +++ b/.github/workflows/build-iroha1-fork.yml @@ -34,14 +34,10 @@ jobs: - name: Show context run: | echo "::group::GitHub context" - cat <<'END' - $JSON_github - END + echo $JSON_github echo "::endgroup::" echo "::group::GitHub needs" - cat <<'END' - $JSON_needs - END + echo $JSON_needs echo "::endgroup::" env: JSON_github: ${{ toJSON(github) }} @@ -86,14 +82,10 @@ jobs: - name: Show context run: | echo "::group::GitHub context" - cat <<'END' - $JSON_github - END + echo $JSON_github echo "::endgroup::" echo "::group::GitHub needs" - cat <<'END' - $JSON_needs - END + echo $JSON_needs echo "::endgroup::" env: JSON_github: ${{ toJSON(github) }} @@ -189,14 +181,10 @@ jobs: - name: Show context run: | echo "::group::GitHub context" - cat <<'END' - $JSON_github - END + echo $JSON_github echo "::endgroup::" echo "::group::GitHub needs" - cat <<'END' - $JSON_needs - END + echo $JSON_needs echo "::endgroup::" env: JSON_github: ${{ toJSON(github) }} @@ -364,14 +352,10 @@ jobs: - name: Show context run: | echo "::group::GitHub context" - cat <<'END' - $JSON_github - END + echo $JSON_github echo "::endgroup::" echo "::group::GitHub needs" - cat <<'END' - $JSON_needs - END + echo $JSON_needs echo "::endgroup::" env: JSON_github: ${{ toJSON(github) }} @@ -648,14 +632,10 @@ jobs: - name: Show context run: | echo "::group::GitHub context" - cat <<'END' - $JSON_github - END + echo $JSON_github echo "::endgroup::" echo "::group::GitHub needs" - cat <<'END' - $JSON_needs - END + echo $JSON_needs echo "::endgroup::" env: JSON_github: ${{ toJSON(github) }} 
@@ -929,14 +909,10 @@ jobs: - name: Show context run: | echo "::group::GitHub context" - cat <<'END' - $JSON_github - END + echo $JSON_github echo "::endgroup::" echo "::group::GitHub needs" - cat <<'END' - $JSON_needs - END + echo $JSON_needs echo "::endgroup::" env: JSON_github: ${{ toJSON(github) }} @@ -957,14 +933,10 @@ jobs: - name: Show context run: | echo "::group::GitHub context" - cat <<'END' - $JSON_github - END + echo $JSON_github echo "::endgroup::" echo "::group::GitHub needs" - cat <<'END' - $JSON_needs - END + echo $JSON_needs echo "::endgroup::" env: JSON_github: ${{ toJSON(github) }} @@ -1234,14 +1206,10 @@ jobs: - name: Show context run: | echo "::group::GitHub context" - cat <<'END' - $JSON_github - END + echo $JSON_github echo "::endgroup::" echo "::group::GitHub needs" - cat <<'END' - $JSON_needs - END + echo $JSON_needs echo "::endgroup::" env: JSON_github: ${{ toJSON(github) }} @@ -1350,14 +1318,10 @@ jobs: - name: Show context run: | echo "::group::GitHub context" - cat <<'END' - $JSON_github - END + echo $JSON_github echo "::endgroup::" echo "::group::GitHub needs" - cat <<'END' - $JSON_needs - END + echo $JSON_needs echo "::endgroup::" env: JSON_github: ${{ toJSON(github) }} @@ -1525,14 +1489,10 @@ jobs: - name: Show context run: | echo "::group::GitHub context" - cat <<'END' - $JSON_github - END + echo $JSON_github echo "::endgroup::" echo "::group::GitHub needs" - cat <<'END' - $JSON_needs - END + echo $JSON_needs echo "::endgroup::" env: JSON_github: ${{ toJSON(github) }} From 7241bce3ca659d6f40c8f5b50043a112467b06a8 Mon Sep 17 00:00:00 2001 From: safinsaf Date: Thu, 12 May 2022 11:09:01 +0300 Subject: [PATCH 4/8] Try jq instead of echo Signed-off-by: safinsaf --- .github/build-iroha1-fork.src.yml | 4 +-- .github/workflows/build-iroha1-fork.yml | 40 ++++++++++++------------- 2 files changed, 22 insertions(+), 22 deletions(-) 
diff --git a/.github/build-iroha1-fork.src.yml b/.github/build-iroha1-fork.src.yml index 715412821e5..1b9489cdac2 100644 --- a/.github/build-iroha1-fork.src.yml +++ b/.github/build-iroha1-fork.src.yml @@ -37,10 +37,10 @@ jobs: name: Show context run: | echo "::group::GitHub context" - echo $JSON_github + jq <<< $JSON_github echo "::endgroup::" echo "::group::GitHub needs" - echo $JSON_needs + jq <<< $JSON_needs echo "::endgroup::" env: JSON_github: ${{ toJSON(github) }} diff --git a/.github/workflows/build-iroha1-fork.yml b/.github/workflows/build-iroha1-fork.yml index b80f4f3f8a8..75c39a3da3d 100644 --- a/.github/workflows/build-iroha1-fork.yml +++ b/.github/workflows/build-iroha1-fork.yml @@ -34,10 +34,10 @@ jobs: - name: Show context run: | echo "::group::GitHub context" - echo $JSON_github + jq <<< $JSON_github echo "::endgroup::" echo "::group::GitHub needs" - echo $JSON_needs + jq <<< $JSON_needs echo "::endgroup::" env: JSON_github: ${{ toJSON(github) }} @@ -82,10 +82,10 @@ jobs: - name: Show context run: | echo "::group::GitHub context" - echo $JSON_github + jq <<< $JSON_github echo "::endgroup::" echo "::group::GitHub needs" - echo $JSON_needs + jq <<< $JSON_needs echo "::endgroup::" env: JSON_github: ${{ toJSON(github) }} @@ -181,10 +181,10 @@ jobs: - name: Show context run: | echo "::group::GitHub context" - echo $JSON_github + jq <<< $JSON_github echo "::endgroup::" echo "::group::GitHub needs" - echo $JSON_needs + jq <<< $JSON_needs echo "::endgroup::" env: JSON_github: ${{ toJSON(github) }} @@ -352,10 +352,10 @@ jobs: - name: Show context run: | echo "::group::GitHub context" - echo $JSON_github + jq <<< $JSON_github echo "::endgroup::" echo "::group::GitHub needs" - echo $JSON_needs + jq <<< $JSON_needs echo "::endgroup::" env: JSON_github: ${{ toJSON(github) }} 
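Review bot: `jq <<< $JSON_github` relies on jq falling back to the identity filter when no program is given, which depends on the jq version (older releases print usage and exit non-zero instead); spelling the filter out as `jq . <<< "$JSON_github"` removes that dependency, and the quotes cost nothing even though a here-string does not word-split. `jq` is present on the GitHub-hosted `ubuntu`, `macos` and `windows` images, but I cannot tell from the hunks whether the self-hosted Linux container used by the build jobs (`image: ${{needs.Docker-iroha-builder.outputs.container}}`) ships it; if it does not, that step fails with a missing command rather than logging the context. The same line is repeated in every `Show context` hunk of `.github/workflows/build-iroha1-fork.yml` in this commit.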
@@ -632,10 +632,10 @@ jobs: - name: Show context run: | echo "::group::GitHub context" - echo $JSON_github + jq <<< $JSON_github echo "::endgroup::" echo "::group::GitHub needs" - echo $JSON_needs + jq <<< $JSON_needs echo "::endgroup::" env: JSON_github: ${{ toJSON(github) }} @@ -909,10 +909,10 @@ jobs: - name: Show context run: | echo "::group::GitHub context" - echo $JSON_github + jq <<< $JSON_github echo "::endgroup::" echo "::group::GitHub needs" - echo $JSON_needs + jq <<< $JSON_needs echo "::endgroup::" env: JSON_github: ${{ toJSON(github) }} @@ -933,10 +933,10 @@ jobs: - name: Show context run: | echo "::group::GitHub context" - echo $JSON_github + jq <<< $JSON_github echo "::endgroup::" echo "::group::GitHub needs" - echo $JSON_needs + jq <<< $JSON_needs echo "::endgroup::" env: JSON_github: ${{ toJSON(github) }} @@ -1206,10 +1206,10 @@ jobs: - name: Show context run: | echo "::group::GitHub context" - echo $JSON_github + jq <<< $JSON_github echo "::endgroup::" echo "::group::GitHub needs" - echo $JSON_needs + jq <<< $JSON_needs echo "::endgroup::" env: JSON_github: ${{ toJSON(github) }} @@ -1318,10 +1318,10 @@ jobs: - name: Show context run: | echo "::group::GitHub context" - echo $JSON_github + jq <<< $JSON_github echo "::endgroup::" echo "::group::GitHub needs" - echo $JSON_needs + jq <<< $JSON_needs echo "::endgroup::" env: JSON_github: ${{ toJSON(github) }} @@ -1489,10 +1489,10 @@ jobs: - name: Show context run: | echo "::group::GitHub context" - echo $JSON_github + jq <<< $JSON_github echo "::endgroup::" echo "::group::GitHub needs" - echo $JSON_needs + jq <<< $JSON_needs echo "::endgroup::" env: JSON_github: ${{ toJSON(github) }} From bac6b8ac1a16bc70ce142acba946199074b04811 Mon Sep 17 00:00:00 2001 From: safinsaf Date: Mon, 23 May 2022 11:30:05 +0300 Subject: [PATCH 5/8] Restrict changing dependency script from forks 
Signed-off-by: safinsaf --- .github/build-iroha1-fork.src.yml | 12 +++++++++- .github/workflows/build-iroha1-fork.yml | 31 ++++++++++++++++++++----- 2 files changed, 36 insertions(+), 7 deletions(-) diff --git a/.github/build-iroha1-fork.src.yml b/.github/build-iroha1-fork.src.yml index 1b9489cdac2..69d5191fe99 100644 --- a/.github/build-iroha1-fork.src.yml +++ b/.github/build-iroha1-fork.src.yml @@ -63,6 +63,8 @@ jobs: - "**/Dockerfile" - "docker/release/entrypoint.sh" - "docker/release/wait-for-it.sh" + build_dependecies: + - "vcpkg/build_iroha_deps.sh" - name: verify .github folder is not changed if: steps.filter.outputs.github == 'true' @@ -76,6 +78,12 @@ jobs: echo "Pull requests from forks are not allowed to change Dockerfiles" false + - name: verify build depedencies script is not changed + if: steps.filter.outputs.build_dependecies == 'true' + run: | + echo "Pull requests from forks are not allowed to change build dependencies script" + false + ## This job is to generate build matrixes for build jobs ## The matrixes depend on what is requeted to be build @@ -196,13 +204,15 @@ jobs: name: Build info run: | cat << 'END' - ref:${{github.ref}} + ref:$github_ref sha:${{github.sha}} run_number:${{github.run_number}} event_name:${{github.event_name}} event.action:${{github.event.action}} event.issue.number:${{ github.event.issue.number }} END + env: + github_ref: ${{ github.ref }} - *step_detect_commented_pr - &step_checkout_base name: Checkout base diff --git a/.github/workflows/build-iroha1-fork.yml b/.github/workflows/build-iroha1-fork.yml index 75c39a3da3d..59db049f579 100644 --- a/.github/workflows/build-iroha1-fork.yml +++ b/.github/workflows/build-iroha1-fork.yml @@ -57,6 +57,8 @@ jobs: - "**/Dockerfile" - "docker/release/entrypoint.sh" - "docker/release/wait-for-it.sh" + build_dependecies: + - "vcpkg/build_iroha_deps.sh" - name: verify .github folder is not changed if: steps.filter.outputs.github == 'true' run: | 
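Review bot: The new filter key is misspelled `build_dependecies` both in the filter map and in `if: steps.filter.outputs.build_dependecies == 'true'` of the verify step two hunks down, and that step's name says `depedencies`; it is self-consistent so it works, but rename to `build_dependencies` in all three places before more references accumulate. More importantly the check is a denylist: with `pull_request_target` and a checkout of `github.event.pull_request.head.sha` (visible in the patch 1 context), every file the build executes from that checkout and that is not listed here is still taken from the fork, so `vcpkg/build_iroha_deps.sh` alone closes one path; I cannot see which other scripts or CMake files the build runs, but a broader pattern such as `- "vcpkg/**"` or, preferably, running fork code only in jobs that hold no secrets (these jobs carry `environment: test-env`) would be a sturdier control. The same two hunks are mirrored in `.github/workflows/build-iroha1-fork.yml` (`@@ -57,6 +57,8 @@` and `@@ -67,6 +69,11 @@`).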
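Review bot: `ref:$github_ref` in the `Build info` hunk (`@@ -196,13 +204,15 @@`) sits inside `cat << 'END'`, and the quoted delimiter disables parameter expansion, so the log will print the literal text `ref:$github_ref` instead of the ref; the move to `env:` is correct, but the value has to be emitted outside the quoted heredoc, e.g. `echo "ref:$github_ref"` placed before `cat << 'END'` with the `ref:` line removed from the heredoc body. The values left inline (`github.sha`, `github.run_number`, `github.event_name`, `github.event.action`, `github.event.issue.number`) are hex digits, integers or fixed event names, so leaving them in the quoted heredoc is not a concern. The same change is repeated in the `Build info` hunks of `.github/workflows/build-iroha1-fork.yml` (`@@ -200,13 +207,15 @@`, `@@ -379,13 +388,15 @@`, `@@ -659,13 +670,15 @@`, `@@ -952,13 +965,15 @@`, `@@ -1337,13 +1352,15 @@`, `@@ -1508,13 +1525,15 @@`).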
@@ -67,6 +69,11 @@ jobs: run: | echo "Pull requests from forks are not allowed to change Dockerfiles" false + - name: verify build depedencies script is not changed + if: steps.filter.outputs.build_dependecies == 'true' + run: | + echo "Pull requests from forks are not allowed to change build dependencies script" + false ## This job is to generate build matrixes for build jobs ## The matrixes depend on what is requeted to be build ## At the moment there are several options: @@ -200,13 +207,15 @@ jobs: - name: Build info run: | cat << 'END' - ref:${{github.ref}} + ref:$github_ref sha:${{github.sha}} run_number:${{github.run_number}} event_name:${{github.event_name}} event.action:${{github.event.action}} event.issue.number:${{ github.event.issue.number }} END + env: + github_ref: ${{ github.ref }} - name: REF and SHA of commented PR to ENV if: github.event.comment run: > @@ -379,13 +388,15 @@ jobs: - name: Build info run: | cat << 'END' - ref:${{github.ref}} + ref:$github_ref sha:${{github.sha}} run_number:${{github.run_number}} event_name:${{github.event_name}} event.action:${{github.event.action}} event.issue.number:${{ github.event.issue.number }} END + env: + github_ref: ${{ github.ref }} - name: export CC,BuildType from matrix.buildspec run: | echo >>$GITHUB_ENV OS=$(echo ${{matrix.buildspec}} | awk '{print $1}') @@ -659,13 +670,15 @@ jobs: - name: Build info run: | cat << 'END' - ref:${{github.ref}} + ref:$github_ref sha:${{github.sha}} run_number:${{github.run_number}} event_name:${{github.event_name}} event.action:${{github.event.action}} event.issue.number:${{ github.event.issue.number }} END + env: + github_ref: ${{ github.ref }} - name: export CC,BuildType from matrix.buildspec run: | echo >>$GITHUB_ENV OS=$(echo ${{matrix.buildspec}} | awk '{print $1}') 
@@ -952,13 +965,15 @@ jobs: - name: Build info run: | cat << 'END' - ref:${{github.ref}} + ref:$github_ref sha:${{github.sha}} run_number:${{github.run_number}} event_name:${{github.event_name}} event.action:${{github.event.action}} event.issue.number:${{ github.event.issue.number }} END + env: + github_ref: ${{ github.ref }} - name: export CC,BuildType from matrix.buildspec run: | echo >>$GITHUB_ENV OS=$(echo ${{matrix.buildspec}} | awk '{print $1}') @@ -1337,13 +1352,15 @@ jobs: - name: Build info run: | cat << 'END' - ref:${{github.ref}} + ref:$github_ref sha:${{github.sha}} run_number:${{github.run_number}} event_name:${{github.event_name}} event.action:${{github.event.action}} event.issue.number:${{ github.event.issue.number }} END + env: + github_ref: ${{ github.ref }} - name: export CC,BuildType from matrix.buildspec run: | echo >>$GITHUB_ENV OS=$(echo ${{matrix.buildspec}} | awk '{print $1}') @@ -1508,13 +1525,15 @@ jobs: - name: Build info run: | cat << 'END' - ref:${{github.ref}} + ref:$github_ref sha:${{github.sha}} run_number:${{github.run_number}} event_name:${{github.event_name}} event.action:${{github.event.action}} event.issue.number:${{ github.event.issue.number }} END + env: + github_ref: ${{ github.ref }} - name: export CC,BuildType from matrix.buildspec run: | echo >>$GITHUB_ENV OS=$(echo ${{matrix.buildspec}} | awk '{print $1}') From 7b4b4fed2296dfc984b824b749329b477b9ca7a4 Mon Sep 17 00:00:00 2001 From: safinsaf Date: Mon, 23 May 2022 11:39:42 +0300 Subject: [PATCH 6/8] Add read only permissions to all jobs that fo not deploy anything Signed-off-by: safinsaf --- .github/build-iroha1-fork.src.yml | 8 +++++++- .github/workflows/build-iroha1-fork.yml | 9 ++++++++- 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/.github/build-iroha1-fork.src.yml b/.github/build-iroha1-fork.src.yml index 69d5191fe99..7db4247cc4c 100644 --- a/.github/build-iroha1-fork.src.yml +++ b/.github/build-iroha1-fork.src.yml 
@@ -5,7 +5,7 @@ permissions: actions: read checks: read contents: read - deployments: none + deployments: read issues: read packages: write pull-requests: read @@ -30,6 +30,7 @@ jobs: ## Also checks that .github folder, Dockerfiles and scripts in docker directory are not changed check_if_pull_request_comes_from_fork: runs-on: ubuntu-20.04 #ubuntu-latest + permissions: read-all name: Pull requests from forks should use this workflow if: github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name steps: @@ -95,6 +96,7 @@ jobs: generate_matrixes: environment: test-env runs-on: ubuntu-20.04 + permissions: read-all needs: check_if_pull_request_comes_from_fork steps: - *step_show_context @@ -337,6 +339,7 @@ jobs: - Docker-iroha-builder - generate_matrixes runs-on: [ self-hosted, Linux ] + permissions: read-all container: ## Container is taken from previous job image: &container_image ${{needs.Docker-iroha-builder.outputs.container}} options: --user root @@ -619,6 +622,7 @@ jobs: needs: check_if_pull_request_comes_from_fork environment: test-env runs-on: macos-latest + permissions: read-all steps: - *step_show_context @@ -627,6 +631,7 @@ jobs: - prepare-macos-env - generate_matrixes runs-on: macos-latest #[ self-hosted, MacOS ] # + permissions: read-all strategy: fail-fast: false matrix: ${{ fromJSON( needs.generate_matrixes.outputs.matrix_macos ) }} @@ -688,6 +693,7 @@ jobs: needs: check_if_pull_request_comes_from_fork environment: test-env runs-on: windows-latest + permissions: read-all steps: - *step_show_context defaults: diff --git a/.github/workflows/build-iroha1-fork.yml b/.github/workflows/build-iroha1-fork.yml index 59db049f579..86022b5e120 100644 --- a/.github/workflows/build-iroha1-fork.yml +++ b/.github/workflows/build-iroha1-fork.yml @@ -7,7 +7,7 @@ permissions: actions: read checks: read contents: read - deployments: none + deployments: read issues: read packages: write pull-requests: read 
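Review bot: `deployments: none` becomes `deployments: read` at the workflow level, which widens the default token rather than narrowing it, and nothing in the commit message (read-only permissions for non-deploying jobs) explains why a fork-PR workflow needs to read deployments; unless a job uses that scope, keep `deployments: none`. For the per-job `permissions: read-all` added in the following hunks, note that it grants read on every scope, including ones the workflow-level block does not list, so for jobs that only check out code and run scripts an explicit map, `permissions:` followed by `  contents: read`, is tighter and documents intent; I cannot see each job's steps in full, so verify which scopes they actually call before narrowing. The workflow-level hunk is mirrored as `@@ -7,7 +7,7 @@` in `.github/workflows/build-iroha1-fork.yml`.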
@@ -28,6 +28,7 @@ jobs: ## Also checks that .github folder, Dockerfiles and scripts in docker directory are not changed check_if_pull_request_comes_from_fork: runs-on: ubuntu-20.04 #ubuntu-latest + permissions: read-all name: Pull requests from forks should use this workflow if: github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name steps: @@ -84,6 +85,7 @@ jobs: generate_matrixes: environment: test-env runs-on: ubuntu-20.04 + permissions: read-all needs: check_if_pull_request_comes_from_fork steps: - name: Show context @@ -347,6 +349,7 @@ jobs: - Docker-iroha-builder - generate_matrixes runs-on: [self-hosted, Linux] + permissions: read-all container: ## Container is taken from previous job image: ${{needs.Docker-iroha-builder.outputs.container}} options: --user root @@ -633,6 +636,7 @@ jobs: - Docker-iroha-builder - generate_matrixes runs-on: [self-hosted, Linux] + permissions: read-all container: ## Container is taken from previous job image: ${{needs.Docker-iroha-builder.outputs.container}} options: --user root @@ -918,6 +922,7 @@ jobs: needs: check_if_pull_request_comes_from_fork environment: test-env runs-on: macos-latest + permissions: read-all steps: - name: Show context run: | @@ -935,6 +940,7 @@ jobs: - prepare-macos-env - generate_matrixes runs-on: macos-latest #[ self-hosted, MacOS ] # + permissions: read-all strategy: fail-fast: false matrix: ${{ fromJSON( needs.generate_matrixes.outputs.matrix_macos ) }} @@ -1217,6 +1223,7 @@ jobs: needs: check_if_pull_request_comes_from_fork environment: test-env runs-on: windows-latest + permissions: read-all steps: - name: Show context run: | From e91ba1d48d839a5244b70cffd9ac340d81a84a32 Mon Sep 17 00:00:00 2001 From: safinsaf Date: Mon, 23 May 2022 12:50:38 +0300 Subject: [PATCH 7/8] Add work branch to workflow Signed-off-by: safinsaf --- .github/build-iroha1-fork.src.yml | 2 +- .github/workflows/build-iroha1-fork.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/.github/build-iroha1-fork.src.yml b/.github/build-iroha1-fork.src.yml index 7db4247cc4c..72ce4893912 100644 --- a/.github/build-iroha1-fork.src.yml +++ b/.github/build-iroha1-fork.src.yml @@ -16,7 +16,7 @@ permissions: ## This workflow is created for pull requests from forks and has less permissions than build-iroha1 workflow on: pull_request_target: - branches: [ main, support/1.*, edge, develop] + branches: [ main, support/1.*, edge, develop, hotfix/iroha-fork-injection ] paths-ignore: - '**.md' - '**.rst' diff --git a/.github/workflows/build-iroha1-fork.yml b/.github/workflows/build-iroha1-fork.yml index 86022b5e120..25068e1bd9b 100644 --- a/.github/workflows/build-iroha1-fork.yml +++ b/.github/workflows/build-iroha1-fork.yml @@ -17,7 +17,7 @@ permissions: ## This workflow is created for pull requests from forks and has less permissions than build-iroha1 workflow on: pull_request_target: - branches: [main, support/1.*, edge, develop] + branches: [main, support/1.*, edge, develop, hotfix/iroha-fork-injection] paths-ignore: - '**.md' - '**.rst' From 8593311936d58fcd81c00b03469c3fe2c9cfa91d Mon Sep 17 00:00:00 2001 From: safinsaf Date: Wed, 25 May 2022 09:59:26 +0300 Subject: [PATCH 8/8] Remove test branch Signed-off-by: safinsaf --- .github/build-iroha1-fork.src.yml | 2 +- .github/workflows/build-iroha1-fork.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/build-iroha1-fork.src.yml b/.github/build-iroha1-fork.src.yml index 72ce4893912..467abf79826 100644 --- a/.github/build-iroha1-fork.src.yml +++ b/.github/build-iroha1-fork.src.yml @@ -16,7 +16,7 @@ permissions: ## This workflow is created for pull requests from forks and has less permissions than build-iroha1 workflow on: pull_request_target: - branches: [ main, support/1.*, edge, develop, hotfix/iroha-fork-injection ] + branches: [ main, support/1.*, edge, develop ] paths-ignore: - '**.md' - '**.rst' 
diff --git a/.github/workflows/build-iroha1-fork.yml b/.github/workflows/build-iroha1-fork.yml index 25068e1bd9b..86022b5e120 100644 --- a/.github/workflows/build-iroha1-fork.yml +++ b/.github/workflows/build-iroha1-fork.yml @@ -17,7 +17,7 @@ permissions: ## This workflow is created for pull requests from forks and has less permissions than build-iroha1 workflow on: pull_request_target: - branches: [main, support/1.*, edge, develop, hotfix/iroha-fork-injection] + branches: [main, support/1.*, edge, develop] paths-ignore: - '**.md' - '**.rst'