This is a well repository to show how to modify a GitHub Package using write permission or GitHub Actions.
Reposiroty configuration:
main
has branch protection enabled with a review fromCODEOWNERS
- anyone in PagoPA GitHub Organization has
write
permission on this repository - repository package is a docker image
packages
doesn't inherit access from source repository- repository admins has
write
permission on thepackages
- GitHub Actions has no access to
packages
- a GitHub Bot has a
write
permission on this repository. We use a secretBOT_TOKEN
to authenticate the bot with a personal access token. The secret is configured as described here https://github.com/orgs/pagopa/example-good-repo-secrets
You can check packages
settings here https://github.com/orgs/pagopa/packages/container/example-good-repo-packages/settings
Safe scenario #1:
- a user with
write
permission try to modify an existing docker image taggedv2
inpackages
using his personal PAT token. The push operation fails becasuse the user doesn't havewrite
permission onpackages
.
docker login ghcr.io
> insert GITHUB_USERNAME
> insert GITHUB_PAT_TOKEN
docker build -f Dockerfile.evil -t ghcr.io/pagopa/example-good-repo-packages:v2 .
docker image push ghcr.io/pagopa/example-good-repo-packages:v2
Safe scenario #2:
- a user with
write
permission create a Pull Request to try getBOT_TOKEN
value. The GitHub Action fails to start because only a protected branch can useprod
environment (example Pull Request #1)
See this example https://github.com/pagopa/example-good-repo-packages