ci(fix): run ghcr build as separate workflow to fix permission issues…

… with forks
teslamate-org · Oct 19, 2024 · 0410593 · 0410593
1 parent 52ace50
commit 0410593
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 15 deletions.
diff --git a/.github/workflows/devops.yml b/.github/workflows/devops.yml
@@ -49,10 +49,3 @@ jobs:
       - ensure_linting
     if: needs.check_paths.outputs.githubfolder != 'true' || github.event_name == 'schedule'
     uses: ./.github/workflows/elixir_test.yml
-
-  ghcr_build:
-    needs:
-      - check_paths
-      - elixir_dep_verification_and_static_analysis
-    if: needs.check_paths.outputs.githubfolder != 'true'
-    uses: ./.github/workflows/ghcr_build.yml
diff --git a/.github/workflows/ghcr_build.yml b/.github/workflows/ghcr_build.yml
@@ -1,7 +1,13 @@
 name: Build GHCR images
 
 on:
-  workflow_call:
+  pull_request_target:
+    branches: ["master", "ci"]
+    paths:
+      - "**/*"
+      - "!.github/**" # Important: Exclude PRs related to .github from auto-run
+      - "!.github/workflows/**" # Important: Exclude PRs related to .github/workflows from auto-run
+      - "!.github/actions/**" # Important: Exclude PRs related to .github/actions from auto-run
 
 env:
   REGISTRY_IMAGE: ghcr.io/${{ github.repository }}
@@ -12,7 +18,6 @@ permissions:
 
 jobs:
   check_paths:
-    if: ${{ github.event_name != 'workflow_call' }}
     uses: ./.github/workflows/check_paths.yml
 
   teslamate_build:
@@ -37,10 +42,9 @@ jobs:
     timeout-minutes: 10
     steps:
       - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
-        if: ${{ github.event.pull_request.head.repo.full_name }} == ${{ github.repository }}
+        if: ${{ github.event_name != 'pull_request_target' }}
       - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
-        # coming from a fork
-        if: ${{ github.event.pull_request.head.repo.full_name }} != ${{ github.repository }}
+        if: ${{ github.event_name == 'pull_request_target' }}
         with:
           ref: ${{github.event.pull_request.head.ref}}
           repository: ${{github.event.pull_request.head.repo.full_name}}
@@ -52,7 +56,7 @@ jobs:
           repository_owner: ${{ github.repository_owner }}
           repository: ${{ github.repository }}
           github_token: ${{ secrets.GITHUB_TOKEN }}
-          version: ${{ github.head_ref || github.ref_name }}
+          version: ${{ github.ref_name }}
           labels: |
             org.opencontainers.image.version=${{ github.ref || github.ref_name }}
 
@@ -85,9 +89,9 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
-        if: ${{ github.event.pull_request.head.repo.full_name }} == ${{ github.repository }}
+        if: ${{ github.event_name != 'pull_request_target' }}
       - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
-        if: ${{ github.event.pull_request.head.repo.full_name }} != ${{ github.repository }}
+        if: ${{ github.event_name == 'pull_request_target' }}
         with:
           ref: ${{github.event.pull_request.head.ref}}
           repository: ${{github.event.pull_request.head.repo.full_name}}

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -46,6 +46,7 @@
 - ci: cleanup caches when pr is closed ([75cfc7c](https://github.com/teslamate-org/teslamate/commit/75cfc7cdd4b8f83f247211dc7fc5c5cd433bf746) - @JakobLichterfeld)
 - ci(fix): run ghcr build in DevOps workflow for forks ([688147e](https://github.com/teslamate-org/teslamate/commit/688147e2cf3fb5b55e702185a97a4a4ebb14d7ca) - @JakobLichterfeld)
 - ci(fix): correct syntax in ghcr_build workflow for workflow_call ([9e6a275](https://github.com/teslamate-org/teslamate/commit/9e6a2758d5ff21604976184ad69befc1c546e600) - @JakobLichterfeld)
+- ci(fix): run ghcr build as separate workflow to fix permission issues with forks ( - @JakobLichterfeld)
 
 #### Dashboards