From 0410593850cde00e8f201a9b7d6009f0581ed43c Mon Sep 17 00:00:00 2001
From: Jakob Lichterfeld
Date: Sat, 19 Oct 2024 12:54:07 +0200
Subject: [PATCH] ci(fix): run ghcr build as separate workflow to fix permission issues with forks
---
 .github/workflows/devops.yml | 7 -------
 .github/workflows/ghcr_build.yml | 20 ++++++++++++--------
 CHANGELOG.md | 1 +
 3 files changed, 13 insertions(+), 15 deletions(-)
diff --git a/.github/workflows/devops.yml b/.github/workflows/devops.yml
index f31b19b60f..9e93532914 100644
--- a/.github/workflows/devops.yml
+++ b/.github/workflows/devops.yml
@@ -49,10 +49,3 @@ jobs:
 - ensure_linting
 if: needs.check_paths.outputs.githubfolder != 'true' || github.event_name == 'schedule'
 uses: ./.github/workflows/elixir_test.yml
-
- ghcr_build:
- needs:
- - check_paths
- - elixir_dep_verification_and_static_analysis
- if: needs.check_paths.outputs.githubfolder != 'true'
- uses: ./.github/workflows/ghcr_build.yml
diff --git a/.github/workflows/ghcr_build.yml b/.github/workflows/ghcr_build.yml
index 1a8dd17ac7..38f7789ffc 100644
--- a/.github/workflows/ghcr_build.yml
+++ b/.github/workflows/ghcr_build.yml
@@ -1,7 +1,13 @@
 name: Build GHCR images
 on:
- workflow_call:
+ pull_request_target:
+ branches: ["master", "ci"]
+ paths:
+ - "**/*"
+ - "!.github/**" # Important: Exclude PRs related to .github from auto-run
+ - "!.github/workflows/**" # Important: Exclude PRs related to .github/workflows from auto-run
+ - "!.github/actions/**" # Important: Exclude PRs related to .github/actions from auto-run
 env:
 REGISTRY_IMAGE: ghcr.io/${{ github.repository }}
@@ -12,7 +18,6 @@ permissions:
 jobs:
 check_paths:
- if: ${{ github.event_name != 'workflow_call' }}
 uses: ./.github/workflows/check_paths.yml
 teslamate_build:
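Review bot: Switching the trigger to `pull_request_target` in the `@@ -1,7 +1,13 @@` hunk makes this workflow run in the base repository's context, so `secrets.GITHUB_TOKEN` carries whatever the `permissions:` block grants (its contents are not visible here) even for fork PRs, while the later hunks check out and build the fork's head. The `paths` negations do not prevent that combination: a path filter matches as soon as any changed file survives the patterns, so a PR that touches `.github/actions/**` plus one other file still starts the run, and the filter says nothing about the Dockerfile or build scripts the job executes. I would gate the build job on explicit maintainer approval (a protected `environment:` on the job, or a label check in its `if:`), or build under `pull_request` without write scopes and publish from a separate `workflow_run` job. The three `# Important:` comments should also state that they only limit automatic runs and are not a trust boundary.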
@@ -37,10 +42,9 @@ jobs:
 timeout-minutes: 10
 steps:
 - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- if: ${{ github.event.pull_request.head.repo.full_name }} == ${{ github.repository }}
+ if: ${{ github.event_name != 'pull_request_target' }}
 - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- # coming from a fork
- if: ${{ github.event.pull_request.head.repo.full_name }} != ${{ github.repository }}
+ if: ${{ github.event_name == 'pull_request_target' }}
 with:
 ref: ${{github.event.pull_request.head.ref}}
 repository: ${{github.event.pull_request.head.repo.full_name}}
@@ -52,7 +56,7 @@ jobs:
 repository_owner: ${{ github.repository_owner }}
 repository: ${{ github.repository }}
 github_token: ${{ secrets.GITHUB_TOKEN }}
- version: ${{ github.head_ref || github.ref_name }}
+ version: ${{ github.ref_name }}
 labels: |
 org.opencontainers.image.version=${{ github.ref || github.ref_name }}
@@ -85,9 +89,9 @@ jobs:
 runs-on: ubuntu-24.04
 steps:
 - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- if: ${{ github.event.pull_request.head.repo.full_name }} == ${{ github.repository }}
+ if: ${{ github.event_name != 'pull_request_target' }}
 - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- if: ${{ github.event.pull_request.head.repo.full_name }} != ${{ github.repository }}
+ if: ${{ github.event_name == 'pull_request_target' }}
 with:
 ref: ${{github.event.pull_request.head.ref}}
 repository: ${{github.event.pull_request.head.repo.full_name}}
diff --git a/CHANGELOG.md b/CHANGELOG.md
index a3da99f335..25dbdc3219 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
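Review bot: The fork checkout in the `@@ -37,10 +42,9 @@` hunk takes `ref: ${{github.event.pull_request.head.ref}}`, a branch name that can move after the run is triggered or approved; pinning it to `ref: ${{ github.event.pull_request.head.sha }}` makes the job build exactly the commit the event describes. Since the run is now `pull_request_target`, I would also add `persist-credentials: false` under `with:` so the token is not left in the workspace's git config while fork-controlled build steps run. The first checkout's `if: ${{ github.event_name != 'pull_request_target' }}` can never be true with this as the only trigger, so that step is dead and should be dropped or given a comment naming the trigger it is kept for. The same points apply to the identical pair of steps in the `@@ -85,9 +89,9 @@` hunk; in both hunks the `with:` block may continue past the last visible line.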
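Review bot: Under `pull_request_target`, `github.ref` is the pull request's base branch, so the new `version: ${{ github.ref_name }}` in the `@@ -52,7 +56,7 @@` hunk evaluates to `master` or `ci` for every PR rather than to anything PR-specific. If the step receiving these inputs (its `uses:` line is above the hunk) tags or pushes the image under `version`, an image built from fork code would be published under the base-branch tag, and concurrent PRs would overwrite each other. A PR-scoped value such as `version: pr-${{ github.event.pull_request.number }}` keeps untrusted builds apart from branch images. The unchanged `org.opencontainers.image.version` label is derived from `github.ref` and would mislabel the image in the same way.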
@@ -46,6 +46,7 @@
 - ci: cleanup caches when pr is closed ([75cfc7c](https://github.com/teslamate-org/teslamate/commit/75cfc7cdd4b8f83f247211dc7fc5c5cd433bf746) - @JakobLichterfeld)
 - ci(fix): run ghcr build in DevOps workflow for forks ([688147e](https://github.com/teslamate-org/teslamate/commit/688147e2cf3fb5b55e702185a97a4a4ebb14d7ca) - @JakobLichterfeld)
 - ci(fix): correct syntax in ghcr_build workflow for workflow_call ([9e6a275](https://github.com/teslamate-org/teslamate/commit/9e6a2758d5ff21604976184ad69befc1c546e600) - @JakobLichterfeld)
+- ci(fix): run ghcr build as separate workflow to fix permission issues with forks ( - @JakobLichterfeld)
 #### Dashboards