-
Notifications
You must be signed in to change notification settings - Fork 31
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ci(oci): push PR test images to ghcr #1133
Conversation
6f4b065
to
75a418d
Compare
@ebaron I think this approach is better than #1124 for various reasons, but this requires the action runner to have permission to push to |
We could use a PAT, or maybe it's less trouble to just create a "cryostat-dev" (or similar) Quay organization where we push the PR images. |
That's an option too. I think cleaning up the images after the PR is closed may be a little easier using ghcr and Actions, but it should still be doable on quay. One additional benefit of using a GitHub machine/bot account is I think the default visibility of those images would be to members of this cryostatio org only, so it they would be available for developer/reviewer ease of testing but wouldn't end up published somewhere visible for end users to pick up and use in unfinished states. |
I'll try creating a very restricted PAT from my own account to add to a secret and update this CI config that way to see how it works out. If we decide to go that way then a separate machine account can be made for that purpose. |
Sounds good. A bot account would also be a good replacement for my PAT used to sync the web-client submodule. |
I couldn't figure out the right combo of permissions to use with GitHub's new beta fine-grained PATs, but I was able to use a "classic" PAT to generate a limited token from my account that I can use to manually log in and push images to ghcr.io using the podman cli on my workstation. I added that as an org secret and updated the CI config to use that, and it's re-running now. |
Gah.
That seems to kill the idea of using a PAT, even one from a machine account, to push to ghcr.io. It would only be possible when the triggering event is the PR being merged and a workflow run against the newly-updated |
There is this: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target which is triggered when a PR is created and runs in the upstream repo's context rather than the fork's context, so it does have access to secrets. This is discouraged because it means that anyone who opens a PR can run an Action that has access to read our Secrets, so the PR could contain code that steals the secrets and records them elsewhere. That's all true and a good security consideration, but we do also have the organization access settings configured so that outside collaborators (non-members of the cryostatio org) require approval for their Actions to run on every PR. If we maintain that standard and don't approve PRs from outside collaborators before reading them then we would be okay, but truthfully this means we have to be that careful about our human process to avoid leaking secrets. |
There is the extra possibility that we can prevent the ghcr push job from running unless the PR has a specific label like |
I think we can check for that label in CI, and also use Mergify to automatically apply that label if the PR author is a member of the cryostatio GH org. This should minimize or eliminate any workflow disruption for our usual contributors while also leaving safeguards in-place to prevent secret leaks from untrusted code in PRs from external collaborators. |
f5ccbd7
to
706f29a
Compare
3e5ab25
to
2fc6ebf
Compare
Latest progress on my fork: https://github.com/andrewazores/cryostat/tree/ghcr-test-image , and andrewazores#6 as a demo of sorts I modified the config there to run on my fork (linked branch is merged in my Because the config now uses https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target
|
ebeecd3
to
1c598de
Compare
e5379a3
to
99fe380
Compare
Related to #1118
Closes #1124