132 changes: 83 additions & 49 deletions .github/workflows/bakery-build-native.yml
Expand Up @@ -75,10 +75,18 @@ defaults:
run:
shell: bash

# Security policy: No ${{ }} expressions in `run:` blocks.
# All expression values are assigned to `env:` and referenced as
# shell variables. This prevents script injection from runtime values
# (matrix outputs, secrets) and keeps the rule enforceable by zizmor
# without per-expression exceptions.

jobs:
matrix:
name: Image Matrix
runs-on: ubuntu-latest
permissions:
contents: read
outputs:
platform-matrix: ${{ steps.images-by-platform.outputs.platform_matrix }}
versions-matrix: ${{ steps.images-by-version.outputs.versions_matrix }}
Expand All @@ -94,15 +102,26 @@ jobs:

- name: Images by Version/Platform
id: images-by-platform
env:
DEV_VERSIONS: ${{ inputs.dev-versions }}
MATRIX_VERSIONS: ${{ inputs.matrix-versions }}
CONTEXT: ${{ inputs.context }}
run: |
echo "platform_matrix=$(bakery ci matrix --quiet --dev-versions ${{ inputs.dev-versions }} --matrix-versions ${{ inputs.matrix-versions }} --context ${{ inputs.context }} | jq --compact-output .)" >> $GITHUB_OUTPUT
echo "platform_matrix=$(bakery ci matrix --quiet --dev-versions "$DEV_VERSIONS" --matrix-versions "$MATRIX_VERSIONS" --context "$CONTEXT" | jq --compact-output .)" >> $GITHUB_OUTPUT
- name: Images by Version
id: images-by-version
env:
DEV_VERSIONS: ${{ inputs.dev-versions }}
MATRIX_VERSIONS: ${{ inputs.matrix-versions }}
CONTEXT: ${{ inputs.context }}
run: |
echo "versions_matrix=$(bakery ci matrix --quiet --dev-versions ${{ inputs.dev-versions }} --matrix-versions ${{ inputs.matrix-versions }} --exclude platform --context ${{ inputs.context }} | jq --compact-output .)" >> $GITHUB_OUTPUT
echo "versions_matrix=$(bakery ci matrix --quiet --dev-versions "$DEV_VERSIONS" --matrix-versions "$MATRIX_VERSIONS" --exclude platform --context "$CONTEXT" | jq --compact-output .)" >> $GITHUB_OUTPUT

build-test:
name: "Build/Test ${{ matrix.img.image }}:${{ matrix.img.version }} (${{ matrix.img.platform }})"
permissions:
contents: read
packages: write
needs: matrix
strategy:
fail-fast: false
Expand Down Expand Up @@ -141,18 +160,12 @@ jobs:
# this step sets an output that we can reference later.
- name: Filter Steps
id: filter-steps
env:
HAS_DOCKER_HUB: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN != '' }}
HAS_AWS_ROLE: ${{ secrets.AWS_ROLE != '' }}
run: |
if [ -n "${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}" ] ; then
echo "docker-hub=true" >> $GITHUB_OUTPUT
else
echo "docker-hub=false" >> $GITHUB_OUTPUT
fi

if [ -n "${{ secrets.AWS_ROLE }}" ] ; then
echo "ecr=true" >> $GITHUB_OUTPUT
else
echo "ecr=false" >> $GITHUB_OUTPUT
fi
echo "docker-hub=$HAS_DOCKER_HUB" >> $GITHUB_OUTPUT
echo "ecr=$HAS_AWS_ROLE" >> $GITHUB_OUTPUT

- name: Login to GitHub Container Registry
uses: docker/login-action@v4
Expand Down Expand Up @@ -190,35 +203,50 @@ jobs:
- name: Build
env:
GIT_SHA: ${{ github.sha }}
RETRY: ${{ inputs.retry }}
IMAGE_NAME: ${{ matrix.img.image }}
IMAGE_VERSION: ${{ matrix.img.version }}
IMAGE_PLATFORM: ${{ matrix.img.platform }}
DEV_VERSIONS: ${{ inputs.dev-versions }}
MATRIX_VERSIONS: ${{ inputs.matrix-versions }}
REGISTRY: ghcr.io/${{ github.repository_owner }}
NORMALIZED_PLATFORM: ${{ steps.normalize-platform.outputs.platform }}
CONTEXT: ${{ inputs.context }}
# Cache-to is conditional on --push (handled by bakery internally)
run: |
PLATFORM=${BUILD_PLATFORM#linux/} \
bakery build \
--strategy build --pull \
--retry ${{ inputs.retry }} \
--image-name '^${{ matrix.img.image }}$' \
--image-version ${{ matrix.img.version }} \
--image-platform ${{ matrix.img.platform }} \
--dev-versions ${{ inputs.dev-versions }} \
--matrix-versions ${{ inputs.matrix-versions }} \
--cache-registry "ghcr.io/${{ github.repository_owner }}" \
--temp-registry "ghcr.io/${{ github.repository_owner }}" \
--metadata-file "./${{ matrix.img.image }}-${{ matrix.img.version }}-${{ steps.normalize-platform.outputs.platform }}-metadata.json" \
--context ${{ inputs.context }} \
--retry "$RETRY" \
--image-name "^${IMAGE_NAME}$" \
--image-version "$IMAGE_VERSION" \
--image-platform "$IMAGE_PLATFORM" \
--dev-versions "$DEV_VERSIONS" \
--matrix-versions "$MATRIX_VERSIONS" \
--cache-registry "$REGISTRY" \
--temp-registry "$REGISTRY" \
--metadata-file "./${IMAGE_NAME}-${IMAGE_VERSION}-${NORMALIZED_PLATFORM}-metadata.json" \
--context "$CONTEXT" \
--push
- name: Test
env:
IMAGE_NAME: ${{ matrix.img.image }}
IMAGE_VERSION: ${{ matrix.img.version }}
IMAGE_PLATFORM: ${{ matrix.img.platform }}
DEV_VERSIONS: ${{ inputs.dev-versions }}
MATRIX_VERSIONS: ${{ inputs.matrix-versions }}
NORMALIZED_PLATFORM: ${{ steps.normalize-platform.outputs.platform }}
CONTEXT: ${{ inputs.context }}
run: |
PLATFORM=${BUILD_PLATFORM#linux/} \
GOSS_PATH=${GITHUB_WORKSPACE}/tools/goss \
DGOSS_PATH=${GITHUB_WORKSPACE}/tools/dgoss \
bakery run dgoss \
--image-name '^${{ matrix.img.image }}$' \
--image-version ${{ matrix.img.version }} \
--image-platform ${{ matrix.img.platform }} \
--dev-versions ${{ inputs.dev-versions }} \
--matrix-versions ${{ inputs.matrix-versions }} \
--metadata-file "./${{ matrix.img.image }}-${{ matrix.img.version }}-${{ steps.normalize-platform.outputs.platform }}-metadata.json" \
--context ${{ inputs.context }}
--image-name "^${IMAGE_NAME}$" \
--image-version "$IMAGE_VERSION" \
--image-platform "$IMAGE_PLATFORM" \
--dev-versions "$DEV_VERSIONS" \
--matrix-versions "$MATRIX_VERSIONS" \
--metadata-file "./${IMAGE_NAME}-${IMAGE_VERSION}-${NORMALIZED_PLATFORM}-metadata.json" \
--context "$CONTEXT"
- name: Upload Metadata
uses: actions/upload-artifact@v7
with:
Expand All @@ -228,6 +256,9 @@ jobs:

merge:
name: "Merge/Push ${{ matrix.img.image }}:${{ matrix.img.version }}"
permissions:
contents: read
packages: write
needs:
- matrix
- build-test
Expand Down Expand Up @@ -260,18 +291,12 @@ jobs:
# this step sets an output that we can reference later.
- name: Filter Steps
id: filter-steps
env:
HAS_DOCKER_HUB: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN != '' }}
HAS_AWS_ROLE: ${{ secrets.AWS_ROLE != '' }}
run: |
if [ -n "${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}" ] ; then
echo "docker-hub=true" >> $GITHUB_OUTPUT
else
echo "docker-hub=false" >> $GITHUB_OUTPUT
fi

if [ -n "${{ secrets.AWS_ROLE }}" ] ; then
echo "ecr=true" >> $GITHUB_OUTPUT
else
echo "ecr=false" >> $GITHUB_OUTPUT
fi
echo "docker-hub=$HAS_DOCKER_HUB" >> $GITHUB_OUTPUT
echo "ecr=$HAS_AWS_ROLE" >> $GITHUB_OUTPUT

- name: Login to GitHub Container Registry
uses: docker/login-action@v4
Expand Down Expand Up @@ -318,15 +343,21 @@ jobs:
- name: Merge/Push
env:
GIT_SHA: ${{ github.sha }}
CONTEXT: ${{ inputs.context }}
REGISTRY: ghcr.io/${{ github.repository_owner }}
PUSH: ${{ inputs.push }}
run: |
if [ "$PUSH" = "true" ]; then PUSH_FLAG=""; else PUSH_FLAG="--dry-run"; fi
bakery ci merge \
--context ${{ inputs.context }} \
--temp-registry "ghcr.io/${{ github.repository_owner }}" \
${{ inputs.push && ' \' || '--dry-run \' }}
--context "$CONTEXT" \
--temp-registry "$REGISTRY" \
$PUSH_FLAG \
*-metadata.json

readme:
name: Push READMEs
permissions:
contents: read
if: ${{ inputs.push }}
needs:
- merge
Expand All @@ -345,8 +376,11 @@ jobs:
env:
DOCKER_HUB_README_USERNAME: ${{ secrets.DOCKER_HUB_README_USERNAME }}
DOCKER_HUB_README_PASSWORD: ${{ secrets.DOCKER_HUB_README_PASSWORD }}
CONTEXT: ${{ inputs.context }}
DEV_VERSIONS: ${{ inputs.dev-versions }}
MATRIX_VERSIONS: ${{ inputs.matrix-versions }}
run: |
bakery ci readme \
--context ${{ inputs.context }} \
--dev-versions ${{ inputs.dev-versions }} \
--matrix-versions ${{ inputs.matrix-versions }}
--context "$CONTEXT" \
--dev-versions "$DEV_VERSIONS" \
--matrix-versions "$MATRIX_VERSIONS"
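Review bot: In the matrix job's two steps, the new `echo "platform_matrix=$(bakery ci matrix … | jq --compact-output .)" >> $GITHUB_OUTPUT` line (and the `versions_matrix` line below it) masks a failing `bakery ci matrix` or `jq`: the exit status that `-eo pipefail` checks is `echo`'s, the substitution's status is discarded, so the step succeeds and records an empty `platform_matrix=`, and whatever consumes that output presumably sees an empty matrix rather than a failed workflow. Assigning first lets the status propagate: `PLATFORM_MATRIX=$(bakery ci matrix --quiet --dev-versions "$DEV_VERSIONS" --matrix-versions "$MATRIX_VERSIONS" --context "$CONTEXT" | jq --compact-output .)` followed by `echo "platform_matrix=$PLATFORM_MATRIX" >> "$GITHUB_OUTPUT"`, with the same two-line shape for `versions_matrix`. Quoting `"$GITHUB_OUTPUT"` there also matches the rest of the change, which now quotes every expansion inside the run blocks. The earlier steps of the matrix job lie outside the hunk.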
Loading