Skip to content

ci(build-ci-image): use pull_request_target so fork PRs can access DEPOT_PROJECT_ID#7327

Merged
pingsutw merged 4 commits into
mainfrom
ci-build-ci-image-pull-request-target
May 1, 2026
Merged

ci(build-ci-image): use pull_request_target so fork PRs can access DEPOT_PROJECT_ID#7327
pingsutw merged 4 commits into
mainfrom
ci-build-ci-image-pull-request-target

Conversation

@pingsutw
Copy link
Copy Markdown
Member

@pingsutw pingsutw commented May 1, 2026

Why

Same root cause as #7320 (which fixed `flyte-binary-v2.yml`): the `Build and Publish CI Docker Image` workflow validates and uses `vars.DEPOT_PROJECT_ID`, but GitHub does not pass repository variables to workflows triggered by `pull_request` events from forks. As a result, the `Validate Depot project id` step fails on every fork PR (e.g. PR #7326 from `Sovietaced/flyte`):

```
##[error]DEPOT_PROJECT_ID repo variable is not set.
```

What changed

  • `pull_request` → `pull_request_target` so `vars.*` is available.
  • `actions/checkout@v4` pinned to `github.event.pull_request.head.sha || github.sha` with `persist-credentials: false` so the workflow builds the PR's Dockerfile (default for `pull_request_target` would be the base ref) without leaking the base-repo `GITHUB_TOKEN` into fork-controlled code.
  • `event_name == 'pull_request'` checks updated to also match `pull_request_target`.

Security considerations

  • The image push tag is namespaced to `pr-`, so fork PRs can only push to their own PR-scoped tag, not overwrite `latest`/`v2`.
  • The PR comment step is also bounded to the triggering PR.
  • The base-repo value exposed to fork code is `vars.DEPOT_PROJECT_ID` (a public Depot project id, not a credential). Auth to Depot uses OIDC.

Test plan

  • In-repo branches still build and push.
  • After merge, fork PR Update Go to 1.25 #7326 re-runs and `Validate Depot project id` passes.
  • Fork PR builds publish under `pr-` tag, no overwrite of `latest`.

@pingsutw
ci(build-ci-image): switch to pull_request_target so fork PRs see DEP…
9380891 
…OT_PROJECT_ID

Same fix as flyte-binary-v2: pull_request from a fork doesn't receive vars.*, so DEPOT_PROJECT_ID is empty and Validate fails. pull_request_target runs in the base-repo context where vars are available. Checkout pins to the PR head SHA (with persist-credentials: false) so fork-authored Dockerfile content is what gets built. Updated event_name guards to also match pull_request_target.

Signed-off-by: Kevin Su <pingsutw@apache.org>
Copilot AI review requested due to automatic review settings May 1, 2026 00:28
@github-actions github-actions Bot added the flyte2 label May 1, 2026
@pingsutw
nit
cb6a328 
Signed-off-by: Kevin Su <pingsutw@apache.org>
Copilot AI reviewed May 1, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the “Build and Publish CI Docker Image” GitHub Actions workflow to run for fork PRs by switching to pull_request_target, so repository variables (notably vars.DEPOT_PROJECT_ID) are available and Depot builds can proceed.

Changes:

  • Switch workflow trigger from pull_request to pull_request_target and document the security tradeoff.
  • Pin checkout to the PR head SHA (with persist-credentials: false) so the PR’s Dockerfile/content is built under pull_request_target.
  • Update PR-only conditionals to also run under pull_request_target.
Comments suppressed due to low confidence (1)

.github/workflows/build-ci-image.yml:14

  • Switching this workflow to pull_request_target makes the job run with base-repo permissions (packages: write, pull-requests: write, id-token: write) and it currently logs into GHCR with secrets.GITHUB_TOKEN and pushes images unconditionally. For fork PRs this means untrusted PR code can publish images to the base repo’s GHCR namespace, and because docker/metadata-action enables latest/v2 based on github.ref (which is the base branch ref under pull_request_target), a fork PR targeting main can end up tagging/pushing :latest (and similarly for v2). This also creates a supply-chain risk for privileged workflows that pull ci:pr-<N> (e.g. /regen jobs). Please gate GHCR login/push (and any packages: write) to pushes and/or in-repo PRs only (e.g. head.repo.full_name == github.repository + label), and ensure PR builds only ever produce pr-<N> tags (never latest/v2).
  pull_request_target:
    paths:
      - 'gen.Dockerfile'
      - '.github/workflows/build-ci-image.yml'
  workflow_dispatch:

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Sovietaced
Sovietaced previously approved these changes May 1, 2026
View reviewed changes
@pingsutw
ci(check-generate): drop event filter when polling build-ci-image runs
93dd03f 
build-ci-image.yml now triggers on pull_request_target (so fork PRs get vars.DEPOT_PROJECT_ID), but check-generate filtered listWorkflowRuns by event='pull_request', so it never found the run and timed out after 20m. Match by head_sha only — sufficient since the head SHA uniquely identifies the PR build.

Signed-off-by: Kevin Su <pingsutw@apache.org>
@pingsutw
tet
9c14dd1 
Signed-off-by: Kevin Su <pingsutw@apache.org>
Copilot AI review requested due to automatic review settings May 1, 2026 00:43
Copilot AI reviewed May 1, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/build-ci-image.yml
Comment on lines 9 to 13
- '.github/workflows/build-ci-image.yml'
pull_request:
pull_request_target:
paths:
- 'gen.Dockerfile'
- '.github/workflows/build-ci-image.yml'
Copy link

Copilot AI May 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Switching this workflow to pull_request_target changes github.ref to the PR base branch (e.g. refs/heads/main). With the current docker/metadata-action config and unconditional push: true, fork PRs can end up pushing branch tags (e.g. main) and also latest/v2 (because the enable expressions use github.ref). This contradicts the PR description’s “pr- only” guarantee and is a security/operational risk (tag overwrite). Consider gating pushing to base-repo PRs only (e.g. head.repo.full_name == github.repository) and/or making tags PR-scoped when event_name == 'pull_request_target' (disable latest/v2/branch tags on PR runs).

Copilot uses AI. Check for mistakes.
@pingsutw pingsutw merged commit e98ebfa into main May 1, 2026
21 of 22 checks passed
@pingsutw pingsutw deleted the ci-build-ci-image-pull-request-target branch May 1, 2026 01:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@Sovietaced Sovietaced Sovietaced approved these changes

Assignees

No one assigned

Labels

flyte2

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@pingsutw @Sovietaced