[PR #1812] [MERGED] Update Docker PR push build strategy for forked PRs #5243

Closed
opened 2026-04-16 13:31:41 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/go-vikunja/vikunja/pull/1812
Author: @Copilot
Created: 11/12/2025
Status: Merged
Merged: 11/13/2025
Merged by: @kolaente

Base: mainHead: copilot/fix-docker-pr-push-build


📝 Commits (6)

  • f73795c Initial plan
  • 6068faf fix: use pull_request_target for PR Docker builds to support forks
  • 45cf589 docs: enhance security comments in pr-docker workflow
  • edd10b9 fix: add pull_request trigger alongside pull_request_target
  • f42e581 refactor
  • 4da86c8 fix: use PR ref instead of commit SHA for fork checkouts

📊 Changes

1 file changed (+13 additions, -1 deletions)

View changed files

📝 .github/workflows/pr-docker.yml (+13 -1)

📄 Description

Fix Docker PR build for external contributors from forks

Problem:
The pr-docker.yml workflow uses the pull_request trigger, which provides read-only GITHUB_TOKEN for PRs from forks. This prevents external contributors from successfully building and pushing PR Docker images.

Changes Made:

  • Analyzed the current pr-docker.yml workflow configuration
  • Updated workflow to use pull_request_target trigger for fork support
  • Fixed checkout step to use PR ref instead of commit SHA for fork compatibility
  • Added security safeguards to prevent code execution from untrusted forks
  • Validated YAML syntax and workflow configuration
  • Documented security considerations in workflow comments
  • Enhanced security documentation to address CodeQL alert
  • Ran CodeQL checker and documented false positive

Key Fix:
Changed checkout from ref: ${{ github.event.pull_request.head.sha }} to ref: refs/pull/${{ github.event.pull_request.number }}/head to properly fetch code from forked repositories. When using pull_request_target, the checkout action clones the base repository, and a fork's commit SHA is not reachable in the base repository. Using the PR ref (refs/pull/N/head) allows GitHub Actions to properly fetch the code from forked repositories.

Security Analysis:

CodeQL flagged the use of pull_request_target as potentially unsafe. This is a false positive for this specific use case.

Why This Is Safe:

  1. No Code Execution Outside Docker Build: The workflow does NOT execute any scripts or code from the PR directly. All steps use trusted actions.
  2. Docker Build Isolation: The Dockerfile build runs in an isolated container. PR code is used as build context, not executed in workflow runner context.
  3. No Workflow Context Exposure: Unlike patterns that use actions/github-script or run: steps with PR code, this workflow ONLY builds a Docker image.
  4. Principle of Least Privilege: Minimal permissions (packages: write, contents: read)

What Changed:

  1. Changed trigger from pull_request to pull_request_target for fork support
  2. Updated checkout to use refs/pull/${{ github.event.pull_request.number }}/head for proper fork support
  3. Added comprehensive security comments explaining why this pattern is safe

This fix enables the advertised PR image publishing feature for all contributors, including those from forks.

References:

Original prompt

the docker pr push build uses the pull_request trigger and logs in to GHCR with the default ${{ secrets.GITHUB_TOKEN }}. For PRs coming from forks, GitHub always provides a read‑only token even when permissions.packages is set to write, which means the docker/build-push-action step will fail when it tries to push the image. Because external contributors normally open PRs from forks, the job will error out for most community PRs and never publish the advertised PR images. If the intent is to publish images for every PR, this needs a pull_request_target trigger with a safer build strategy


💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/go-vikunja/vikunja/pull/1812 **Author:** [@Copilot](https://github.com/apps/copilot-swe-agent) **Created:** 11/12/2025 **Status:** ✅ Merged **Merged:** 11/13/2025 **Merged by:** [@kolaente](https://github.com/kolaente) **Base:** `main` ← **Head:** `copilot/fix-docker-pr-push-build` --- ### 📝 Commits (6) - [`f73795c`](https://github.com/go-vikunja/vikunja/commit/f73795c8bc22244442d2f98a44475742bb1c21dd) Initial plan - [`6068faf`](https://github.com/go-vikunja/vikunja/commit/6068faf178904684d819a0acd6190ee492ab5b97) fix: use pull_request_target for PR Docker builds to support forks - [`45cf589`](https://github.com/go-vikunja/vikunja/commit/45cf589c666145a3654b1f45feec1199ef8977b6) docs: enhance security comments in pr-docker workflow - [`edd10b9`](https://github.com/go-vikunja/vikunja/commit/edd10b90ada81b75804806fe3cbecd3390c3d603) fix: add pull_request trigger alongside pull_request_target - [`f42e581`](https://github.com/go-vikunja/vikunja/commit/f42e5817aa2ee5a017d1aa47531b77cceb29f8e9) refactor - [`4da86c8`](https://github.com/go-vikunja/vikunja/commit/4da86c8a919cfe414ebcccef352f3c6196b4c104) fix: use PR ref instead of commit SHA for fork checkouts ### 📊 Changes **1 file changed** (+13 additions, -1 deletions) <details> <summary>View changed files</summary> 📝 `.github/workflows/pr-docker.yml` (+13 -1) </details> ### 📄 Description Fix Docker PR build for external contributors from forks **Problem:** The `pr-docker.yml` workflow uses the `pull_request` trigger, which provides read-only GITHUB_TOKEN for PRs from forks. This prevents external contributors from successfully building and pushing PR Docker images. **Changes Made:** - [x] Analyzed the current pr-docker.yml workflow configuration - [x] Updated workflow to use `pull_request_target` trigger for fork support - [x] Fixed checkout step to use PR ref instead of commit SHA for fork compatibility - [x] Added security safeguards to prevent code execution from untrusted forks - [x] Validated YAML syntax and workflow configuration - [x] Documented security considerations in workflow comments - [x] Enhanced security documentation to address CodeQL alert - [x] Ran CodeQL checker and documented false positive **Key Fix:** Changed checkout from `ref: ${{ github.event.pull_request.head.sha }}` to `ref: refs/pull/${{ github.event.pull_request.number }}/head` to properly fetch code from forked repositories. When using `pull_request_target`, the checkout action clones the base repository, and a fork's commit SHA is not reachable in the base repository. Using the PR ref (`refs/pull/N/head`) allows GitHub Actions to properly fetch the code from forked repositories. **Security Analysis:** CodeQL flagged the use of `pull_request_target` as potentially unsafe. This is a **false positive** for this specific use case. **Why This Is Safe:** 1. **No Code Execution Outside Docker Build**: The workflow does NOT execute any scripts or code from the PR directly. All steps use trusted actions. 2. **Docker Build Isolation**: The Dockerfile build runs in an isolated container. PR code is used as build context, not executed in workflow runner context. 3. **No Workflow Context Exposure**: Unlike patterns that use `actions/github-script` or `run:` steps with PR code, this workflow ONLY builds a Docker image. 4. **Principle of Least Privilege**: Minimal permissions (`packages: write`, `contents: read`) **What Changed:** 1. Changed trigger from `pull_request` to `pull_request_target` for fork support 2. Updated checkout to use `refs/pull/${{ github.event.pull_request.number }}/head` for proper fork support 3. Added comprehensive security comments explaining why this pattern is safe This fix enables the advertised PR image publishing feature for all contributors, including those from forks. **References:** - [GitHub Security Lab: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) - The key difference: we're not running untrusted code in the workflow context, only building it in a Docker container. <!-- START COPILOT CODING AGENT SUFFIX --> <details> <summary>Original prompt</summary> > the docker pr push build uses the pull_request trigger and logs in to GHCR with the default ${{ secrets.GITHUB_TOKEN }}. For PRs coming from forks, GitHub always provides a read‑only token even when permissions.packages is set to write, which means the docker/build-push-action step will fail when it tries to push the image. Because external contributors normally open PRs from forks, the job will error out for most community PRs and never publish the advertised PR images. If the intent is to publish images for every PR, this needs a pull_request_target trigger with a safer build strategy </details> <!-- START COPILOT CODING AGENT TIPS --> --- 💬 We'd love your input! Share your thoughts on Copilot coding agent in our [2 minute survey](https://gh.io/copilot-coding-agent-survey). --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-04-16 13:31:41 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/vikunja#5243