scout-action
Not usable for PRs from forks
Currently this action is not usable for PRs from forks because secrets are not available in this case – and you currently enforce a login to Docker Hub.
The recommended solution (see Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests) is to split this up into two parts. For this action this probably would mean:
- Work without credentials for PRs from forks in `on pull_request:`
  - Build the image with `outputs: type=oci,dest=image.tar`
  - Upload the PR number and the image tarball as artifacts
- In `on workflow_run:`
  - Download the artifacts
  - Log in to Docker Hub
  - Run `docker/scout-action` with `image: archive://image.tar` and giving the PR number as an option
Actually, most of this should be doable today already. But I don't see how the action gets the correct PR to comment on in this case. This probably will need a new config to pass the PR number.
(Of course it would be a lot easier if the Scout service had a different way to authenticate. Maybe via the "Docker Inc" GitHub app?)