Don't store the resulting image for PRs

Moving this out of the security scope of the repository would make that we need to store this for the `github.author`. As we never used this before it's now taken out.
DOMjudge · Jun 2, 2024 · 02e8da0 · 02e8da0
1 parent c1e3d42
commit 02e8da0
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 8 deletions.
diff --git a/.github/workflows/build-contributor-container-PR.yml b/.github/workflows/build-contributor-container-PR.yml
@@ -41,7 +41,7 @@ jobs:
         with:
           context: docker-contributor
           platforms: linux/amd64,linux/arm64
-          push: true
+          push: false
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
 
diff --git a/.github/workflows/build-domjudge-container-PR.yml b/.github/workflows/build-domjudge-container-PR.yml
@@ -58,30 +58,29 @@ jobs:
         run: |
           cd docker
           set -x
-          sh ./build.sh "${{ env.DOMJUDGE_VERSION }}" ${{ github.actor }}
+          sh ./build.sh "${{ env.DOMJUDGE_VERSION }}"
           set +x
 
-      - run: docker image list
-
       - name: Build and push
         run: |
           for IMG in domserver judgehost default-judgehost-chroot; do
             echo "::group::$IMG"
             IMAGE_NAME="${GITHUB_REPOSITORY_OWNER@L}/$IMG:${{ env.DOMJUDGE_VERSION }}"
             docker image tag "$IMAGE_NAME" ghcr.io/${GITHUB_REPOSITORY_OWNER@L}/$IMG:${{ env.PR_TAG }}
             docker image tag "$IMAGE_NAME" ${GITHUB_REPOSITORY_OWNER@L}/$IMG:${{ env.PR_TAG }}
-            docker push ghcr.io/${GITHUB_REPOSITORY_OWNER@L}/$IMG:${{ env.PR_TAG }}
             echo "::endgroup::"
           done
 
+      - run: docker image list
+
       - name: Check for wrong permisions
         run: |
           docker image list
           set -x
           for IMG in domserver judgehost; do
-            files=$(docker run --rm --pull=never "${{ github.repository_owner }}/$IMG:${{ env.PR_TAG }}" find / -xdev -perm -o+w ! -type l ! \( -type d -a -perm -+t \) ! -type c)
+            files=$(docker run --rm --pull=never "domjudge/$IMG:${{ env.PR_TAG }}" find / -xdev -perm -o+w ! -type l ! \( -type d -a -perm -+t \) ! -type c)
             if [ -n "$files" ]; then
-              echo "error: image ${{ github.repository_owner }}/$IMG:${{ env.PR_TAG }} contains world-writable files:" >&2
+              echo "error: image domjudge/$IMG:${{ env.PR_TAG }} contains world-writable files:" >&2
               printf "%s\n" "$files" >&2
               exit 1
             fi

diff --git a/.github/workflows/build-gitlab-container-PR.yml b/.github/workflows/build-gitlab-container-PR.yml
@@ -42,7 +42,7 @@ jobs:
         uses: docker/build-push-action@v5
         with:
           context: "./docker-gitlabci" 
-          push: true
+          push: false
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}