From 02e8da0fed8a2694a23d0bbb572d8fd0f618c65d Mon Sep 17 00:00:00 2001 From: Michael Vasseur Date: Sun, 2 Jun 2024 16:13:48 +0200 Subject: [PATCH] Don't store the resulting image for PRs Moving this out of the security scope of the repository would make that we need to store this for the `github.author`. As we never used this before it's now taken out. --- .github/workflows/build-contributor-container-PR.yml | 2 +- .github/workflows/build-domjudge-container-PR.yml | 11 +++++------ .github/workflows/build-gitlab-container-PR.yml | 2 +- 3 files changed, 7 insertions(+), 8 deletions(-) diff --git a/.github/workflows/build-contributor-container-PR.yml b/.github/workflows/build-contributor-container-PR.yml index 90fcc57..889466c 100644 --- a/.github/workflows/build-contributor-container-PR.yml +++ b/.github/workflows/build-contributor-container-PR.yml @@ -41,7 +41,7 @@ jobs: with: context: docker-contributor platforms: linux/amd64,linux/arm64 - push: true + push: false tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} diff --git a/.github/workflows/build-domjudge-container-PR.yml b/.github/workflows/build-domjudge-container-PR.yml index 80a170c..ae4e8a4 100644 --- a/.github/workflows/build-domjudge-container-PR.yml +++ b/.github/workflows/build-domjudge-container-PR.yml @@ -58,11 +58,9 @@ jobs: run: | cd docker set -x - sh ./build.sh "${{ env.DOMJUDGE_VERSION }}" ${{ github.actor }} + sh ./build.sh "${{ env.DOMJUDGE_VERSION }}" set +x - - run: docker image list - - name: Build and push run: | for IMG in domserver judgehost default-judgehost-chroot; do 
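Review bot: With `push: false` this step no longer needs registry credentials, so any `docker/login-action` step or `packages: write` permission the job still declares (outside this hunk, if present) can be dropped to keep the PR workflow at least privilege; the same applies to the identical `push: false` hunk in build-gitlab-container-PR.yml. Because the step builds `platforms: linux/amd64,linux/arm64` and sets no `load:`, the result is not loaded into the runner's docker daemon, so `tags:` and `labels:` now only show up in the build log; if a local image is wanted for checks, `load: true` works for a single platform only. The enclosing step starts before this hunk.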
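Review bot: The version is still spliced into the script text through the expression `"${{ env.DOMJUDGE_VERSION }}"` on the new `sh ./build.sh` line; since it comes from the `env` context it is also exported to the step's shell, so `sh ./build.sh "$DOMJUDGE_VERSION"` reads it as an ordinary variable and keeps the script free of expression interpolation, the same hardening that dropping `${{ github.actor }}` gives. Dropping the actor argument also means the image name now depends on build.sh's default, which this hunk does not show; a one-line comment above the call stating which owner prefix build.sh applies would let the next reader relate it to the `IMAGE_NAME` used by the following step. The enclosing build step starts before this hunk and the "Build and push" step continues after it.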
@@ -70,18 +68,19 @@ jobs: IMAGE_NAME="${GITHUB_REPOSITORY_OWNER@L}/$IMG:${{ env.DOMJUDGE_VERSION }}" docker image tag "$IMAGE_NAME" ghcr.io/${GITHUB_REPOSITORY_OWNER@L}/$IMG:${{ env.PR_TAG }} docker image tag "$IMAGE_NAME" ${GITHUB_REPOSITORY_OWNER@L}/$IMG:${{ env.PR_TAG }} - docker push ghcr.io/${GITHUB_REPOSITORY_OWNER@L}/$IMG:${{ env.PR_TAG }} echo "::endgroup::" done + - run: docker image list + - name: Check for wrong permisions run: | docker image list set -x for IMG in domserver judgehost; do - files=$(docker run --rm --pull=never "${{ github.repository_owner }}/$IMG:${{ env.PR_TAG }}" find / -xdev -perm -o+w ! -type l ! \( -type d -a -perm -+t \) ! -type c) + files=$(docker run --rm --pull=never "domjudge/$IMG:${{ env.PR_TAG }}" find / -xdev -perm -o+w ! -type l ! \( -type d -a -perm -+t \) ! -type c) if [ -n "$files" ]; then - echo "error: image ${{ github.repository_owner }}/$IMG:${{ env.PR_TAG }} contains world-writable files:" >&2 + echo "error: image domjudge/$IMG:${{ env.PR_TAG }} contains world-writable files:" >&2 printf "%s\n" "$files" >&2 exit 1 fi diff --git a/.github/workflows/build-gitlab-container-PR.yml b/.github/workflows/build-gitlab-container-PR.yml index 0b02c3c..ffdb67f 100644 --- a/.github/workflows/build-gitlab-container-PR.yml +++ b/.github/workflows/build-gitlab-container-PR.yml @@ -42,7 +42,7 @@ jobs: uses: docker/build-push-action@v5 with: context: "./docker-gitlabci" - push: true + push: false tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }}
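Review bot: The permission check now hard-codes `domjudge/$IMG:${{ env.PR_TAG }}`, while the image tagged a few lines above in the same hunk is `${GITHUB_REPOSITORY_OWNER@L}/$IMG:${{ env.PR_TAG }}`; the two names coincide only when the repository owner lower-cases to `domjudge`, so on a fork the `docker run --rm --pull=never` is likely to fail on a missing image instead of scanning the image just built (assuming build.sh, not shown here, still produces the `$IMAGE_NAME` tag). Reusing the lower-cased expansion in both changed lines, `files=$(docker run --rm --pull=never "${GITHUB_REPOSITORY_OWNER@L}/$IMG:${{ env.PR_TAG }}" find / -xdev -perm -o+w ! -type l ! \( -type d -a -perm -+t \) ! -type c)` and `echo "error: image ${GITHUB_REPOSITORY_OWNER@L}/$IMG:${{ env.PR_TAG }} contains world-writable files:" >&2`, keeps the world-writable-file check pointed at the workflow's own output on any owner. The step name `Build and push` is now misleading since the `docker push` line is gone, and `Check for wrong permisions` is missing an s. The step owning the `done` starts before this hunk and the check step continues after it.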