mirror of
https://github.com/aljazceru/kata-containers.git
synced 2026-01-04 15:04:25 +01:00
e0d6475b49
We have GH configured so that manual approval is required for CI runs triggered by outside contributors. However, because CI is triggered by the `pull_request_target` event, this setting isn't being honored (see [1]). This means that an attacker could trivially extracts secrets by submitting a PR. This change aims to mititgate this issue by preventing PRs from triggering CI unless the `ok-to-test` label is set. Note: For further context, we use the `pull_request_target` event and manually check out the PR branch because it is the only way to both access secrets and test incoming code changes. Fixes: #7163 [1]: https://docs.github.com/en/actions/managing-workflow-runs/approving-workflow-runs-from-public-forks Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
77 lines
3.2 KiB
YAML
77 lines
3.2 KiB
YAML
name: Kata Containers CI
|
|
on:
|
|
pull_request_target:
|
|
branches:
|
|
- 'main'
|
|
types:
|
|
# Adding 'labeled' to the list of activity types that trigger this event
|
|
# (default: opened, synchronize, reopened) so that we can run this
|
|
# workflow when the 'ok-to-test' label is added.
|
|
# Reference: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target
|
|
- opened
|
|
- synchronize
|
|
- reopened
|
|
- labeled
|
|
|
|
jobs:
|
|
build-kata-static-tarball-amd64:
|
|
if: ${{ contains(github.event.pull_request.labels.*.name, 'ok-to-test') }}
|
|
uses: ./.github/workflows/build-kata-static-tarball-amd64.yaml
|
|
with:
|
|
tarball-suffix: -${{ github.event.pull_request.number}}-${{ github.event.pull_request.head.sha }}
|
|
|
|
publish-kata-deploy-payload-amd64:
|
|
if: ${{ contains(github.event.pull_request.labels.*.name, 'ok-to-test') }}
|
|
needs: build-kata-static-tarball-amd64
|
|
uses: ./.github/workflows/publish-kata-deploy-payload-amd64.yaml
|
|
with:
|
|
tarball-suffix: -${{ github.event.pull_request.number}}-${{ github.event.pull_request.head.sha }}
|
|
registry: ghcr.io
|
|
repo: ${{ github.repository_owner }}/kata-deploy-ci
|
|
tag: ${{ github.event.pull_request.number }}-${{ github.event.pull_request.head.sha }}-amd64
|
|
secrets: inherit
|
|
|
|
run-k8s-tests-on-aks:
|
|
if: ${{ contains(github.event.pull_request.labels.*.name, 'ok-to-test') }}
|
|
needs: publish-kata-deploy-payload-amd64
|
|
uses: ./.github/workflows/run-k8s-tests-on-aks.yaml
|
|
with:
|
|
registry: ghcr.io
|
|
repo: ${{ github.repository_owner }}/kata-deploy-ci
|
|
tag: ${{ github.event.pull_request.number }}-${{ github.event.pull_request.head.sha }}-amd64
|
|
secrets: inherit
|
|
|
|
run-k8s-tests-on-sev:
|
|
if: ${{ contains(github.event.pull_request.labels.*.name, 'ok-to-test') }}
|
|
needs: publish-kata-deploy-payload-amd64
|
|
uses: ./.github/workflows/run-k8s-tests-on-sev.yaml
|
|
with:
|
|
registry: ghcr.io
|
|
repo: ${{ github.repository_owner }}/kata-deploy-ci
|
|
tag: ${{ github.event.pull_request.number }}-${{ github.event.pull_request.head.sha }}-amd64
|
|
|
|
run-k8s-tests-on-snp:
|
|
if: ${{ contains(github.event.pull_request.labels.*.name, 'ok-to-test') }}
|
|
needs: publish-kata-deploy-payload-amd64
|
|
uses: ./.github/workflows/run-k8s-tests-on-snp.yaml
|
|
with:
|
|
registry: ghcr.io
|
|
repo: ${{ github.repository_owner }}/kata-deploy-ci
|
|
tag: ${{ github.event.pull_request.number }}-${{ github.event.pull_request.head.sha }}-amd64
|
|
|
|
run-k8s-tests-on-tdx:
|
|
if: ${{ contains(github.event.pull_request.labels.*.name, 'ok-to-test') }}
|
|
needs: publish-kata-deploy-payload-amd64
|
|
uses: ./.github/workflows/run-k8s-tests-on-tdx.yaml
|
|
with:
|
|
registry: ghcr.io
|
|
repo: ${{ github.repository_owner }}/kata-deploy-ci
|
|
tag: ${{ github.event.pull_request.number }}-${{ github.event.pull_request.head.sha }}-amd64
|
|
|
|
run-metrics-tests:
|
|
if: ${{ contains(github.event.pull_request.labels.*.name, 'ok-to-test') }}
|
|
needs: build-kata-static-tarball-amd64
|
|
uses: ./.github/workflows/run-metrics.yaml
|
|
with:
|
|
tarball-suffix: -${{ github.event.pull_request.number}}-${{ github.event.pull_request.head.sha }}
|