From ce2e15e406cb928006f2ce3a63491db03499ad73 Mon Sep 17 00:00:00 2001
From: Sven Lito
Date: Tue, 12 Aug 2025 13:58:46 +0700
Subject: [PATCH] fix: handle fork PR permissions in Docker workflow
- Only push to registry for internal PRs (same repository)
- Build-only for fork PRs to test Docker compatibility
- Separate comments and summaries for different PR types
- Fixes permission issues with fork contributions
---
 .github/workflows/auto-version.yml | 56 ++++++++++++++++++++++++++++--
 1 file changed, 53 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/auto-version.yml b/.github/workflows/auto-version.yml
index 5607be0..60e7b9c 100644
--- a/.github/workflows/auto-version.yml
+++ b/.github/workflows/auto-version.yml
@@ -31,6 +31,7 @@ jobs:
 uses: docker/setup-buildx-action@v3
 - name: Login to GitHub Container Registry
+ if: github.event.pull_request.head.repo.full_name == github.repository
 uses: docker/login-action@v3
 with:
 registry: ghcr.io
@@ -47,7 +48,8 @@ jobs:
 type=raw,value=pr-${{ github.event.number }}-${{ github.sha }}
 type=raw,value=pr-${{ github.event.number }}
- - name: Build and push Docker image
+ - name: Build and push Docker image (internal PRs)
+ if: github.event.pull_request.head.repo.full_name == github.repository
 uses: docker/build-push-action@v5
 with:
 context: .
@@ -58,7 +60,20 @@ jobs:
 cache-from: type=gha
 cache-to: type=gha,mode=max
- - name: Comment on PR with Docker info
+ - name: Build Docker image (fork PRs)
+ if: github.event.pull_request.head.repo.full_name != github.repository
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+ platforms: linux/amd64,linux/arm64
+ push: false
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+
+ - name: Comment on PR with Docker info (internal PRs)
+ if: github.event.pull_request.head.repo.full_name == github.repository
 uses: actions/github-script@v7
 with:
 script: |
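Review bot: The `if:` added to the login step repeats an expression that this commit copies into seven steps (here and in the build, comment and summary hunks that follow), so a single mistyped `==`/`!=` would silently route a fork PR into the login/push path. Computing it once at job level keeps the gate in one place: an `env:` entry `IS_INTERNAL_PR: ${{ github.event.pull_request.head.repo.full_name == github.repository }}` and then `if: env.IS_INTERNAL_PR == 'true'` on each step. A one-line comment such as `# fork PRs get a read-only GITHUB_TOKEN, so login/push is limited to same-repo PRs` would record why the gate exists. The job header is outside this hunk, so where the `env:` block would sit is not visible here.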
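Review bot: The new fork build step keeps `cache-to: type=gha,mode=max`, so layers produced from a fork's Dockerfile and build context are written to the Actions cache that the trusted build step reads with `cache-from: type=gha`. On a `pull_request` trigger GitHub scopes such entries to the PR ref, but the `on:` block is outside this hunk; if the workflow runs on `pull_request_target`, the entries would presumably land in the base-branch scope instead. Dropping the `cache-to` line from the fork step while keeping `cache-from: type=gha` removes that write path in either case. `tags:` and `labels:` appear to have no effect here, since the step sets `push: false` and no `load`/`outputs`.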
@@ -108,7 +123,33 @@ jobs:
 body: comment
 });
- - name: Create deployment summary
+ - name: Comment on PR with Docker info (fork PRs)
+ if: github.event.pull_request.head.repo.full_name != github.repository
+ uses: actions/github-script@v7
+ with:
+ script: |
+ const prNumber = context.payload.pull_request.number;
+ const sha = context.sha.substring(0, 7);
+
+ const comment = `🐳 **Docker Build Complete (Build Only)**
+
+ **PR**: #${prNumber} | **Commit**: \`${sha}\`
+
+ ✅ **Docker build successful** - Multi-platform image built and tested
+
+ **Note**: Fork PRs only build (no push) for security. Images will be available once PR is merged.
+
+ The Docker build confirms your changes are compatible with the containerized deployment.`;
+
+ github.rest.issues.createComment({
+ issue_number: prNumber,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ body: comment
+ });
+
+ - name: Create deployment summary (internal PRs)
+ if: github.event.pull_request.head.repo.full_name == github.repository
 run: |
 echo "## 🐳 PR Docker Build Complete" >> $GITHUB_STEP_SUMMARY
 echo "" >> $GITHUB_STEP_SUMMARY
@@ -118,3 +159,12 @@ jobs:
 echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
 echo "${{ steps.meta.outputs.tags }}" >> $GITHUB_STEP_SUMMARY
 echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
+
+ - name: Create deployment summary (fork PRs)
+ if: github.event.pull_request.head.repo.full_name != github.repository
+ run: |
+ echo "## 🐳 Docker Build Complete (Build Only)" >> $GITHUB_STEP_SUMMARY
+ echo "** PR**: #${{ github.event.number }}" >> $GITHUB_STEP_SUMMARY
+ echo "**Commit**: ${{ github.sha }}" >> $GITHUB_STEP_SUMMARY
+ echo "✅ Multi-platform Docker build successful" >> $GITHUB_STEP_SUMMARY
+ echo "Note: Fork PRs only build (no push) for security" >> $GITHUB_STEP_SUMMARY
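Review bot: The fork-PR comment step calls `github.rest.issues.createComment` with the workflow token, which GitHub normally issues read-only for `pull_request` runs from forks, so this step is likely to fail with a 403 on exactly the PRs it targets. The `on:` trigger and any `permissions:` block are outside this hunk, so that needs confirming; if the job runs on `pull_request_target` instead, the token is writable, and whether fork content is then built with it depends on a checkout step that is not visible here. Relying on the fork step summary added later in this patch, or marking this step `continue-on-error: true`, keeps a refused comment from failing the job. The call is also not awaited; `await github.rest.issues.createComment({` makes a rejection surface as a step error instead of an unhandled promise. The message says "built and tested" although no test step is visible in the diff.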
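Review bot: The fork summary prints `${{ github.sha }}` as the commit, but on pull-request events that value is the merge (or base) commit, not the contributor's head commit, so the SHA shown will not match anything in the PR. The same applies to `context.sha` in the fork comment step in the previous hunk. `${{ github.event.pull_request.head.sha }}` identifies the contributor's commit. The line `echo "** PR**: ..."` also has a space after the opening `**`, which stops Markdown rendering it bold; `echo "**PR**: #${{ github.event.number }}" >> $GITHUB_STEP_SUMMARY` fixes that.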