Open
Description
Currently this action is not usable for PRs from forks because secrets are not available in this case – and you currently enforce a login to Docker Hub.
The recommended solution (see Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests) is to split this up in two parts. For this action this probably would mean:
- Work without credentials for PRs from forks in `on pull_request`:
  - Build the image with `outputs: type=oci,dest=image.tar`
  - Upload the PR number and the image tarball as artifacts
- In `on workflow_run`:
  - Download the artifacts
  - Log in to Docker Hub
  - Run `docker/scout-action` with `image: archive://image.tar` and giving the PR number as an option
Actually, most of this should be doable today already. But I don't see how the action gets the correct PR to comment on in this case. This probably will need a new config to pass the PR number.
(Of course it would be a lot easier if the Scout service had a different way to authenticate. Maybe via the "Docker Inc" GitHub app?)