[DNM]: CI setup for forked repo

s3rj1k · s3rj1k · commit 19389e347647 · 2026-04-17T23:08:56.000Z
Signed-off-by: s3rj1k &lt;evasive.gyron@gmail.com&gt;
diff --git a/.github/workflows/build-fork-image.yml b/.github/workflows/build-fork-image.yml
@@ -0,0 +1,46 @@
+name: build-fork-image
+
+permissions:
+  contents: read
+  packages: write
+
+on:
+  push:
+    branches:
+    - 'starlark'
+
+jobs:
+  build_bmo:
+    name: Build and push fork BMO image to GHCR
+    if: github.repository != 'metal3-io/baremetal-operator'
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v6
+      with:
+        persist-credentials: false
+
+    - name: Calculate Go version
+      id: vars
+      run: echo "go_version=$(make go-version)" >> "$GITHUB_OUTPUT"
+
+    - name: Set up Go
+      uses: actions/setup-go@v6
+      with:
+        go-version: ${{ steps.vars.outputs.go_version }}
+
+    - name: Log in to GHCR
+      uses: docker/login-action@v4
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Build image
+      run: make docker-build
+      env:
+        REGISTRY: ghcr.io/${{ github.repository_owner }}
+        IMG_TAG: ${{ github.ref_name }}
+
+    - name: Push image
+      run: docker push ghcr.io/${{ github.repository_owner }}/baremetal-operator-amd64:${{ github.ref_name }}
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
@@ -0,0 +1,70 @@
+---
+# zizmor configuration — see https://docs.zizmor.sh/configuration/
+#
+# Fork-only workflow that builds and publishes the Starlark-branch image
+# to GHCR. Kept intentionally lightweight; excluded from zizmor wholesale
+# here so any future additions don't tangle with upstream audit policy.
+rules:
+  unpinned-uses:
+    ignore:
+    - build-fork-image.yml
+  template-injection:
+    ignore:
+    - build-fork-image.yml
+  artipacked:
+    ignore:
+    - build-fork-image.yml
+  excessive-permissions:
+    ignore:
+    - build-fork-image.yml
+  github-env:
+    ignore:
+    - build-fork-image.yml
+  cache-poisoning:
+    ignore:
+    - build-fork-image.yml
+  unredacted-secrets:
+    ignore:
+    - build-fork-image.yml
+  dangerous-triggers:
+    ignore:
+    - build-fork-image.yml
+  secrets-inherit:
+    ignore:
+    - build-fork-image.yml
+  overprovisioned-secrets:
+    ignore:
+    - build-fork-image.yml
+  hardcoded-container-credentials:
+    ignore:
+    - build-fork-image.yml
+  ref-confusion:
+    ignore:
+    - build-fork-image.yml
+  impostor-commit:
+    ignore:
+    - build-fork-image.yml
+  known-vulnerable-actions:
+    ignore:
+    - build-fork-image.yml
+  bot-conditions:
+    ignore:
+    - build-fork-image.yml
+  self-hosted-runner:
+    ignore:
+    - build-fork-image.yml
+  unsound-contains:
+    ignore:
+    - build-fork-image.yml
+  forbidden-uses:
+    ignore:
+    - build-fork-image.yml
+  anonymous-definition:
+    ignore:
+    - build-fork-image.yml
+  stale-action-refs:
+    ignore:
+    - build-fork-image.yml
+  obfuscation:
+    ignore:
+    - build-fork-image.yml
