Bypass actor validation for Image, Build, Test, Vul-Scan workflow triggered by forked PRs #253
Ping the @canonical/rocks team.
Description
According to the GitHub documentation, secrets are not passed to the runner when a workflow is triggered from a forked repository. Therefore, for forked PRs, the actor validation will always fail. To cope with this issue, we allow the bypassing of actor validation for the Image, Build-Rock, Tests and Vulnerability-Scan workflows triggered by a forked pull request.
More security thoughts: The external user's PR workflow will only run upon approval by the repo's maintainer, so the chance of exploitation is considered low. The external user's PR will neither trigger the Upload and Release workflows nor have the secrets in the main repo, so the secrets are safe from being stolen.
Related issues
Failed Image workflow run: https://github.com/canonical/oci-factory/actions/runs/11048142134/job/30691724573
Tests
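The gating rule described in the PR body, written out as a small policy function. This is an added illustration, not code from the oci-factory repository or from this PR: the workflow names, the three inputs (workflow name, whether the PR head repository is a fork, whether the actor passed validation) and the split into "bypass-eligible" and "secret-bearing" workflows are assumptions modelled on the description above.

```sh
#!/bin/sh
# Added example (not oci-factory code). Decide whether a workflow run may
# proceed when actor validation is involved. Assumed inputs:
#   $1 workflow name
#   $2 "true" if the PR head repository is a fork
#   $3 "true" if the actor passed validation
# Exit status 0 means the run may proceed, 1 means it must stop.

# Workflows that may run for a forked PR without actor validation. Secrets are
# not exposed to fork-triggered runs, so validation can never succeed there.
FORK_BYPASS_WORKFLOWS="Image Build-Rock Tests Vulnerability-Scan"

# Workflows that need repository secrets and must never be reached from a fork.
SECRET_WORKFLOWS="Upload Release"

# contains LIST ITEM: status 0 if ITEM is one of the words in LIST
contains() {
  for w in $1; do
    [ "$w" = "$2" ] && return 0
  done
  return 1
}

may_proceed() {
  workflow=$1
  is_fork=$2
  actor_ok=$3

  if contains "$SECRET_WORKFLOWS" "$workflow"; then
    # Secret-bearing workflows: refuse fork runs outright; for in-repo runs
    # the normal actor check still applies.
    if [ "$is_fork" = "true" ]; then
      return 1
    fi
    if [ "$actor_ok" = "true" ]; then return 0; else return 1; fi
  fi

  if [ "$is_fork" = "true" ] && contains "$FORK_BYPASS_WORKFLOWS" "$workflow"; then
    # Bypass: no secrets are available to this run, so the validation step
    # would fail unconditionally without protecting anything.
    return 0
  fi

  # Everything else: the actor must have passed validation.
  if [ "$actor_ok" = "true" ]; then return 0; else return 1; fi
}

# Demonstration with constructed inputs.
for case in "Image true false" "Upload true true" "Release false true"; do
  set -- $case
  if may_proceed "$1" "$2" "$3"; then
    echo "$1 (fork=$2, actor_ok=$3): proceed"
  else
    echo "$1 (fork=$2, actor_ok=$3): stop"
  fi
done
```

The important property is the second branch: the bypass only applies to the named workflows, so an Upload or Release run from a fork is refused regardless of who the actor is, which is the guarantee the description relies on.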