Currently this action is not usable for PRs from forks because secrets are not available in this case – and you currently enforce a login to Docker Hub.
The recommended solution (see Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests) is to split this up in two parts. For this action this probably would mean:
Work without credentials for PRs from forks in on pull_request:
Build the image with outputs: type=oci,dest=image.tar
Upload the PR number and the image tarball as artifacts
In on workflow_run:
Download the artifacts
Log in to Docker Hub
Run docker/scout-action with image: archive://image.tar and giving the PR number as an option
Actually, most of this should be doable today already. But I don't see how the action gets the correct PR to comment on in this case. This probably will need a new config to pass the PR number.
(Of course it would be a lot easier if the Scout service had a different way to authenticate. Maybe via the "Docker Inc" GitHub app?)
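The two-workflow split described in this issue, written out as an added example (these are not workflows from the docker/scout-action project or from the issue author). It assumes actions/download-artifact v4 with its run-id and github-token inputs, and the scout-action inputs command, image, write-comment and github-token; the pull-request input on the last step is hypothetical, it stands in for the new option the issue asks for. The first workflow runs in the fork's PR context without any secrets; the second runs in the base repository with secrets, so it treats everything read from the artifact as untrusted and validates it before use.

```yaml
# File 1: .github/workflows/pr-build.yml
# Runs for pull_request, including PRs from forks, so no secrets are available
# here and none are needed: the image is built into an OCI tarball, not pushed.
name: PR build
on:
  pull_request:

permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-buildx-action@v3
      - name: Build the image as an OCI tarball (no registry login)
        uses: docker/build-push-action@v5
        with:
          context: .
          outputs: type=oci,dest=image.tar
      - name: Record the PR number next to the image
        env:
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: printf '%s\n' "$PR_NUMBER" > pr-number.txt
      - uses: actions/upload-artifact@v4
        with:
          name: scout-input
          path: |
            image.tar
            pr-number.txt
---
# File 2: .github/workflows/scout.yml
# Triggered after "PR build" finishes. This runs in the base repository context
# with secrets, so the artifact contents are attacker-controlled input here.
name: Docker Scout
on:
  workflow_run:
    workflows: ["PR build"]
    types: [completed]

permissions:
  contents: read
  pull-requests: write

jobs:
  scout:
    if: github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: scout-input
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
          path: scout-input
      - name: Validate the PR number read from the artifact
        id: pr
        run: |
          pr="$(tr -d '[:space:]' < scout-input/pr-number.txt)"
          [[ "$pr" =~ ^[0-9]+$ ]] || { echo "artifact holds a non-numeric PR number"; exit 1; }
          echo "number=$pr" >> "$GITHUB_OUTPUT"
      - name: Cross-check that the PR really belongs to the run that built the artifact
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR: ${{ steps.pr.outputs.number }}
          HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
        run: |
          actual="$(gh pr view "$PR" --repo "$GITHUB_REPOSITORY" --json headRefOid --jq .headRefOid)"
          [ "$actual" = "$HEAD_SHA" ] || { echo "PR $PR head does not match the triggering run"; exit 1; }
      - uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USER }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - uses: docker/scout-action@v1
        with:
          command: cves
          image: archive://scout-input/image.tar
          write-comment: true
          github-token: ${{ secrets.GITHUB_TOKEN }}
          # Hypothetical input (not an existing scout-action option): the PR
          # number to comment on, which the issue proposes adding.
          pull-request: ${{ steps.pr.outputs.number }}
```

The two shell steps in the second workflow are the part that matters for the "pwn requests" problem: the PR number arrives in an artifact that the fork fully controls, so it is checked to be purely numeric and then matched against the head SHA of the run that produced it before any comment is written with a privileged token. The image tarball itself is only ever handed to Scout for analysis, never loaded or run on the privileged runner.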