Closed shymega closed 1 year ago
shymega
commented
1 year ago Rebased this against main. It's currently a bug on forks, as they run the container workflow. An alternative approach is to only run the container workflow on the original repository - i.e, this one.
cc @Ralim - let me know what approach you prefer.
Ralim
commented
1 year ago I'm not really following the issue here. We do not want forks to have any ability to push to pine64 packages, but they are welcome to pull the pine64 package if they want. My understanding was that that I granted the github key for this repo the ability to push, and that key is not shared to forks?
shymega
commented
1 year ago I should clarify. Workflows run in the context of the repository they're in. They do not have access to the parent repository unless explicitly granted. All this PR does is grant each repository access to their own GHCR.io namespace, in terms of writing. I've tested this on the MultiBuds fork, and it doesn't write to the pine64 organization.
shymega
commented
1 year ago It's necessary for this PR to be merged, or at the very least, add a conditional to the container build workflow to only run on this repository, because otherwise when people push to their forks, the containers workflow will fail.
shymega
commented
1 year ago Thanks for approving. We can hopefully merge now, I've updated the PR description.
Ralim
commented
1 year ago Yep, I can't merge this from phone as it requires Sudo mode, so will merge it one I'm at a PC.
This PR changes the 'build-and-push-to-registry' workflow to only run on the Pine64 repository, which prevents image pushing errors occurring.
By doing this, we ensure the container images only come from the Pine64 OpenPineBuds repository.