From a496964ae426bc34a3c1d4b44d59c0ade32122fc Mon Sep 17 00:00:00 2001
From: Jaimyn Mayer
Date: Tue, 7 Jan 2025 23:23:25 +1000
Subject: [PATCH 1/2] update GHA to securely build and push docker images for third party PRs
---
 .github/workflows/build_docker.pr.yml | 42 +++++--------
 .github/workflows/upload_docker.pr.yml | 86 ++++++++++++++++++++++++++
 2 files changed, 101 insertions(+), 27 deletions(-)
 create mode 100644 .github/workflows/upload_docker.pr.yml
diff --git a/.github/workflows/build_docker.pr.yml b/.github/workflows/build_docker.pr.yml
index f4de7f92..4bec88de 100644
--- a/.github/workflows/build_docker.pr.yml
+++ b/.github/workflows/build_docker.pr.yml
@@ -13,40 +13,28 @@ jobs: outputs: branch: ${{ steps.extract_branch.outputs.branch }} steps: - - name: Set up QEMU - uses: docker/setup-qemu-action@v1 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v1 - - name: Login to DockerHub - uses: docker/login-action@v1 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} + uses: docker/setup-buildx-action@v3 - name: Extract branch name shell: bash run: echo "branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" | tr / - >> $GITHUB_OUTPUT id: extract_branch - - name: Build and push pr image + - name: Save PR number and branch name + run: | + mkdir -p ./pr + echo ${{ github.event.number }} > ./pr/prnumber + echo ${{ steps.extract_branch.outputs.branch }} > ./pr/branchname + echo membermatters/membermatters:untrusted-pr-${{ steps.extract_branch.outputs.branch }} > ./pr/imagename + - name: Build pr image id: docker_build - uses: docker/build-push-action@v3 + uses: docker/build-push-action@v6 with: + tags: membermatters/membermatters:untrusted-pr-${{ steps.extract_branch.outputs.branch }} + outputs: type=docker,dest=./pr/untrusted-pr-image.tar file: docker/Dockerfile platforms: linux/amd64 - push: true - tags: membermatters/membermatters:untrusted-pr-${{ steps.extract_branch.outputs.branch }} - - comment_docker_image: - needs: build-docker-pr - runs-on: ubuntu-latest - steps: - - name: Comment name of docker image - id: comment_docker_image - uses: actions/github-script@v6 + - name: Upload pr image as artifact + uses: actions/upload-artifact@v4 with: - script: | - github.rest.issues.createComment({ - issue_number: context.issue.number, - owner: context.repo.owner, - repo: context.repo.repo, - body: 'Created image with name `membermatters/membermatters:untrusted-pr-${{ needs.build-docker-pr.outputs.branch }}`.' - }) + name: pr + path: ./pr/ 
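Review bot: The new `Save PR number and branch name` step interpolates `${{ steps.extract_branch.outputs.branch }}` straight into a bash `run:` script; that value is derived from `GITHUB_HEAD_REF`, which the PR author picks, and the earlier `tr / -` only rewrites slashes, so other shell metacharacters reach the shell unquoted. Pass it through the environment instead: put `env:` / `BRANCH: ${{ steps.extract_branch.outputs.branch }}` on the step and write `echo "$BRANCH" > ./pr/branchname` (and build the `imagename` line from `"$BRANCH"` the same way). Because this workflow runs on `pull_request`, a PR can also edit this file, so everything written under `./pr/` — `prnumber`, `branchname`, `imagename` and the image tar — is untrusted input for whatever consumes the `pr` artifact; a comment above the step stating that would help, e.g. `# Contents of ./pr are produced by untrusted PR code; the consuming workflow must validate them.` The job header and the `on:` trigger of this workflow are outside the hunk.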
diff --git a/.github/workflows/upload_docker.pr.yml b/.github/workflows/upload_docker.pr.yml
new file mode 100644
index 00000000..31a41a73
--- /dev/null
+++ b/.github/workflows/upload_docker.pr.yml
@@ -0,0 +1,86 @@
+name: Upload Docker Image (On PR - after build)
+
+on:
+ workflow_run:
+ workflows: ["Receive PR"]
+ types:
+ - completed
+
+jobs:
+ upload-docker-pr:
+ runs-on: ubuntu-latest
+ if: >
+ github.event.workflow_run.event == 'pull_request' &&
+ github.event.workflow_run.conclusion == 'success'
+ outputs:
+ imagename: ${{ steps.extract_image.outputs.imagename }}
+ steps:
+ - name: Download PR Image
+ uses: actions/github-script@v3.1.0
+ with:
+ script: |
+ var artifacts = await github.actions.listWorkflowRunArtifacts({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ run_id: ${{github.event.workflow_run.id }},
+ });
+ var matchArtifact = artifacts.data.artifacts.filter((artifact) => {
+ return artifact.name == "pr"
+ })[0];
+ var download = await github.actions.downloadArtifact({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ artifact_id: matchArtifact.id,
+ archive_format: 'zip',
+ });
+ var fs = require('fs');
+ fs.writeFileSync('${{github.workspace}}/pr.zip', Buffer.from(download.data));
+ - run: ls -hal
+ - name: Unzip PR Image
+ run: |
+ unzip pr.zip
+ - run: ls -hal
+ - name: Check PR Metadata
+ run: |
+ cat ./pr/prnumber
+ cat ./pr/branchname
+ cat ./pr/imagename
+ - name: Extract image name
+ shell: bash
+ run: echo "imagename="$(cat test)"" | tr / - >> $GITHUB_OUTPUT
+ id: extract_image
+ - name: Load PR Image
+ run: |
+ docker load --input ./pr/untrusted-pr-image.tar
+ docker image ls -a
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+ - name: Login to DockerHub
+ uses: docker/login-action@v3
+ with:
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+ - name: Build and Push
+ id: docker_build
+ uses: docker/build-push-action@v6
+ with:
+ file: docker/Dockerfile
+ push: true
+ tags: ${{ steps.extract_image.outputs.imagename }}
+
+ comment_docker_image:
+ needs: upload-docker-pr
+ runs-on: ubuntu-latest
+ steps:
+ - name: Comment name of docker image
+ id:
comment_docker_image
+ uses: actions/github-script@v6
+ with:
+ script: |
+ github.rest.issues.createComment({
+ issue_number: context.issue.number,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ body: 'Created image with name `${{ needs.upload-docker-pr.outputs.imagename }}`.'
+ })
From b23ea945b2a980ba3aa8b86e653d30785dcb4818 Mon Sep 17 00:00:00 2001
From: Jaimyn Mayer
Date: Tue, 7 Jan 2025 23:37:37 +1000
Subject: [PATCH 2/2] update typo
---
 .github/workflows/upload_docker.pr.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/upload_docker.pr.yml b/.github/workflows/upload_docker.pr.yml
index 31a41a73..6a376cd4 100644
--- a/.github/workflows/upload_docker.pr.yml
+++ b/.github/workflows/upload_docker.pr.yml
@@ -2,7 +2,7 @@ name: Upload Docker Image (On PR - after build) on: workflow_run: - workflows: ["Receive PR"] + workflows: ["Build Docker Image (On PR)"] types: - completed
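Review bot: In the `Build and Push` step, `tags: ${{ steps.extract_image.outputs.imagename }}` pushes with the DockerHub credentials a tag that is read from the `pr` artifact, and that artifact was written by the untrusted `pull_request` workflow (a fork PR can edit that workflow file), so the privileged run pushes whatever repository:tag the PR chose, including an already-published one. The name should be validated against the expected `membermatters/membermatters:untrusted-pr-` prefix and a docker-tag character class before any push, or rebuilt from trusted `github.event.workflow_run` fields instead of being taken from the artifact. The `Extract image name` step as written also reads a file that is never created (`cat test`) and pipes the result through `tr / -`, which would turn the `membermatters/membermatters` repository path into `membermatters-membermatters`. With no `actions/checkout` in the job, `docker/build-push-action@v6` presumably builds from the Git context rather than pushing the image loaded from `untrusted-pr-image.tar`; a plain `docker push` of the validated name is what the `docker load` step implies was intended. The comment job's `context.issue.number` is likely unset for a `workflow_run` event — confirm, and if the PR number is taken from `./pr/prnumber` instead, check it is all digits first.
```yaml
      - name: Extract and validate image name
        id: extract_image
        shell: bash
        run: |
          set -euo pipefail
          imagename="$(tr -d '[:space:]' < ./pr/imagename)"
          # ./pr was produced by the untrusted PR workflow: accept only the expected prefix and tag charset
          if [[ ! "$imagename" =~ ^membermatters/membermatters:untrusted-pr-[A-Za-z0-9_.-]+$ ]]; then
            echo "unexpected image name in artifact" >&2
            exit 1
          fi
          echo "imagename=$imagename" >> "$GITHUB_OUTPUT"
      # … unchanged: Load PR Image, Set up Docker Buildx, Login to DockerHub …
      - name: Push PR image
        env:
          IMAGE: ${{ steps.extract_image.outputs.imagename }}
        run: docker push "$IMAGE"
```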