From 30956e1139d31af07b6d227be36afa247c663c03 Mon Sep 17 00:00:00 2001
From: John Myers <9696606+johntmyers@users.noreply.github.com>
Date: Mon, 30 Mar 2026 09:58:33 -0700
Subject: [PATCH] fix(ci): enable e2e for fork PRs via pull_request_target
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The local-build approach (single job, no GHCR push) is not feasible because the CI container cannot configure the host Docker daemon's insecure registry list, and container networking prevents access to the local registry on the host loopback. Switch to pull_request_target instead, which runs in the base repo context with write permissions to GHCR. The existing three-job pipeline (build-gateway, build-cluster, e2e) works unchanged. Security: the test:e2e label is a maintainer trust gate — only org members can apply it, signalling the PR code has been reviewed. Add ref input to docker-build.yml and e2e-test.yml so callers can pass github.event.pull_request.head.sha for checkout and image tagging, since github.sha points to the base branch under pull_request_target.
---
 .github/workflows/branch-e2e.yml | 11 +++++++++--
 .github/workflows/docker-build.yml | 8 +++++++-
 .github/workflows/e2e-test.yml | 7 +++++++
 3 files changed, 23 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/branch-e2e.yml b/.github/workflows/branch-e2e.yml
index ad53bb635..7f4c0e053 100644
--- a/.github/workflows/branch-e2e.yml
+++ b/.github/workflows/branch-e2e.yml
@@ -1,7 +1,11 @@
 name: Branch E2E Checks
+# pull_request_target runs in the base repo context with write permissions,
+# enabling fork PRs to push docker images to GHCR and run e2e tests.
+# Security: the test:e2e label is a maintainer trust gate — only org members
+# can apply it, signalling that the PR code has been reviewed.
 on:
- pull_request:
+ pull_request_target:
 types: [opened, synchronize, reopened, labeled]
 permissions:
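Review bot: The label gate does not hold across pushes: the context line `types: [opened, synchronize, reopened, labeled]` keeps `synchronize` while the trigger becomes `pull_request_target`, so once a maintainer applies `test:e2e` every later push to the fork branch re-runs the build and e2e jobs against the new head with the base repository's `GITHUB_TOKEN` (it is passed as `MISE_GITHUB_TOKEN` in docker-build.yml) and no fresh review, because the label stays on the PR. The comment block added in this hunk promises the opposite. Consider narrowing the trigger to `types: [labeled]` so each run requires a maintainer to (re)apply the label after reviewing the latest head, or have the job `if:` additionally require `github.event.action == 'labeled'`. The `permissions:` block and the job-level `if:` conditions lie outside this hunk.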
@@ -16,6 +20,7 @@ jobs:
 component: gateway
 platform: linux/arm64
 runner: build-arm64
+ ref: ${{ github.event.pull_request.head.sha }}
 build-cluster:
 if: contains(github.event.pull_request.labels.*.name, 'test:e2e')
@@ -24,10 +29,12 @@ jobs:
 component: cluster
 platform: linux/arm64
 runner: build-arm64
+ ref: ${{ github.event.pull_request.head.sha }}
 e2e:
 needs: [build-gateway, build-cluster]
 uses: ./.github/workflows/e2e-test.yml
 with:
- image-tag: ${{ github.sha }}
+ image-tag: ${{ github.event.pull_request.head.sha }}
 runner: build-arm64
+ ref: ${{ github.event.pull_request.head.sha }}
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index 16a8447c9..6a50de9c0 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -32,6 +32,11 @@ on:
 required: false
 type: string
 default: ""
+ ref:
+ description: "Git ref to checkout (defaults to the triggering event ref)"
+ required: false
+ type: string
+ default: ""
 env:
 MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -55,7 +60,7 @@ jobs:
 volumes:
 - /var/run/docker.sock:/var/run/docker.sock
 env:
- IMAGE_TAG: ${{ github.sha }}
+ IMAGE_TAG: ${{ inputs.ref || github.sha }}
 IMAGE_REGISTRY: ghcr.io/nvidia/openshell
 DOCKER_PUSH: ${{ inputs.push && '1' || '0' }}
 DOCKER_PLATFORM: ${{ inputs.platform }}
@@ -63,6 +68,7 @@ jobs:
 - uses: actions/checkout@v4
 with:
 fetch-depth: 0
+ ref: ${{ inputs.ref || '' }}
 - name: Mark workspace safe for git
 run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
diff --git a/.github/workflows/e2e-test.yml b/.github/workflows/e2e-test.yml
index f14ccb880..d9a523b74 100644
--- a/.github/workflows/e2e-test.yml
+++ b/.github/workflows/e2e-test.yml
@@ -12,6 +12,11 @@ on:
 required: false
 type: string
 default: "build-amd64"
+ ref:
+ description: "Git ref to checkout (defaults to the triggering event ref)"
+ required: false
+ type: string
+ default: ""
 permissions:
 contents: read
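Review bot: The new `ref` input in docker-build.yml is documented only as `Git ref to checkout`, yet with the caller added in branch-e2e.yml it will be an unreviewed fork commit that this workflow checks out and builds while `MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` is in the environment and the host Docker socket is mounted (`/var/run/docker.sock` in the next hunk), so the description should state that code at the ref executes with the job's credentials. Suggested wording: `description: "Git ref to checkout and build (defaults to the triggering event ref). Code at this ref runs with this job's secrets; pull_request_target callers must gate it behind a maintainer-applied label."`. The same input with the same description is added to e2e-test.yml in its `@@ -12,6` hunk and should carry matching wording. The rest of the `inputs:` block lies outside this hunk.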
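Review bot: `IMAGE_TAG: ${{ inputs.ref || github.sha }}` uses a value documented as a Git ref directly as a Docker image tag; a caller passing a branch or tag name such as a constructed `feature/x` would yield an invalid tag, and `IMAGE_TAG` would no longer identify a commit. The only caller in this patch passes `head.sha`, so it works today, but either constrain the input ("must be a full commit SHA") or resolve it after checkout with `git rev-parse HEAD` and export that as `IMAGE_TAG` instead. The job definition and its steps continue beyond this hunk.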
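Review bot: `ref: ${{ inputs.ref || '' }}` in the checkout step is redundant, since `inputs.ref` already defaults to `""` in the `@@ -32,6` hunk above and an empty `ref` already makes actions/checkout fall back to the event ref; `ref: ${{ inputs.ref }}` expresses the same thing directly. The same pattern is added to the e2e-test.yml checkout step in its `@@ -40,6` hunk. The remaining `with:` keys of this step are unchanged and the step list continues outside the hunk.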
@@ -40,6 +45,8 @@ jobs:
 OPENSHELL_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
 steps:
 - uses: actions/checkout@v4
+ with:
+ ref: ${{ inputs.ref || '' }}
 - name: Log in to GHCR
 run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin