Merge pull request #987 from OWASP/copilot/fix-ee85dc5a-1b70-4d54-aa0f-112ff05a74d6

commjoen · web-flow · commit 2c186cf84d82 · 2025-10-07T04:41:33.000+02:00
Fix preview deployment workflow for variable expansion and fork PRs
diff --git a/.github/workflows/preview.yml b/.github/workflows/preview.yml
@@ -68,7 +68,9 @@ jobs:
         with:
           context: ./${{ matrix.component }}
           file: ./${{ matrix.component }}/Dockerfile
-          push: true
+          # Only push if it's a push to main OR a PR from the same repo (not a fork)
+          # External contributors from forks can't write to the org's container registry
+          push: ${{ github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           platforms: linux/amd64,linux/arm64
@@ -116,65 +118,128 @@ jobs:
 
       - name: Create deployment instructions
         id: instructions
+        env:
+          IMAGE_PREFIX: ${{ env.IMAGE_PREFIX }}
+          TAG: ${{ needs.set-tag.outputs.tag }}
+          PR_NUMBER: ${{ github.event.number }}
+          REPO_OWNER: ${{ github.repository_owner }}
+          VALUES_CONTENT: ${{ steps.values.outputs.values }}
+          IS_FORK: ${{ github.event.pull_request.head.repo.full_name != github.repository }}
         run: |
           # yamllint disable rule:line-length
-          cat > instructions.md << 'EOF'
+          if [ "${IS_FORK}" = "true" ]; then
+            cat > instructions.md << EOF
+          ## 🚀 Preview Build Complete!
+
+          Your pull request has been built successfully. However, since this is from a fork, preview images cannot be pushed to the organization's container registry.
+
+          ### Testing Your Changes
+
+          To test your changes, you can build and deploy locally:
+
+          \`\`\`bash
+          # Clone this PR
+          git fetch origin pull/${PR_NUMBER}/head:pr-${PR_NUMBER}
+          git checkout pr-${PR_NUMBER}
+
+          # Build and deploy locally
+          ./build-and-deploy.sh
+
+          # Or for minikube
+          ./build-and-deploy-minikube.sh
+
+          # Port forward to access locally
+          kubectl port-forward service/wrongsecrets-balancer 3000:3000
+          \`\`\`
+
+          ### Alternative: Manual Build
+
+          \`\`\`bash
+          # Build images locally
+          cd wrongsecrets-balancer
+          docker build -t my-wrongsecrets-balancer:test .
+          cd ../cleaner
+          docker build -t my-cleaner:test .
+
+          # Deploy with custom images using Helm
+          helm repo add wrongsecrets https://owasp.org/wrongsecrets-ctf-party
+          helm repo update
+
+          helm install my-preview wrongsecrets/wrongsecrets-ctf-party \\
+            --set balancer.repository=my-wrongsecrets-balancer \\
+            --set balancer.tag=test \\
+            --set wrongsecretsCleanup.repository=my-cleaner \\
+            --set wrongsecretsCleanup.tag=test \\
+            --set balancer.imagePullPolicy=Never \\
+            --set wrongsecretsCleanup.imagePullPolicy=Never
+          \`\`\`
+
+          ### Why Can't Images Be Pushed?
+
+          External contributors don't have write permissions to the organization's GitHub Container Registry. This is a security measure to protect the organization's packages.
+
+          ---
+
+          *This preview was automatically generated for PR #${PR_NUMBER}*
+          EOF
+          else
+            cat > instructions.md << EOF
           ## 🚀 Preview Deployment Ready!
 
           Your pull request has been built and is ready for preview deployment.
           Here's how to test your changes:
 
           ### Container Images Built
 
-          - **Balancer**: `${{ env.IMAGE_PREFIX }}/wrongsecrets-balancer:${{ needs.set-tag.outputs.tag }}`
-          - **Cleaner**: `${{ env.IMAGE_PREFIX }}/cleaner:${{ needs.set-tag.outputs.tag }}`
+          - **Balancer**: \`${IMAGE_PREFIX}/wrongsecrets-balancer:${TAG}\`
+          - **Cleaner**: \`${IMAGE_PREFIX}/cleaner:${TAG}\`
 
           ### Quick Deploy with Helm
 
-          ```bash
+          \`\`\`bash
           # Add the wrongsecrets helm repository
           helm repo add wrongsecrets https://owasp.org/wrongsecrets-ctf-party
           helm repo update
 
           # Deploy with preview images
-          helm install my-preview wrongsecrets/wrongsecrets-ctf-party \
-            --set balancer.repository=${{ env.IMAGE_PREFIX }}/wrongsecrets-balancer \
-            --set balancer.tag=${{ needs.set-tag.outputs.tag }} \
-            --set wrongsecretsCleanup.repository=${{ env.IMAGE_PREFIX }}/cleaner \
-            --set wrongsecretsCleanup.tag=${{ needs.set-tag.outputs.tag }} \
+          helm install my-preview wrongsecrets/wrongsecrets-ctf-party \\
+            --set balancer.repository=${IMAGE_PREFIX}/wrongsecrets-balancer \\
+            --set balancer.tag=${TAG} \\
+            --set wrongsecretsCleanup.repository=${IMAGE_PREFIX}/cleaner \\
+            --set wrongsecretsCleanup.tag=${TAG} \\
             --set imagePullPolicy=Always
 
           # Port forward to access locally
           kubectl port-forward service/wrongsecrets-balancer 3000:3000
-          ```
+          \`\`\`
 
           ### Deploy with Custom Values
 
           <details>
           <summary>Click to see preview-values.yaml</summary>
 
-          ```yaml
-          ${{ steps.values.outputs.values }}
-          ```
+          \`\`\`yaml
+          ${VALUES_CONTENT}
+          \`\`\`
 
           </details>
 
-          ```bash
+          \`\`\`bash
           # Save the above values to preview-values.yaml, then:
-          helm install my-preview wrongsecrets/wrongsecrets-ctf-party \
+          helm install my-preview wrongsecrets/wrongsecrets-ctf-party \\
             -f preview-values.yaml
-          ```
+          \`\`\`
 
           ### Deploy with Local Build Scripts
 
-          ```bash
+          \`\`\`bash
           # Clone this PR
-          git fetch origin pull/${{ github.event.number }}/head:pr-${{ github.event.number }}
-          git checkout pr-${{ github.event.number }}
+          git fetch origin pull/${PR_NUMBER}/head:pr-${PR_NUMBER}
+          git checkout pr-${PR_NUMBER}
 
           # Use the existing deployment script with custom images
           ./build-and-deploy.sh
-          ```
+          \`\`\`
 
           ### Test the Changes
 
@@ -185,13 +250,14 @@ jobs:
           ### Container Registry
 
           The preview images are available at:
-          - https://github.com/${{ github.repository_owner }}/wrongsecrets-ctf-party/pkgs/container/wrongsecrets-balancer
-          - https://github.com/${{ github.repository_owner }}/wrongsecrets-ctf-party/pkgs/container/cleaner
+          - https://github.com/${REPO_OWNER}/wrongsecrets-ctf-party/pkgs/container/wrongsecrets-balancer
+          - https://github.com/${REPO_OWNER}/wrongsecrets-ctf-party/pkgs/container/cleaner
 
           ---
 
-          *This preview was automatically generated for PR #${{ github.event.number }}*
+          *This preview was automatically generated for PR #${PR_NUMBER}*
           EOF
+          fi
           # yamllint enable rule:line-length
 
           echo "content<<EOF" >> $GITHUB_OUTPUT
