NO-JIRA: use pull_request_target to build PRs from AIPCC bases in rhds/notebooks

Author: jiridanek

.github/workflows/build-notebooks-TEMPLATE.yaml

@@ -281,10 +281,11 @@ jobs:
 
       # region Image build
 
-      - name: Login to quay.io
+      - name: Login to quay.io/aipcc (if the secret is present)
+        if: ${{ secrets.AIPCC_QUAY_BOT_USERNAME != '' }}
         shell: bash
         run: |
-          echo "${{ secrets.AIPCC_QUAY_BOT_PASSWORD }}" | podman login quay.io -u "${{ secrets.AIPCC_QUAY_BOT_USERNAME }}" --password-stdin
+          echo "${{ secrets.AIPCC_QUAY_BOT_PASSWORD }}" | podman login quay.io/aipcc -u "${{ secrets.AIPCC_QUAY_BOT_USERNAME }}" --password-stdin
 
       - name: Compute extra podman build args
         id: extra-podman-build-args

.github/workflows/build-notebooks-pr-aipcc.yaml

@@ -0,0 +1,97 @@
+---
+"name": "Build Notebooks (pr, AIPCC bases)"
+"on":
+  "pull_request_target":
+    "paths-ignore":
+      # Don't build images if the only thing that changed is image digests in manifests
+      - manifests/base/params-latest.env
+      - manifests/base/params.env
+      # In fact, skip the build if there are only changes in manifests and nowhere else
+      - manifests/**
+
+# BEWARE: This GitHub Actions workflow runs on pull_request_target, meaning it has access to our secrets
+# see https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-secrets
+# and https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+
+permissions:
+  contents: read
+  packages: read
+
+concurrency:
+  group: ${{ format('build-notebooks-pr-{0}', github.event.pull_request.number) }}
+  cancel-in-progress: true
+
+env:
+  # language=json
+  contributors: |
+    ["atheo89", "andyatmiami", "caponetto", "daniellutz", "dibryant", "harshad16", "jesuino", "jiridanek", "jstourac", "paulovmr", "Fiona-Waters", "grdryn", "kryanbeane", "mtchoum1", "obrown1205", "dependabot[bot]", "ide-developer"]
+
+jobs:
+  gen:
+    name: Generate job matrix
+    runs-on: ubuntu-latest
+    # rhds/notebooks builds from AIPCC bases and requires pull_request_target trigger
+    if: ${{ github.repository == 'red-hat-data-services/notebooks' }}
+    outputs:
+      matrix: ${{ steps.gen.outputs.matrix }}
+      has_jobs: ${{ steps.gen.outputs.has_jobs }}
+    steps:
+
+      - name: Check permissions and deny untrusted users (this must be done FIRST, for security, before we checkout)
+        if: |-
+          github.event_name == 'workflow_dispatch' ||
+          (
+            github.event_name == 'pull_request_target' &&
+            (
+              github.event.repository.private == true ||
+              contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.pull_request.author_association) ||
+              contains(fromJSON(env.contributors), github.actor)
+            )
+          )
+        run: |
+          echo "GitHub user ${{ github.actor }} is not a registered project contributor, not allowed to run actions requiring secrets!"
+          exit 1
+
+      # Here we are checking out the pull request, so that we can build from the new code
+      # We can do this because we already checked that the submitting user is a contributor
+      - uses: actions/checkout@v5
+        if: ${{ github.event_name == 'pull_request_target' }}
+        with:
+          ref: "refs/pull/${{ github.event.number }}/merge"
+      - uses: actions/checkout@v5
+        if: ${{ github.event_name != 'pull_request_target' }}
+
+      - uses: actions/setup-go@v5
+        with:
+          cache-dependency-path: "**/*.sum"
+
+      - name: Determine targets to build based on changed files
+        if: ${{ github.event_name == 'pull_request_target' }}
+        run: |
+          set -x
+          git fetch --no-tags origin 'pull/${{ github.event.pull_request.number }}/head:${{ github.event.pull_request.head.ref }}'
+          git fetch --no-tags origin '+refs/heads/${{ github.event.pull_request.base.ref }}:refs/remotes/origin/${{ github.event.pull_request.base.ref }}'
+          python3 ci/cached-builds/gen_gha_matrix_jobs.py \
+            --from-ref 'origin/${{ github.event.pull_request.base.ref }}' \
+            --to-ref '${{ github.event.pull_request.head.ref }}' \
+            --rhel-images exclude \
+            --s390x-images include
+        id: gen
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        shell: bash
+
+  build:
+    needs: ["gen"]
+    strategy:
+      fail-fast: false
+      matrix: "${{ fromJson(needs.gen.outputs.matrix) }}"
+    uses: ./.github/workflows/build-notebooks-TEMPLATE.yaml
+    if: ${{ fromJson(needs.gen.outputs.has_jobs) }}
+    with:
+      target: "${{ matrix.target }}"
+      python: "${{ matrix.python }}"
+      github: "${{ toJSON(github) }}"
+      platform: "${{ matrix.platform }}"
+      subscription: "${{ matrix.subscription }}"
+    secrets: inherit

.github/workflows/build-notebooks-pr-rhel.yaml

@@ -32,7 +32,16 @@ jobs:
     steps:
 
       - name: Check permissions and deny untrusted users (this must be done FIRST, for security, before we checkout)
-        if: ${{ !contains(fromJSON(env.contributors), github.actor) }}
+        if: |-
+          github.event_name == 'workflow_dispatch' ||
+          (
+            github.event_name == 'pull_request_target' &&
+            (
+              github.event.repository.private == true ||
+              contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.pull_request.author_association) ||
+              contains(fromJSON(env.contributors), github.actor)
+            )
+          )
         run: |
           echo "GitHub user ${{ github.actor }} is not a registered project contributor, not allowed to run actions on RHEL!"
           exit 1

.github/workflows/build-notebooks-pr.yaml

@@ -22,6 +22,8 @@ jobs:
   gen:
     name: Generate job matrix
     runs-on: ubuntu-latest
+    # rhds/notebooks builds from quay.io/aipcc bases and requires pull_request_target trigger
+    if: ${{ github.repository != 'red-hat-data-services/notebooks' }}
     outputs:
       matrix: ${{ steps.gen.outputs.matrix }}
       has_jobs: ${{ steps.gen.outputs.has_jobs }}