GH workflows: Remove trigger on pull_request_target

Replaced with pull_request + workflow_run
Although the risk of pwn request attacks was mitigated with the
ok-to-test label protection, this was still human-error prone.
This workflow increases security by not running any code with secret
access privileges.

Author: jotak

.github/workflows/build_image_pr.yml

@@ -0,0 +1,40 @@
+name: Build PR image and upload artifact
+on:
+  pull_request:
+    types: [labeled]
+
+env:
+  WF_REGISTRY: quay.io/netobserv
+  WF_IMAGE: network-observability-cli
+
+jobs:
+  build-pr-image:
+    if: ${{ github.event.label.name == 'ok-to-test' }}
+    name: Build PR image and upload artifact
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Install make
+        run: sudo apt -y install make
+      - name: get short sha
+        run: echo "short_sha=$(git rev-parse --short HEAD)" >> $GITHUB_ENV
+      - name: build and save image
+        run: OCI_BUILD_OPTS="--label quay.expires-after=2w" IMAGE=${{ env.WF_REGISTRY }}/${{ env.WF_IMAGE }}:${{ env.short_sha }} CLEAN_BUILD=1 make tar-image
+      - name: make commands
+        run: USER=netobserv VERSION=${{ env.short_sha }} make commands
+      - name: upload commands
+        id: artifact-upload-step
+        uses: actions/upload-artifact@v4
+        with:
+          name: commands
+          path: build/
+      - name: save PR number
+        run: |
+          echo ${{ github.event.number }} > ./out/pr-id
+          echo ${{ env.short_sha }} > ./out/short-sha
+          echo ${{ steps.artifact-upload-step.outputs.artifact-url }} > ./out/commands-url
+      - name: upload artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: pr
+          path: out/

.github/workflows/push_image_pr.yml

@@ -1,66 +1,64 @@
-name: Build and push PR image to quay.io
+name: Push PR image to quay.io
 on:
-  pull_request_target:
-    types: [labeled]
+  workflow_run:
+    workflows: ["Build PR image and upload artifact"]
+    types:
+      - completed
 
 env:
   WF_REGISTRY_USER: netobserv+github_ci
-  WF_REGISTRY: quay.io/netobserv
-  WF_IMAGE: network-observability-cli
-  WF_ORG: netobserv
 
 jobs:
   push-pr-image:
-    if: ${{ github.event.label.name == 'ok-to-test' }}
+    if: >
+      github.event.workflow_run.event == 'pull_request' &&
+      github.event.workflow_run.conclusion == 'success'
     name: push PR image
     runs-on: ubuntu-latest
     steps:
-      - name: install make
-        run: sudo apt-get install make
-      - name: set up go 1.x
-        uses: actions/setup-go@v3
+      - name: download artifact
+        uses: actions/download-artifact@v5
         with:
-          go-version: '1.25'
-      - name: checkout
-        uses: actions/checkout@v3
-        with:
-          ref: "refs/pull/${{ github.event.number }}/merge"
+          name: pr
+          run-id: ${{github.event.workflow_run.id }}
+          github-token: ${{secrets.GITHUB_TOKEN}}
+      - name: load images
+        run: |
+          docker load --input ./image.tar
       - name: docker login to quay.io
         uses: docker/login-action@v2
         with:
           username: ${{ env.WF_REGISTRY_USER }}
           password: ${{ secrets.QUAY_SECRET }}
           registry: quay.io
-      - name: get short sha
-        run: echo "short_sha=$(git rev-parse --short HEAD)" >> $GITHUB_ENV
-      - name: build and push manifest with images
-        run: OCI_BUILD_OPTS="--label quay.expires-after=2w" IMAGE_ORG=${{ env.WF_ORG }} IMAGE=${{ env.WF_REGISTRY }}/${{ env.WF_IMAGE }}:${{ env.short_sha }} CLEAN_BUILD=1 make images
-      - name: make commands
-        run: USER=netobserv VERSION=${{ env.short_sha }} make commands
-      - name: upload commands
-        id: artifact-upload-step
-        uses: actions/upload-artifact@v4
-        with:
-          name: commands
-          path: build
+      - name: push images
+        run: |
+          DOCKER_BUILDKIT=1 docker push $(cat ./name)
       - uses: actions/github-script@v6
         with:
           github-token: ${{secrets.GITHUB_TOKEN}}
           script: |
+            var fs = require('fs');
+            var issueNumber = Number(fs.readFileSync('./pr-id'));
+            var shortSha = String(fs.readFileSync('./short-sha')).trim();
+            var mainImage = fs.readFileSync('./name');
+            var commandsURL = fs.readFileSync('./commands-url');
             github.rest.issues.createComment({
-              issue_number: context.issue.number,
+              issue_number: issueNumber,
               owner: context.repo.owner,
               repo: context.repo.repo,
               body: `New image:
-            ${{ env.WF_REGISTRY }}/${{ env.WF_IMAGE }}:${{ env.short_sha }}
+            \`\`\`bash
+            ${mainImage}
+            \`\`\`
 
-            It will expire after two weeks.
+            It will expire in two weeks.
 
             To use this build, update your commands using:
             \`\`\`bash
-            USER=netobserv VERSION=${{ env.short_sha }} make commands
+            USER=netobserv VERSION=${shortSha} make commands
             \`\`\`
             
-            or [download the updated commands](${{ steps.artifact-upload-step.outputs.artifact-url }}).
+            or [download the updated commands](${commandsURL}).
             `
             })

Makefile

@@ -242,6 +242,14 @@ else
 	DOCKER_BUILDKIT=1 $(OCI_BIN) manifest push ${IMAGE} docker://${IMAGE};
 endif
 
+.PHONY: tar-image
+tar-image: MULTIARCH_TARGETS=amd64
+tar-image: image-build ## Build single arch (amd64) and save as a tar
+	$(OCI_BIN) tag $(IMAGE)-amd64 $(IMAGE)
+	mkdir -p ./out
+	$(OCI_BIN) save -o out/image.tar $(IMAGE)
+	echo $(IMAGE) > ./out/name
+
 .PHONY: help
 help: ## Display this help.
 	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)