fix(workflow): [PM-19254] Update image tag generation for builds from forked PRs

* Added fork name to tag * Added logging. * Added pull_request_target * Added repository name if on fork. * Limited characters * Added sanitization * Moved to env var for extra security.
2025-12-06 00:13:28 +00:00 · 2025-04-14 21:33:51 -04:00
parent 356a20a4bc
commit 938e9454e1
1 changed files with 9 additions and 3 deletions
--- a/.github/workflows/build-web.yml
+++ b/.github/workflows/build-web.yml
@@ -45,7 +45,7 @@ on:

 env:
  _AZ_REGISTRY: bitwardenprod.azurecr.io
-
+  _GITHUB_PR_REPO_NAME: ${{ github.event.pull_request.head.repo.full_name }}

 jobs:
  setup:
@@ -190,12 +190,18 @@ jobs:
      - name: Generate container image tag
        id: tag
        run: |
-          if [[ "${GITHUB_EVENT_NAME}" == "pull_request" ]]; then
-            IMAGE_TAG=$(echo "${GITHUB_HEAD_REF}" | sed "s#/#-#g")
+          if [[ "${GITHUB_EVENT_NAME}" == "pull_request" || "${GITHUB_EVENT_NAME}" == "pull_request_target" ]]; then
+            IMAGE_TAG=$(echo "${GITHUB_HEAD_REF}" | sed "s/[^a-zA-Z0-9]/-/g") # Sanitize branch name to alphanumeric only
          else
            IMAGE_TAG=$(echo "${GITHUB_REF_NAME}" | sed "s#/#-#g")
          fi

+          if [[ "${{ github.event.pull_request.head.repo.fork }}" == "true" ]]; then
+            SANITIZED_REPO_NAME=$(echo "$_GITHUB_PR_REPO_NAME" | sed "s/[^a-zA-Z0-9]/-/g") # Sanitize repo name to alphanumeric only
+            IMAGE_TAG=$SANITIZED_REPO_NAME-$IMAGE_TAG # Add repo name to the tag
+            IMAGE_TAG=${IMAGE_TAG:0:128}  # Limit to 128 characters, as that's the max length for Docker image tags
+          fi
+
          if [[ "$IMAGE_TAG" == "main" ]]; then
            IMAGE_TAG=dev
          fi