Fix checkout of untrusted code in a privileged context

mirkokurt · mirkokurt · commit 9c8772a6ab87 · 2025-10-22T17:47:36.000+02:00
diff --git a/.github/workflows/calculate-size-delta.yml b/.github/workflows/calculate-size-delta.yml
@@ -7,7 +7,6 @@ on:
 
 permissions:
   contents: read
-  pull-requests: write
   
 jobs:
   build:
@@ -37,18 +36,42 @@ jobs:
         run: |
           if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then
             echo "Searching for PR from branch '${{ github.ref_name }}'..."
-            PR_NUMBER=$(gh pr list --state open --head "${{ github.ref_name }}" --json number --jq '.[0].number // empty')
+            UPSTREAM_REPO=$(gh api repos/${{ github.repository }} --jq '.parent.full_name // empty')
+            
+            if [ -n "$UPSTREAM_REPO" ]; then
+              echo "This is a fork. Upstream repository: $UPSTREAM_REPO"
+              # Get current repo owner and branch
+              CURRENT_USER=$(gh api repos/${{ github.repository }} --jq '.owner.login')
+              BRANCH_NAME="${{ github.ref_name }}"
+              echo "Searching in upstream for PR from $CURRENT_USER:$BRANCH_NAME"
+              
+              # Use API to search for PR with matching head
+              PR_NUMBER=$(gh api "repos/$UPSTREAM_REPO/pulls?state=open&head=$CURRENT_USER:$BRANCH_NAME" --jq '.[0].number // empty')
+              
+              if [ -z "$PR_NUMBER" ]; then
+                echo "Not found with API, trying gh pr list..."
+                PR_NUMBER=$(gh pr list --repo "$UPSTREAM_REPO" --state open --json number,headRefName,headRepositoryOwner \
+                  --jq ".[] | select(.headRefName == \"$BRANCH_NAME\" and .headRepositoryOwner.login == \"$CURRENT_USER\") | .number")
+              fi
+              TARGET_REPO="$UPSTREAM_REPO"
+            else
+              echo "This is not a fork. Searching in current repo..."
+              PR_NUMBER=$(gh pr list --state open --head "${{ github.ref_name }}" --json number --jq '.[0].number // empty')
+              TARGET_REPO="${{ github.repository }}"
+            fi
           else
             # For issue_comment, the PR number is in the event context
             PR_NUMBER=${{ github.event.issue.number }}
+            TARGET_REPO="${{ github.repository }}"
           fi
 
           if [ -z "$PR_NUMBER" ]; then
             echo "Could not find an associated open pull request."
           else
-            echo "Found PR #$PR_NUMBER"
+            echo "Found PR #$PR_NUMBER in repo $TARGET_REPO"
           fi
           echo "pr_number=$PR_NUMBER" >> $GITHUB_OUTPUT
+          echo "target_repo=$TARGET_REPO" >> $GITHUB_OUTPUT
 
       - name: Checkout PR Branch (for comment trigger)
         if: github.event_name == 'issue_comment'
@@ -109,6 +132,14 @@ jobs:
           docker image pull --platform linux/arm64 localhost:5000/app-bricks/python-base:latest
           docker image pull --platform linux/arm64 localhost:5000/app-bricks/python-apps-base:latest
 
+      - name: Calculate image sizes
+        id: sizes
+        run: |
+          SIZE1=$(docker images 'localhost:5000/app-bricks/python-base:latest' --format '{{.Size}}')
+          SIZE2=$(docker images 'localhost:5000/app-bricks/python-apps-base:latest' --format '{{.Size}}')
+          echo "python_base_size=$SIZE1" >> $GITHUB_OUTPUT
+          echo "python_apps_base_size=$SIZE2" >> $GITHUB_OUTPUT
+
       - name: Add image sizes to Job Summary
         run: |
           echo "## Docker Image Sizes" >> $GITHUB_STEP_SUMMARY
@@ -117,19 +148,34 @@ jobs:
           echo "|-------|------|" >> $GITHUB_STEP_SUMMARY
           echo "| app-bricks/python-base | $(docker images 'localhost:5000/app-bricks/python-base:latest' --format '{{.Size}}') |" >> $GITHUB_STEP_SUMMARY
           echo "| app-bricks/python-apps-base | $(docker images 'localhost:5000/app-bricks/python-apps-base:latest' --format '{{.Size}}') |" >> $GITHUB_STEP_SUMMARY
-
+    outputs:
+      python_base_size: ${{ steps.sizes.outputs.python_base_size }}
+      python_apps_base_size: ${{ steps.sizes.outputs.python_apps_base_size }}
+      pr_number: ${{ steps.pr_info.outputs.pr_number }}
+      target_repo: ${{ steps.pr_info.outputs.target_repo }}
+  comment-results:
+    runs-on: ubuntu-latest
+    needs: build
+    if: needs.build.outputs.pr_number != ''
+    permissions:
+      pull-requests: write
+    steps:
       - name: Comment on PR with image sizes
-        if: steps.pr_info.outputs.pr_number != ''
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          SIZE1=$(docker images 'localhost:5000/app-bricks/python-base:latest' --format '{{.Size}}')
-          SIZE2=$(docker images 'localhost:5000/app-bricks/python-apps-base:latest' --format '{{.Size}}')
-          gh pr comment ${{ steps.pr_info.outputs.pr_number }} --body-file - <<EOF
+          if gh pr comment ${{ needs.build.outputs.pr_number }} --repo "${{ needs.build.outputs.target_repo }}" --body-file - <<EOF
           ## Docker Image Sizes
 
           | Image | Size |
           |-------|------|
-          | app-bricks/python-base | $SIZE1 |
-          | app-bricks/python-apps-base | $SIZE2 |
+          | app-bricks/python-base | ${{ needs.build.outputs.python_base_size }} |
+          | app-bricks/python-apps-base | ${{ needs.build.outputs.python_apps_base_size }} |
           EOF
+          then
+            echo "✅ Comment posted successfully"
+          else
+            echo "⚠️ Could not post comment (likely permission issue for cross-repo commenting)"
+            echo "Image sizes are available in the job summary of the build-images job"
+            exit 0
+          fi
