Skip to content

RHOAIENG-16517: chore(tests): add sandboxing so that Dockerfile builds can only access files we know they access #631

RHOAIENG-16517: chore(tests): add sandboxing so that Dockerfile builds can only access files we know they access

RHOAIENG-16517: chore(tests): add sandboxing so that Dockerfile builds can only access files we know they access #631

---
"name": "Build Notebooks (pr)"
"on":
"pull_request":
permissions:
contents: read
packages: read
pull-requests: read
concurrency:
group: ${{ format('build-notebooks-pr-{0}', github.event.pull_request.number) }}
cancel-in-progress: true
jobs:
gen:
name: Generate job matrix
runs-on: ubuntu-latest
outputs:
matrix: ${{ steps.gen.outputs.matrix }}
has_jobs: ${{ steps.gen.outputs.has_jobs }}
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
cache-dependency-path: "**/*.sum"
- name: Determine targets to build based on changed files
run: |
set -x
git fetch --no-tags origin 'pull/${{ github.event.pull_request.number }}/head:${{ github.event.pull_request.head.ref }}'
git fetch --no-tags origin '+refs/heads/${{ github.event.pull_request.base.ref }}:refs/remotes/origin/${{ github.event.pull_request.base.ref }}'
python3 ci/cached-builds/gen_gha_matrix_jobs.py \
--from-ref 'origin/${{ github.event.pull_request.base.ref }}' \
--to-ref '${{ github.event.pull_request.head.ref }}'
id: gen
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
shell: bash
build:
needs: ["gen"]
strategy:
fail-fast: false
matrix: "${{ fromJson(needs.gen.outputs.matrix) }}"
uses: ./.github/workflows/build-notebooks-TEMPLATE.yaml
if: ${{ fromJson(needs.gen.outputs.has_jobs) }}
with:
target: "${{ matrix.target }}"
github: "${{ toJSON(github) }}"
secrets: inherit