Do not push to GHCR for Pull Requests from fork repositories

[allgandalf]

Description

Fixed issue #3618

With this PR, we fix the CI failure for forked branches, we cannot push to dockerhub since forks dont have write permission to Pecan Project GHCR.

Motivation and Context

Review Time Estimate

• Immediately
• Within one week
• When possible

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

• My change requires a change to the documentation.
• My name is in the list of CITATION.cff
• I agree that PEcAn Project may distribute my contribution under any or all of
  • the same license as the existing code,
  • and/or the BSD 3-clause license.
• I have updated the CHANGELOG.md.
• I have updated the documentation accordingly.
• I have read the CONTRIBUTING document.
• I have added tests to cover my changes.
• All new and existing tests passed.

[robkooper]

the other thing we need to fix is that it uses the right base image later, see error at: https://github.com/PecanProject/pecan/actions/runs/17475953611/job/49637278181?pr=3619#step:12:254

[robkooper]

best if we do a case insensitive compare.

[allgandalf]

Putting comments from slack here for future work since slack messages aren't visible after sometime:

Details

Rohan Sasne
Sep 5th at 2:12 AM
my understanding here was that we do not need to push docker builds from PR's which are raised from fork repositories to GHCR, but please correct me if i am wrong!
2:13
we only need to build the docker file

infotroph
Sep 5th at 2:20 AM
The part that gets thorny is that the build is a whole stack of images that build on each other, so if we’re not pushing one we have to decide whether that means not building the ones that depend on it, building them on top of the last-pushed version and hoping it’s close enough, etc.
I believe there are some complications around Docker build cache as well, but I don’t have a firm enough grasp on how that works to know what changes are needed.
All solveable, but I’ll defer to @kooper on how we should approach it.
👍
1

Rohan Sasne
Sep 5th at 2:28 AM
so if we’re not pushing one
Just to be clear are you concerned that we will not push the changes to GHCR when we merge the pull request with my current changes?
2:28
or do you mean that during building on the new commits in the current pull request which is yet to get merged? (edited)

infotroph
Sep 5th at 2:35 AM
The second — we want to check that all images build successfully from this particular commit, and the way everything is setup right now that requires pushing the freshly built images as we go so that we can pull the ones that are dependencies back when building each downstream one on top of it.
2:38
Last time we discussed this I think @kooper mentioned we might be able to work around that by configuring a local-to-the-runner Docker registry, but then immediately added something to the effect “but then we’d run into all kinds of disk space issues”. I’ll let Rob tell us whether that was a possiblity worth pursuing or one he was immediately talking himself out of. (edited)
Also sent to the channel

kooper
Sep 11th at 7:31 AM
Yes if you look at the workflow for the docker images they are building on top of each other:
depends -> base -> pecan ->models -> sipnet
7:33
so if you want to test the build we need each of the intermediate images, and to get those in the next step of the workflow we have to store them somewhere. As far as I have seen there are 2 options, you save them and write them to storage, every github has some small storage, or we leverage a docker registry. We can use a local registry, but the more I looked into that the harder it will be since we have different jobs, and I don't think we can keep the registr alive between jobs, esp since we use a matrix, where the jobs will run on different servers.
7:35
or, what we started to do, we push the images to a registry, like dockerhub or github. What we need to do is when we specify the image we want to use, we don't just specify the name, but also include the project and repository, so image arg should be more like ghcr.io/pecanproject/depends:pr-966 this way we have the exact image that we want to use.

[AritraDey-Dev]

For this PR, if I'm not wrong, it looks like the PR description is mismatched with the code changes done in the PR. It does build the image and upload the changes as artifacts, till here it's fine. But then I'm not sure why that workflow is not triggered in the CI for this PR.

Given the stack of images that we should run in CI one after another, as @infotroph also mentioned in Slack, I feel we should do it like: after building those artifacts, it should trigger another workflow that runs in the main repo context with access to secrets, downloads the artifacts, and pushes them to DockerHub. So that we should build those images one after another, probably something like first depends builds with the tag of the commit SHA(This can be the unique tag), and then the next one (i.e., base Docker build) will wait for it until depends is pushed,then pull it, and like that it will continue. Probably that will take some time in CI, but I think it's worth doing.

Another idea I have is to build the images sequentially in a single workflow, like depends → base → models → sipnet, so that every build gets the context of the previous build. This would be a more monolithic approach, but it helps to avoid the complexity of artifacts and pushing them.

[infotroph]

after building those artifacts, it should trigger another workflow that runs in the main repo context

I think this would still have the same basic problem that it lets someone else run code they control in a context where our secrets live. As annoying as the restriction against forked workflows using main repo secrets is for this case, it does has a solid security justification: Granting automated access to untrusted code is very hard to do safely. As soon as a workflow from an external fork can automatically make something happen in a context we think of as under our control (uses our secrets / runs on hardware billed to us / pushes to our registries), the number of ways malicious (or just incautious) actors could cause trouble for us expands greatly.

I'm now leaning more towards saying this isn't worth either the hassle to push to a registry from a fork or to try to build the stack without pushing. I wonder if instead the entire Docker GHA job:

• shouldn't run at all in external PRs before merge
• should run in the merge queue and we should treat that as the decisive test whether a change builds successfully
• For PRs that need more detailed testing (ones with Docker-specific changes?), encourage those with write access to push their branches to origin?

...but I might be off-base, and obviously waiting for merge queue failures means we're clicking merge on things before knowing the build will work. Does this idea make any sense?