Commit 5d699ee
SECURITY FIX: Prevent PRs from pushing to container registry
Critical security vulnerability fixed in dev container prebuild workflow.
**Vulnerability:**
- Workflow was set to `push: always` for ALL events including PRs
- Any pull request (including from FORKS) could push to ghcr.io
- Malicious contributors could push compromised dev container images
- Could overwrite legitimate `latest` tag with malicious image
**Fix:**
- Changed push condition to: `github.event_name != 'pull_request'`
- PRs now build/test ONLY (push: never)
- Only these events can push:
  - Push to master branch
  - Manual workflow_dispatch
  - Scheduled weekly rebuilds
- All require write access to repository
**Behavior Now:**
- ✅ PRs: Build and test image (validates Dockerfile changes)
- ✅ Master: Build, test, and push to registry
- ✅ Schedule: Build, test, and push to registry
- ✅ Manual: Build, test, and push to registry
**Additional Improvements:**
- Updated summary output to clearly indicate push status
- Added security warning for PR builds
- Makes it obvious when image was/wasn't pushed
This ensures only trusted maintainers with repository write access
can publish dev container images to the registry.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>

1 parent 90e83d6 commit 5d699ee
1 file changed: +13 −5 lines changed. The diff content column is empty in this rendering; only the line positions of the two hunks survive:
- Hunk 1 (lines 46–52): original line 49 removed, new line 49 added.
- Hunk 2 (lines 58–72): original lines 61–64 removed, new lines 61–72 added.
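Review bot: the new push condition `github.event_name != 'pull_request'` (per the commit message) is a denylist of one event name and checks neither `github.ref` nor the other event names, so it only yields the stated policy (master pushes, `workflow_dispatch`, `schedule`) if the workflow's `on:` trigger list is restricted to exactly those; the trigger block is not visible in this rendering, and any trigger added later that is not literally `pull_request` would be allowed to publish. Consider stating the policy as an allowlist instead, e.g. `if: (github.event_name == 'push' && github.ref == 'refs/heads/master') || github.event_name == 'workflow_dispatch' || github.event_name == 'schedule'`, so the `latest` tag can only be written from master regardless of how the triggers evolve.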
0 commit comments