ci: fall back to local buildx builder for fork PRs #550

Merged: Benehiko merged 2 commits into main from ci/fork-pr-builder-fallback on Jun 3, 2026
Conversation

@Benehiko (Member) commented Jun 3, 2026

Fork pull requests don't receive repository secrets, so the docker/login-action step failed with "Password required" and the Docker Build Cloud builder (driver: cloud, endpoint: docker/secrets-engine) was unreachable. This failed every lint/build/proto/vuln job and the Linux keychain tests for external contributions.

Gate the Hub login on trusted events and switch the buildx driver to a local docker-container builder for fork PRs, keeping cloud builds for pushes, tags, and same-repo PRs.
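The gating described above, written out as an added example workflow (not the project's own workflow). The cloud driver and the docker/secrets-engine endpoint come from the description; the job layout, action versions and the secret names DOCKERHUB_USERNAME and DOCKERHUB_TOKEN are assumptions.

```yaml
on:
  push:
    branches: [main]
    tags: ['v*']
  pull_request:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Trusted: a push/tag, or a PR whose head repo is this repo.
      # Fork PRs run under pull_request with no secrets, so they stay untrusted.
      # Do not switch to pull_request_target to regain secrets: that runs fork code with them.
      - name: Decide whether repository secrets are available
        id: trust
        env:
          EVENT: ${{ github.event_name }}
          HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
          BASE_REPO: ${{ github.repository }}
        run: |
          if [ "$EVENT" = "push" ] || [ "$HEAD_REPO" = "$BASE_REPO" ]; then
            echo "IS_TRUSTED=true" >> "$GITHUB_OUTPUT"
          else
            echo "IS_TRUSTED=false" >> "$GITHUB_OUTPUT"
          fi

      # Without this gate, login-action fails with "Password required" on forks.
      - name: Log in to Docker Hub
        if: steps.trust.outputs.IS_TRUSTED == 'true'
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}   # assumed secret names
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      # The cloud builder needs the Hub login; forks get a local builder instead.
      - name: Set up buildx (Docker Build Cloud)
        if: steps.trust.outputs.IS_TRUSTED == 'true'
        uses: docker/setup-buildx-action@v3
        with:
          driver: cloud
          endpoint: docker/secrets-engine

      - name: Set up buildx (local fallback for fork PRs)
        if: steps.trust.outputs.IS_TRUSTED != 'true'
        uses: docker/setup-buildx-action@v3
        with:
          driver: docker-container
```

The fallback costs cloud caching on fork PRs but keeps lint, build, proto and vuln jobs runnable for external contributors without ever handing them repository secrets.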

Benehiko and others added 2 commits June 3, 2026 14:55
Fork pull requests don't receive repository secrets, so the
docker/login-action step failed with "Password required" and the
Docker Build Cloud builder (driver: cloud, endpoint: docker/secrets-engine)
was unreachable. This failed every lint/build/proto/vuln job and the
Linux keychain tests for external contributions.

Gate the Hub login on trusted events and switch the buildx driver to a
local docker-container builder for fork PRs, keeping cloud builds for
pushes, tags, and same-repo PRs.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

govulncheck flagged two standard-library vulnerabilities reachable from
our code across the plugin, credentialhelper, pass, and x modules:

  - GO-2026-5039: unescaped arbitrary input in net/textproto errors
  - GO-2026-5037: inefficient candidate hostname parsing in crypto/x509

Both are fixed in go1.25.11. Bump the go directive in go.work and every
module's go.mod (the Docker build derives GO_VERSION from go.work), and
refresh vendor/modules.txt via `go work vendor`. govulncheck now reports
zero affected vulnerabilities across all modules.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@Benehiko Benehiko marked this pull request as ready for review June 3, 2026 13:05
@joe0BAB (Collaborator) left a comment
❤️

@docker-agent (Bot) left a comment
Assessment: 🟡 NEEDS ATTENTION

Two LIKELY medium-severity issues were found in the fork-PR CI fallback path introduced by this PR. No high-severity bugs detected. The overall approach (gating Hub login and Cloud builder on IS_TRUSTED) is sound.

Comment thread .github/workflows/gomodguard.yml
Comment thread .github/workflows/lint.yml
@Benehiko Benehiko merged commit 2c3534f into main Jun 3, 2026
46 checks passed
@Benehiko Benehiko deleted the ci/fork-pr-builder-fallback branch June 3, 2026 13:34