added lite workflow for fork PRs (#509)

* added lite workflow for fork PRs * sonarqube secrets fix * specific read permissions on jobs
2026-06-27 22:05:45 +00:00 · 2026-05-19 14:35:50 +01:00
parent 57bfc4763b
commit 49c8b9338f
2 changed files with 64 additions and 4 deletions
--- a/.github/workflows/build-bitwarden-lite-workflow-target.yml
+++ b/.github/workflows/build-bitwarden-lite-workflow-target.yml
@@ -0,0 +1,36 @@
+name: Build Bitwarden lite (fork PR)
+run-name: Build Bitwarden lite fork PR #${{ github.event.pull_request.number }}
+
+on:
+  pull_request_target:
+    types: [opened, synchronize, reopened]
+    branches:
+      - main
+    paths:
+      - "bitwarden-lite/**"
+      - ".github/workflows/build-bitwarden-lite.yml"
+      - ".github/workflows/build-bitwarden-lite-workflow-target.yml"
+
+jobs:
+  check-run:
+    name: Check PR run approval
+    uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
+    permissions:
+      contents: read
+
+  build:
+    name: Build Docker image (fork PR)
+    needs: check-run
+    if: github.event.pull_request.head.repo.full_name != github.repository
+    uses: ./.github/workflows/build-bitwarden-lite.yml
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
+      security-events: write
+    secrets:
+      AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+      AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+      AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+    with:
+      self_host_repo_ref: ${{ github.event.pull_request.head.sha }}
--- a/.github/workflows/build-bitwarden-lite.yml
+++ b/.github/workflows/build-bitwarden-lite.yml
@@ -55,22 +55,45 @@ on:
        description: "Use the latest web version from version.json instead of branch"
        type: boolean
        default: false
+    secrets:
+      AZURE_CLIENT_ID:
+        description: "Azure client ID for ACR/Cosign auth"
+        required: false
+      AZURE_SUBSCRIPTION_ID:
+        description: "Azure subscription ID"
+        required: false
+      AZURE_TENANT_ID:
+        description: "Azure tenant ID"
+        required: false
  pull_request:
+    types: [opened, synchronize]
+    branches:
+      - main
    paths:
-      - ".github/workflows/build-bitwarden-lite.yml"
      - "bitwarden-lite/**"
+      - ".github/workflows/build-bitwarden-lite.yml"

 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

-permissions:
-  contents: read
-
 jobs:
+  check-event-source:
+    name: Check event and source
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
+    steps:
+      - name: Check PR event and source
+        run: echo "Internal PR, push, dispatch, or workflow_call — proceeding"
+
  setup:
    name: Setup
    runs-on: ubuntu-24.04
+    needs: check-event-source
+    permissions:
+      contents: read
    outputs:
      server_ref: ${{ steps.set-server-variables.outputs.server_ref }}
      web_ref: ${{ steps.set-web-variables.outputs.web_ref }}
@@ -131,6 +154,7 @@ jobs:
    timeout-minutes: 60
    needs: setup
    permissions:
+      contents: read
      id-token: write
      packages: write
      security-events: write