From be908fcbc6614b051cc5727f0bedabfc4a404e47 Mon Sep 17 00:00:00 2001
From: Bjordis Collaku
Date: Thu, 26 Mar 2026 15:06:44 -0700
Subject: [PATCH] ci: fix forked PR checkout & harden pull_request_target
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- Replace `ref: ${{ github.head_ref }}` with a fork-safe checkout using: `repository: ${{ github.event.pull_request.head.repo.full_name }}` `ref: ${{ github.event.pull_request.head.sha }}` `persist-credentials: false` - Keep default checkout for push/schedule/workflow_dispatch - Split build step so PRs never receive secrets or push to GHCR - Remove stray text after `username:` input Rationale: - `github.head_ref` assumes the branch exists in the base repo; for forked PRs, it points to a non-existent branch or the wrong repo. - `pull_request_target` runs with base-repo context; avoiding persisted Git credentials and withholding secrets prevents token/secrets exposure. - Ensures PR validation builds against the contributor’s Dockerfiles while only publishing images on trusted events. Affected file: - .github/workflows/qcom-container-build-and-upload.yml
Signed-off-by: Bjordis Collaku
---
 .../workflows/qcom-container-build-and-upload.yml | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/qcom-container-build-and-upload.yml b/.github/workflows/qcom-container-build-and-upload.yml
index 9f0f9d6..e5a0b8c 100644
--- a/.github/workflows/qcom-container-build-and-upload.yml
+++ b/.github/workflows/qcom-container-build-and-upload.yml
@@ -45,10 +45,19 @@ jobs:
 runs-on: ubuntu-24.04-arm
 steps:
- - name: Checkout Repository
+ # PRs from forks (pull_request_target): check out the PR's fork + exact commit
+ - name: Checkout PR head (fork-safe)
+ if: ${{ github.event_name == 'pull_request_target' }}
 uses: actions/checkout@v4
 with:
- ref: ${{github.head_ref}}
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+ ref: ${{ github.event.pull_request.head.sha }}
+ persist-credentials: false
+
+ # Push / schedule / manual: normal checkout
+ - name: Checkout repository
+ if: ${{ github.event_name != 'pull_request_target' }}
+ uses: actions/checkout@v4
 - name: Build Images
 uses: ./.github/actions/build_container
@@ -56,4 +65,4 @@ jobs:
 arch: arm64
 push-to-ghcr: ${{ github.event_name != 'pull_request_target' }}
 token: ${{ secrets.DEB_PKG_BOT_CI_TOKEN }}
- username: ${{ vars.DEB_PKG_BOT_CI_USERNAME }}
\ No newline at end of file
+ username: ${{ vars.DEB_PKG_BOT_CI_USERNAME }}
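Review bot: On `pull_request_target` the new fork-safe checkout in the first hunk makes the context line `uses: ./.github/actions/build_container` resolve against the contributor's tree, so the PR controls the composite action's code and Dockerfiles, while the second hunk still passes `token: ${{ secrets.DEB_PKG_BOT_CI_TOKEN }}` unconditionally — only `push-to-ghcr` is gated on the event. The commit message says the build step was split so PRs never receive secrets, but that split is not in this diff; as written, code taken from a fork PR runs in a job that hands the bot token to a local action, which is the exposure `persist-credentials: false` alone does not close. A minimal mitigation is to withhold the secret on that event, `token: ${{ github.event_name != 'pull_request_target' && secrets.DEB_PKG_BOT_CI_TOKEN || '' }}`, and a cleaner one is to validate forks on a plain `pull_request` trigger (which does not expose repository secrets) and reserve `pull_request_target` for trusted events, optionally checking out the base repo's `.github/actions` directory separately so the action code is never taken from the PR. The job header, its `permissions`, and the `on:` block are outside this hunk, so whether `packages`/`id-token` permissions are also reachable from a fork cannot be confirmed here.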