Skip to content

ci: use dynamic repository owner for container images #8548

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
sheurich wants to merge 2 commits into
base: main
Choose a base branch
from
Open

ci: use dynamic repository owner for container images #8548

sheurich wants to merge 2 commits into from
+5 −5

Conversation

@sheurich
Copy link
Contributor

@sheurich sheurich commented Jan 8, 2026
edited
Loading

Replace hardcoded letsencrypt with $GITHUB_REPOSITORY_OWNER in workflow image paths.

This enables testing release workflows on forks without modifying the workflow file.

Changes

release.yml:

  • ghcr.io/letsencrypt/boulderghcr.io/$GITHUB_REPOSITORY_OWNER/boulder
  • ghcr.io/letsencrypt/ct-test-srvghcr.io/$GITHUB_REPOSITORY_OWNER/ct-test-srv

try-release.yml:

  • ghcr.io/letsencrypt/ct-test-srvghcr.io/$GITHUB_REPOSITORY_OWNER/ct-test-srv

Testing

Verified by triggering try-release on fork; image paths resolve to fork owner.

@sheurich sheurich requested a review from a team as a code owner January 8, 2026 15:31
@sheurich sheurich requested a review from aarongable January 8, 2026 15:31
aarongable
aarongable reviewed Jan 9, 2026
View reviewed changes
.github/workflows/release.yml Outdated

- name: Tag Boulder container
run: docker tag boulder "ghcr.io/letsencrypt/boulder:${GITHUB_REF_NAME}-go${{ matrix.GO_VERSION }}"
run: docker tag boulder "ghcr.io/${{ github.repository_owner }}/boulder:${GITHUB_REF_NAME}-go${{ matrix.GO_VERSION }}"
Copy link
Contributor

@aarongable aarongable Jan 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm unconvinced we should make this change at all, as it veers dangerously close to referencing untrusted strings in our workflows and enabling fork- or PR-based attacks. However, if other reviewers think this change is fine, at the very least it should use the environment variable version of this rather than the context preprocessor version, to prevent quote escaping issues.

Suggested change
run: docker tag boulder "ghcr.io/${{ github.repository_owner }}/boulder:${GITHUB_REF_NAME}-go${{ matrix.GO_VERSION }}"
run: docker tag boulder "ghcr.io/${GITHUB_REPOSITORY_OWNER}/boulder:${GITHUB_REF_NAME}-go${{ matrix.GO_VERSION }}"

@aarongable aarongable requested review from a team and aarongable and removed request for a team January 9, 2026 20:19
@sheurich @aarongable
fix: switch to ${GITHUB_REPOSITORY_OWNER}
7a72d9d 
Switch to ${GITHUB_REPOSITORY_OWNER} to avoid expression expansion/quoting issues

Co-authored-by: Aaron Gable <[email protected]>
@sheurich
Copy link
Contributor Author

sheurich commented Jan 9, 2026
edited
Loading

I'm unconvinced we should make this change at all, as it veers dangerously close to referencing untrusted strings in our workflows and enabling fork- or PR-based attacks.

Agree on being cautious, but GITHUB_REPOSITORY_OWNER is the repository owner name per GitHub’s variables reference (https://docs.github.com/en/actions/reference/workflows-and-actions/variables), so I don’t see a fork/PR‑controlled input here. If you have a specific attack path in mind, happy to dig in.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aarongable aarongable Awaiting requested review from aarongable aarongable is a code owner automatically assigned from letsencrypt/boulder-developers

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@sheurich @aarongable