From 74b235b62643cf335fe5110dd6bcd499c0c59b32 Mon Sep 17 00:00:00 2001
From: Tim Etchells <tetchell@redhat.com>
Date: Sat, 20 Feb 2021 13:37:54 -0500
Subject: [PATCH] Remove pull_request_target from workflows that push images

Signed-off-by: Tim Etchells <tetchell@redhat.com>
---
 .github/workflows/multiple-build.yaml | 21 ++++++++++-----------
 .github/workflows/verify-push.yaml    | 17 ++++++++++-------
 2 files changed, 20 insertions(+), 18 deletions(-)

diff --git a/.github/workflows/multiple-build.yaml b/.github/workflows/multiple-build.yaml
index 70a6be5..8fb1e86 100644
--- a/.github/workflows/multiple-build.yaml
+++ b/.github/workflows/multiple-build.yaml
@@ -1,7 +1,6 @@
 name: Multiple container CLI build tests
 on:
   push:
-  pull_request_target:
   workflow_dispatch:
 env:
   IMAGE_NAME: myimage
@@ -32,12 +31,12 @@ jobs:
           registry: ${{ env.IMAGE_REGISTRY }}/${{ secrets.REGISTRY_USER }}
           username: ${{ secrets.REGISTRY_USER }}
           password: ${{ secrets.REGISTRY_PASSWORD }}
-    
+
       - name: Echo outputs
         run: |
           echo "Digest: ${{ steps.push.outputs.digest }}"
           echo "Registry Paths: ${{ steps.push.outputs.registry-paths }}"
-  
+
   build-only-docker:
     name: Build and push image built only on Docker
     runs-on: ubuntu-20.04
@@ -61,12 +60,12 @@ jobs:
           registry: ${{ env.IMAGE_REGISTRY }}/${{ secrets.REGISTRY_USER }}
           username: ${{ secrets.REGISTRY_USER }}
           password: ${{ secrets.REGISTRY_PASSWORD }}
-    
+
       - name: Echo outputs
         run: |
           echo "Digest: ${{ steps.push.outputs.digest }}"
           echo "Registry Paths: ${{ steps.push.outputs.registry-paths }}"
-  
+
   build-podman-latest:
     name: Build and push image built latest on Podman
     runs-on: ubuntu-20.04
@@ -80,7 +79,7 @@ jobs:
             FROM busybox
             RUN echo "hello world"
             EOF
-      
+
       - name: Build image using Podman
         run: |
             podman build -t ${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }} -<<EOF
@@ -88,7 +87,7 @@ jobs:
             RUN echo "hello world"
             EOF
 
-      - name: Push image to ${{ env.IMAGE_REGISTRY }} 
+      - name: Push image to ${{ env.IMAGE_REGISTRY }}
         id: push
         uses: ./
         with:
@@ -97,7 +96,7 @@ jobs:
           registry: ${{ env.IMAGE_REGISTRY }}/${{ secrets.REGISTRY_USER }}
           username: ${{ secrets.REGISTRY_USER }}
           password: ${{ secrets.REGISTRY_PASSWORD }}
-    
+
       - name: Echo outputs
         run: |
           echo "Digest: ${{ steps.push.outputs.digest }}"
@@ -124,7 +123,7 @@ jobs:
             RUN echo "hello world"
             EOF
 
-      - name: Push image to ${{ env.IMAGE_REGISTRY }} 
+      - name: Push image to ${{ env.IMAGE_REGISTRY }}
         id: push
         uses: ./
         with:
@@ -133,8 +132,8 @@ jobs:
           registry: ${{ env.IMAGE_REGISTRY }}/${{ secrets.REGISTRY_USER }}
           username: ${{ secrets.REGISTRY_USER }}
           password: ${{ secrets.REGISTRY_PASSWORD }}
-    
+
       - name: Echo outputs
         run: |
           echo "Digest: ${{ steps.push.outputs.digest }}"
-          echo "Registry Paths: ${{ steps.push.outputs.registry-paths }}"
\ No newline at end of file
+          echo "Registry Paths: ${{ steps.push.outputs.registry-paths }}"
diff --git a/.github/workflows/verify-push.yaml b/.github/workflows/verify-push.yaml
index 2abf9cd..4054caf 100644
--- a/.github/workflows/verify-push.yaml
+++ b/.github/workflows/verify-push.yaml
@@ -2,7 +2,10 @@
 # is some change in code done to ensure that the changes
 # are not buggy and we are getting the desired output.
 name: Test Build and Push
-on: [ push, workflow_dispatch, pull_request_target ]
+on:
+  push:
+  workflow_dispatch:
+
 env:
   PROJECT_DIR: spring-petclinic
   IMAGE_NAME: spring-petclinic
@@ -28,14 +31,14 @@ jobs:
         with:
           repository: "spring-projects/spring-petclinic"
           path: ${{ env.PROJECT_DIR }}
-      
+
       # If none of these files has changed, we assume that the contents of
       # .m2/repository can be fetched from the cache.
       - name: Hash Maven files
         working-directory: ${{ env.PROJECT_DIR }}
         run: |
           echo "MVN_HASH=${{ hashFiles('**/pom.xml', '.mvn/**/*', 'mvnw*') }}" >> $GITHUB_ENV
-      
+
       # Download the m2 repository from the cache to speed up the build.
       - name: Check for Maven cache
         id: check-mvn-cache
@@ -54,7 +57,7 @@ jobs:
       - name: Maven
         working-directory: ${{ env.PROJECT_DIR }}
         run: |
-          mvn package -ntp -B 
+          mvn package -ntp -B
 
        # If there was no cache hit above, store the output into the cache now.
       - name: Save Maven repo into cache
@@ -63,7 +66,7 @@ jobs:
         with:
           path: ${{ env.MVN_REPO_DIR }}
           key: ${{ env.MVN_HASH }}
-      
+
       # Build image using Buildah action
       - name: Build Image
         id: build_image
@@ -81,7 +84,7 @@ jobs:
             spring-petclinic-*.jar
           port: 8080
           oci: 'true'
-      
+
       # Push the image to Quay.io (Image Registry)
       - name: Push To Quay
         uses: ./push-to-registry/
@@ -94,7 +97,7 @@ jobs:
           password: ${{ secrets.REGISTRY_PASSWORD }}
           extra-args: |
             --disable-content-trust
-      
+
       - name: Echo outputs
         run: |
           echo "Digest: ${{ steps.push.outputs.digest }}"