Copilot AI commented Oct 6, 2025

Preview Deployment Fixes

  • Analyzed the preview deployment workflow
  • Identified the issue: GitHub Actions expressions inside heredoc with single quotes are not expanded
  • Fix the preview.yml workflow to properly use environment variables instead of GitHub Actions expressions in heredoc
  • Test the fix by validating the workflow syntax
  • Verify all GitHub Actions expressions are properly converted to environment variables
  • Simulate the complete workflow execution to verify correctness
  • Validate YAML syntax
  • Check for similar issues in other workflows (none found)
  • Fix GITHUB_OUTPUT variable to prevent "Body cannot be blank" error
  • Add fork detection to skip image pushing for external contributors

Summary

Fixed three issues in the preview deployment workflow:

Issue 1: Variable expansion in PR comments

  • Root cause: Heredoc used single quotes preventing variable expansion
  • Solution: Use environment variables with unquoted heredoc

Issue 2: Empty comment body error

  • Root cause: $GITHUB_OUTPUT was escaped as \$GITHUB_OUTPUT, creating a literal file instead of using the environment variable
  • Solution: Remove backslash escape so bash expands $GITHUB_OUTPUT to the actual output file path
  • Error prevented: "Body cannot be blank" (HTTP 422 from GitHub API)

Issue 3: External contributors can't push to organization's container registry

  • Root cause: PRs from forks don't have write permissions to ghcr.io/owasp/*
  • Error prevented: "denied: installation not allowed to Write organization package"
  • Solution:
    • Detect fork PRs using github.event.pull_request.head.repo.full_name != github.repository
    • Only push images when PR is from same repo or it's a push to main: push: ${{ github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository }}
    • Provide fork-specific instructions with local build steps instead of container registry deployment

The workflow now correctly:

  1. Generates deployment instructions with expanded variables
  2. Writes output to the proper GitHub Actions output file
  3. Passes non-empty content to the comment creation step
  4. Skips pushing images for fork PRs (builds only for validation)
  5. Provides appropriate testing instructions based on PR source (fork vs same-repo)

External contributors can now submit PRs without permission errors, while maintainers still get pre-built preview images for internal PRs.

Fixes #986

Original prompt

This section details on the original issue you should resolve

<issue_title>Preview deployment fixes</issue_title>
<issue_description>Can you fix the failing preview deployments?</issue_description>

Comments on the Issue (you are @copilot in this section)

Fixes #986


Copilot AI changed the title [WIP] Preview deployment fixes Fix preview deployment workflow variable expansion in PR comments Oct 6, 2025
Copilot AI requested a review from commjoen October 6, 2025 21:56
Copilot finished work on behalf of commjoen October 6, 2025 21:56
Collaborator

commjoen commented Oct 7, 2025

@copilot can you fix the following error?
Run actions/github-script@v7
RequestError [HttpError]: Validation Failed: {"resource":"IssueComment","code":"unprocessable","field":"data","message":"Body cannot be blank"}
at /home/runner/work/_actions/actions/github-script/v7/dist/index.js:9537:21
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
at async eval (eval at callAsyncFunction (/home/runner/work/_actions/actions/github-script/v7/dist/index.js:36187:16), :30:3)
at async main (/home/runner/work/_actions/actions/github-script/v7/dist/index.js:36285:20) {
status: 422,
response: {
url: 'https://api.github.com/repos/OWASP/wrongsecrets-ctf-party/issues/987/comments',
status: 422,
headers: {
'access-control-allow-origin': '*',
'access-control-expose-headers': 'ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset',
'content-length': '247',
'content-security-policy': "default-src 'none'",
'content-type': 'application/json; charset=utf-8',
date: 'Mon, 06 Oct 2025 22:14:07 GMT',
'referrer-policy': 'origin-when-cross-origin, strict-origin-when-cross-origin',
server: 'github.com',
'strict-transport-security': 'max-age=31536000; includeSubdomains; preload',
vary: 'Accept-Encoding, Accept, X-Requested-With',
'x-accepted-github-permissions': 'issues=write; pull_requests=write',
'x-content-type-options': 'nosniff',
'x-frame-options': 'deny',
'x-github-api-version-selected': '2022-11-28',
'x-github-media-type': 'github.v3; format=json',
'x-github-request-id': '7839:1077B0:1BCAB26:760F920:68E43F2F',
'x-ratelimit-limit': '15000',
'x-ratelimit-remaining': '14948',
'x-ratelimit-reset': '1759791975',
'x-ratelimit-resource': 'core',
'x-ratelimit-used': '52',
'x-xss-protection': '0'
},
data: {
message: 'Validation Failed',
errors: [Array],
documentation_url: 'https://docs.github.com/rest/issues/comments#create-an-issue-comment',
status: '422'
}
},
request: {
method: 'POST',
url: 'https://api.github.com/repos/OWASP/wrongsecrets-ctf-party/issues/987/comments',
headers: {
accept: 'application/vnd.github.v3+json',
'user-agent': 'actions/github-script octokit-core.js/5.0.1 Node.js/20.19.4 (linux; x64)',
authorization: 'token [REDACTED]',
'content-type': 'application/json; charset=utf-8'
},
body: '{"body":""}',
request: {
agent: [Agent],
fetch: [Function: proxyFetch],
hook: [Function: bound bound register]
}
}
}
Error: Unhandled error: HttpError: Validation Failed: {"resource":"IssueComment","code":"unprocessable","field":"data","message":"Body cannot be blank"}
from the github preview action?

Author

Copilot AI commented Oct 7, 2025

@copilot can you fix the following error?
Run actions/github-script@v7
RequestError [HttpError]: Validation Failed: {"resource":"IssueComment","code":"unprocessable","field":"data","message":"Body c...

Fixed in commit ca6b0ba. The issue was that $GITHUB_OUTPUT was escaped as \$GITHUB_OUTPUT, which created a literal file named "$GITHUB_OUTPUT" instead of using the environment variable. This caused the output to not be captured, resulting in an empty body being passed to the GitHub API. Removed the backslash escapes so the variable expands correctly.

Copilot finished work on behalf of commjoen October 7, 2025 02:27
Collaborator

commjoen commented Oct 7, 2025

@copilot can you fix the following issue when external contributors file a PR?

1 warning found (use docker --debug to expand):

  • FromAsCasing: 'as' and 'FROM' keywords' casing do not match (line 1)
    ERROR: failed to build: failed to solve: failed to push ghcr.io/owasp/cleaner:pr-985: denied: installation not allowed to Write organization package
    Reference
    Check build summary support
    Error: buildx failed with: ERROR: failed to build: failed to solve: failed to push ghcr.io/owasp/cleaner:pr-985: denied: installation not allowed to Write organization package

Author

Copilot AI commented Oct 7, 2025

@copilot can you fix the following issue when external contributors file a PR?

1 warning found (use docker --debug to expand):
...

Fixed in commit 50883c7. The issue occurs because external contributors from forks don't have write permissions to the organization's container registry. The workflow now:

  1. Detects fork PRs using github.event.pull_request.head.repo.full_name != github.repository
  2. Only pushes images when it's a push to main OR a PR from the same repo (not a fork)
  3. For fork PRs, still builds images (for validation) but skips pushing
  4. Provides fork-specific instructions with local build and deployment steps

This prevents the "denied: installation not allowed to Write organization package" error while still validating that fork PR changes build successfully.

Copilot AI changed the title Fix preview deployment workflow variable expansion in PR comments Fix preview deployment workflow for variable expansion and fork PRs Oct 7, 2025
Copilot finished work on behalf of commjoen October 7, 2025 02:34
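
The two shell mistakes described in this thread, reproduced next to a fork-aware corrected form. This is an added example, not the project's preview.yml; `PR_NUMBER`, `HEAD_REPO`, `REPO` and `BRANCH` are assumed names for values a workflow would pass in through `env:`, and the sample values are constructed.

```shell
#!/bin/sh
# Added example; not the project's preview.yml. PR_NUMBER, HEAD_REPO, REPO and
# BRANCH are hypothetical names for values a workflow passes in through `env:`.

# Before: the quoted delimiter keeps ${PR_NUMBER} literal, and \$GITHUB_OUTPUT
# is a file literally named "$GITHUB_OUTPUT" in the working directory.
write_broken() {
  cat >> \$GITHUB_OUTPUT <<'EOF'
instructions=Cleaner: ghcr.io/owasp/cleaner:pr-${PR_NUMBER}
EOF
}

# After: unquoted delimiter, real output file, fork-aware text. Values are
# inserted as text only: a "$(...)" inside BRANCH is not executed.
write_fixed() {
  if [ "$HEAD_REPO" = "$REPO" ]; then
    image="ghcr.io/owasp/cleaner:pr-${PR_NUMBER}"
  else
    image="not pushed (fork PR): build locally"
  fi
  cat >> "$GITHUB_OUTPUT" <<EOF
instructions<<DELIM
Cleaner: ${image}
Branch: ${BRANCH}
DELIM
EOF
}

# Run both forms in a scratch directory and print what each one wrote.
demo() {
  work=$(mktemp -d) && cd "$work" || return 1
  GITHUB_OUTPUT="$work/step_output"
  : > "$GITHUB_OUTPUT"
  PR_NUMBER=987
  REPO=OWASP/wrongsecrets-ctf-party
  HEAD_REPO=$REPO                      # same-repo PR; change it to model a fork
  BRANCH='fix-$(echo injected)'        # constructed value with shell syntax in it
  write_broken
  echo "broken: output file has $(wc -c < "$GITHUB_OUTPUT") bytes;" \
       "stray file holds: $(cat './$GITHUB_OUTPUT')"
  write_fixed
  echo "fixed:"
  cat "$GITHUB_OUTPUT"
}
demo
```

When a multiline output carries untrusted values, choose a delimiter the value cannot contain, since a line equal to the delimiter ends the output early.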

github-actions bot commented Oct 7, 2025

🚀 Preview Deployment Ready!

Your pull request has been built and is ready for preview deployment.
Here's how to test your changes:

Container Images Built

  • Balancer: ghcr.io/OWASP/wrongsecrets-balancer:pr-987
  • Cleaner: ghcr.io/OWASP/cleaner:pr-987

Quick Deploy with Helm

# Add the wrongsecrets helm repository
helm repo add wrongsecrets https://owasp.org/wrongsecrets-ctf-party
helm repo update

# Deploy with preview images
helm install my-preview wrongsecrets/wrongsecrets-ctf-party \
  --set balancer.repository=ghcr.io/OWASP/wrongsecrets-balancer \
  --set balancer.tag=pr-987 \
  --set wrongsecretsCleanup.repository=ghcr.io/OWASP/cleaner \
  --set wrongsecretsCleanup.tag=pr-987 \
  --set imagePullPolicy=Always

# Port forward to access locally
kubectl port-forward service/wrongsecrets-balancer 3000:3000

Deploy with Custom Values

Click to see preview-values.yaml
balancer:
  repository: ghcr.io/OWASP/wrongsecrets-balancer
  tag: pr-987

wrongsecretsCleanup:
  repository: ghcr.io/OWASP/cleaner
  tag: pr-987

# Preview configuration
ingress:
  enabled: true
  hosts:
    - host: >-
        preview-pr-987.wrongsecrets.local
      paths:
        - "/"
# Save the above values to preview-values.yaml, then:
helm install my-preview wrongsecrets/wrongsecrets-ctf-party \
  -f preview-values.yaml

Deploy with Local Build Scripts

# Clone this PR
git fetch origin pull/987/head:pr-987
git checkout pr-987

# Use the existing deployment script with custom images
./build-and-deploy.sh

Test the Changes

  1. Access the application at http://localhost:3000
  2. Create a team and verify functionality
  3. Test any new features or bug fixes

Container Registry

The preview images are available at:


This preview was automatically generated for PR #987

@commjoen commjoen marked this pull request as ready for review October 7, 2025 02:41
@commjoen commjoen requested a review from bendehaan as a code owner October 7, 2025 02:41
@commjoen commjoen merged commit 2c186cf into main Oct 7, 2025
21 checks passed
@commjoen commjoen deleted the copilot/fix-ee85dc5a-1b70-4d54-aa0f-112ff05a74d6 branch October 7, 2025 02:41