fix: switch pull_request_target to pull_request

- Replace pull_request_target with pull_request to prevent fork PRs
  from running with elevated permissions and secret access
- Remove conditional fork-safe checkout; use single actions/checkout@v4
- Fix upload condition to trigger on push/schedule/workflow_dispatch only
- Add packages: write permission required for GHCR push

Signed-off-by: Keerthi Gowda <kbalehal@qti.qualcomm.com>

Author: keerthi-go

.github/actions/build_container/action.yml

@@ -1,6 +1,6 @@
 name: Builds the container and chroots
 description: |
-  This Github Actions builds the container and sets up the chroot environment for building packages for noble and questing.
+  This Github Action builds the containers and sets up the chroot environment for building packages for noble and questing.
 
 inputs:
 
@@ -29,20 +29,3 @@ runs:
     - name: Build noble and questing containers
       shell: bash
       run: ./docker_deb_build.py --rebuild --no-update-check
-
-    - name: Push to GHCR
-      if: ${{inputs.push-to-ghcr}} == 'true'
-      shell: bash
-      run: |
-        echo ${{inputs.token}} | docker login ghcr.io -u ${{inputs.username}} --password-stdin
-
-        # UBUNTU IMAGES
-        docker push ghcr.io/${{env.QCOM_ORG_NAME}}/${{env.IMAGE_NAME}}:${{inputs.arch}}-noble
-        docker push ghcr.io/${{env.QCOM_ORG_NAME}}/${{env.IMAGE_NAME}}:${{inputs.arch}}-questing
-        docker push ghcr.io/${{env.QCOM_ORG_NAME}}/${{env.IMAGE_NAME}}:${{inputs.arch}}-resolute
-
-        # DEBIAN IMAGES
-        docker push ghcr.io/${{env.QCOM_ORG_NAME}}/${{env.IMAGE_NAME}}:${{inputs.arch}}-trixie
-        docker push ghcr.io/${{env.QCOM_ORG_NAME}}/${{env.IMAGE_NAME}}:${{inputs.arch}}-sid
-
-

.github/actions/upload_containers/action.yml

@@ -0,0 +1,42 @@
+name: Uploads the containers
+description: |
+  This Github Action uploads the built containers.
+
+inputs:
+
+  arch:
+    description: The architecture to build for. Ex amd64, arm64, etc
+    required: true
+
+  push-to-ghcr:
+    description: Whether to push the built image to GitHub Container Registry
+    required: true
+    default: "true"
+
+  token:
+    description: PAT token
+    required: true
+
+  username:
+    description: Username for the PAT token
+    required: true
+
+runs:
+  using: "composite"
+
+  steps:
+
+    - name: Push to GHCR
+      if: ${{ inputs.push-to-ghcr == 'true' }}
+      shell: bash
+      run: |
+        echo ${{inputs.token}} | docker login ghcr.io -u ${{inputs.username}} --password-stdin
+
+        # UBUNTU IMAGES
+        docker push ghcr.io/${{env.QCOM_ORG_NAME}}/${{env.IMAGE_NAME}}:${{inputs.arch}}-noble
+        docker push ghcr.io/${{env.QCOM_ORG_NAME}}/${{env.IMAGE_NAME}}:${{inputs.arch}}-questing
+        docker push ghcr.io/${{env.QCOM_ORG_NAME}}/${{env.IMAGE_NAME}}:${{inputs.arch}}-resolute
+
+        # DEBIAN IMAGES
+        docker push ghcr.io/${{env.QCOM_ORG_NAME}}/${{env.IMAGE_NAME}}:${{inputs.arch}}-trixie
+        docker push ghcr.io/${{env.QCOM_ORG_NAME}}/${{env.IMAGE_NAME}}:${{inputs.arch}}-sid

.github/workflows/qcom-container-build-and-upload.yml

@@ -1,16 +1,14 @@
 name: Container Build And Upload
 description: |
   Builds and uploads to GHCR (GitHub Container Registry) the container used to build the Qualcomm debian packages.
-  This workflow will assumes the build architecture is amd64 (x86_64) since the github's 'ubuntu-latest' runs-on tag
-  is used. Using docker's buildx, the Dockerfile in this repo's docker/ folder will be built for amd64 and cross-compiled
-  for arm64.
+  Builds natively on an arm64 self-hosted runner. Images are uploaded on push to main, scheduled runs, and manual dispatches.
 
 on:
   schedule:
     # Runs at 00:00 UTC every Monday
     - cron: '0 0 * * 1'
 
-  pull_request_target:
+  pull_request:
     branches:
       - main
     paths:
@@ -30,6 +28,7 @@ on:
 
 permissions:
   contents: read
+  packages: write
 
 env:
   QCOM_ORG_NAME: "qualcomm-linux"
@@ -45,24 +44,20 @@ jobs:
     runs-on: ubuntu-24.04-arm
     steps:
 
-      # PRs from forks (pull_request_target): check out the PR's fork + exact commit
-      - name: Checkout PR head (fork-safe)
-        if: ${{ github.event_name == 'pull_request_target' }}
-        uses: actions/checkout@v4
-        with:
-          repository: ${{ github.event.pull_request.head.repo.full_name }}
-          ref: ${{ github.event.pull_request.head.sha }}
-          persist-credentials: false
-
-      # Push / schedule / manual: normal checkout
       - name: Checkout repository
-        if: ${{ github.event_name != 'pull_request_target' }}
         uses: actions/checkout@v4
 
       - name: Build Images
         uses: ./.github/actions/build_container
         with:
           arch: arm64
-          push-to-ghcr: ${{ github.event_name != 'pull_request_target' }}
+
+      - name: Upload Images
+        uses: ./.github/actions/upload_containers
+        # Only upload on trusted events that land code on main
+        if: ${{ github.event_name == 'schedule' || github.event_name == 'push' || github.event_name == 'workflow_dispatch' }}
+        with:
+          arch: arm64
+          push-to-ghcr: "true"
           token: ${{ secrets.DEB_PKG_BOT_CI_TOKEN }}
           username: ${{ vars.DEB_PKG_BOT_CI_USERNAME }}