Commit 82f7c4a

Zerpet authored and mergify[bot] committed
CI: tweak OCI build triggers
Building on push to any branch is wasteful and unnecessary, because most of the built images are never used. The workflow dispatch trigger covers the use case to build an image from the latest commit in a branch.

The use case to validate/QA a PR is now covered by the on pull request trigger. This trigger has a caveat: PRs from forks won't produce a docker image. Why? Because PRs from forks do not inject rabbitmq-server secrets. This is a security mechanism from GitHub, to protect repository secrets.

With this trigger it is possible to QA/validate PRs from other Core team members. Technically, anyone with 'write' access to our repo to push branches.

(cherry picked from commit 4efb3df)

# Conflicts:
# .github/workflows/oci-make.yaml
1 parent 02268ef commit 82f7c4a

1 file changed, +15 -1 lines changed

.github/workflows/oci-make.yaml

Lines changed: 15 additions & 1 deletion
@@ -5,13 +5,25 @@
55
#
66
name: OCI (make)
77
on:
8+
<<<<<<< HEAD
89
push:
910
paths-ignore:
1011
- '.github/workflows/secondary-umbrella.yaml'
1112
- '.github/workflows/update-elixir-patches.yaml'
1213
- '.github/workflows/update-otp-patches.yaml'
1314
- '.github/workflows/release-alphas.yaml'
1415
- '*.md'
16+
=======
17+
pull_request:
18+
paths:
19+
- deps/**
20+
- scripts/**
21+
- Makefile
22+
- plugins.mk
23+
- rabbitmq-components.mk
24+
- packaging/**
25+
- .github/workflows/oci-make.yaml
26+
>>>>>>> 4efb3df39 (CI: tweak OCI build triggers)
1527
workflow_dispatch:
1628
inputs:
1729
otp_version:
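Review bot: The added lines `<<<<<<< HEAD`, `=======` and `>>>>>>> 4efb3df39 (CI: tweak OCI build triggers)` under `on:` are unresolved cherry-pick conflict markers, so the file no longer parses as a valid workflow and neither the `pull_request` nor the `workflow_dispatch` trigger will take effect. Resolve the conflict before merging: per the commit message, building on push is what this change is meant to remove, so drop the `push:` / `paths-ignore:` block together with the three marker lines and keep the `pull_request:` block with its `paths:` filter, followed by `workflow_dispatch:`.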
@@ -25,7 +37,7 @@ on:
2537
default: false
2638
env:
2739
REGISTRY_IMAGE: pivotalrabbitmq/rabbitmq
28-
VERSION: 4.1.0+${{ github.sha }}
40+
VERSION: 4.2.0+${{ github.sha }}
2941
concurrency:
3042
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
3143
cancel-in-progress: true
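Review bot: The `VERSION` change from 4.1.0 to 4.2.0 is not mentioned in the commit message, which only covers triggers; since this commit is a cherry-pick that hit conflicts in this file, confirm that 4.2.0 is the right value for the branch receiving it and was not simply carried over from the source branch. Also note that under the new `pull_request` trigger `github.sha` is the SHA of the PR's merge commit, not the head commit of the branch, so the version suffix on PR-built images will not match a commit the author pushed; `github.event.pull_request.head.sha` would, if QA needs to map an image back to a commit.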
@@ -37,6 +49,8 @@ jobs:
3749
- ${{ github.event.inputs.otp_version || '27' }}
3850
runs-on: ubuntu-latest
3951
outputs:
52+
# When dependabot, or a user from a fork, creates PRs, secrets are not injected, and the OCI workflow can't push the image
53+
# This check acts as a gate keeper
4054
authorized: ${{ steps.authorized.outputs.authorized }}
4155
steps:
4256
- name: CHECK IF IMAGE WILL PUSH
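Review bot: The new comment above `authorized` calls the check a gatekeeper, but the output only gates anything if every job that logs in to the registry or pushes the image is conditioned on it; that is not visible in this hunk, so confirm each such job has an `if:` on this output and does not fall through to a push attempt with empty credentials. The comment would also be more useful if it said what the `CHECK IF IMAGE WILL PUSH` step actually tests (for example, whether the secret is empty) rather than only why it exists, and "gate keeper" should read "gatekeeper".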
