From ef227a316b87d44a8aae61ad6c2f6cd1e9fa9cd7 Mon Sep 17 00:00:00 2001
From: GitHub Actions <actions@github.com>
Date: Sun, 8 Feb 2026 18:34:23 +0000
Subject: [PATCH] fix: unblock pipeline by removing push_image gate from
 downstream jobs

Integration, E2E, and security jobs were being skipped on PR builds because
they required push_image == 'true'. Since the build succeeded and images were
available, these jobs should run regardless of push policy.

Changed conditions to depend on build success and image availability rather
than registry push status. This allows comprehensive testing on all builds
while still optimizing resource usage where needed.
---
 .github/workflows/ci-pipeline.yml | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/ci-pipeline.yml b/.github/workflows/ci-pipeline.yml
index aa9d8151..3ea612c6 100644
--- a/.github/workflows/ci-pipeline.yml
+++ b/.github/workflows/ci-pipeline.yml
@@ -297,6 +297,8 @@ jobs:
             IMAGE_REF_GHCR="${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}@${DIGEST}"
             echo "image_ref_dockerhub=${IMAGE_REF_DOCKERHUB}" >> "$GITHUB_OUTPUT"
             echo "image_ref_ghcr=${IMAGE_REF_GHCR}" >> "$GITHUB_OUTPUT"
+            echo "::add-mask::${IMAGE_REF_DOCKERHUB}"
+            echo "::add-mask::${IMAGE_REF_GHCR}"
           fi
           echo "image_tag=${{ steps.tags.outputs.image_tag }}" >> "$GITHUB_OUTPUT"
 
@@ -304,7 +306,7 @@ jobs:
     name: Integration - Cerberus
     runs-on: ubuntu-latest
     needs: build-image
-    if: needs.build-image.result == 'success' && needs.build-image.outputs.push_image == 'true' && needs.build-image.outputs.image_ref_dockerhub != '' && (github.event_name != 'workflow_dispatch' || inputs.run_integration != false)
+    if: needs.build-image.result == 'success' && needs.build-image.outputs.image_ref_dockerhub != '' && (github.event_name != 'workflow_dispatch' || inputs.run_integration != false)
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
@@ -329,7 +331,7 @@ jobs:
     name: Integration - CrowdSec
     runs-on: ubuntu-latest
     needs: build-image
-    if: needs.build-image.result == 'success' && needs.build-image.outputs.push_image == 'true' && needs.build-image.outputs.image_ref_dockerhub != '' && (github.event_name != 'workflow_dispatch' || inputs.run_integration != false)
+    if: needs.build-image.result == 'success' && needs.build-image.outputs.image_ref_dockerhub != '' && (github.event_name != 'workflow_dispatch' || inputs.run_integration != false)
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
@@ -355,7 +357,7 @@ jobs:
     name: Integration - WAF
     runs-on: ubuntu-latest
     needs: build-image
-    if: needs.build-image.result == 'success' && needs.build-image.outputs.push_image == 'true' && needs.build-image.outputs.image_ref_dockerhub != '' && (github.event_name != 'workflow_dispatch' || inputs.run_integration != false)
+    if: needs.build-image.result == 'success' && needs.build-image.outputs.image_ref_dockerhub != '' && (github.event_name != 'workflow_dispatch' || inputs.run_integration != false)
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
@@ -380,7 +382,7 @@ jobs:
     name: Integration - Rate Limit
     runs-on: ubuntu-latest
     needs: build-image
-    if: needs.build-image.result == 'success' && needs.build-image.outputs.push_image == 'true' && needs.build-image.outputs.image_ref_dockerhub != '' && (github.event_name != 'workflow_dispatch' || inputs.run_integration != false)
+    if: needs.build-image.result == 'success' && needs.build-image.outputs.image_ref_dockerhub != '' && (github.event_name != 'workflow_dispatch' || inputs.run_integration != false)
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
@@ -442,7 +444,7 @@ jobs:
     needs:
       - build-image
       - integration-gate
-    if: (github.event_name != 'workflow_dispatch' || inputs.run_e2e != false) && needs.build-image.outputs.push_image == 'true'
+    if: (github.event_name != 'workflow_dispatch' || inputs.run_e2e != false) && needs.build-image.result == 'success'
     uses: ./.github/workflows/e2e-tests-split.yml
     with:
       browser: all
@@ -666,7 +668,7 @@ jobs:
     needs:
       - build-image
       - codecov-gate
-    if: (github.event_name != 'workflow_dispatch' || inputs.run_security_scans != false) && needs.build-image.outputs.push_image == 'true'
+    if: (github.event_name != 'workflow_dispatch' || inputs.run_security_scans != false) && needs.build-image.result == 'success'
     permissions:
       contents: read
       security-events: write
@@ -710,7 +712,7 @@ jobs:
     needs:
       - build-image
       - codecov-gate
-    if: (github.event_name != 'workflow_dispatch' || inputs.run_security_scans != false) && needs.build-image.outputs.push_image == 'true'
+    if: (github.event_name != 'workflow_dispatch' || inputs.run_security_scans != false) && needs.build-image.result == 'success'
     permissions:
       contents: read
       security-events: write