Fix workflow dependency and platform conflicts
Fixed critical workflow issues preventing builds: 1. Job Dependency Structure: - build-and-push now properly depends on security-check with always() - Allows push/tag events to run even when security-check is skipped - Only pull_request events trigger security-check - Conditional logic checks needs.security-check.result to handle skipped cases 2. Platform vs Load Conflict: - Removed platform specification for PR builds (load=true) - load: true only works with single platform matching host - Multi-platform (linux/amd64,linux/arm64) only for push events - Empty string for platforms when using load to avoid conflicts 3. Conditional Logic Improvements: - push events: always run (security-check skipped) - workflow_dispatch: always run (security-check skipped) - pull_request: only run if security-check succeeded and not a fork - pull_request_target: only run if has 'safe-to-build' label This ensures: - Branch pushes work correctly - Tag builds work correctly - PRs are security-checked before building - Fork PRs require manual approval
17
.github/workflows/docker-build.yml
@@ -40,12 +40,16 @@ jobs:
|
||||
fi
|
||||
|
||||
build-and-push:
|
||||
needs: [security-check]
|
||||
# Only run on non-fork PRs, or if manually approved (has 'safe-to-build' label)
|
||||
needs: security-check
|
||||
# Run on push/tag events (security-check is skipped but that's ok)
|
||||
# For PRs, only run on non-fork PRs or manually approved fork PRs
|
||||
if: |
|
||||
github.event_name != 'pull_request' ||
|
||||
needs.security-check.outputs.is_fork == 'false' ||
|
||||
(github.event_name == 'pull_request_target' && contains(github.event.pull_request.labels.*.name, 'safe-to-build'))
|
||||
always() && (
|
||||
github.event_name == 'push' ||
|
||||
github.event_name == 'workflow_dispatch' ||
|
||||
(github.event_name == 'pull_request' && needs.security-check.result == 'success' && needs.security-check.outputs.is_fork == 'false') ||
|
||||
(github.event_name == 'pull_request_target' && contains(github.event.pull_request.labels.*.name, 'safe-to-build'))
|
||||
)
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: read
|
||||
@@ -106,7 +110,8 @@ jobs:
|
||||
labels: ${{ steps.meta.outputs.labels }}
|
||||
cache-from: type=gha
|
||||
cache-to: type=gha,mode=max
|
||||
platforms: ${{ (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && 'linux/amd64' || 'linux/amd64,linux/arm64' }}
|
||||
# Only specify platforms for push (multi-platform), not for load (single-platform only)
|
||||
platforms: ${{ (github.event_name != 'pull_request' && github.event_name != 'pull_request_target') && 'linux/amd64,linux/arm64' || '' }}
|
||||
sbom: true
|
||||
provenance: true
|
||||
|
||||
|
||||
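Review bot: The new `pull_request_target` branch of the `if:` condition gates only on the `safe-to-build` label being present, so once a maintainer applies the label any later head push to that PR also satisfies the condition, and `security-check` never runs for this event type, so the job's fork/result checks do not cover it; since `pull_request_target` runs in the base repository's context, the gate should be tied to the labelling event itself rather than label presence, e.g. `(github.event_name == 'pull_request_target' && github.event.action == 'labeled' && github.event.label.name == 'safe-to-build')`, with the label removed (or the job re-reviewed) on `synchronize`. Separately, `always() && (` makes `build-and-push` run even when the workflow is cancelled; `!cancelled() && (` gives the intended "run when security-check was skipped" semantics without that side effect. The job's `steps:` and any `checkout` ref selection for the `pull_request_target` case are outside the hunk, so whether the checked-out SHA matches the labelled revision cannot be confirmed here; the second hunk's `platforms: ''` for PR builds presumably relies on the action treating an empty value as "host platform" — worth a comment stating that, and verifying that `sbom: true`/`provenance: true` are accepted together with `load: true` on the runner's buildx version.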