ci: run build-test-push on all PRs, not just same-repo#39
Conversation
Fork PRs previously skipped the build-test-push job entirely, preventing contributors from getting build and test feedback. Removing the same-repo restriction lets all PRs run the pipeline. The DockerHub push step was already guarded by credential checks, and a guard was added to the GHCR push step to prevent failures on forks where GITHUB_TOKEN is read-only.
The GHCR push step used `||` between independent secrets: `BOT_TOKEN || GITHUB_TOKEN` and `BOT_LOGIN || repository_owner`. When only one `BOT_` secret was set, credentials became a mismatched pair (e.g. BOT_TOKEN + repository_owner), causing a `denied: denied` authentication failure from ghcr.io. Now `&&` ensures both `BOT_TOKEN` and `BOT_LOGIN` must exist together to be used; otherwise it falls back to the always-available and consistent `GITHUB_TOKEN` + `github.actor` pair. This is backwards-compatible: setups with both bot secrets keep working. Setups with none or only one now consistently use GITHUB_TOKEN.
| REGISTRY_TOKEN: ${{ secrets.BOT_TOKEN || secrets.GITHUB_TOKEN }} | ||
| REGISTRY_USERNAME: ${{ secrets.BOT_LOGIN || github.repository_owner }} | ||
| REGISTRY_TOKEN: ${{ secrets.BOT_LOGIN && secrets.BOT_TOKEN || secrets.GITHUB_TOKEN }} | ||
| REGISTRY_USERNAME: ${{ secrets.BOT_TOKEN && secrets.BOT_LOGIN || github.actor }} |
There was a problem hiding this comment.
I may be mistaken, but I believe using github.actor will cause problems when the fork belongs to an organization.
If I push to github.com/MyOrg/docker-postgres-autoconf, using github.actor will cause this action to try to push the container to ghcr.io/myusername/docker-postgres-autoconf instead of ghcr.io/myorg/docker-postgres-autoconf
| REGISTRY_USERNAME: ${{ env.DOCKERHUB_LOGIN }} | ||
| run: ./hooks/push | ||
| - name: Push Docker Image to GitHub Registry | ||
| if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository |
There was a problem hiding this comment.
I apologize for the oversight on testing and pushing test pr images in #37
However, I do not think this step should be skipped entirely for PRs from forked repos. After all, If BOT_LOGIN and BOT_TOKEN are configured there should be no problems pushing.
To do this, we can either read these BOT credentials into env and set up a check for them when the event name is a PR like
if: github.event_name != 'pull_request' | | env.BOT_TOKEN && env.BOT_LOGIN && github.event_name = 'pull_request'
Or we can just assume that a repo accepting PRs from forks (really only this one) will always have BOT_LOGIN and BOT_TOKEN configured and will never fall back to GITHUB_TOKEN
2 participants
Fork PRs previously skipped the build-test-push job entirely,
preventing contributors from getting build and test feedback.
Removing the same-repo restriction lets all PRs run the pipeline.
The DockerHub push step was already guarded by credential checks,
and a guard was added to the GHCR push step to prevent failures
on forks where GITHUB_TOKEN is read-only.