From 367f1c9cd73da464a63b0aba03ad5ef089ccdbd2 Mon Sep 17 00:00:00 2001
From: Jairo Llopis
Date: Mon, 15 Jun 2026 09:24:50 +0100
Subject: [PATCH 1/2] ci: run build-test-push on all PRs, not just same-repo

Fork PRs previously skipped the build-test-push job entirely, preventing contributors from getting build and test feedback. Removing the same-repo restriction lets all PRs run the pipeline. The DockerHub push step was already guarded by credential checks, and a guard was added to the GHCR push step to prevent failures on forks where GITHUB_TOKEN is read-only.
---
 .github/workflows/ci.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 3ffd4ea..4acab42 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -25,7 +25,7 @@ jobs:
 - uses: pre-commit/action@v1.0.1
 build-test-push:
- if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository)
+ if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) || github.event_name == 'pull_request'
 runs-on: ubuntu-latest
 needs: pre-commit
 permissions:
@@ -98,6 +98,7 @@ jobs:
 REGISTRY_USERNAME: ${{ env.DOCKERHUB_LOGIN }}
 run: ./hooks/push
 - name: Push Docker Image to GitHub Registry
+ if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
 env:
 REGISTRY_HOST: ghcr.io
 REGISTRY_TOKEN: ${{ secrets.BOT_TOKEN || secrets.GITHUB_TOKEN }}
From 8ce6e424c952f1d81e07c73fac3fa3adac2c0780 Mon Sep 17 00:00:00 2001
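Review bot: The new job-level condition on `build-test-push` (`|| github.event_name == 'pull_request'`) admits fork PRs, so the job's safety now rests on every credential-using step carrying its own guard, and nothing in the workflow records that. I would state the invariant in a comment above the `if:`: `# Fork PRs run this job with a read-only GITHUB_TOKEN and no secrets; every push step must carry its own guard.` This holds only while the workflow is triggered by `pull_request`. The `on:` block and the steps between this condition and the push steps are outside the hunk, so both are worth confirming.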
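Review bot: The guard added to the `Push Docker Image to GitHub Registry` step tests only whether the PR head lives in the same repository, which is not the only case where the token is read-only. Dependabot PRs come from branches of the same repository yet run with a read-only `GITHUB_TOKEN` and without the regular secrets, so if Dependabot is enabled here the step would presumably still run and fail at the push. Extending the condition covers it: `if: github.event_name != 'pull_request' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]')`. The step's `run:` line and the job's `permissions:` block are outside the hunk.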
From: Jairo Llopis
Date: Mon, 15 Jun 2026 10:06:09 +0100
Subject: [PATCH 2/2] ci: fix ghcr push credential consistency

The GHCR push step used `||` between independent secrets: `BOT_TOKEN || GITHUB_TOKEN` and `BOT_LOGIN || repository_owner`. When only one `BOT_` secret was set, credentials became a mismatched pair (e.g. BOT_TOKEN + repository_owner), causing a `denied: denied` authentication failure from ghcr.io. Now `&&` ensures both `BOT_TOKEN` and `BOT_LOGIN` must exist together to be used; otherwise it falls back to the always-available and consistent `GITHUB_TOKEN` + `github.actor` pair. This is backwards-compatible: setups with both bot secrets keep working. Setups with none or only one now consistently use GITHUB_TOKEN.
---
 .github/workflows/ci.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 4acab42..cc5af7c 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -101,6 +101,6 @@ jobs:
 if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
 env:
 REGISTRY_HOST: ghcr.io
- REGISTRY_TOKEN: ${{ secrets.BOT_TOKEN || secrets.GITHUB_TOKEN }}
- REGISTRY_USERNAME: ${{ secrets.BOT_LOGIN || github.repository_owner }}
+ REGISTRY_TOKEN: ${{ secrets.BOT_LOGIN && secrets.BOT_TOKEN || secrets.GITHUB_TOKEN }}
+ REGISTRY_USERNAME: ${{ secrets.BOT_TOKEN && secrets.BOT_LOGIN || github.actor }}
 run: ./hooks/push
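Review bot: The new `REGISTRY_TOKEN` and `REGISTRY_USERNAME` expressions fall back silently: a repository with only one of `BOT_LOGIN`/`BOT_TOKEN` set now publishes with `GITHUB_TOKEN`, and nothing in the run shows which identity was used. The mirrored `&&`/`||` pattern also has to stay in step across both lines, so I would add a comment above them: `# Bot pair is used only when BOT_LOGIN and BOT_TOKEN are both set; otherwise GITHUB_TOKEN + github.actor.` Pushing with `GITHUB_TOKEN` presumably needs `packages: write` in the job's `permissions:` block, which is outside the hunk.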