ci: run build-test-push on all PRs, not just same-repo#39
Conversation
|
Thanks for the thorough review, @ljmnoonan! Both points are addressed in the latest revision:
|
|
Hi, thanks for putting in the work for this PR. |
Fork PRs previously skipped the build-test-push job entirely, preventing contributors from getting build and test feedback. The GHCR push step used || between independent secrets: BOT_TOKEN || GITHUB_TOKEN and BOT_LOGIN || repository_owner. When only one BOT_* secret was set, credentials became a mismatched pair, causing a denied: denied authentication failure from ghcr.io. Changes: - Remove same-repo restriction from job condition so all PRs run the pipeline. - Use && to ensure both BOT_TOKEN and BOT_LOGIN must exist together to be used; otherwise fall back to the always- available GITHUB_TOKEN + github.repository_owner pair. - Expose BOT_TOKEN and BOT_LOGIN as env vars so they can be evaluated in the if: condition. - Allow GHCR push on fork PRs when bot credentials are available; skip only when GITHUB_TOKEN would be read-only (fork PR without BOT_TOKEN/BOT_LOGIN). - Use github.repository_owner as fallback username instead of github.actor to avoid confusion in org fork scenarios.
|
Rebased. |
Fork PRs previously skipped the build-test-push job entirely,
preventing contributors from getting build and test feedback.
Removing the same-repo restriction lets all PRs run the pipeline.
The DockerHub push step was already guarded by credential checks,
and a guard was added to the GHCR push step to prevent failures
on forks where GITHUB_TOKEN is read-only.