26 changes: 19 additions & 7 deletions .github/workflows/publish-test-deps-image.yml
@@ -3,21 +3,31 @@ name: Publish test-deps image
# Builds docker/wolfprovider-test-deps/Dockerfile and pushes it to
# ghcr.io/wolfssl/wolfprovider-test-deps:bookworm.
#
# Fires when the Dockerfile (or this workflow file) changes on master.
# The pushed package stays private -- consumer workflows running on
# wolfSSL/wolfProvider use the canonical GITHUB_TOKEN, which has read
# access to the org's private packages.
# Triggers:
# - push to master/main when the Dockerfile changes -> rebuilds :bookworm
# - pull_request_target when the Dockerfile changes -> rebuilds :bookworm
# from the PR head SHA, so PR jobs that consume the image (sanitizers,
# static-analysis, multi-compiler, OSP) actually see the updated deps.
# pull_request_target runs from BASE with canonical secrets, so the
# ghcr push has the right scope; checkout pins to the PR head SHA so
# the build sees the PR's Dockerfile.
# - workflow_dispatch for manual rebuilds

on:
push:
branches: [ 'master', 'main' ]
paths:
- 'docker/wolfprovider-test-deps/**'
- '.github/workflows/publish-test-deps-image.yml'
pull_request_target:
paths:
- 'docker/wolfprovider-test-deps/**'
- '.github/workflows/publish-test-deps-image.yml'
workflow_dispatch: {}

concurrency:
group: publish-test-deps-image
# Serialize per-PR/branch so two pushes don't race to overwrite :bookworm.
group: publish-test-deps-image-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: false

permissions:
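Review bot: the `pull_request_target` trigger plus the `concurrency` change do not achieve what the comments say, and they widen who can rewrite the shared `:bookworm` tag. On `pull_request_target` the job runs in the base repository with its canonical token, so every open PR that touches `docker/wolfprovider-test-deps/**` (fork PRs included) republishes the one image that master's consumer workflows pull; the group `publish-test-deps-image-${{ github.event.pull_request.number || github.ref }}` only serializes pushes within a single PR, so two different PRs can still race to overwrite `:bookworm`, and an unmerged PR's Dockerfile replaces the image master CI uses. Suggest publishing PR builds to a per-PR tag (for example `:pr-${{ github.event.pull_request.number }}`) that the PR jobs reference, and keeping `:bookworm` for the `push` trigger only; if a single shared tag is required, restrict the `pull_request_target` path to same-repo PRs (`github.event.pull_request.head.repo.full_name == github.repository`) or gate it on a maintainer label. Also note that listing `.github/workflows/publish-test-deps-image.yml` under the `pull_request_target` paths filter has no effect on what runs, since `pull_request_target` always executes the workflow file from the base branch.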
@@ -26,14 +36,16 @@ permissions:

jobs:
publish:
# Only the canonical repo's runner has a token authorized to push
# to ghcr.io/wolfssl/*. Forks won't have that scope, so skip.
# Canonical repo only - forks lack the ghcr push scope.
if: github.repository == 'wolfSSL/wolfProvider'
runs-on: ubuntu-22.04
timeout-minutes: 45
steps:
- uses: actions/checkout@v4
with:
# For pull_request_target, default checkout pulls BASE. We need
# the PR head SHA so the build sees the PR's Dockerfile.
ref: ${{ github.event.pull_request.head.sha || github.sha }}
fetch-depth: 1

- name: Set up Docker Buildx
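Review bot: `if: github.repository == 'wolfSSL/wolfProvider'` does not exclude fork PRs for the new `pull_request_target` trigger, and the rewritten comment "forks lack the ghcr push scope" is misleading: on `pull_request_target`, `github.repository` is always the base repository and the job runs with the base repository's token, so a PR opened from a fork passes this check. Combined with `ref: ${{ github.event.pull_request.head.sha || github.sha }}`, the Docker build in the following steps executes the PR author's Dockerfile with a token that the file header says can push to `ghcr.io/wolfssl/*`. Suggest either adding `github.event.pull_request.head.repo.full_name == github.repository` to the `if` (so forks are skipped for real) or requiring an explicit approval step before the push, and restoring a comment that states what the condition actually guards against. The condition could also be written once as a job-level guard for the `push` case, e.g. `if: github.repository == 'wolfSSL/wolfProvider' && (github.event_name != 'pull_request_target' || github.event.pull_request.head.repo.full_name == github.repository)`.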