Prefer whitelist approach for Docker image push condition

Replace the exclusion-based condition with an explicit list
of events that should push an image. Any future trigger
added to the workflow will default to not pushing, which
is the safe behavior.
This commit is contained in:
vlakoff 2026-04-30 09:51:27 +02:00
parent ccbd2f971c
commit 09cb2da8c2
No known key found for this signature in database
GPG key ID: D01DA5A5B698E332

View file

@ -36,7 +36,7 @@ jobs:
context: . # Use local checkout to support GitHub Merge Queue
output: image
platforms: linux/amd64,linux/arm64
push: ${{ github.event_name != 'pull_request' && github.event_name != 'merge_group' }}
push: ${{ github.event_name == 'push' || github.event_name == 'workflow_dispatch' }}
cache: ${{ github.event_name != 'workflow_dispatch' || inputs.use_cache }}
# We don't sign the image because ghcr.io doesn't support OCI Referrers API yet, and the fallback relies on pushing new tags on each build
# https://github.com/docker/github-builder/issues/109#issuecomment-3885082486