
Image build pipelines should run only when merged to main of exospherehost/exospherehost #69

@NiveditJain

Description


Context

Our Docker image build and publish workflows are running in situations where they should not, like PRs and forks. This risks pushing untrusted images and wastes CI minutes.

Goal

Run image build and publish only when code is merged to main in the canonical repository exospherehost/exospherehost. Forks and non-main branches should never publish.

Proposal

  1. Restrict triggers to pushes on main for the image workflow.
  2. Gate jobs and publish steps with a repository check.
  3. Keep PR CI green by allowing build/test without publishing, but guard any registry login or push with conditions.

Example GitHub Actions changes

Trigger only on merges to main:

# .github/workflows/docker-images.yml
name: Docker Images

on:
  push:
    branches: [ main ]
    paths:
      - "Dockerfile"
      - "deploy/docker/**"
      - ".github/workflows/docker-images.yml"
  workflow_dispatch:

Gate the job to the canonical repo:

jobs:
  build_and_publish:
    if: github.repository == 'exospherehost/exospherehost'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write

Guard registry login and push steps so they only run on main pushes in the canonical repo:

    steps:
      - uses: actions/checkout@v4

      - uses: docker/setup-buildx-action@v3

      - name: Login to GHCR
        if: github.repository == 'exospherehost/exospherehost' && github.ref == 'refs/heads/main' && github.event_name == 'push'
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build and push
        if: github.repository == 'exospherehost/exospherehost' && github.ref == 'refs/heads/main' && github.event_name == 'push'
        uses: docker/build-push-action@v6
        with:
          context: .
          push: true
          tags: ghcr.io/exospherehost/exospherehost:sha-${{ github.sha }},ghcr.io/exospherehost/exospherehost:latest

Optional tag-based release workflow:

on:
  push:
    tags:
      - "v*.*.*"

jobs:
  release_images:
    if: github.repository == 'exospherehost/exospherehost'
    runs-on: ubuntu-latest
    steps:
      # same login and build-push steps as above, but use tag in image name

Testing

  • Open a PR from a fork and from a branch in the main repo. Confirm that no publish steps run.
  • Merge to main. Confirm images are built and pushed once.
  • Check GHCR for latest and sha-<commit> tags after the main merge.

Acceptance criteria

  • Image publish never runs on forks or PRs.
  • Image publish only runs on push to main in exospherehost/exospherehost.
  • Logs show guarded steps are skipped outside those conditions.
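The scenarios in the Testing section can be checked offline before touching CI. The script below is an added example, not part of this issue or of the exospherehost repository: it re-implements in plain Python the job-level repository gate and the step-level guard (repository, ref and event_name) from the proposal above, then evaluates constructed event contexts for a fork PR, a same-repo PR, a push to main in a fork, a feature-branch push, a merge to main and a manual dispatch. One fact the comments rely on, which is how GitHub Actions behaves: for a pull_request from a fork, `github.repository` is still the upstream (base) repository, so it is the `event_name == 'push'` clause, not the repository check, that keeps fork PRs from publishing; the repository check is what stops the workflow from publishing when someone pushes to main of their own fork.

```python
"""Offline simulation of the publish guards proposed in this issue.

Added example, not part of the issue text or the exospherehost repository.
It models the GitHub Actions conditions placed on the job and on the
'Login to GHCR' / 'Build and push' steps, and evaluates the scenarios from
the Testing section against them.  Every EventContext below is constructed,
not captured from a real workflow run.
"""
from dataclasses import dataclass
from typing import Dict, List

CANONICAL_REPO = "exospherehost/exospherehost"
MAIN_REF = "refs/heads/main"
IMAGE = "ghcr.io/exospherehost/exospherehost"


@dataclass(frozen=True)
class EventContext:
    """The parts of the `github` context the guards read.

    `github.repository` is the repository the workflow runs *in*.  For a
    pull_request from a fork that is still the upstream repository, so the
    repository check alone does not stop fork PRs; the event_name check does.
    The repository check matters when someone pushes to `main` of their own
    fork, where the copied workflow would otherwise run in that fork.
    """
    repository: str   # github.repository
    ref: str          # github.ref
    event_name: str   # github.event_name


def job_gate(ctx: EventContext) -> bool:
    """Job-level `if: github.repository == 'exospherehost/exospherehost'`."""
    return ctx.repository == CANONICAL_REPO


def publish_gate(ctx: EventContext) -> bool:
    """Step-level guard on the login and build-and-push steps."""
    return (ctx.repository == CANONICAL_REPO
            and ctx.ref == MAIN_REF
            and ctx.event_name == "push")


def image_tags(sha: str) -> List[str]:
    """Tags the main-branch workflow pushes for a given commit SHA."""
    return [f"{IMAGE}:sha-{sha}", f"{IMAGE}:latest"]


def evaluate(ctx: EventContext, sha: str = "0123abc") -> Dict[str, object]:
    """Report which parts of the workflow would run and what would be pushed."""
    job = job_gate(ctx)
    publish = job and publish_gate(ctx)   # step guards only apply if the job runs
    return {
        "job_runs": job,
        "publish_runs": publish,
        "tags_pushed": image_tags(sha) if publish else [],
    }


# Constructed scenarios mirroring the issue's Testing section (sha values are made up).
SCENARIOS: Dict[str, EventContext] = {
    "fork PR into upstream": EventContext(CANONICAL_REPO, "refs/pull/42/merge", "pull_request"),
    "same-repo PR": EventContext(CANONICAL_REPO, "refs/pull/43/merge", "pull_request"),
    "push to main in a fork": EventContext("someone/exospherehost", MAIN_REF, "push"),
    "push to feature branch": EventContext(CANONICAL_REPO, "refs/heads/feature-x", "push"),
    "merge to main": EventContext(CANONICAL_REPO, MAIN_REF, "push"),
    "manual dispatch on main": EventContext(CANONICAL_REPO, MAIN_REF, "workflow_dispatch"),
}


def publishing_scenarios() -> List[str]:
    """Names of the scenarios in which an image would actually be published."""
    return [name for name, ctx in SCENARIOS.items() if evaluate(ctx)["publish_runs"]]


if __name__ == "__main__":
    for name, ctx in SCENARIOS.items():
        print(f"{name:26s} -> {evaluate(ctx)}")
```

Only "merge to main" publishes. One consequence worth noticing: because the step guard requires `github.event_name == 'push'`, the `workflow_dispatch` trigger in the proposed workflow will build but never publish on a manual run; that is the safe default, and if manual publishing from main is ever wanted the guard would have to admit `workflow_dispatch` explicitly.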

Status: Done