From 4efb3df39e28b24f69398df32144ef558d0ddcb3 Mon Sep 17 00:00:00 2001
From: Aitor Perez <1515757+Zerpet@users.noreply.github.com>
Date: Tue, 13 May 2025 11:10:19 +0100
Subject: [PATCH] CI: tweak OCI build triggers

Building on push to any branch is wasteful and unnecessary, because most of built images are never used. The workflow dispatch trigger covers the use case to build an image from the latest commit in a branch. The use case to validate/QA a PR is now covered by on pull request trigger. This trigger has a caveat: PRs from forks won't produce a docker image. Why? Because PRs from forks do not inject rabbitmq-server secrets. This is a security mechanism from GitHub, to protect repository secrets. With this trigger is possible to QA/validate PRs from other Core team members. Technically, anyone with 'write' access to our repo to push branches.
---
 .github/workflows/oci-make.yaml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/oci-make.yaml b/.github/workflows/oci-make.yaml
index 51b120960342..98353c8aa270 100644
--- a/.github/workflows/oci-make.yaml
+++ b/.github/workflows/oci-make.yaml
@@ -5,7 +5,7 @@
 #
 name: OCI (make)
 on:
-  push:
+  pull_request:
     paths:
       - deps/**
       - scripts/**
@@ -27,7 +27,7 @@ on:
         default: false
 env:
   REGISTRY_IMAGE: pivotalrabbitmq/rabbitmq
-  VERSION: 4.1.0+${{ github.sha }}
+  VERSION: 4.2.0+${{ github.sha }}
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
@@ -39,6 +39,8 @@ jobs:
           - ${{ github.event.inputs.otp_version || '27' }}
     runs-on: ubuntu-latest
     outputs:
+      # When dependabot, or a user from a fork, creates PRs, secrets are not injected, and the OCI workflow can't push the image
+      # This check acts as a gate keeper
       authorized: ${{ steps.authorized.outputs.authorized }}
     steps:
       - name: CHECK IF IMAGE WILL PUSH
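Review bot: With the trigger switched to `pull_request:`, `github.sha` no longer identifies the commit under review: on pull_request events it is the SHA of the synthetic `refs/pull/N/merge` commit, so the `VERSION: 4.2.0+${{ github.sha }}` line in the second hunk, and any image tag derived from it, records a commit that is not in the repository's history and cannot be checked out or rebuilt for verification. If the goal is to QA a PR's image, resolve the PR head instead, `VERSION: 4.2.0+${{ github.event.pull_request.head.sha || github.sha }}`, which leaves the workflow_dispatch path unchanged. Note also that `pull_request` defaults to opened/synchronize/reopened, so merging a PR does not build an image from the resulting commit on the base branch; that appears to match the commit message's intent but is worth stating in the header comment above this hunk, which is outside the visible lines.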
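Review bot: The comment added under `outputs:` in the third hunk runs well past 120 columns and uses "gate keeper" for "gatekeeper"; it also says the output "acts as a gate keeper" when the output itself permits nothing, the gating presumably happening in the downstream jobs that read this output and decide whether the push step runs, which are outside this hunk. Suggested wording, wrapped to the file's width: `# PRs from forks and from dependabot run without repository secrets, so the image cannot be pushed.` followed by `# Jobs that need registry credentials must be conditioned on this output.`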