From b23e95e8bc17646e1f93a362812f057caa06e89f Mon Sep 17 00:00:00 2001
From: Matt Glaman
Date: Fri, 7 Nov 2025 09:01:56 -0600
Subject: [PATCH 1/2] Consolidate Docker workflows with fork-safe conditional logic
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Combines BuildDockerImage.yml and PublishDockerImage.yml into a single DockerImage.yml workflow that:
- Builds images for all events (PRs, main pushes, tag pushes)
- Only pushes to registry on main branch or tags in the original repository
- Prevents login/push failures on forks using github.event.repository.fork check
- Maintains all existing functionality while reducing duplication
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude
---
 .github/workflows/BuildDockerImage.yml | 42 -------------------
 ...PublishDockerImage.yml => DockerImage.yml} | 13 ++++--
 2 files changed, 10 insertions(+), 45 deletions(-)
 delete mode 100644 .github/workflows/BuildDockerImage.yml
 rename .github/workflows/{PublishDockerImage.yml => DockerImage.yml} (74%)

diff --git a/.github/workflows/BuildDockerImage.yml b/.github/workflows/BuildDockerImage.yml
deleted file mode 100644
index 8dfd46d..0000000
--- a/.github/workflows/BuildDockerImage.yml
+++ /dev/null
@@ -1,42 +0,0 @@
-name: Create a Docker image
-
-on:
- pull_request:
- types: [opened, synchronize, reopened]
-
-env:
- REGISTRY: ghcr.io
- IMAGE_NAME: ${{ github.repository }}
-
-jobs:
- build-and-push-image:
- runs-on: ubuntu-latest
- permissions:
- contents: read
- steps:
- - name: Checkout repository
- uses: actions/checkout@v5
-
- - name: Set up QEMU
- uses: docker/setup-qemu-action@v3
-
- - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
-
- - name: Extract metadata (tags, labels) for Docker
- id: meta
- uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
- with:
- images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
- tags: |
- type=ref,event=pr
- type=sha
-
- - name: Build Docker image
- uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
- with:
- context: .
- platforms: linux/amd64,linux/arm64
- push: false
- tags: ${{ steps.meta.outputs.tags }}
- labels: ${{ steps.meta.outputs.labels }}
diff --git a/.github/workflows/PublishDockerImage.yml b/.github/workflows/DockerImage.yml
similarity index 74%
rename from .github/workflows/PublishDockerImage.yml
rename to .github/workflows/DockerImage.yml
index bf3b559..7828259 100644
--- a/.github/workflows/PublishDockerImage.yml
+++ b/.github/workflows/DockerImage.yml
@@ -1,6 +1,8 @@
-name: Create and publish a Docker image
+name: Docker Image

 on:
+ pull_request:
+ types: [opened, synchronize, reopened]
 push:
 branches: ['main']
 tags:
@@ -29,6 +31,8 @@ jobs:
 uses: docker/setup-buildx-action@v3

 - name: Log in to the Container registry
+ # Only login when we're going to push (main branch or tags) AND not on a fork
+ if: github.event_name == 'push' && github.event.repository.fork == false
 uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
 with:
 registry: ${{ env.REGISTRY }}
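Review bot: Adding `pull_request` to `on:` in the `@@ -1,6 +1,8 @@` hunk makes pull-request builds run in the same job that publishes, so they inherit whatever `permissions:` that job declares. That block lies outside the hunks, but the deleted BuildDockerImage.yml ran PR builds with `contents: read` only, whereas a job that logs in to ghcr.io and calls `actions/attest-build-provenance` normally also holds `packages: write`, `id-token: write` and `attestations: write`. If that is the case here, a same-repository pull request now builds its Dockerfile while a write-scoped token is in scope (fork pull requests get a read-only token regardless). To keep least privilege, split the work into a PR build job with `permissions: { contents: read }` and `if: github.event_name == 'pull_request'`, and gate the publishing job on `github.event_name == 'push'`.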
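Review bot: The new `if:` on the login step in the `@@ -29,6 +31,8 @@` hunk tests only `github.event_name == 'push'`, although its comment promises "main branch or tags". The ref restriction comes solely from the `on.push` filters, so widening those filters later would start publishing from other refs without any change to these conditions. The same expression is repeated in the `push:` input and the attestation `if:` of the `@@ -54,13 +58,16 @@` hunk, and three copies can drift apart. Consider defining it once in the workflow-level `env:` as `PUBLISH: ${{ github.event_name == 'push' && github.event.repository.fork == false }}`, then using `if: env.PUBLISH == 'true'` and `push: ${{ env.PUBLISH == 'true' }}`; at minimum, reword the comments to say the branch/tag limit relies on the trigger filter. The enclosing job starts outside the hunk.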
@@ -54,13 +58,16 @@ jobs:
 with:
 context: .
 platforms: linux/amd64,linux/arm64
- push: true
+ # Push only when on main branch or tags (not on PRs) AND not on a fork
+ push: ${{ github.event_name == 'push' && github.event.repository.fork == false }}
 tags: ${{ steps.meta.outputs.tags }}
 labels: ${{ steps.meta.outputs.labels }}

 - name: Generate artifact attestation
+ # Only generate attestation when we actually pushed AND not on a fork
+ if: github.event_name == 'push' && github.event.repository.fork == false
 uses: actions/attest-build-provenance@v3
 with:
 subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
 subject-digest: ${{ steps.push.outputs.digest }}
- push-to-registry: true
+ push-to-registry: true
\ No newline at end of file
From daae268257b0a27b144be8894954621658d8963d Mon Sep 17 00:00:00 2001
From: Sally Young
Date: Fri, 7 Nov 2025 15:16:10 +0000
Subject: [PATCH 2/2] Apply suggestion from @justafish

---
 .github/workflows/DockerImage.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/DockerImage.yml b/.github/workflows/DockerImage.yml
index 7828259..4cf47d2 100644
--- a/.github/workflows/DockerImage.yml
+++ b/.github/workflows/DockerImage.yml
@@ -70,4 +70,4 @@ jobs:
 with:
 subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
 subject-digest: ${{ steps.push.outputs.digest }}
- push-to-registry: true
\ No newline at end of file
+ push-to-registry: true