molecule-ai/molecule-ai-workspace-template-claude-code
35
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

fix(publish-image): drop pull_request trigger — leaks PR builds to GHCR

Browse Source 
`on: pull_request:` was the only template-repo with this trigger
out of the 8 (other 7 trigger only on push:main, repository_dispatch,
workflow_dispatch). The reusable publish-template-image workflow has
no PR-skip guard, so the PR trigger fired every time a PR was opened
or updated and pushed both `:latest` (clobbering the production tag
with unmerged code) and `:sha-<7>` (a stable tag for an unmerged
commit) to GHCR.

Verification at PR time already happens via the
validate-workspace-template workflow's "Docker build smoke test"
step, which builds the image but does NOT push. That's the right
place for PR-time verification.

Removing the trigger here aligns claude-code with the canonical 7
templates and stops the GHCR leak.

While here, updated the runtime_version comment to drop the now-
stale "/PR" reference.
This commit is contained in:
Hongming Wang 2026-04-27 15:15:46 -07:00
parent de2ab5ab33
commit 3531f19668
1 changed files with 8 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
.github/workflows/publish-image.yml vendored
View File

@ -14,7 +14,12 @@ on:
types: [runtime-published]
push:
branches: [main]
pull_request:
# NOTE: do NOT add `pull_request:` here. The reusable
# publish-template-image workflow has no PR-skip guard, so a PR
# trigger pushes per-PR :latest clobbers and sha-<7> tags for
# unmerged code to GHCR. PRs already get a Dockerfile build smoke
# test from the validate-workspace-template workflow (no push) —
# that's the right place for PR-time verification.
workflow_dispatch:
inputs:
runtime_version:
@ -35,6 +40,6 @@ jobs:
# exact version PyPI just published. Forwarded to the reusable
# workflow as a docker --build-arg so the cache key changes
# per-version and pip install resolves freshly.
# On other events (push/PR/manual without input), this is empty
# and the Dockerfile's default (requirements.txt pin) applies.
# On other events (push to main / manual without input), this is
# empty and the Dockerfile's default (requirements.txt pin) applies.
runtime_version: ${{ github.event.client_payload.runtime_version || inputs.runtime_version || '' }}