Merge pull request #14 from Molecule-AI/fix/no-publish-on-pr

fix(publish-image): drop pull_request trigger — leaks PR builds to GHCR
2026-04-29 00:56:54 -07:00 · 2026-04-29 00:56:54 -07:00 · afc0fae6e7
commit afc0fae6e7
parent 7cb0c6c45b 2bd206e89b
1 changed files with 8 additions and 3 deletions
--- a/.github/workflows/publish-image.yml
+++ b/.github/workflows/publish-image.yml
@ -14,7 +14,12 @@ on:
    types: [runtime-published]
  push:
    branches: [main]
-  pull_request:
+  # NOTE: do NOT add `pull_request:` here. The reusable
+  # publish-template-image workflow has no PR-skip guard, so a PR
+  # trigger pushes per-PR :latest clobbers and sha-<7> tags for
+  # unmerged code to GHCR. PRs already get a Dockerfile build smoke
+  # test from the validate-workspace-template workflow (no push) —
+  # that's the right place for PR-time verification.
  workflow_dispatch:
    inputs:
      runtime_version:
@ -35,6 +40,6 @@ jobs:
      # exact version PyPI just published. Forwarded to the reusable
      # workflow as a docker --build-arg so the cache key changes
      # per-version and pip install resolves freshly.
-      # On other events (push/PR/manual without input), this is empty
-      # and the Dockerfile's default (requirements.txt pin) applies.
+      # On other events (push to main / manual without input), this is
+      # empty and the Dockerfile's default (requirements.txt pin) applies.
      runtime_version: ${{ github.event.client_payload.runtime_version || inputs.runtime_version || '' }}