From e45ab926ff5654527946ea7fdd28d6551e3ffe62 Mon Sep 17 00:00:00 2001 From: Adi <6841988+DeepSpace2@users.noreply.github.com> Date: Sun, 14 Jun 2026 20:12:03 +0300 Subject: [PATCH 1/4] ci: build dev image --- .github/workflows/draft-release.yml | 41 +++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/.github/workflows/draft-release.yml b/.github/workflows/draft-release.yml index 332e132..2bed588 100644 --- a/.github/workflows/draft-release.yml +++ b/.github/workflows/draft-release.yml @@ -6,6 +6,28 @@ on: - master jobs: + changes: + runs-on: ubuntu-latest + outputs: + src: ${{ steps.filter.outputs.src }} + steps: + - uses: actions/checkout@v4 + - uses: dorny/paths-filter@v3 + id: filter + with: + filters: | + src: + - '.github/release-drafter.yml' + - '.github/workflows/draft-release.yml' + - '.github/workflows/pr-build.yml' + - '.github/workflows/release.yml' + - '.github/workflows/reusable-docker-build.yml' + - 'pkg/**' + - 'main.go' + - 'go.*' + - 'Dockerfile' + - '.dockerignore' + update_release_draft: runs-on: ubuntu-latest permissions: @@ -17,3 +39,22 @@ jobs: config-name: release-drafter.yml env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + prepare-tags: + needs: changes + if: ${{ needs.changes.outputs.src == 'true' }} + runs-on: ubuntu-latest + outputs: + tags: ${{ steps.prep.outputs.tags }} + steps: + - name: Prepare image tags + id: prep + run: | + REPO=$(echo ${{ github.repository }} | tr '[:upper:]' '[:lower:]') + echo "tags=ghcr.io/$REPO:dev" >> $GITHUB_OUTPUT + + build-image: + needs: prepare-tags + uses: ./.github/workflows/reusable-docker-build.yml + with: + tags: ${{ needs.prepare-tags.outputs.tags }} From 27a6e9ebc069c9510ba8355a8aa89f3ab439afd2 Mon Sep 17 00:00:00 2001 
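Review bot: The new `changes` job pulls in `actions/checkout@v4` and the third-party `dorny/paths-filter@v3` by mutable tag, so a retagged or compromised release of either action would execute in this workflow on the next push to master without any change to this file. Pin both to a full commit SHA and keep the version as a trailing comment, e.g. `- uses: dorny/paths-filter@<full-commit-sha> # v3`, and let Dependabot or Renovate bump the SHA. This matters more for `paths-filter` than for a first-party action, because its `src` output is what decides whether the `:dev` image gets built and pushed at all.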
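Review bot: In `prepare-tags`, `${{ github.repository }}` is expanded by the runner straight into the `run:` script (`REPO=$(echo ${{ github.repository }} | ...)`), which is the expression-injection pattern GitHub's hardening guide says to avoid even for contexts like `github.repository` that are not attacker-controlled today. Pass the value through the environment and let the shell lowercase it: add `env:` / `REPO_FULL: ${{ github.repository }}` to the step and make the script `echo "tags=ghcr.io/${REPO_FULL,,}:dev" >> "$GITHUB_OUTPUT"`, which also quotes `$GITHUB_OUTPUT`. The `build-image` job calls `reusable-docker-build.yml`, which is outside this patch, so what that workflow does with the `:dev` tag cannot be judged from here.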
From: Adi Vaknin <6841988+DeepSpace2@users.noreply.github.com> Date: Sun, 14 Jun 2026 20:21:36 +0300 Subject: [PATCH 2/4] add explicit permissions for jobs Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- .github/workflows/draft-release.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/draft-release.yml b/.github/workflows/draft-release.yml index 2bed588..7448739 100644 --- a/.github/workflows/draft-release.yml +++ b/.github/workflows/draft-release.yml @@ -8,6 +8,8 @@ on: jobs: changes: runs-on: ubuntu-latest + permissions: + contents: read outputs: src: ${{ steps.filter.outputs.src }} steps: @@ -44,6 +46,7 @@ jobs: needs: changes if: ${{ needs.changes.outputs.src == 'true' }} runs-on: ubuntu-latest + permissions: {} outputs: tags: ${{ steps.prep.outputs.tags }} steps: From c2afbdd013b31fa48134d2e945af552ac15c7d25 Mon Sep 17 00:00:00 2001 From: Adi Vaknin <6841988+DeepSpace2@users.noreply.github.com> Date: Sun, 14 Jun 2026 20:25:42 +0300 Subject: [PATCH 3/4] add explicit permissions for jobs Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- .github/workflows/draft-release.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/draft-release.yml b/.github/workflows/draft-release.yml index 7448739..c7800c9 100644 --- a/.github/workflows/draft-release.yml +++ b/.github/workflows/draft-release.yml @@ -58,6 +58,7 @@ jobs: build-image: needs: prepare-tags + permissions: {} uses: ./.github/workflows/reusable-docker-build.yml with: tags: ${{ needs.prepare-tags.outputs.tags }} From 503ed29cf8e437b0025465b742c1d3d15fb21340 Mon Sep 17 00:00:00 2001 From: Adi <6841988+DeepSpace2@users.noreply.github.com> Date: Sun, 14 Jun 2026 20:34:22 +0300 Subject: [PATCH 4/4] ci: build dev image --- .github/workflows/draft-release.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) 
diff --git a/.github/workflows/draft-release.yml b/.github/workflows/draft-release.yml index c7800c9..8696b7a 100644 --- a/.github/workflows/draft-release.yml +++ b/.github/workflows/draft-release.yml @@ -58,7 +58,11 @@ jobs: build-image: needs: prepare-tags - permissions: {} + permissions: + contents: read + packages: write + attestations: write + id-token: write uses: ./.github/workflows/reusable-docker-build.yml with: tags: ${{ needs.prepare-tags.outputs.tags }}
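Review bot: The `build-image` job now grants `packages: write`, `attestations: write` and `id-token: write` to `reusable-docker-build.yml` on every push to master that touches the filtered paths, and `id-token: write` in particular lets the called workflow mint OIDC tokens that cloud providers and Sigstore trust. Those two scopes are justified only if the reusable workflow actually produces build provenance or signs the image; that file is outside this patch, so this should be confirmed against it and recorded with a comment such as `# id-token/attestations: required by the provenance step in reusable-docker-build.yml`, otherwise drop them back to `contents: read` and `packages: write`. Note also that `ghcr.io/<repo>:dev` from `prepare-tags` is a mutable tag, so any attestation generated will bind to the image digest rather than the tag, and consumers verifying provenance must pull by digest.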