This change switches from pull_request to pull_request_target trigger,
allowing PRs from forks to successfully build and push Docker images.
The pull_request trigger provides a read-only GITHUB_TOKEN for fork PRs,
even when permissions.packages is set to write. This caused builds to fail
for external contributors.
Using pull_request_target is safe here because:
- We explicitly checkout the PR's head SHA
- Only Docker build happens (isolated, no arbitrary code execution)
- No untrusted scripts are run in the workflow context
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: kolaente <13721712+kolaente@users.noreply.github.com>
Co-authored-by: kolaente <k@knt.li>
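
A check a reviewer could run over workflow files for the combination this commit message describes (pull_request_target trigger, checkout of the PR head, write-scoped token), plus a count of `run:` steps. This is an added example, not code from the project; the sample workflow is constructed, the function names are hypothetical, and the scan is regex-based rather than a full YAML parse.

```python
import re

# Constructed sample for illustration; not the project's workflow file.
SAMPLE_WORKFLOW = """\
name: PR Docker Build
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  contents: read
  packages: write
jobs:
  docker:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: docker/build-push-action@v6
        with:
          platforms: linux/amd64
          push: true
"""

# Checkout of fork-controlled code: PR head SHA/ref or github.head_ref.
HEAD_REF = re.compile(
    r"ref:\s*\$\{\{\s*github\.(?:event\.pull_request\.head\.(?:sha|ref)|head_ref)\s*\}\}")
WRITE_SCOPE = re.compile(r"(?m)^[ \t]*([\w-]+):[ \t]*write[ \t]*$")
RUN_STEP = re.compile(r"(?m)^[ \t]*(?:-[ \t]*)?run:")

def audit(workflow_text):
    """Report the properties that matter when fork code meets a write token."""
    text = re.sub(r"(?m)(^|[ \t])#.*$", "", workflow_text)  # naive comment strip
    scopes = WRITE_SCOPE.findall(text)
    if re.search(r"(?m)^[ \t]*permissions:[ \t]*write-all[ \t]*$", text):
        scopes.append("write-all")
    return {
        "privileged_trigger": bool(re.search(r"\bpull_request_target\b", text)),
        "checks_out_pr_head": bool(HEAD_REF.search(text)),
        "write_scopes": sorted(scopes),
        "run_steps": len(RUN_STEP.findall(text)),  # shell steps in workflow context
    }

def needs_review(workflow_text):
    """True when all three conditions coincide and a human should look."""
    r = audit(workflow_text)
    return r["privileged_trigger"] and r["checks_out_pr_head"] and bool(r["write_scopes"])
```
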
* Initial plan
* feat: add PR docker build workflow
Add a new workflow that builds and pushes Docker images for pull requests:
- Runs independently without waiting for tests
- Builds only for linux/amd64 platform
- Pushes only to GHCR (not Docker Hub)
- Tags images with pr-<number> format
Co-authored-by: kolaente <13721712+kolaente@users.noreply.github.com>
* feat: add SHA tag to PR Docker images
Add type=sha,format=long to docker tags for PR images.
This will tag images with both pr-<number> and sha-<commit_hash>.
Co-authored-by: kolaente <13721712+kolaente@users.noreply.github.com>
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: kolaente <13721712+kolaente@users.noreply.github.com>