chore(ci): Enable PR tagged images on pull request approval

Submits an image to the GitHub Container Registry on pull request approval, permitting approved pull requests to be tested before being merged. Requires branch protection rule: 'Require approval of the most recent reviewable push' This rule ensures that the state of a PR is reset after a new commit has been pushed to an open pull request.
ublue-os · Aug 13, 2023 · f62077e · f62077e
1 parent 12ad35c
commit f62077e
Showing 1 changed file with 10 additions and 8 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -1,7 +1,9 @@
 name: build-ublue
 on:
   pull_request:
-  merge_group:    
+  pull_request_review:
+    type: [submitted]
+  merge_group:
   schedule:
     - cron: '0 7 * * *'  # 7 am everyday
   workflow_dispatch:
@@ -12,6 +14,7 @@ env:
 jobs:
   push-ghcr:
     name: Build and push image
+    if: github.event.review.state == 'approved' || github.event_name != 'pull_request_review'
     runs-on: ubuntu-22.04
     permissions:
       contents: read
@@ -34,7 +37,7 @@ jobs:
           # When F38 is added, sericea will automatically be built too
           - image_name: sericea
             major_version: 37
-    steps: 
+    steps:
       # Checkout push-to-registry action GitHub repository
       - name: Checkout Push to Registry action
         uses: actions/checkout@v3
@@ -138,7 +141,7 @@ jobs:
       - name: Push To GHCR
         uses: redhat-actions/push-to-registry@v2
         id: push
-        if: github.event_name != 'pull_request'
+        if: github.event.review.state == 'approved' || github.event_name != 'pull_request'
         env:
           REGISTRY_USER: ${{ github.actor }}
           REGISTRY_PASSWORD: ${{ github.token }}
@@ -153,18 +156,18 @@ jobs:
 
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v2
-        if: github.event_name != 'pull_request'
+        if: github.event.review.state == 'approved' || github.event_name != 'pull_request'
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       # Sign container
       - uses: sigstore/[email protected]
-        if: github.event_name != 'pull_request'
+        if: github.event.review.state == 'approved' || github.event_name != 'pull_request'
 
       - name: Sign container image
-        if: github.event_name != 'pull_request'
+        if: github.event.review.state == 'approved' || github.event_name != 'pull_request'
         run: |
           cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.registry_case.outputs.lowercase }}/${{ env.IMAGE_NAME }}@${TAGS}
         env:
@@ -173,7 +176,6 @@ jobs:
           COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}
 
       - name: Echo outputs
-        if: github.event_name != 'pull_request'
+        if: github.event.review.state == 'approved' || github.event_name != 'pull_request'
         run: |
           echo "${{ toJSON(steps.push.outputs) }}"
-