kstatelibraries · misilot · Oct 15, 2025 · Aug 20, 2025
diff --git a/.github/workflows/reusable-docker-build.yml b/.github/workflows/reusable-docker-build.yml
@@ -57,6 +57,7 @@ env:
     type=raw,value=latest,enable=${{ github.ref_name == github.event.repository.default_branch }}
     type=ref,event=branch,enable=${{ github.ref_name != github.event.repository.default_branch }}
     type=ref,event=tag
+    type=raw,value=pr-${{ github.event.pull_request.number }},enable=${{ github.event_name == 'pull_request' }}
   # Define default tag "flavor" for docker/metadata-action per
   # https://github.com/docker/metadata-action#flavor-input
   # We manage the 'latest' tag ourselves to the 'main' branch (see settings above)
@@ -66,7 +67,6 @@ env:
 
 jobs:
   docker-build:
-
     strategy:
       matrix:
         # Architectures / Platforms for which we will build Docker images
@@ -94,7 +94,7 @@ jobs:
 
       # https://github.com/actions/checkout
       - name: Checkout codebase
-        uses: actions/checkout@v5
+        uses: actions/checkout@v5.0.0
 
       # https://github.com/docker/setup-buildx-action
       - name: Setup Docker Buildx
@@ -106,8 +106,8 @@ jobs:
 
       # https://github.com/docker/login-action
       - name: Login to DockerHub
-        # Only login if not a PR, as PRs only trigger a Docker build and not a push
-        if: ${{ ! matrix.isPr }}
+        # Only login if not from a fork
+        if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
         uses: docker/login-action@v3.5.0
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
@@ -133,24 +133,23 @@ jobs:
           context: ${{ inputs.dockerfile_context }}
           file: ${{ inputs.dockerfile_path }}
           platforms: ${{ matrix.arch }}
-          # For pull requests, we run the Docker build (to ensure no PR changes break the build),
-          # but we ONLY do an image push to DockerHub if it's NOT a PR
-          push: ${{ ! matrix.isPr }}
+          # push if NOT a PR OR if it’s a same-repo PR
+          push: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
           # Use tags / labels provided by 'docker/metadata-action' above
           tags: ${{ steps.meta_build.outputs.tags }}
           labels: ${{ steps.meta_build.outputs.labels }}
 
       # Export the digest of Docker build locally (for non PRs only)
       - name: Export Docker build digest
-        if: ${{ ! matrix.isPr }}
+        if: ${{ !matrix.isPr }}
         run: |
-            mkdir -p /tmp/digests
-            digest="${{ steps.docker_build.outputs.digest }}"
-            touch "/tmp/digests/${digest#sha256:}"
+          mkdir -p /tmp/digests
+          digest="${{ steps.docker_build.outputs.digest }}"
+          touch "/tmp/digests/${digest#sha256:}"
 
       # Upload digest to an artifact, so that it can be used in manifest below
       - name: Upload Docker build digest to artifact
-        if: ${{ ! matrix.isPr }}
+        if: ${{ !matrix.isPr }}
         uses: actions/upload-artifact@v4.6.2
         with:
           name: digests-${{ inputs.build_id }}-${{ env.ARCH_NAME }}
@@ -165,8 +164,7 @@ jobs:
   docker-build_manifest:
     if: ${{ github.event_name != 'pull_request' }}
     runs-on: ubuntu-latest
-    needs:
-      - docker-build
+    needs: docker-build
     steps:
       - name: Download Docker build digests
         uses: actions/download-artifact@v5.0.0
@@ -202,4 +200,3 @@ jobs:
       - name: Inspect image
         run: |
           docker buildx imagetools inspect ${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}
-