From 82f7c4abc4496e719997afa3989e44f2df9e0cf2 Mon Sep 17 00:00:00 2001
From: Aitor Perez <1515757+Zerpet@users.noreply.github.com>
Date: Tue, 13 May 2025 11:10:19 +0100
Subject: [PATCH 1/2] CI: tweak OCI build triggers

Building on push to any branch is wasteful and unnecessary, because most of built images are never used. The workflow dispatch trigger covers the use case to build an image from the latest commit in a branch. The use case to validate/QA a PR is now covered by on pull request trigger. This trigger has a caveat: PRs from forks won't produce a docker image. Why? Because PRs from forks do not inject rabbitmq-server secrets. This is a security mechanism from GitHub, to protect repository secrets. With this trigger is possible to QA/validate PRs from other Core team members. Technically, anyone with 'write' access to our repo to push branches.

(cherry picked from commit 4efb3df39e28b24f69398df32144ef558d0ddcb3)

# Conflicts:
# .github/workflows/oci-make.yaml
---
 .github/workflows/oci-make.yaml | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/oci-make.yaml b/.github/workflows/oci-make.yaml
index 72767c326c..8ec5f0ce4f 100644
--- a/.github/workflows/oci-make.yaml
+++ b/.github/workflows/oci-make.yaml
@@ -5,6 +5,7 @@
 #
 name: OCI (make)
 on:
+<<<<<<< HEAD
 push:
 paths-ignore:
 - '.github/workflows/secondary-umbrella.yaml'
@@ -12,6 +13,17 @@ on:
 - '.github/workflows/update-otp-patches.yaml'
 - '.github/workflows/release-alphas.yaml'
 - '*.md'
+=======
+ pull_request:
+ paths:
+ - deps/**
+ - scripts/**
+ - Makefile
+ - plugins.mk
+ - rabbitmq-components.mk
+ - packaging/**
+ - .github/workflows/oci-make.yaml
+>>>>>>> 4efb3df39 (CI: tweak OCI build triggers)
 workflow_dispatch:
 inputs:
 otp_version:
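Review bot: The added line `+<<<<<<< HEAD` in the hunk at `@@ -5,6 +5,7 @@`, together with `+=======` and `+>>>>>>> 4efb3df39 (CI: tweak OCI build triggers)` in the hunk at `@@ -12,6 +13,17 @@`, commits unresolved conflict markers into `.github/workflows/oci-make.yaml`. At this commit the file is not valid YAML and still carries the old `push:` block next to the new `pull_request:` one. Patch 2/2 on this page removes the markers, but the tree at 1/2 has no loadable OCI workflow, which matters for bisecting and for anyone who cherry-picks only this commit. Resolving the conflict inside the cherry-pick itself (dropping the `push:` block and the three marker lines) would leave a single commit that carries the change.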
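Review bot: The `pull_request:` block added in the hunk at `@@ -12,6 +13,17 @@` has no comment recording why this event was chosen, although the commit message says the design relies on GitHub withholding repository secrets from fork PRs. That reasoning belongs in the file, because a later switch to `pull_request_target` would run a PR's build with the secrets available. Suggested comment above the block: `# pull_request on purpose: fork PRs get no secrets, so only branches pushed by users with write access produce an image.` The listed `paths:` include `Makefile`, `scripts/**` and the workflow file itself, so the build logic a same-repo PR changes is presumably what runs with the registry credentials; that holds up only while write access stays limited to trusted contributors.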
@@ -25,7 +37,7 @@ on:
 default: false
 env:
 REGISTRY_IMAGE: pivotalrabbitmq/rabbitmq
- VERSION: 4.1.0+${{ github.sha }}
+ VERSION: 4.2.0+${{ github.sha }}
 concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
 cancel-in-progress: true
@@ -37,6 +49,8 @@ jobs:
 - ${{ github.event.inputs.otp_version || '27' }}
 runs-on: ubuntu-latest
 outputs:
+ # When dependabot, or a user from a fork, creates PRs, secrets are not injected, and the OCI workflow can't push the image
+ # This check acts as a gate keeper
 authorized: ${{ steps.authorized.outputs.authorized }}
 steps:
 - name: CHECK IF IMAGE WILL PUSH

From 224a5785c91989ca647d6b17abbd57ffc1df4608 Mon Sep 17 00:00:00 2001
From: Michael Klishin
Date: Tue, 13 May 2025 21:08:25 -0400
Subject: [PATCH 2/2] Resolve a conflict #13890 #13891
---
 .github/workflows/oci-make.yaml | 10 ----------
 1 file changed, 10 deletions(-)

diff --git a/.github/workflows/oci-make.yaml b/.github/workflows/oci-make.yaml
index 8ec5f0ce4f..98353c8aa2 100644
--- a/.github/workflows/oci-make.yaml
+++ b/.github/workflows/oci-make.yaml
@@ -5,15 +5,6 @@
 #
 name: OCI (make)
 on:
-<<<<<<< HEAD
- push:
- paths-ignore:
- - '.github/workflows/secondary-umbrella.yaml'
- - '.github/workflows/update-elixir-patches.yaml'
- - '.github/workflows/update-otp-patches.yaml'
- - '.github/workflows/release-alphas.yaml'
- - '*.md'
-=======
 pull_request:
 paths:
 - deps/**
@@ -23,7 +14,6 @@ on:
 - rabbitmq-components.mk
 - packaging/**
 - .github/workflows/oci-make.yaml
->>>>>>> 4efb3df39 (CI: tweak OCI build triggers)
 workflow_dispatch:
 inputs:
 otp_version:
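Review bot: The comment added under `outputs:` in the hunk at `@@ -37,6 +49,8 @@` names the gate but not what it tests, and its first line runs past 120 columns. Since patch 1/2 also adds a `pull_request` trigger, this gate is what keeps secret-less runs away from the push, so the comment should state that it must reflect whether the registry secrets are present rather than who opened the PR. The `authorized` step itself lies outside the hunk, so whether it does that cannot be confirmed here. Suggested wording: `# PRs from forks and from dependabot run without repository secrets, so the image cannot be pushed.` followed by `# 'authorized' gates the push; it must reflect whether the secrets are available.`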