Update CI build workflow permissions and conditions

LucHeart · web-flow · commit 603dec129477 · 2025-11-15T16:05:59.000+01:00
diff --git a/.github/workflows/ci-build.yml b/.github/workflows/ci-build.yml
@@ -26,6 +26,11 @@ on:
 
 name: ci-build
 
+permissions:
+  contents: read
+  actions: write
+  packages: write
+
 env:
   DOTNET_VERSION: 10.0.x
   REGISTRY: ghcr.io
@@ -130,8 +135,8 @@ jobs:
             latest=false
           tags: |
             type=raw,value={{branch}},enable=${{ github.ref_type == 'branch' && github.event_name != 'pull_request' }}
-            type=raw,value=latest,enable=${{ inputs.latest || false }}
-            type=raw,value=rc,enable=${{ inputs.rc || false }}
+            type=raw,value=latest,enable=${{ github.event_name == 'workflow_call' && (inputs.latest || false) }}
+            type=raw,value=rc,enable=${{ github.event_name == 'workflow_call' && (inputs.rc || false) }}
             type=ref,event=branch
             type=ref,event=pr
             type=semver,pattern={{major}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.') }}
@@ -143,7 +148,7 @@ jobs:
         with:
           context: .
           file: Dockerfile
-          push: ${{ inputs.latest || inputs.rc || (github.ref_protected && github.event_name != 'pull_request') }}
+          push: ${{ (github.event_name == 'workflow_call' && (inputs.latest || inputs.rc)) || (github.ref_protected && github.event_name != 'pull_request') }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           platforms: ${{ inputs.platforms || 'linux/amd64' }}
