fix(ci): restore docker-publish workflow test contract #130

Merged
luandro merged 3 commits into feat/notion-api-service from codex/update-docker-publish.yml-for-test-compliance
Feb 12, 2026
Conversation

@luandro luandro commented Feb 11, 2026

Motivation

  • Restore the workflow expressions and permissions that the repository's validation tests expect so CI contracts don't drift.
  • Ensure Docker credentials/push are gated to non-PR events and PR comments are restricted to same-repo (non-fork) pull requests to avoid leaking secrets.

Description

  • Set top-level env.IMAGE_NAME to use ${{ github.repository }} instead of a hardcoded value.
  • Add packages: write to jobs.build.permissions while keeping contents: read and pull-requests: write.
  • Replace the custom steps.publish.outputs.push gating with action-native guards by changing the Docker login step to if: github.event_name != 'pull_request' and the build action push to ${{ github.event_name != 'pull_request' }}.
  • Tighten the PR comment step if to require github.event_name == 'pull_request' and github.event.pull_request.head.repo.full_name == github.repository so comments only run for non-fork PRs.

Testing

  • Installed dependencies with bun i to ensure test deps were available.
  • Ran the workflow validation tests with bunx vitest run scripts/docker-publish-workflow.test.ts scripts/ci-validation/docker-publish-workflow.test.ts, and both test files passed (all assertions green).

Greptile Overview

Greptile Summary

Restores the docker-publish workflow to match the repository's validation test expectations. The changes ensure proper security by preventing Docker credential exposure to fork PRs while allowing same-repo PRs to receive image build comments.

Key changes:

  • Changed env.IMAGE_NAME from hardcoded communityfirst/comapeo-docs-api to ${{ github.repository }} (dynamic repository name)
  • Added packages: write permission to job alongside existing contents: read and pull-requests: write
  • Removed custom publish mode determination step in favor of native GitHub Actions conditionals
  • Gates Docker login to non-PR events with if: github.event_name != 'pull_request'
  • Gates Docker push to non-PR events with push: ${{ github.event_name != 'pull_request' }}
  • Tightened PR comment condition to require both github.event_name == 'pull_request' AND github.event.pull_request.head.repo.full_name == github.repository (prevents fork PRs from triggering comments that reference non-existent images)

All test files pass validation confirming the workflow meets security and functional requirements.

Confidence Score: 5/5

  • Safe to merge - restores test contract compliance with proper security controls
  • Score reflects that this PR restores the workflow to match validation test expectations with proper security measures. All changes are defensive improvements: dynamic repository naming, explicit permissions, and tightened fork PR protections. Tests pass confirming no regressions.
  • No files require special attention

Important Files Changed

Filename: .github/workflows/docker-publish.yml
Overview: Restores workflow test contract expectations: uses ${{ github.repository }} for IMAGE_NAME, adds packages: write permission, gates Docker login/push to non-PR events, and restricts PR comments to same-repo PRs

Sequence Diagram

sequenceDiagram
    participant Event as GitHub Event
    participant Workflow as Docker Publish
    participant Docker as Docker Hub
    participant PR as Pull Request

    alt Push to main branch
        Event->>Workflow: push event
        Workflow->>Docker: Login with credentials
        Workflow->>Docker: Build & push (latest + SHA tags)
        Workflow->>Workflow: Skip PR comment (not a PR)
    else Pull Request (same repo)
        Event->>Workflow: pull_request event (same repo)
        Workflow->>Workflow: Skip Docker login (is PR)
        Workflow->>Workflow: Build only (no push)
        Workflow->>PR: Comment with image reference
    else Pull Request (fork)
        Event->>Workflow: pull_request event (fork)
        Workflow->>Workflow: Skip Docker login (is PR)
        Workflow->>Workflow: Build only (no push)
        Workflow->>Workflow: Skip PR comment (fork security)
    else Manual dispatch
        Event->>Workflow: workflow_dispatch
        Workflow->>Docker: Login with credentials
        Workflow->>Docker: Build & push (ref-based tags)
        Workflow->>Workflow: Skip PR comment (not a PR)
    end

Context used:

  • Context from dashboard - CLAUDE.md (source)
  • Context from dashboard - AGENTS.md (source)
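As an added example (not the repository's own vitest suite), the contract the PR restores can be checked mechanically: the TypeScript below runs line-based checks over a workflow fragment constructed from the PR description. The step names and YAML layout are assumptions, not the real file's.

```typescript
// Added example: a minimal contract check over the docker-publish workflow text.
// FIXED_WORKFLOW is constructed from the PR description (step names assumed).
export const FIXED_WORKFLOW = `
env:
  IMAGE_NAME: \${{ github.repository }}
jobs:
  build:
    permissions:
      contents: read
      packages: write
      pull-requests: write
    steps:
      - name: Log in to Docker Hub
        if: github.event_name != 'pull_request'
      - name: Build and push
        with:
          push: \${{ github.event_name != 'pull_request' }}
      - name: Comment image on PR
        if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository
`;

// Returns one finding per violated expectation; an empty array means compliant.
export function checkDockerPublishContract(workflow: string): string[] {
  const findings: string[] = [];
  const steps = workflow.split(/\n\s*- name: /).slice(1);
  const step = (title: string) => steps.find((s) => s.startsWith(title)) ?? "";
  // 1. Image name derived from the repository, never hardcoded.
  if (!/IMAGE_NAME:\s*\$\{\{\s*github\.repository\s*\}\}/.test(workflow))
    findings.push("env.IMAGE_NAME must be ${{ github.repository }}");
  // 2. Explicit job permissions: least privilege, but enough to push packages.
  for (const p of ["contents: read", "packages: write", "pull-requests: write"])
    if (!workflow.includes(p)) findings.push(`permissions missing '${p}'`);
  // 3. Registry credentials are only touched outside pull_request events.
  if (!/^\s*if: github\.event_name != 'pull_request'$/m.test(step("Log in to Docker Hub")))
    findings.push("login step must be gated on github.event_name != 'pull_request'");
  // 4. The build action itself refuses to push on pull_request events.
  if (!step("Build and push").includes("push: ${{ github.event_name != 'pull_request' }}"))
    findings.push("build step must set push: ${{ github.event_name != 'pull_request' }}");
  // 5. Image comments only for same-repo PRs; a fork PR has no pushed image to reference.
  const comment = step("Comment image on PR");
  if (!comment.includes("github.event_name == 'pull_request'") ||
      !comment.includes("github.event.pull_request.head.repo.full_name == github.repository"))
    findings.push("comment step must require pull_request AND a same-repo head");
  // 6. The old custom gate must be gone so nothing bypasses the native guards.
  if (workflow.includes("steps.publish.outputs.push"))
    findings.push("stale steps.publish.outputs.push gate still referenced");
  return findings;
}
```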


@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 06292f9835

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".


@greptile-apps greptile-apps bot left a comment

1 file reviewed, no comments

github-actions bot commented Feb 11, 2026

🚀 Preview Deployment

Your documentation preview is ready!

Preview URL: https://pr-130.comapeo-docs.pages.dev

🔄 Content: Regenerated 5 pages from Notion (content branch was empty, used fallback)

⚠️ Note: Content branch needed regeneration. Consider running the sync-docs workflow.

This preview will update automatically when you push new commits to this PR.

Built with commit 0b83d5c

luandro commented Feb 11, 2026

@codex review
@greptile review


@greptile-apps greptile-apps bot left a comment

1 file reviewed, 1 comment


@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5aef72cccd

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
luandro commented Feb 12, 2026

@greptile review


@greptile-apps greptile-apps bot left a comment

1 file reviewed, no comments

@luandro luandro merged commit 717b52c into feat/notion-api-service Feb 12, 2026
3 of 4 checks passed
@luandro luandro deleted the codex/update-docker-publish.yml-for-test-compliance branch February 12, 2026 00:07
🧹 Preview Deployment Cleanup

The preview deployment for this PR has been cleaned up.

Preview URL was: https://pr-130.comapeo-docs.pages.dev


Note: Cloudflare Pages deployments follow automatic retention policies. Old previews are cleaned up automatically.

luandro added a commit that referenced this pull request Feb 13, 2026
* fix(ci): restore docker publish workflow contract

* fix(ci): stop PR image comment when push is disabled

* Update .github/workflows/docker-publish.yml
luandro added a commit that referenced this pull request Feb 20, 2026
luandro added a commit that referenced this pull request Feb 24, 2026
luandro added a commit that referenced this pull request Feb 24, 2026