feat: prevent Docker publishing from template repository

- Add template detection logic to disable publishing from template repo
- Enable publishing only for consuming repositories after customization
- Add explicit checks for template indicators in README.md
- Update documentation to clarify publishing behavior
- Protect template repository from accidental Docker image publishing

Author: AhmedKorim

.github/workflows/docker-publish.yml

@@ -19,12 +19,52 @@ env:
   IMAGE_NAME: ${{ github.repository }}
 
 jobs:
+  # Check if this is a template repository or a consuming repository
+  check-repo-type:
+    runs-on: ubuntu-latest
+    outputs:
+      is-template: ${{ steps.check.outputs.is-template }}
+      should-publish: ${{ steps.check.outputs.should-publish }}
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Check repository type
+        id: check
+        run: |
+          # Check if this is a template repository by looking for template indicators
+          # Template repositories typically have specific patterns in their files
+          if [[ "${{ github.repository }}" == "droq-ai/dfx-base-node-template-py" ]]; then
+            echo "is-template=true" >> $GITHUB_OUTPUT
+            echo "should-publish=false" >> $GITHUB_OUTPUT
+            echo "::notice::This is the template repository - Docker publishing is disabled"
+          elif grep -q "droq-node-template" README.md 2>/dev/null && \
+               grep -q "Replace src/node/main.py with your code" README.md 2>/dev/null; then
+            echo "is-template=true" >> $GITHUB_OUTPUT
+            echo "should-publish=false" >> $GITHUB_OUTPUT
+            echo "::notice::Template repository detected - Docker publishing is disabled. Consumers should customize before publishing."
+          else
+            echo "is-template=false" >> $GITHUB_OUTPUT
+
+            # Determine if should publish based on event
+            if [[ "${{ github.event_name }}" == "push" && "${{ github.ref }}" == "refs/heads/main" ]] || \
+               [[ "${{ github.event_name }}" == "push" && "${{ github.ref }}" == refs/tags/* ]] || \
+               [[ "${{ github.event.inputs.publish }}" == "true" ]]; then
+              echo "should-publish=true" >> $GITHUB_OUTPUT
+              echo "::notice::Consuming repository detected - Docker publishing is enabled"
+            else
+              echo "should-publish=false" >> $GITHUB_OUTPUT
+            fi
+          fi
+
   build-and-test:
     runs-on: ubuntu-latest
+    needs: check-repo-type
     outputs:
       image-digest: ${{ steps.build.outputs.digest }}
       image-tag: ${{ steps.meta.outputs.tags }}
-      should-publish: ${{ steps.should-publish.outputs.result }}
+      should-publish: ${{ needs.check-repo-type.outputs.should-publish }}
 
     steps:
       - name: Checkout repository
@@ -46,17 +86,6 @@ jobs:
             type=semver,pattern={{major}}
             type=raw,value=latest,enable={{is_default_branch}}
 
-      - name: Determine if should publish
-        id: should-publish
-        run: |
-          if [[ "${{ github.event_name }}" == "push" && "${{ github.ref }}" == "refs/heads/main" ]] || \
-             [[ "${{ github.event_name }}" == "push" && "${{ github.ref }}" == refs/tags/* ]] || \
-             [[ "${{ github.event.inputs.publish }}" == "true" ]]; then
-            echo "result=true" >> $GITHUB_OUTPUT
-          else
-            echo "result=false" >> $GITHUB_OUTPUT
-          fi
-
       - name: Build Docker image
         id: build
         uses: docker/build-push-action@v5
@@ -73,7 +102,7 @@ jobs:
 
   publish:
     runs-on: ubuntu-latest
-    needs: build-and-test
+    needs: [check-repo-type, build-and-test]
     if: needs.build-and-test.outputs.should-publish == 'true'
     environment: production
 
@@ -131,7 +160,7 @@ jobs:
 
   publish-private-registry:
     runs-on: ubuntu-latest
-    needs: build-and-test
+    needs: [check-repo-type, build-and-test]
     if: needs.build-and-test.outputs.should-publish == 'true' && secrets.PRIVATE_REGISTRY_URL != ''
     environment: production
 
@@ -174,7 +203,7 @@ jobs:
 
   security-scan:
     runs-on: ubuntu-latest
-    needs: [build-and-test, publish]
+    needs: [check-repo-type, build-and-test, publish]
     if: needs.build-and-test.outputs.should-publish == 'true'
     environment: production
 

README.md

@@ -68,14 +68,18 @@ uv add package-name
 
 ## Docker Publishing
 
-The template includes GitHub Actions for automatic Docker publishing:
+The template includes GitHub Actions for automatic Docker publishing that is **disabled for the template repository** and **enabled for consuming repositories**.
 
+**Template Repository**: Docker publishing is automatically disabled
+**Consuming Repositories**: Publishing is enabled after customization
+
+**Features:**
 - **Triggers**: Push to main, git tags, manual dispatch
 - **Registries**: GitHub Container Registry (default) + private registries
 - **Platforms**: linux/amd64, linux/arm64
-- **Features**: Security scanning, SBOM generation
+- **Security**: Security scanning, SBOM generation
 
-Configure private registry with secrets:
+**Private Registry Setup:**
 - `PRIVATE_REGISTRY_URL`
 - `PRIVATE_REGISTRY_USERNAME`
 - `PRIVATE_REGISTRY_PASSWORD`

docs/docker-publishing.md

@@ -1,8 +1,15 @@
 # Docker Publishing
 
-Automated Docker publishing via GitHub Actions.
+Automated Docker publishing via GitHub Actions with template detection.
 
-## Setup
+## Template Protection
+
+**Template Repository**: Docker publishing is **disabled** to prevent accidental publishing
+**Consuming Repositories**: Docker publishing is **enabled** automatically after customization
+
+The workflow detects template repositories and prevents publishing from the template itself.
+
+## Setup for Consuming Repositories
 
 **Triggers:**
 - Push to main branch → `latest` tag