Update docker-build.yml

Author: Thiemann96

.github/workflows/docker-build.yml

@@ -5,16 +5,21 @@ on:
     branches:
       - development
     tags:
-      - "v*"  # Triggers on version tags like v1.0.0
+      - "v*"
   pull_request:
     branches:
       - main
-  workflow_dispatch:  # Allow manual trigger
+  workflow_dispatch:
 
 jobs:
   build:
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: read
+      packages: write  # notwendig für GHCR push
+      pull-requests: read
+
     steps:
       - name: Checkout code
         uses: actions/checkout@v3
@@ -23,16 +28,17 @@ jobs:
         uses: docker/setup-buildx-action@v2
 
       - name: Log in to GitHub Container Registry
+        if: github.event.pull_request.head.repo.full_name == github.repository  # verhindert push bei externen PRs
         uses: docker/login-action@v2
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
-          
+
       - name: Build and push Docker image
         uses: docker/build-push-action@v5
         with:
-          push: ${{ github.event_name != 'pull_request' }}
+          push: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
           tags: |
             ghcr.io/${{ github.repository_owner }}/react-ardublockly-backend:latest
             ghcr.io/${{ github.repository_owner }}/react-ardublockly-backend:${{ github.event_name == 'pull_request' && format('pr-{0}', github.event.pull_request.number) || github.ref_name }}