ublue-os · castrojo · Mar 1, 2026 · Mar 1, 2026 · Mar 1, 2026 · Mar 1, 2026
@@ -13,8 +13,6 @@ on:
     branches:
       - main
       - lts
-  schedule:
-    - cron: '0 2 * * 0'  # Weekly on Sunday at 2 AM UTC
   merge_group:
   workflow_dispatch:
 
@@ -35,6 +33,5 @@ jobs:
       flavor: dx
       kernel-pin: 6.17.12-200.fc42
       rechunk: ${{ github.event_name != 'pull_request' }}
-      sbom: ${{ (github.event_name == 'workflow_dispatch' && (github.ref == 'refs/heads/lts' || github.ref == 'refs/heads/main')) || (github.event_name == 'push' && github.ref == 'refs/heads/main') }}
       publish: ${{ (github.event_name == 'workflow_dispatch' && (github.ref == 'refs/heads/lts' || github.ref == 'refs/heads/main')) || (github.event_name == 'push' && github.ref == 'refs/heads/main') }}
       hwe: true
@@ -13,8 +13,6 @@ on:
     branches:
       - main
       - lts
-  schedule:
-    - cron: '0 2 * * 0'  # Weekly on Sunday at 2 AM UTC
   merge_group:
   workflow_dispatch:
 
@@ -30,5 +28,4 @@ jobs:
       image-name: bluefin-dx
       flavor: dx
       rechunk: ${{ github.event_name != 'pull_request' }}
-      sbom: ${{ (github.event_name == 'workflow_dispatch' && (github.ref == 'refs/heads/lts' || github.ref == 'refs/heads/main')) || (github.event_name == 'push' && github.ref == 'refs/heads/main') }}
       publish: ${{ (github.event_name == 'workflow_dispatch' && (github.ref == 'refs/heads/lts' || github.ref == 'refs/heads/main')) || (github.event_name == 'push' && github.ref == 'refs/heads/main') }}
@@ -13,8 +13,6 @@ on:
     branches:
       - main
       - lts
-  schedule:
-    - cron: '0 2 * * 0'  # Weekly on Sunday at 2 AM UTC
   merge_group:
   workflow_dispatch:
 
@@ -31,5 +29,4 @@ jobs:
       flavor: gdx
       kernel-pin: 6.17.12-200.fc42
       rechunk: ${{ github.event_name != 'pull_request' }}
-      sbom: ${{ (github.event_name == 'workflow_dispatch' && (github.ref == 'refs/heads/lts' || github.ref == 'refs/heads/main')) || (github.event_name == 'push' && github.ref == 'refs/heads/main') }}
       publish: ${{ (github.event_name == 'workflow_dispatch' && (github.ref == 'refs/heads/lts' || github.ref == 'refs/heads/main')) || (github.event_name == 'push' && github.ref == 'refs/heads/main') }}
@@ -13,8 +13,6 @@ on:
     branches:
       - main
       - lts
-  schedule:
-    - cron: '0 2 * * 0'  # Weekly on Sunday at 2 AM UTC
   merge_group:
   workflow_dispatch:
 
@@ -34,7 +32,6 @@ jobs:
       image-name: bluefin
       kernel-pin: 6.17.12-200.fc42
       rechunk: ${{ github.event_name != 'pull_request' }}
-      sbom: ${{ (github.event_name == 'workflow_dispatch' && (github.ref == 'refs/heads/lts' || github.ref == 'refs/heads/main')) || (github.event_name == 'push' && github.ref == 'refs/heads/main') }}
       publish: ${{ (github.event_name == 'workflow_dispatch' && (github.ref == 'refs/heads/lts' || github.ref == 'refs/heads/main')) || (github.event_name == 'push' && github.ref == 'refs/heads/main') }}
       hwe: true
 
@@ -13,8 +13,6 @@ on:
     branches:
       - main
       - lts
-  schedule:
-    - cron: '0 2 * * 0'  # Weekly on Sunday at 2 AM UTC
   merge_group:
   workflow_dispatch:
 
@@ -29,5 +27,4 @@ jobs:
     with:
       image-name: bluefin
       rechunk: ${{ github.event_name != 'pull_request' }}
-      sbom: ${{ (github.event_name == 'workflow_dispatch' && (github.ref == 'refs/heads/lts' || github.ref == 'refs/heads/main')) || (github.event_name == 'push' && github.ref == 'refs/heads/main') }}
       publish: ${{ (github.event_name == 'workflow_dispatch' && (github.ref == 'refs/heads/lts' || github.ref == 'refs/heads/main')) || (github.event_name == 'push' && github.ref == 'refs/heads/main') }}
@@ -25,11 +25,15 @@ on:
 jobs:
   generate-release:
     runs-on: ubuntu-latest
-    # Only run if the workflow was successful and on lts branch
+    # Only run if the workflow was successful, on lts branch, and triggered by
+    # workflow_dispatch (meaning scheduled-lts-release.yml fired it — images were published).
+    # Push-to-lts validation builds complete successfully too but publish nothing,
+    # so we must not create a release for those.
     if: |
       github.event_name == 'workflow_dispatch' ||
-      (github.event.workflow_run.conclusion == 'success' && 
-       github.event.workflow_run.head_branch == 'lts')
+      (github.event.workflow_run.conclusion == 'success' &&
+       github.event.workflow_run.head_branch == 'lts' &&
+       github.event.workflow_run.event == 'workflow_dispatch')
 
     steps:
       - name: Checkout repository
@@ -63,7 +67,7 @@ jobs:
           fi
 
       - name: Generate changelog
-        uses: hanthor/changelog-action@master
+        uses: hanthor/changelog-action@2d212cd35f65cfe33954dd79013887e7bee76580 # master
         with:
           stream: ${{ steps.target.outputs.target }}
           family: bluefin-lts

@@ -17,46 +17,21 @@ on:
           **IMPORTANT**: This PR should ONLY contain commits from `main` → `lts`. Never merge in the opposite direction.
 
 permissions:
-  contents: write
   pull-requests: write
+  issues: write
 
 jobs:
   create-promotion-pr:
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-        with:
-          ref: lts
-          fetch-depth: 0
-
-      - name: Configure Git
-        run: |
-          git config user.name "github-actions[bot]"
-          git config user.email "github-actions[bot]@users.noreply.github.com"
-
-      - name: Create promotion branch
-        id: create-branch
-        run: |
-          BRANCH_NAME="promote-main-to-lts-$(date +%Y%m%d-%H%M%S)"
-          echo "branch_name=$BRANCH_NAME" >> $GITHUB_OUTPUT
-          git checkout -b "$BRANCH_NAME"
-
-      - name: Merge main into promotion branch
-        run: |
-          git merge origin/main --no-edit -m "Merge main into lts"
-
-      - name: Push promotion branch
-        run: |
-          git push origin ${{ steps.create-branch.outputs.branch_name }}
-
       - name: Create Pull Request
         env:
           GH_TOKEN: ${{ github.token }}
         run: |
           gh pr create \
+            --repo ${{ github.repository }} \
             --base lts \
-            --head ${{ steps.create-branch.outputs.branch_name }} \
+            --head main \
             --title "${{ inputs.pr_title }}" \
             --body "${{ inputs.pr_body }}" \
             --label "promotion"
@@ -32,11 +32,6 @@ on:
         required: false
         type: boolean
         default: true
-      sbom:
-        description: "Generate/publish SBOMs for the artifacts"
-        required: false
-        type: boolean
-        default: true
       cleanup_runner:
         description: "Use the ublue cleanup action to clean up the runner before running the build"
         required: false
@@ -52,7 +47,7 @@ on:
         required: false
         type: boolean
         # default: ${{ github.event_name != 'pull_request' }}
-        default: true
+        default: false
       tag-suffix:
         description: "The suffix to append to the image tag"
         required: false
@@ -176,12 +171,14 @@ jobs:
 
       - name: Setup Syft
         id: setup-syft
-        if: ${{ inputs.sbom && inputs.publish }}
+        if: ${{ github.ref == 'refs/heads/lts' && inputs.publish }}
+        continue-on-error: true
         uses: anchore/sbom-action/download-syft@17ae1740179002c89186b61233e0f892c3118b11 # v0
 
       - name: Generate SBOM
         id: generate-sbom
-        if: ${{ inputs.sbom && inputs.publish }}
+        if: ${{ github.ref == 'refs/heads/lts' && inputs.publish }}
+        continue-on-error: true
         env:
           IMAGE: ${{ env.IMAGE_NAME }}
           DEFAULT_TAG: ${{ env.DEFAULT_TAG }}
@@ -267,7 +264,8 @@ jobs:
           COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}
 
       - name: Add SBOM Attestation
-        if: ${{ inputs.sbom }}
+        if: ${{ github.ref == 'refs/heads/lts' && inputs.publish }}
+        continue-on-error: true
         env:
           IMAGE: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}
           DIGEST: ${{ steps.push.outputs.remote_image_digest }}
@@ -369,10 +367,10 @@ jobs:
             export DEFAULT_TAG="${DEFAULT_TAG}-hwe"
             export CENTOS_VERSION_SUFFIX="-hwe"
           fi
-          if [ "${REF_NAME}" != "${PRODUCTION_BRANCH}" ] && [ "$EVENT_NAME" == "pull_request" ] || [ "${EVENT_NAME}" == "merge_group" ] ; then
+          if [ "${REF_NAME}" != "${PRODUCTION_BRANCH}" ]; then
             export TAG_SUFFIX="testing"
             export DEFAULT_TAG="${DEFAULT_TAG}-${TAG_SUFFIX}"
-            export CENTOS_VERSION_SUFFIX="-${TAG_SUFFIX}"
+            export CENTOS_VERSION_SUFFIX="${CENTOS_VERSION_SUFFIX}-${TAG_SUFFIX}"
           fi
           echo "DEFAULT_TAG=${DEFAULT_TAG}" >> "${GITHUB_ENV}"
           echo "CENTOS_VERSION_SUFFIX=${CENTOS_VERSION_SUFFIX}" >> "${GITHUB_ENV}"
@@ -492,7 +490,7 @@ jobs:
           echo "${{ secrets.GITHUB_TOKEN }}" | podman login -u "${{ github.actor }}" --password-stdin "${REGISTRY}"
 
       - name: Push Manifest
-        if: github.event_name != 'pull_request'
+        if: ${{ inputs.publish }}
         id: push_manifest
         env:
           MANIFEST: ${{ steps.create-manifest.outputs.MANIFEST }}
@@ -512,7 +510,7 @@ jobs:
   # so we move this to another step in order to run on Ubuntu
   sign:
     needs: manifest
-    if: github.event_name != 'pull_request'
+    if: ${{ inputs.publish }}
     runs-on: ubuntu-latest
     permissions:
       contents: read
@@ -531,6 +529,7 @@ jobs:
         uses: sigstore/cosign-installer@7e8b541eb2e61bf99390e1afd4be13a184e9ebc5 # v3.10.1
 
       - name: Sign Manifest
+        if: ${{ inputs.publish }}
         env:
           DIGEST: ${{ needs.manifest.outputs.digest }}
           IMAGE: ${{ needs.manifest.outputs.image }}