From aab6fc244e48a8e27ef216f377176586e3499bb2 Mon Sep 17 00:00:00 2001
From: tigattack <10629864+tigattack@users.noreply.github.com>
Date: Sun, 5 Oct 2025 23:09:01 +0100
Subject: [PATCH] ci(docker): fix push conditions to prevent pushes from forks
---
 .github/workflows/docker.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 5e24f83..96da157 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -64,7 +64,11 @@ jobs:
 context: .
 file: docker/${{ matrix.image }}.Dockerfile
 platforms: linux/amd64,linux/arm64
- push: ${{ github.event_name != 'workflow_dispatch' || inputs.push == 'true' }}
+ # Push if:
+ # - Event is not workflow_dispatch OR input 'push' is true
+ # AND
+ # - Event is not pull_request OR the PR is from the same repository (to avoid pushing from forks)
+ push: ${{ (github.event_name != 'workflow_dispatch' || inputs.push == 'true') && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) }}
 tags: ${{ steps.meta.outputs.tags }}
 labels: ${{ steps.meta.outputs.labels }}
 cache-from: type=gha,scope=${{ matrix.image }}
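Review bot: The fork guard on the new `push:` line applies only when `github.event_name` is exactly `pull_request`, so it would stop protecting the registry if this workflow is ever also triggered by `pull_request_target`, where a fork's PR runs with the base repository's secrets and a writable token. The `on:` block and any registry login step are outside this hunk, so whether that trigger is present cannot be confirmed from here. Writing the second clause as `(!startsWith(github.event_name, 'pull_request') || github.event.pull_request.head.repo.full_name == github.repository)` would tie the guard to every PR-derived event rather than to one event name. Separately, `inputs.push == 'true'` compares against a string; if the input is declared `type: boolean`, the `inputs` context yields a real boolean and the comparison would evaluate to false, so the declaration is worth checking.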