From f8ce44651bb3a0dd79af1222f33e814c5cc28ab8 Mon Sep 17 00:00:00 2001
From: "Han Verstraete (OpenFaaS Ltd)" <han@openfaas.com>
Date: Tue, 18 Jun 2024 15:13:33 +0200
Subject: [PATCH] Create separate build and publish workflows

- Prevent failing CI for PRs bacause of missing permission to push
  images.
- Prevent image builds from users with sufficient permission to get
  published on PRs and branches other than master.

Signed-off-by: Han Verstraete (OpenFaaS Ltd) <han@openfaas.com>
---
 .github/workflows/build.yaml   | 16 +++-------
 .github/workflows/publish.yaml | 58 ++++++++++++++++++++++++++++++++++
 2 files changed, 63 insertions(+), 11 deletions(-)
 create mode 100644 .github/workflows/publish.yaml

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 065e6ca..30ad8bf 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -33,29 +33,23 @@ jobs:
       - name: Get Repo Owner
         id: get_repo_owner
         run: echo "REPO_OWNER=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')" > $GITHUB_ENV
-
-      - name: Docker Login
-        run: > 
-          echo ${{ secrets.GITHUB_TOKEN }} | 
-          docker login ghcr.io --username 
-          ${{ env.REPO_OWNER  }} 
-          --password-stdin
-      - name: Publish multi-arch functions
+        
+      - name: Build multi-arch functions
         run: >
           OWNER="${{ env.REPO_OWNER  }}" 
           TAG="latest"
           SERVER="ghcr.io"
-          faas-cli publish
+          faas-cli build
           --extra-tag ${{ github.sha }}
           --build-arg GO111MODULE=on
           --platforms linux/arm/v7,linux/arm64,linux/amd64
 
-      - name: Publish amd64-only functions
+      - name: Build amd64-only functions
         run: >
           OWNER="${{ env.REPO_OWNER  }}" 
           TAG="latest"
           SERVER="ghcr.io"
-          faas-cli publish
+          faas-cli build
           --extra-tag ${{ github.sha }}
           --platforms linux/amd64
           -f stack-amd64.yml
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
new file mode 100644
index 0000000..0c54caf
--- /dev/null
+++ b/.github/workflows/publish.yaml
@@ -0,0 +1,58 @@
+name: publish
+
+on:
+  push:
+    branches:
+      - 'master'
+
+jobs:
+  build:
+    concurrency: 
+      group: ${{ github.ref }}
+      cancel-in-progress: true
+
+    permissions:
+      packages: write
+      checks: write
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@master
+        with:
+          fetch-depth: 1
+      - name: Get faas-cli
+        run: curl -sLSf https://cli.openfaas.com | sudo sh
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Get Repo Owner
+        id: get_repo_owner
+        run: echo "REPO_OWNER=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')" > $GITHUB_ENV
+
+      - name: Docker Login
+        run: > 
+          echo ${{ secrets.GITHUB_TOKEN }} | 
+          docker login ghcr.io --username 
+          ${{ env.REPO_OWNER  }} 
+          --password-stdin
+      - name: Publish multi-arch functions
+        run: >
+          OWNER="${{ env.REPO_OWNER  }}" 
+          TAG="latest"
+          SERVER="ghcr.io"
+          faas-cli publish
+          --extra-tag ${{ github.sha }}
+          --build-arg GO111MODULE=on
+          --platforms linux/arm/v7,linux/arm64,linux/amd64
+
+      - name: Publish amd64-only functions
+        run: >
+          OWNER="${{ env.REPO_OWNER  }}" 
+          TAG="latest"
+          SERVER="ghcr.io"
+          faas-cli publish
+          --extra-tag ${{ github.sha }}
+          --platforms linux/amd64
+          -f stack-amd64.yml
\ No newline at end of file