cost-model/.github/workflows/build-test-image.yml

name: Build and Publish Test Image

on:
  merge_group:
    types: [checks_requested]
  pull_request_target:
    branches:
      - develop

permissions: {}

env:
  REGISTRY: ghcr.io

jobs:
  check_actor_permissions:
        runs-on: ubuntu-latest
        if: ${{ github.event_name == 'pull_request_target' || github.event_name == 'merge_group' }}
        outputs:
            ismaintainer: ${{ steps.determine-maintainer.outputs.ismaintainer }}
        steps:
          - name: Check team membership
            uses: tspascoal/get-user-teams-membership@v3
            if: ${{ github.actor != 'dependabot[bot]' }}
            id: teamAffiliation
            with:
              GITHUB_TOKEN: ${{ secrets.ORG_READER_PAT }}
              username: ${{ github.actor }}
              organization: opencost
          - name: determine if actor is a maintainer
            id: determine-maintainer
            env:
              TEAMS: ${{ join(steps.teamAffiliation.outputs.teams, ',') }}
              ACTOR: ${{ github.actor }}
              IS_MAINTAINER: ${{ contains(join(steps.teamAffiliation.outputs.teams, ','), 'OpenCost Maintainers') || (github.actor == 'dependabot[bot]' && github.event.pull_request.head.repo.full_name == 'opencost/opencost') }}
            run: |
                echo "Actor: $ACTOR"
                echo "teams: $TEAMS"
                echo "Is maintainer: $IS_MAINTAINER"
                echo "ismaintainer=$IS_MAINTAINER" >> $GITHUB_OUTPUT
      
  build-and-publish-test-image:
    runs-on: ubuntu-latest
    needs: check_actor_permissions
    if: ${{ (always() && !cancelled()) && ( github.event_name == 'merge_group' || (github.event_name == 'pull_request_target' && needs.check_actor_permissions.outputs.ismaintainer == 'true')) }}
    permissions:
      contents: read
      packages: write
    steps:
      - name: Checkout Repo
        uses: actions/checkout@v6.0.2
        with:
          ref: ${{ github.event.merge_group.head_sha || github.event.pull_request.head.sha }}
      - name: Set SHA
        id: sha
        run: |
          echo "OC_SHORTHASH=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
      - name: Set OpenCost Image Tags
        id: tags
        env:
          REPO_OWNER: ${{ github.repository_owner }}
          OC_SHORTHASH: ${{ steps.sha.outputs.OC_SHORTHASH }}
        run: |
          echo "IMAGE_TAG=ghcr.io/$REPO_OWNER/opencost:test-$OC_SHORTHASH" >> $GITHUB_OUTPUT
      - name: Build and publish container
        uses: ./.github/actions/build-container
        with:
          actor: ${{ github.actor }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          image_tag: ${{ steps.tags.outputs.IMAGE_TAG }}
          release_version: test-${{ steps.sha.outputs.OC_SHORTHASH }}