From 0a6979b5aaec0c17f3f67a1ff0cde331f64433ac Mon Sep 17 00:00:00 2001
From: James A Sutherland <j@sutherland.pw>
Date: Sun, 7 Dec 2025 20:20:53 -0600
Subject: [PATCH] Skip docker push for non-tagged builds and upgrade checkout
 to v6

Only push containers to GHCR when building from a tag, avoiding
permission errors on Dependabot and regular branch builds.
---
 .github/workflows/dockerpush.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/dockerpush.yml b/.github/workflows/dockerpush.yml
index 0f5f595..964eda9 100644
--- a/.github/workflows/dockerpush.yml
+++ b/.github/workflows/dockerpush.yml
@@ -8,7 +8,7 @@ jobs:
     runs-on: ubuntu-latest
     
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           submodules: recursive
           fetch-depth: 0
@@ -20,6 +20,7 @@ jobs:
           make minidocker docker
       
       - name: Log in to the GitHub Container registry
+        if: startsWith(github.ref, 'refs/tags/')
         uses: redhat-actions/podman-login@v1
         with:
           registry: ghcr.io/jas88
@@ -27,6 +28,7 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Push mini-container to GitHub Container Repository
+        if: startsWith(github.ref, 'refs/tags/')
         id: push-mini-to-ghcr
         uses: redhat-actions/push-to-registry@v2
         with:
@@ -35,6 +37,7 @@ jobs:
           registry: ghcr.io/jas88
 
       - name: Push full stack container to GitHub Container Repository
+        if: startsWith(github.ref, 'refs/tags/')
         id: push-full-to-ghcr
         uses: redhat-actions/push-to-registry@v2
         with: