Build production image only from main or release branch

bogsi17 · bogsi17 · commit 4a7909a3f68f · 2025-04-15T09:56:01.000+01:00
diff --git a/.github/workflows/build-and-push-image.yml b/.github/workflows/build-and-push-image.yml
@@ -34,6 +34,7 @@ jobs:
             echo "BUILD_NEEDED=true" >> $GITHUB_ENV
           fi
       - name: Configure AWS Production credentials
+        if: ${{ github.ref_name == 'main' || github.ref_name == 'release' }}
         uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: arn:aws:iam::820242920762:role/GithubDeployMavisAndInfrastructure
@@ -64,16 +65,29 @@ jobs:
         with:
           name: image
           path: image.tar
+  define-matrix:
+    name: Determine AWS roles to push the image
+    runs-on: ubuntu-latest
+    needs: check-image-presence
+    outputs:
+      aws-roles: ${{ steps.determine-aws-roles.outputs.aws-roles }}
+    steps:
+      - name: Set aws roles
+        id: determine-aws-roles
+        run: |
+          if [ ${{ github.ref_name }} = 'main' ] || [ ${{ github.ref_name }} = 'release' ]; then
+            echo 'aws-roles=["arn:aws:iam::393416225559:role/GithubDeployMavisAndInfrastructure", "arn:aws:iam::820242920762:role/GithubDeployMavisAndInfrastructure"]' >> $GITHUB_OUTPUT
+          else
+            echo 'aws-roles=["arn:aws:iam::393416225559:role/GithubDeployMavisAndInfrastructure"]' >> $GITHUB_OUTPUT
+          fi
   push:
     runs-on: ubuntu-latest
-    needs: build
+    needs: [build, define-matrix]
     permissions:
       id-token: write
     strategy:
       matrix:
-        aws-role:
-          - arn:aws:iam::820242920762:role/GithubDeployMavisAndInfrastructure
-          - arn:aws:iam::393416225559:role/GithubDeployMavisAndInfrastructure
+        aws-role: ${{ fromJSON(needs.determine-aws-roles.outputs.aws-roles) }}
     steps:
       - name: Download Docker image
         uses: actions/download-artifact@v4
