@@ -968,7 +968,7 @@ jobs:
968968needs :changes
969969# We always build the dylibs on Go changes to verify we're not merging unbuildable code,
970970# but they need only be signed and uploaded on coder/coder main.
971- if :true
971+ if :needs.changes.outputs.go == ' true' || needs.changes.outputs.ci == 'true' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release/')
972972runs-on :${{ github.repository_owner == 'coder' && 'depot-macos-latest' || 'macos-latest' }}
973973steps :
974974# Harden Runner doesn't work on macOS
@@ -996,7 +996,7 @@ jobs:
996996uses :./.github/actions/setup-go
997997
998998 -name :Install rcodesign
999- if :true
999+ if :${{ github.repository_owner == 'coder' && github.ref == 'refs/heads/main' }}
10001000run :|
10011001 set -euo pipefail
10021002 wget -O /tmp/rcodesign.tar.gz https://github.com/indygreg/apple-platform-rs/releases/download/apple-codesign%2F0.22.0/apple-codesign-0.22.0-macos-universal.tar.gz
@@ -1033,7 +1033,7 @@ jobs:
10331033AC_CERTIFICATE_PASSWORD_FILE :/tmp/apple_cert_password.txt
10341034
10351035 -name :Upload build artifacts
1036- if :true
1036+ if :${{ github.repository_owner == 'coder' && github.ref == 'refs/heads/main' }}
10371037uses :actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
10381038with :
10391039name :dylibs
@@ -1093,7 +1093,7 @@ jobs:
10931093needs :
10941094 -changes
10951095 -build-dylib
1096- if :true
1096+ if :(github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release/')) && needs.changes.outputs.docs-only == 'false' && !github.event.pull_request.head.repo.fork
10971097runs-on :${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-22.04' }}
10981098permissions :
10991099# Necessary to push docker images to ghcr.io.
@@ -1260,7 +1260,7 @@ jobs:
12601260 make build/coder_"$version"_linux_{amd64,arm64,armv7}.tag
12611261
12621262 # only push if we are on main branch or release branch
1263- iffalse ; then
1263+ if[[ "${GITHUB_REF}" == "refs/heads/main" || "${GITHUB_REF}" == refs/heads/release/* ]] ; then
12641264 # build and push multi-arch manifest, this depends on the other images
12651265 # being pushed so will automatically push them
12661266 # note: omitting the -j argument to avoid race conditions when pushing
@@ -1479,11 +1479,14 @@ jobs:
14791479deploy :
14801480needs :
14811481 -changes
1482- # - build
1483- if :true
1482+ -build
1483+ if :|
1484+ (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release/'))
1485+ && needs.changes.outputs.docs-only == 'false'
1486+ && !github.event.pull_request.head.repo.fork
14841487uses :./.github/workflows/deploy.yaml
14851488with :
1486- image :ghcr.io/coder/coder-preview:2.26.0-devel-d5e433119
1489+ image :${{ needs.build.outputs.IMAGE }}
14871490permissions :
14881491contents :read
14891492id-token :write