ci: gate Helm chart prerelease publish behind a repository variable

d-cs · claude · d-cs · commit 3f62dcbc293d · 2026-06-15T12:19:55.000+01:00
The prerelease job pushes the packaged chart to oci://ghcr.io/<owner>/charts, which needs write_package on the owner's charts namespace. Forks and private mirrors that lack it fail this job (403 permission_denied) on every PR. Add an ENABLE_HELM_PRERELEASE gate, matching the pattern from #3901: the job runs unless the variable is explicitly 'false', so behaviour is unchanged where it's unset. The lint-and-test job (no push) always runs. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
diff --git a/.github/workflows/helm-prerelease.yml b/.github/workflows/helm-prerelease.yml
@@ -68,10 +68,15 @@ jobs:
 
   prerelease:
     needs: lint-and-test
+    # Set the ENABLE_HELM_PRERELEASE repository variable to 'false' to turn off
+    # publishing the chart to GHCR — e.g. forks/mirrors that lack write_package
+    # on the owner's charts namespace. Defaults to enabled; the lint-and-test
+    # job above always runs regardless.
     if: |
-      (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository) ||
+      vars.ENABLE_HELM_PRERELEASE != 'false' &&
+      ((github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository) ||
       github.event_name == 'push' ||
-      github.event_name == 'workflow_dispatch'
+      github.event_name == 'workflow_dispatch')
     runs-on: ubuntu-latest
     permissions:
       contents: read
