From c35db0ffa0d29534571b344f48d19162fcae7707 Mon Sep 17 00:00:00 2001
From: penguin <penguin@epenguin.net>
Date: Mon, 8 Dec 2025 19:42:09 -0600
Subject: [PATCH] infra: image: protect :latest tag so only the default branch
 can push to it

infra: image: fix hard coded image name
---
 .gitea/workflows/gentoo-utils.yml | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/.gitea/workflows/gentoo-utils.yml b/.gitea/workflows/gentoo-utils.yml
index 7a91fe8..dd74570 100644
--- a/.gitea/workflows/gentoo-utils.yml
+++ b/.gitea/workflows/gentoo-utils.yml
@@ -16,6 +16,13 @@ jobs:
         id: image-changes
         run: |
           echo "branch_name=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> $GITEA_OUTPUT
+
+          if [[ "${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" == "${{ gitea.event.repository.default_branch }}" ]]; then
+            echo "image_tag=latest"
+          else
+            echo "image_tag=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}"
+          fi
+
           if ! git diff ${{ gitea.event.before }} ${{ gitea.sha }} --no-patch --exit-code .docker; then
             echo changes_detected=true >> $GITEA_OUTPUT
           else
@@ -39,13 +46,13 @@ jobs:
         uses: docker/build-push-action@v6
         with:
           push: true
-          tags: git.epenguin.net/${{ gitea.repository }}:latest
+          tags: git.epenguin.net/${{ gitea.repository }}:${{ steps.image-changes.outputs.image_tag }}
           context: "{{defaultContext}}:.docker"
 
   build:
     runs-on: brutalisk
     container:
-      image: git.epenguin.net/gentoo-utils/gentoo-utils-gitea:latest
+      image: git.epenguin.net/${{ gitea.repository }}:${{ steps.image-changes.outputs.image_tag }}
     needs: build-oci-image
     steps:
       - name: Checkout repo