From 11223d7aa2f43b11cddb7f83bfd72c2d0abfa78c Mon Sep 17 00:00:00 2001
From: Daniel Sutton <dansutton@trigger.dev>
Date: Wed, 10 Jun 2026 09:45:29 +0100
Subject: [PATCH 1/2] ci: make the main-image dispatch repo and ref
 configurable

The dispatch-main-image gate was hardcoded to triggerdotdev/trigger.dev on
the main ref. Make both overridable via the MAIN_IMAGE_DISPATCH_REPO and
MAIN_IMAGE_DISPATCH_REF_PREFIX repository variables, each defaulting to the
current value so behaviour is unchanged.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 .github/workflows/publish.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 3426690fc5..f970a189d0 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -122,7 +122,7 @@ jobs:
   dispatch-main-image:
     name: 📣 Dispatch main image
     needs: [publish-webapp]
-    if: github.repository == 'triggerdotdev/trigger.dev' && needs.publish-webapp.outputs.version == 'main'
+    if: github.repository == (vars.MAIN_IMAGE_DISPATCH_REPO || 'triggerdotdev/trigger.dev') && startsWith(github.ref_name, vars.MAIN_IMAGE_DISPATCH_REF_PREFIX || 'main')
     runs-on: ubuntu-latest
     permissions: {}
     steps:

From 16da77419494a57d94ec8bf9e2c6b50561cff54c Mon Sep 17 00:00:00 2001
From: Daniel Sutton <dansutton@trigger.dev>
Date: Wed, 10 Jun 2026 10:45:36 +0100
Subject: [PATCH 2/2] ci: gate main-image dispatch on push events and make
 target configurable
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Addresses review feedback:

- The startsWith(github.ref_name, ...) gate would fire during release builds:
  release.yml invokes publish.yml via workflow_call with an explicit image_tag
  while github.ref_name is still `main`, so the job ran without CROSS_REPO_PAT
  and failed the release pipeline. Gate on github.event_name == 'push' — the
  intended paths (push to main, push of build-* tags) are push events; the
  release path is pull_request/workflow_dispatch. A version-equality check
  can't be used because build-* tags strip the prefix to the version output.
- Make the dispatch target overridable via MAIN_IMAGE_DISPATCH_TARGET,
  defaulting to triggerdotdev/cloud.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 .github/workflows/publish.yml | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index f970a189d0..2f2744c770 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -116,13 +116,18 @@ jobs:
       image-ref: ${{ needs.publish-webapp.outputs.image_repo }}:${{ needs.publish-webapp.outputs.version }}
 
   # Announce the freshly published mutable `main` webapp image to subscriber
-  # repos in the org via repository_dispatch, handing them a digest-pinned ref to
-  # build or deploy from. Fires only for the `main` tag — never semver releases or
-  # other tag builds — and only from the canonical repo (forks have no PAT).
+  # repos via repository_dispatch, handing them a digest-pinned ref to build or
+  # deploy from. The repo, ref prefix, and dispatch target all default to the
+  # canonical values and can be overridden by repository variables.
+  #
+  # `push` only: release builds reach publish.yml via workflow_call (from
+  # release.yml) with an explicit image_tag while github.ref_name is still
+  # `main`, so gate on the event to avoid dispatching — and failing on the
+  # absent CROSS_REPO_PAT — during a release.
   dispatch-main-image:
     name: 📣 Dispatch main image
     needs: [publish-webapp]
-    if: github.repository == (vars.MAIN_IMAGE_DISPATCH_REPO || 'triggerdotdev/trigger.dev') && startsWith(github.ref_name, vars.MAIN_IMAGE_DISPATCH_REF_PREFIX || 'main')
+    if: github.repository == (vars.MAIN_IMAGE_DISPATCH_REPO || 'triggerdotdev/trigger.dev') && github.event_name == 'push' && startsWith(github.ref_name, vars.MAIN_IMAGE_DISPATCH_REF_PREFIX || 'main')
     runs-on: ubuntu-latest
     permissions: {}
     steps:
@@ -153,6 +158,6 @@ jobs:
         uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
         with:
           token: ${{ secrets.CROSS_REPO_PAT }}
-          repository: triggerdotdev/cloud
+          repository: ${{ vars.MAIN_IMAGE_DISPATCH_TARGET || 'triggerdotdev/cloud' }}
           event-type: main-image-published
           client-payload: ${{ steps.payload.outputs.client_payload }}