From e797d1d22359f8099a36ddc43fd30b7b72ccf24a Mon Sep 17 00:00:00 2001
From: Michael Skalka
Date: Mon, 3 Feb 2025 12:30:53 -0500
Subject: [PATCH 1/2] fix(agentless): force lowercase for agentless tags

---
 .github/workflows/agentless-container.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/agentless-container.yaml b/.github/workflows/agentless-container.yaml
index 802e0ebf..5d4774ca 100644
--- a/.github/workflows/agentless-container.yaml
+++ b/.github/workflows/agentless-container.yaml
@@ -55,6 +55,7 @@ jobs:
 for version in $TEST_VERSIONS; do
 TAGS+="-t ${{ env.REGISTRY }}/${{env.IMAGE_NAME}}/agentless:$version "
 done
+ TAGS=$(echo $TAGS | tr '[:upper:]' '[:lower:]')
 docker buildx build --push --platform linux/amd64,linux/arm64 $TAGS --metadata-file=metadata.json -f ../containers/agentless/Dockerfile ../containers/agentless

From 01b7d266c18cfb13da98e8643bf3bc1dcaad201b Mon Sep 17 00:00:00 2001
From: Michael Skalka
Date: Mon, 3 Feb 2025 12:45:58 -0500
Subject: [PATCH 2/2] feat(agentless): only push agent containers on merges to main

---
 .github/workflows/agentless-container.yaml | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/agentless-container.yaml b/.github/workflows/agentless-container.yaml
index 5d4774ca..28c9bbb4 100644
--- a/.github/workflows/agentless-container.yaml
+++ b/.github/workflows/agentless-container.yaml
@@ -2,6 +2,12 @@ name: Build and push agentless container image
 # Configures this workflow to run every time a tag is created
 on:
+ pull_request:
+ branches:
+ - main
+ paths:
+ - containers/agentless/**
+ - .github/workflows/agentless-container.yaml
 push:
 branches:
 - main
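Review bot: The added `TAGS=$(echo $TAGS | tr '[:upper:]' '[:lower:]')` line feeds an unquoted string that begins with `-t` to `echo`, which only works because bash's builtin `echo` does not recognise `-t` as an option; a different `shell:` or a version string starting with `-n`/`-e` would silently lose text. Bash's own case conversion avoids the subshell and the `echo` entirely: `TAGS=${TAGS,,}`. Note the lowercasing also applies to every `$version` value from `TEST_VERSIONS`, which is presumably intended but worth stating in a comment such as `# ghcr rejects uppercase in image paths; lowercase the whole -t list (registry, repo and version)`. The `run:` step this hunk belongs to starts before the hunk, so I cannot see where `TEST_VERSIONS`, `REGISTRY` and `IMAGE_NAME` come from.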
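Review bot: The header comment `# Configures this workflow to run every time a tag is created` is now wrong for the triggers directly beneath it, which are pull requests against `main` (path-filtered) and pushes to `main`; I would replace it with `# Build on pull requests against main that touch the agentless container; build and push on pushes to main`. Using `pull_request` rather than `pull_request_target` is the right call for a workflow that executes a PR-supplied Dockerfile, since fork PRs then run with a read-only `GITHUB_TOKEN` and no secrets. The job's `permissions` block is outside this hunk, so please confirm that `packages: write` / `id-token: write` are scoped to the job and that the build step tolerates the read-only token on PR runs rather than failing at registry login.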
@@ -57,7 +63,10 @@ jobs:
 done
 TAGS=$(echo $TAGS | tr '[:upper:]' '[:lower:]')
- docker buildx build --push --platform linux/amd64,linux/arm64 $TAGS --metadata-file=metadata.json -f ../containers/agentless/Dockerfile ../containers/agentless
+ # GITHUB_BASE_REF is only set when the action source event is a pull request.
+ # in that case don't push.
+ export PUSH=$(if [ -z ${GITHUB_BASE_REF+x} ]; then echo "--push"; else echo ""; fi)
+ docker buildx build $PUSH --platform linux/amd64,linux/arm64 $TAGS --metadata-file=metadata.json -f ../containers/agentless/Dockerfile ../containers/agentless
 cat metadata.json
 echo "digest=$(cat metadata.json | jq -r .\"containerimage.digest\")" >> $GITHUB_OUTPUT
@@ -66,6 +75,7 @@ jobs:
 # This step generates an artifact attestation for the image, which is an unforgeable statement about where and how it was built. It increases supply chain security for people who consume the image. For more information, see [AUTOTITLE](/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds).
 - name: Generate artifact attestation
 uses: actions/attest-build-provenance@v2
+ if: ${{ env.GITHUB_BASE_REF != '' }}
 with:
 subject-name: ${{ env.REGISTRY }}/${{env.IMAGE_NAME}}/agentless
 subject-digest: ${{ steps.build.outputs.digest }}
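Review bot: The push decision `[ -z ${GITHUB_BASE_REF+x} ]` tests whether the variable is *unset*, but on push-triggered runs the runner appears to export `GITHUB_BASE_REF` as an empty string (env dumps show `GITHUB_BASE_REF=`); if that holds here, `${GITHUB_BASE_REF+x}` expands to `x` on `main` as well and the image is never pushed. The expansion is also unquoted, so the "unset" branch reduces to the one-argument `[ -z ]`, which is true only by accident of POSIX test semantics. A check on the event name is unambiguous and needs no `export`: `PUSH=""; if [ "$GITHUB_EVENT_NAME" = "push" ]; then PUSH="--push"; fi`. Separately, without `--push` (or `--load`) buildx may not record `containerimage.digest` in `metadata.json`, so the `digest=` output on PR runs is probably `null`; the run step continues outside this hunk.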
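Review bot: The new `if: ${{ env.GITHUB_BASE_REF != '' }}` on the attestation step reads the `env` context, which only contains variables declared with `env:` in the workflow; the runner-provided `GITHUB_BASE_REF` is not in it, so the expression compares an empty value and the step is skipped on every event, including merges to `main`. Even if it resolved, the condition is inverted for the stated goal: it would run provenance generation on pull requests, where nothing was pushed and the digest may be empty, and skip it on `main`, where the pushed image is the one that needs an attestation. Gate it on the event instead: `if: ${{ github.event_name == 'push' }}`. This also avoids attempting an attestation on fork PRs, where `id-token: write` is unavailable.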