Hartmut/CapaKraken
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

ci(release): push images to Gitea registry, drop GHCR secret requirement
CI / Architecture Guardrails (push) Successful in 3m15s
Details
CI / Typecheck (push) Successful in 4m15s
Details
CI / Assistant Split Regression (push) Successful in 5m0s
Details
CI / Lint (push) Successful in 5m4s
Details
CI / Build (push) Failing after 1m41s
Details
CI / E2E Tests (push) Has been skipped
Details
CI / Fresh-Linux Docker Deploy (push) Has been skipped
Details
CI / Release Images (push) Has been cancelled
Details
CI / Unit Tests (push) Has been cancelled
Details

Browse Source 
The release-images job failed on every run because GHCR_USERNAME and
GHCR_TOKEN are not configured on the Gitea repo — and they don't need
to be: Gitea has its own container registry at the same host, reachable
with the auto-provisioned GITHUB_TOKEN.

- Derive the registry host from GITHUB_SERVER_URL (the Gitea base URL)
- Log in with $GITHUB_TOKEN + ${{ github.actor }}
- Tag images as <gitea-host>/<owner>/<repo>-{app,migrator}:sha-<commit>
- Add packages: write permission
- Drop the workflow_call secrets block — no external secrets needed

Consumers (deploy-staging.yml, deploy-prod.yml) that previously pulled
from ghcr.io/<owner>/<repo>-app will need to be updated to pull from
the Gitea registry next; flagging separately.
This commit is contained in:
Hartmut Nörenberg
2026-04-13 07:13:37 +02:00
parent 0b330fd344
commit 69c52e2875
1 changed files with 22 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/workflows/release-image.yml
+22 -12
View File
@@ -2,6 +2,9 @@ name: Release Image
# Reusable workflow: called from ci.yml after all checks pass.
# Can also be dispatched manually for rebuilds or tag overrides.
#
# Pushes to the Gitea container registry (the same host the workflow runs on)
# using the auto-provisioned GITHUB_TOKEN. No external secrets required.
on:
workflow_call:
inputs:
@@ -9,11 +12,6 @@ on:
description: Optional tag override, defaults to sha-<commit>
required: false
type: string
secrets:
GHCR_USERNAME:
required: true
GHCR_TOKEN:
required: true
workflow_dispatch:
inputs:
image_tag:
@@ -23,6 +21,7 @@ on:
permissions:
contents: read
packages: write
jobs:
build-and-push:
@@ -35,12 +34,22 @@ jobs:
- name: Set up Docker Buildx
run: docker buildx create --use --name ci-builder 2>/dev/null || true
- name: Login to GHCR
# Requires Gitea secrets: GHCR_USERNAME (GitHub username) and
# GHCR_TOKEN (GitHub PAT with write:packages scope)
- id: registry
name: Resolve Gitea registry host
# GITHUB_SERVER_URL is the Gitea base URL (e.g. https://gitea.hartmut-noerenberg.com).
# Strip the scheme to get the container-registry host.
run: |
echo "${{ secrets.GHCR_TOKEN }}" | \
docker login ghcr.io -u "${{ secrets.GHCR_USERNAME }}" --password-stdin
host="${GITHUB_SERVER_URL#https://}"
host="${host#http://}"
echo "host=${host}" >> "$GITHUB_OUTPUT"
- name: Login to Gitea container registry
# GITHUB_TOKEN is auto-provisioned by Gitea Actions for the running
# workflow; no manual secret configuration required.
run: |
echo "${{ secrets.GITHUB_TOKEN }}" | \
docker login "${{ steps.registry.outputs.host }}" \
-u "${{ github.actor }}" --password-stdin
- id: vars
name: Compute image refs
@@ -51,8 +60,9 @@ jobs:
if [ -z "${image_tag}" ]; then
image_tag="sha-${GITHUB_SHA}"
fi
echo "app_image=ghcr.io/${owner}/${repo}-app:${image_tag}" >> "$GITHUB_OUTPUT"
echo "migrator_image=ghcr.io/${owner}/${repo}-migrator:${image_tag}" >> "$GITHUB_OUTPUT"
host="${{ steps.registry.outputs.host }}"
echo "app_image=${host}/${owner}/${repo}-app:${image_tag}" >> "$GITHUB_OUTPUT"
echo "migrator_image=${host}/${owner}/${repo}-migrator:${image_tag}" >> "$GITHUB_OUTPUT"
# Guardrail anchor: target: runner
- name: Build and push app image