From 69c52e2875e6ad68fd3c67ec5e6f2850fb9b6d3d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hartmut=20N=C3=B6renberg?=
Date: Mon, 13 Apr 2026 07:13:37 +0200
Subject: [PATCH] ci(release): push images to Gitea registry, drop GHCR secret requirement
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The release-images job failed on every run because GHCR_USERNAME and GHCR_TOKEN are not configured on the Gitea repo — and they don't need to be: Gitea has its own container registry at the same host, reachable with the auto-provisioned GITHUB_TOKEN.

- Derive the registry host from GITHUB_SERVER_URL (the Gitea base URL)
- Log in with $GITHUB_TOKEN + ${{ github.actor }}
- Tag images as //-{app,migrator}:sha-
- Add packages: write permission
- Drop the workflow_call secrets block — no external secrets needed

Consumers (deploy-staging.yml, deploy-prod.yml) that previously pulled from ghcr.io//-app will need to be updated to pull from the Gitea registry next; flagging separately.
---
 .github/workflows/release-image.yml | 34 +++++++++++++++++++----------
 1 file changed, 22 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/release-image.yml b/.github/workflows/release-image.yml
index c851f40..81b329e 100644
--- a/.github/workflows/release-image.yml
+++ b/.github/workflows/release-image.yml
@@ -2,6 +2,9 @@ name: Release Image
 # Reusable workflow: called from ci.yml after all checks pass.
 # Can also be dispatched manually for rebuilds or tag overrides.
+#
+# Pushes to the Gitea container registry (the same host the workflow runs on)
+# using the auto-provisioned GITHUB_TOKEN. No external secrets required.
 on:
   workflow_call:
     inputs:
@@ -9,11 +12,6 @@ on:
         description: Optional tag override, defaults to sha-
         required: false
         type: string
-      secrets:
-        GHCR_USERNAME:
-          required: true
-        GHCR_TOKEN:
-          required: true
   workflow_dispatch:
     inputs:
       image_tag:
@@ -23,6 +21,7 @@ on:
 permissions:
   contents: read
+  packages: write
 jobs:
   build-and-push:
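Review bot: `packages: write` in this file's own `permissions` block is necessary but not sufficient when the workflow is invoked through `workflow_call`; on GitHub Actions a called workflow's token is capped at the calling job's permissions, so the job in ci.yml that calls this workflow (named in the header comment, not part of this diff) also needs `packages: write`, or the push is still refused after this change. Whether Gitea Actions applies the same cap, and whether its `GITHUB_TOKEN` honours `permissions` at all, is worth confirming on the instance before relying on this line; if it does not, the token may already carry push rights and the line is documentation only. Either way a comment above it — `# needed for docker push to the Gitea registry; callers of this reusable workflow must grant it too` — would spare the next reader the same investigation.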
@@ -35,12 +34,22 @@ jobs:
       - name: Set up Docker Buildx
         run: docker buildx create --use --name ci-builder 2>/dev/null || true
-      - name: Login to GHCR
-        # Requires Gitea secrets: GHCR_USERNAME (GitHub username) and
-        # GHCR_TOKEN (GitHub PAT with write:packages scope)
+      - id: registry
+        name: Resolve Gitea registry host
+        # GITHUB_SERVER_URL is the Gitea base URL (e.g. https://gitea.hartmut-noerenberg.com).
+        # Strip the scheme to get the container-registry host.
         run: |
-          echo "${{ secrets.GHCR_TOKEN }}" | \
-            docker login ghcr.io -u "${{ secrets.GHCR_USERNAME }}" --password-stdin
+          host="${GITHUB_SERVER_URL#https://}"
+          host="${host#http://}"
+          echo "host=${host}" >> "$GITHUB_OUTPUT"
+
+      - name: Login to Gitea container registry
+        # GITHUB_TOKEN is auto-provisioned by Gitea Actions for the running
+        # workflow; no manual secret configuration required.
+        run: |
+          echo "${{ secrets.GITHUB_TOKEN }}" | \
+            docker login "${{ steps.registry.outputs.host }}" \
+              -u "${{ github.actor }}" --password-stdin
       - id: vars
         name: Compute image refs
@@ -51,8 +60,9 @@ jobs:
           if [ -z "${image_tag}" ]; then
             image_tag="sha-${GITHUB_SHA}"
           fi
-          echo "app_image=ghcr.io/${owner}/${repo}-app:${image_tag}" >> "$GITHUB_OUTPUT"
-          echo "migrator_image=ghcr.io/${owner}/${repo}-migrator:${image_tag}" >> "$GITHUB_OUTPUT"
+          host="${{ steps.registry.outputs.host }}"
+          echo "app_image=${host}/${owner}/${repo}-app:${image_tag}" >> "$GITHUB_OUTPUT"
+          echo "migrator_image=${host}/${owner}/${repo}-migrator:${image_tag}" >> "$GITHUB_OUTPUT"
       # Guardrail anchor: target: runner
       - name: Build and push app image
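Review bot: The `registry` step strips only the scheme, so a `GITHUB_SERVER_URL` with a trailing slash or a sub-path (a Gitea instance served under a path prefix) leaves `host` as `example.host/prefix`, which `docker login` and every image ref built from it cannot use; adding `host="${host%%/*}"` after the two existing strips keeps just the authority, and `[ -n "${host}" ] || { echo "GITHUB_SERVER_URL not set" >&2; exit 1; }` before the `echo` fails fast instead of emitting an empty `host=` for the later steps to trip over. The login step, and the `vars` step in the following hunk, splice `${{ secrets.GITHUB_TOKEN }}`, `${{ github.actor }}` and `${{ steps.registry.outputs.host }}` into the script text as expressions; passing them through an `env:` block on the step and reading `"$REGISTRY_TOKEN"`, `"$REGISTRY_USER"` and `"$REGISTRY_HOST"` in the script avoids shell-quoting surprises and keeps the token out of the generated script body. The whole change assumes the registry is served on the same host as the web UI, which the new header comment states but nothing verifies; if an instance exposes it on another host the value would need to become a workflow input or repository variable rather than being derived. On a runner that is not discarded after the job, the credential `docker login` writes to `~/.docker/config.json` outlives the workflow, so a closing `docker logout "${{ steps.registry.outputs.host }}"` step with `if: always()` is worth adding.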
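Review bot: Docker repository names must be lowercase, and the two rewritten `echo` lines take `owner` and `repo` from assignments above this hunk (the `vars` step starts outside it); unless they are already lowercased there, a mixed-case owner or repository name yields a ref that `docker push` rejects as an invalid reference format, which `owner="${owner,,}"` and `repo="${repo,,}"` before the new `host=` line would prevent (bash 4+ syntax, so worth confirming the runner's `run:` shell). This predates the commit for ghcr.io, but since the ref construction is being rewritten here it is the natural place to settle it. A short comment on the `host=` line — `# registry host resolved from GITHUB_SERVER_URL by the registry step` — would also tell a reader where the value originates, since the output name alone does not.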