ci(release-gateway): authenticate to ghcr.io with GHCR_PAT instead of… #5
| name: release-gateway | |
| on: | |
| push: | |
| branches: [main, feat/external-compute-driver-socket] | |
| paths: | |
| - 'crates/**' | |
| - 'proto/**' | |
| - 'Cargo.toml' | |
| - 'Cargo.lock' | |
| - 'Dockerfile.gateway' | |
| - '.github/workflows/release-gateway.yml' | |
| workflow_dispatch: | |
| permissions: | |
| contents: read | |
| packages: write | |
| jobs: | |
| image: | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 60 | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| # Authenticate to ghcr.io with a fork-owned classic PAT instead of the | |
| # workflow's auto-issued GITHUB_TOKEN. The auto-token's package-write | |
| # access depends on the target package being linked to this repo, which | |
| # breaks if the repo is ever recreated (the package becomes orphaned and | |
| # the token is denied). The PAT is scoped to write:packages on the | |
| # st-gr account and is independent of the repo→package linkage; pushes | |
| # re-establish the link automatically. | |
| - name: Log in to GHCR | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: st-gr | |
| password: ${{ secrets.GHCR_PAT }} | |
| - name: Lowercase repo owner | |
| id: repo | |
| run: echo "lower=$(echo '${{ github.repository_owner }}' | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_OUTPUT" | |
| - name: Tag set | |
| id: tags | |
| run: | | |
| set -e | |
| BRANCH="${GITHUB_REF_NAME//\//-}" | |
| { | |
| echo "tags<<EOF" | |
| echo "ghcr.io/${{ steps.repo.outputs.lower }}/openshell-gateway:${{ github.sha }}" | |
| if [ "$GITHUB_REF" = "refs/heads/main" ]; then | |
| echo "ghcr.io/${{ steps.repo.outputs.lower }}/openshell-gateway:latest" | |
| else | |
| echo "ghcr.io/${{ steps.repo.outputs.lower }}/openshell-gateway:branch-${BRANCH}" | |
| fi | |
| echo "EOF" | |
| } >> "$GITHUB_OUTPUT" | |
| - name: Build and push | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| file: Dockerfile.gateway | |
| push: true | |
| tags: ${{ steps.tags.outputs.tags }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max |
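Review bot: With the "Log in to GHCR" step now using `secrets.GHCR_PAT`, the top-level `permissions:` block still grants `packages: write` to the auto-issued GITHUB_TOKEN, which no visible step uses for the push any more (the `type=gha` cache goes through the Actions cache, not the package registry); the block can be reduced to `contents: read`. The classic PAT outlives the per-run token and, per the comment, carries `write:packages` for the whole st-gr account rather than for one package, so the actions that run with it should be pinned more tightly. `docker/login-action@v3` and `docker/build-push-action@v6` are mutable tags; pinning each to a commit, e.g. `uses: docker/login-action@<full-commit-sha>  # v3` (placeholder), stops a retagged release from running with the stored registry credential. The comment above the login step should also record the PAT's expiry and rotation owner. `username: st-gr` is fixed while the image namespace comes from `github.repository_owner`, so a run under another owner would presumably fail at push; a one-line comment saying so would save debugging.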