CI: use forge-managed registry auth (github.token)
cebfc36 · gmorell · 2026-06-25 17:31
Message
{commit_body(@commit)}
Files changed
modified
.forgejo/workflows/build.yml
+11
−5
@@ -12,16 +12,22 @@ jobs:
| 12 | 12 | |
| 13 | 13 | - uses: docker/setup-buildx-action@v3 |
| 14 | 14 | |
| 15 | + # Forge-managed registry auth: the per-job token (github.token) is | |
| 16 | + # accepted by /v2/token and authorized to push this repo's own | |
| 17 | + # image — no stored creds. The username is ignored by the token | |
| 18 | + # endpoint but login-action requires it to be non-empty. | |
| 15 | 19 | - uses: docker/login-action@v3 |
| 16 | 20 | with: |
| 17 | 21 | registry: ${{ vars.CI_REGISTRY }} |
| 18 | − username: ${{ secrets.CI_REGISTRY_USER }} | |
| 19 | − password: ${{ secrets.CI_REGISTRY_PASSWORD }} | |
| 22 | + username: gitgud-actions | |
| 23 | + password: ${{ github.token }} | |
| 20 | 24 | |
| 21 | 25 | - uses: docker/metadata-action@v5 |
| 22 | 26 | id: meta |
| 23 | 27 | with: |
| 24 | − images: ${{ vars.CI_REGISTRY_IMAGE }} | |
| 28 | + # Push to the job's OWN repo path (ggr.neiam.co/<owner>/<repo>); | |
| 29 | + # the per-job token only grants push there. | |
| 30 | + images: ${{ vars.CI_REGISTRY }}/${{ github.repository }} | |
| 25 | 31 | tags: | |
| 26 | 32 | type=sha,format=long |
| 27 | 33 | type=ref,event=branch |
@@ -34,5 +40,5 @@ jobs:
| 34 | 40 | push: true |
| 35 | 41 | tags: ${{ steps.meta.outputs.tags }} |
| 36 | 42 | labels: ${{ steps.meta.outputs.labels }} |
| 37 | − cache-from: type=registry,ref=${{ vars.CI_REGISTRY_IMAGE }}:buildcache | |
| 38 | − cache-to: type=registry,ref=${{ vars.CI_REGISTRY_IMAGE }}:buildcache,mode=max | |
| 43 | + cache-from: type=registry,ref=${{ vars.CI_REGISTRY }}/${{ github.repository }}:buildcache | |
| 44 | + cache-to: type=registry,ref=${{ vars.CI_REGISTRY }}/${{ github.repository }}:buildcache,mode=max |
Parents: 12c8ec4