git-mirrors/continuwuity
1
0
Fork 0
mirror of https://forgejo.ellis.link/continuwuation/continuwuity.git synced 2025-09-10 00:23:03 +02:00
Code Issues Projects Releases Packages Wiki Activity

fix(ci): Resolve registry push failures for fork PRs

Browse source 
Fork PRs now fail during Docker image build with 'tag is needed when
pushing to registry' because BUILTIN_REGISTRY_ENABLED evaluates to false
without proper credentials, leaving the images list empty. This appears
to be due to recent Forgejo permission changes affecting fork access to
repository secrets.

Add fallback to official registry when credentials unavailable, skip
registry login and push operations for forks, and make merge job
conditional since no digests exist without push. This allows forks to
test Docker builds whilst avoiding authentication failures.
This commit is contained in:
Tom Foster 2025-09-07 17:08:36 +01:00
commit 84fdcd326a
1 changed files with 11 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

12
.forgejo/workflows/release-image.yml
View file

@ -53,6 +53,9 @@ jobs:
let images = [] let images = []
if (process.env.BUILTIN_REGISTRY_ENABLED === "true") { if (process.env.BUILTIN_REGISTRY_ENABLED === "true") {
images.push(builtinImage) images.push(builtinImage)
} else {
// Fallback to official registry for forks/PRs without credentials
images.push('forgejo.ellis.link/continuwuation/continuwuity')
} }
core.setOutput('images', images.join("\n")) core.setOutput('images', images.join("\n"))
core.setOutput('images_list', images.join(",")) core.setOutput('images_list', images.join(","))
@ -111,6 +114,7 @@ jobs:
uses: docker/setup-qemu-action@v3 uses: docker/setup-qemu-action@v3
# Uses the `docker/login-action` action to log in to the Container registry registry using the account and password that will publish the packages. Once published, the packages are scoped to the account defined here. # Uses the `docker/login-action` action to log in to the Container registry registry using the account and password that will publish the packages. Once published, the packages are scoped to the account defined here.
- name: Login to builtin registry - name: Login to builtin registry
if: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' }}
uses: docker/login-action@v3 uses: docker/login-action@v3
with: with:
registry: ${{ env.BUILTIN_REGISTRY }} registry: ${{ env.BUILTIN_REGISTRY }}
@ -207,7 +211,7 @@ jobs:
cache-from: type=gha cache-from: type=gha
# cache-to: type=gha,mode=max # cache-to: type=gha,mode=max
sbom: true sbom: true
outputs: type=image,"name=${{ needs.define-variables.outputs.images_list }}",push-by-digest=true,name-canonical=true,push=true outputs: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' && format('type=image,"name={0}",push-by-digest=true,name-canonical=true,push=true', needs.define-variables.outputs.images_list) || 'type=docker' }}
env: env:
SOURCE_DATE_EPOCH: ${{ env.TIMESTAMP }} SOURCE_DATE_EPOCH: ${{ env.TIMESTAMP }}
@ -249,6 +253,7 @@ jobs:
needs: [define-variables, build-image] needs: [define-variables, build-image]
steps: steps:
- name: Download digests - name: Download digests
if: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' }}
uses: forgejo/download-artifact@v4 uses: forgejo/download-artifact@v4
with: with:
path: /tmp/digests path: /tmp/digests
@ -256,6 +261,7 @@ jobs:
merge-multiple: true merge-multiple: true
# Uses the `docker/login-action` action to log in to the Container registry registry using the account and password that will publish the packages. Once published, the packages are scoped to the account defined here. # Uses the `docker/login-action` action to log in to the Container registry registry using the account and password that will publish the packages. Once published, the packages are scoped to the account defined here.
- name: Login to builtin registry - name: Login to builtin registry
if: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' }}
uses: docker/login-action@v3 uses: docker/login-action@v3
with: with:
registry: ${{ env.BUILTIN_REGISTRY }} registry: ${{ env.BUILTIN_REGISTRY }}
@ -263,6 +269,7 @@ jobs:
password: ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }} password: ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}
- name: Set up Docker Buildx - name: Set up Docker Buildx
if: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' }}
uses: docker/setup-buildx-action@v3 uses: docker/setup-buildx-action@v3
with: with:
# Use persistent BuildKit if BUILDKIT_ENDPOINT is set (e.g. tcp://buildkit:8125) # Use persistent BuildKit if BUILDKIT_ENDPOINT is set (e.g. tcp://buildkit:8125)
@ -270,6 +277,7 @@ jobs:
endpoint: ${{ env.BUILDKIT_ENDPOINT || '' }} endpoint: ${{ env.BUILDKIT_ENDPOINT || '' }}
- name: Extract metadata (tags) for Docker - name: Extract metadata (tags) for Docker
if: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' }}
id: meta id: meta
uses: docker/metadata-action@v5 uses: docker/metadata-action@v5
with: with:
@ -287,6 +295,7 @@ jobs:
DOCKER_METADATA_ANNOTATIONS_LEVELS: index DOCKER_METADATA_ANNOTATIONS_LEVELS: index
- name: Create manifest list and push - name: Create manifest list and push
if: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' }}
working-directory: /tmp/digests working-directory: /tmp/digests
env: env:
IMAGES: ${{needs.define-variables.outputs.images}} IMAGES: ${{needs.define-variables.outputs.images}}
@ -304,6 +313,7 @@ jobs:
done done
- name: Inspect image - name: Inspect image
if: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' }}
env: env:
IMAGES: ${{needs.define-variables.outputs.images}} IMAGES: ${{needs.define-variables.outputs.images}}
shell: bash shell: bash