From 82d74bd8febd8318014a78c859b1e2b59079d737 Mon Sep 17 00:00:00 2001
From: nurdotnet <278048682+nurdotnet@users.noreply.github.com>
Date: Thu, 23 Apr 2026 16:45:28 +0500
Subject: [PATCH] =?UTF-8?q?ci(forgejo/docker):=20drop=20ghcr=20push=20?= =?UTF-8?q?=E2=80=94=20Forgejo=20GITHUB=5FTOKEN=20can't=20auth=20to=20ghcr?= =?UTF-8?q?.io?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Forgejo Actions synthesizes a GITHUB_TOKEN for the Forgejo API, not github.com. Using it to docker-login to ghcr.io always fails (401). Forgejo side is the new primary — push to the local registry only. ghcr.io mirroring, if ever wanted, will go through a separate job with an explicit GitHub PAT in GHCR_TOKEN secret.
---
 .forgejo/workflows/docker.yml | 70 +++--------------------------------
 1 file changed, 5 insertions(+), 65 deletions(-)
diff --git a/.forgejo/workflows/docker.yml b/.forgejo/workflows/docker.yml
index 998c15c..711d38d 100644
--- a/.forgejo/workflows/docker.yml
+++ b/.forgejo/workflows/docker.yml
@@ -11,13 +11,9 @@ on:
 - 'src/food-market.infrastructure/**'
 - 'src/food-market.shared/**'
 - 'deploy/**'
- - '.github/workflows/docker.yml'
+ - '.forgejo/workflows/docker.yml'
 workflow_dispatch:
-permissions:
- contents: read
- packages: write
-
 env:
 LOCAL_REGISTRY: 127.0.0.1:5001
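Review bot: Removing the whole `permissions:` block also drops `contents: read`, so the workflow no longer states any bound on the job token; only `packages: write` was tied to the ghcr push. Whether the Forgejo runner enforces `permissions:` is not visible from this patch. If it does, keep `permissions:` with `contents: read`; if it does not, a comment such as `# token scope: Forgejo default; no package write needed (local registry only)` records the intent for the next reviewer.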
@@ -28,44 +24,15 @@ jobs:
 steps:
 - uses: actions/checkout@v4
- - name: Login to ghcr
- env:
- TOKEN: ${{ secrets.GITHUB_TOKEN }}
- ACTOR: ${{ github.actor }}
- run: |
- for i in 1 2 3 4 5; do
- if echo "$TOKEN" | docker login ghcr.io -u "$ACTOR" --password-stdin; then
- exit 0
- fi
- echo "login attempt $i failed, retrying in 15s"
- sleep 15
- done
- exit 1
-
 - name: Build + push api
 env:
- OWNER: ${{ github.repository_owner }}
 SHA: ${{ github.sha }}
 run: |
 docker build -f deploy/Dockerfile.api \
 -t $LOCAL_REGISTRY/food-market-api:$SHA \
- -t $LOCAL_REGISTRY/food-market-api:latest \
- -t ghcr.io/$OWNER/food-market-api:$SHA \
- -t ghcr.io/$OWNER/food-market-api:latest .
-
- # Push to LOCAL registry first (deploy depends on it) — it's on localhost, reliable.
+ -t $LOCAL_REGISTRY/food-market-api:latest .
 for tag in $SHA latest; do
- docker push $LOCAL_REGISTRY/food-market-api:$tag || { echo "local push $tag failed"; exit 1; }
- done
-
- # Push to ghcr.io as off-site backup. Flaky on KZ network — retry, but don't fail the job.
- for tag in $SHA latest; do
- for i in 1 2 3 4 5; do
- if docker push ghcr.io/$OWNER/food-market-api:$tag; then break; fi
- echo "ghcr push $tag attempt $i failed, retrying in 15s"
- sleep 15
- [ $i -eq 5 ] && echo "::warning::ghcr push $tag failed after 5 attempts — local registry still has the image"
- done
+ docker push $LOCAL_REGISTRY/food-market-api:$tag
 done
 web:
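Review bot: The new `docker push $LOCAL_REGISTRY/food-market-api:$tag` line has lost the `|| { …; exit 1; }` guard the old loop carried, so a failed push of the `$SHA` tag fails the step only if the runner's shell runs with `-e`, which nothing in the visible lines sets. The removed comment said deploy depends on this push, so make the failure explicit: `docker push "$LOCAL_REGISTRY/food-market-api:$tag" || exit 1`, or `set -euo pipefail` as the first line of `run:`, with the variables quoted. The `web` job's push loop in the next hunk has the same gap.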
@@ -74,40 +41,13 @@ jobs:
 steps:
 - uses: actions/checkout@v4
- - name: Login to ghcr
- env:
- TOKEN: ${{ secrets.GITHUB_TOKEN }}
- ACTOR: ${{ github.actor }}
- run: |
- for i in 1 2 3 4 5; do
- if echo "$TOKEN" | docker login ghcr.io -u "$ACTOR" --password-stdin; then
- exit 0
- fi
- echo "login attempt $i failed, retrying in 15s"
- sleep 15
- done
- exit 1
-
 - name: Build + push web
 env:
- OWNER: ${{ github.repository_owner }}
 SHA: ${{ github.sha }}
 run: |
 docker build -f deploy/Dockerfile.web \
 -t $LOCAL_REGISTRY/food-market-web:$SHA \
- -t $LOCAL_REGISTRY/food-market-web:latest \
- -t ghcr.io/$OWNER/food-market-web:$SHA \
- -t ghcr.io/$OWNER/food-market-web:latest .
-
+ -t $LOCAL_REGISTRY/food-market-web:latest .
 for tag in $SHA latest; do
- docker push $LOCAL_REGISTRY/food-market-web:$tag || { echo "local push $tag failed"; exit 1; }
- done
-
- for tag in $SHA latest; do
- for i in 1 2 3 4 5; do
- if docker push ghcr.io/$OWNER/food-market-web:$tag; then break; fi
- echo "ghcr push $tag attempt $i failed, retrying in 15s"
- sleep 15
- [ $i -eq 5 ] && echo "::warning::ghcr push $tag failed after 5 attempts — local registry still has the image"
- done
+ docker push $LOCAL_REGISTRY/food-market-web:$tag
 done
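Review bot: With the ghcr tags gone, `$LOCAL_REGISTRY` (127.0.0.1:5001) becomes the only store for these images, and no `docker login` to it appears in the visible steps, so the pushes look unauthenticated and the mutable `latest` tag has no integrity anchor. If deploy resolves `latest`, consider having it pull the `$SHA` tag or an image digest instead. The trust assumption could be noted next to the push, e.g. `# local registry is unauthenticated and the only copy; deploy must pull by $SHA`. The deploy workflow and registry configuration are outside this patch, so this is a point to confirm rather than a confirmed defect.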