fix: authenticate to container registry with a package-scoped PAT
Build and publish container / build (pull_request) Successful in 2m7s
The auto-provided GITEA_TOKEN does not carry container registry write permission on most Gitea instances, causing docker login to fail with "unauthorized". Use a Personal Access Token supplied via the PACKAGES_TOKEN secret, with the package namespace owner as the username.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@@ -23,13 +23,16 @@ jobs:
|
|||||||
- name: Set up Buildx
|
- name: Set up Buildx
|
||||||
uses: docker/setup-buildx-action@v3
|
uses: docker/setup-buildx-action@v3
|
||||||
|
|
||||||
|
# Uses a Personal Access Token with package read/write scope, stored as
|
||||||
|
# the PACKAGES_TOKEN secret. The auto-provided GITEA_TOKEN does not carry
|
||||||
|
# container-registry write permission on most Gitea instances.
|
||||||
- name: Log in to the Gitea container registry
|
- name: Log in to the Gitea container registry
|
||||||
if: github.event_name != 'pull_request'
|
if: github.event_name != 'pull_request'
|
||||||
uses: docker/login-action@v3
|
uses: docker/login-action@v3
|
||||||
with:
|
with:
|
||||||
registry: ${{ env.REGISTRY }}
|
registry: ${{ env.REGISTRY }}
|
||||||
username: ${{ github.actor }}
|
username: ${{ github.repository_owner }}
|
||||||
password: ${{ secrets.GITEA_TOKEN }}
|
password: ${{ secrets.PACKAGES_TOKEN }}
|
||||||
|
|
||||||
- name: Extract image metadata
|
- name: Extract image metadata
|
||||||
id: meta
|
id: meta
|
||||||
|
|||||||
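Review bot: the `username: ${{ github.repository_owner }}` line in the login step assumes the token in `PACKAGES_TOKEN` was issued to the namespace owner, while the README text added in this same commit only asks for "an account with write access to the target package namespace". On an organization-owned repository those are two different names, since a Personal Access Token belongs to a user account. Either read the username from configuration next to the token (a second secret or variable, name to be chosen) or state in the comment above the step that the token must be created under the owner account. The unchanged `if: github.event_name != 'pull_request'` guard is what keeps this long-lived credential out of pull request runs, so the comment should mention that it must stay.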
@@ -46,9 +46,14 @@ docker run --rm -p 8080:8080 dlr
|
|||||||
|
|
||||||
`.gitea/workflows/build-and-publish.yml` builds the container with Gitea Actions
|
`.gitea/workflows/build-and-publish.yml` builds the container with Gitea Actions
|
||||||
and publishes it to this Gitea instance's container registry on pushes to `main`
|
and publishes it to this Gitea instance's container registry on pushes to `main`
|
||||||
and on `v*` tags. Pull requests build the image but do not push. Authentication
|
and on `v*` tags. Pull requests build the image but do not push. The registry
|
||||||
uses the automatically provided `GITEA_TOKEN`; the registry host is derived from
|
host is derived from the Gitea server URL.
|
||||||
the Gitea server URL.
|
|
||||||
|
Authentication requires a Personal Access Token with package read/write scope,
|
||||||
|
because the automatically provided `GITEA_TOKEN` does not carry container
|
||||||
|
registry write permission on most Gitea instances. Create the token under an
|
||||||
|
account with write access to the target package namespace, then store it as a
|
||||||
|
repository Actions secret named `PACKAGES_TOKEN`.
|
||||||
|
|
||||||
The published image is `<gitea-host>/<owner>/<repo>`, tagged by branch, semver
|
The published image is `<gitea-host>/<owner>/<repo>`, tagged by branch, semver
|
||||||
(for `v*` tags), commit SHA, and `latest` on the default branch.
|
(for `v*` tags), commit SHA, and `latest` on the default branch.
|
||||||
|
|||||||
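Review bot: the new authentication paragraph does not say which username the workflow logs in with, although the commit message states it is the package namespace owner; a reader setting up `PACKAGES_TOKEN` from this README alone cannot tell whose token is expected. Add one sentence tying the token's account to the login username. Since this replaces a per-run `GITEA_TOKEN` with a stored Personal Access Token, the paragraph should also recommend granting the token only the package read/write scope it names and creating it under an account used for publishing rather than a maintainer's personal account, and say who rotates it.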