From 5cbb05d23156f5741705948468519f561799c508 Mon Sep 17 00:00:00 2001
From: "alex.stanfield" <13949480+chaptersix@users.noreply.github.com>
Date: Fri, 21 Nov 2025 07:39:15 -0600
Subject: [PATCH] Migrate Docker publishing from Docker Hub to GHCR

- Replace Docker Hub authentication with GHCR using GITHUB_TOKEN
- Update image namespace to ghcr.io/chaptersix/temporal-cli
- Remove repository owner checks to enable publishing from fork
- Remove Docker Hub secrets from workflow configuration
---
 .github/docker/docker-bake.hcl | 8 ++++----
 .github/workflows/build-and-publish.yml | 21 +++++++++------------
 .github/workflows/goreleaser.yml | 3 ---
 3 files changed, 13 insertions(+), 19 deletions(-)

diff --git a/.github/docker/docker-bake.hcl b/.github/docker/docker-bake.hcl
index e1818912b..c84ddce33 100644
--- a/.github/docker/docker-bake.hcl
+++ b/.github/docker/docker-bake.hcl
@@ -1,5 +1,5 @@
 variable "IMAGE_REPO" {
- default = "temporalio"
+ default = "ghcr.io/chaptersix"
 }

 variable "IMAGE_SHA_TAG" {}
@@ -27,9 +27,9 @@ target "cli" {
 dockerfile = ".github/docker/cli.Dockerfile"
 context = "."
 tags = compact([
- "${IMAGE_REPO}/temporal:${IMAGE_SHA_TAG}",
- "${IMAGE_REPO}/temporal:${VERSION}",
- TAG_LATEST ? "${IMAGE_REPO}/temporal:latest" : "",
+ "${IMAGE_REPO}/temporal-cli:${IMAGE_SHA_TAG}",
+ "${IMAGE_REPO}/temporal-cli:${VERSION}",
+ TAG_LATEST ? "${IMAGE_REPO}/temporal-cli:latest" : "",
 ])
 platforms = ["linux/amd64", "linux/arm64"]
 args = {
diff --git a/.github/workflows/build-and-publish.yml b/.github/workflows/build-and-publish.yml
index d60fcc37a..d6fb864ca 100644
--- a/.github/workflows/build-and-publish.yml
+++ b/.github/workflows/build-and-publish.yml
@@ -11,11 +11,7 @@ on:
 description: "Version tag for the release (required if publish is true)"
 required: false
 type: string
- secrets:
- DOCKER_USERNAME:
- required: false
- DOCKER_PASSWORD:
- required: false
+ secrets: {}

 jobs:
 build:
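Review bot: The new `IMAGE_REPO` default in the first hunk of `.github/docker/docker-bake.hcl` hard-codes a personal namespace, `ghcr.io/chaptersix`, so any bake run that does not pass `IMAGE_REPO` tags its images under one individual's account instead of the account that owns the repository. That makes an official build and a fork build indistinguishable by configuration, which matters to anyone who pins or verifies the image by name. I would leave the variable without a personal default, in the same form the file already uses for `variable "IMAGE_SHA_TAG" {}`, and let the workflow always pass the value it derives from the repository owner. The second hunk also renames the image from `temporal` to `temporal-cli`, so the old name stops receiving updates; a comment such as `# image renamed from temporal; old tags are no longer updated` above `tags` would record that.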
@@ -84,12 +80,13 @@ jobs:
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v3

- - name: Log in to Docker Hub
- if: inputs.publish && github.repository_owner == 'temporalio'
+ - name: Log in to GitHub Container Registry
+ if: inputs.publish
 uses: docker/login-action@v3
 with:
- username: ${{ secrets.DOCKER_USERNAME }}
- password: ${{ secrets.DOCKER_PASSWORD }}
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}

 - name: Get build metadata
 id: meta
@@ -134,7 +131,7 @@ jobs:
 console.log(`Release prerelease: ${release.prerelease}, tag_latest: ${!release.prerelease}`)

 - name: Build and push Docker image
- if: inputs.publish && github.repository_owner == 'temporalio'
+ if: inputs.publish
 run: |
 docker buildx bake \
 --file .github/docker/docker-bake.hcl \
@@ -146,7 +143,7 @@ jobs:
 IMAGE_BRANCH_TAG: ${{ steps.meta.outputs.image_branch_tag }}
 VERSION: ${{ steps.meta.outputs.version }}
 TAG_LATEST: ${{ steps.check_latest.outputs.tag_latest }}
- IMAGE_REPO: temporalio
+ IMAGE_REPO: ${{ steps.meta.outputs.image_repo }}

 - name: Build Docker image
 if: ${{ !inputs.publish }}
@@ -160,7 +157,7 @@ jobs:
 IMAGE_BRANCH_TAG: ${{ steps.meta.outputs.image_branch_tag }}
 VERSION: ${{ steps.meta.outputs.version }}
 TAG_LATEST: false
- IMAGE_REPO: temporalio
+ IMAGE_REPO: ${{ steps.meta.outputs.image_repo }}

 - name: Upload build artifacts
 if: ${{ !inputs.publish }}
diff --git a/.github/workflows/goreleaser.yml b/.github/workflows/goreleaser.yml
index dfd79cedd..a01b97044 100644
--- a/.github/workflows/goreleaser.yml
+++ b/.github/workflows/goreleaser.yml
@@ -15,6 +15,3 @@ jobs:
 with:
 publish: true
 version: ${{ github.ref_name }}
- secrets:
- DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
- DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
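Review bot: The login step in the `@@ -84,12 +80,13 @@` hunk of `build-and-publish.yml` now pushes with `secrets.GITHUB_TOKEN`, but no hunk in this patch declares the token's scopes, so the push depends on whatever default the repository or the calling workflow happens to grant. Unless a `permissions:` block already exists outside the visible lines, I would add one on this job listing `packages: write` next to only the scopes the existing steps need, and mirror it on the calling job in `goreleaser.yml`, because a reusable workflow cannot receive more than its caller grants. With `github.repository_owner == 'temporalio'` removed here and in the `@@ -134,7 +131,7 @@` hunk, `inputs.publish` is the only remaining gate on a push, so a comment such as `# publishes to the registry namespace of whichever repository runs this workflow` above the step would state that consequence. The job definition starts outside the hunk.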
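Review bot: `IMAGE_REPO: ${{ steps.meta.outputs.image_repo }}` in the `@@ -146,7 +143,7 @@` hunk, and again in `@@ -160,7 +157,7 @@`, reads an output that nothing in this patch adds to the `meta` step; the visible hunks already account for all 9 additions to this file. If that step does not already emit `image_repo`, the expression evaluates to an empty string, and the build would probably receive an empty `IMAGE_REPO` instead of the HCL default, producing tags without a registry or namespace. Assuming `Get build metadata` is a shell step, I would emit the value there, lower-cased because image references must be lower-case: `echo "image_repo=ghcr.io/${GITHUB_REPOSITORY_OWNER,,}" >> "$GITHUB_OUTPUT"`. The body of the `meta` step is outside these hunks, so this needs checking against the full file.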