From 848cd6a6b321bc39a2cceedf20e6b0a5fd39d88a Mon Sep 17 00:00:00 2001
From: Tim 'mithro' Ansell
Date: Fri, 12 Dec 2025 14:08:33 +1030
Subject: [PATCH 1/2] chore: add .worktrees/ to .gitignore
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Prevent worktree contents from being tracked in the repository.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5
---
 .gitignore | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.gitignore b/.gitignore
index 462cc79..725ef0c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -140,3 +140,6 @@ cython_debug/
 # Generated version file
 actions_includes/version.py
 docker/*.tar.gz
+
+# Git worktrees
+.worktrees/

From 29480f3c49fda9c3a6855654da297fd1f5d3f08c Mon Sep 17 00:00:00 2001
From: Tim 'mithro' Ansell
Date: Fri, 12 Dec 2025 15:19:48 +1030
Subject: [PATCH 2/2] fix: use GITHUB_TOKEN instead of GHA_CR_TOKEN for GHCR authentication
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The custom GHA_CR_TOKEN PAT was invalid/expired, causing all push events to fail when publishing Docker images to ghcr.io.

Changes:
- Add permissions block with `packages: write` for GITHUB_TOKEN
- Replace GHA_CR_TOKEN with GITHUB_TOKEN (always available)
- Simplify push logic (no need to check for token existence)
- Update docker/login-action from v1 to v3
- Replace deprecated `::set-output` with GITHUB_OUTPUT env file

Benefits:
- No manual token management required
- Token is automatically rotated by GitHub
- Proper permissions scoped per-workflow

Fixes #52

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5
---
 .github/workflows/publish-docker-image.yml | 23 ++++++++++++++---------
 1 file changed, 14 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/publish-docker-image.yml b/.github/workflows/publish-docker-image.yml
index 2d30470..af386cf 100644
--- a/.github/workflows/publish-docker-image.yml +++ b/.github/workflows/publish-docker-image.yml @@ -26,6 +26,10 @@ jobs: name: Push Docker image to GitHub Packages runs-on: ubuntu-latest + permissions: + contents: read + packages: write + # Run a local registry services: registry: @@ -51,8 +55,6 @@ jobs: - name: Push To id: push_to shell: python - env: - HAS_GHA_CR_TOKEN: ${{ secrets.GHA_CR_TOKEN != '' }} run: | import os @@ -63,22 +65,25 @@ jobs: gh_repo = g('GITHUB_REPOSITORY') gh_event = g('GITHUB_EVENT_NAME') - has_cr_token = g('HAS_GHA_CR_TOKEN') i = [] print("Adding local service.") i.append("localhost:5000/"+gh_repo) - if gh_event == 'push' and has_cr_token == 'true': + # Use GITHUB_TOKEN for authentication (always available) + if gh_event == 'push': print("Adding GitHub Container Repository (ghcr.io)") i.append("ghcr.io/{}/image".format(gh_repo)) else: - print("Skipping GitHub Container Repository (ghcr.io)") + print("Skipping GitHub Container Repository (ghcr.io) for non-push events") l = ",".join(i) print("Final locations:", repr(l)) - print("::set-output name=images::{}".format(l)) + + # Use environment file instead of deprecated set-output + with open(os.environ['GITHUB_OUTPUT'], 'a') as f: + f.write("images={}\n".format(l)) - name: Docker meta id: docker_meta @@ -97,11 +102,11 @@ jobs: - name: Login to GHCR if: ${{ contains(steps.push_to.outputs.images, 'ghcr.io') }} - uses: docker/login-action@v1 + uses: docker/login-action@v3 with: - username: ${{ github.actor }} - password: ${{ secrets.GHA_CR_TOKEN }} registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} # - name: Login to local registry # uses: docker/login-action@v1
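Review bot: The `packages: write` grant added in the `@@ -26,6 +26,10 @@` hunk is job-wide, so every step in this job, third-party actions included, runs with a token that can publish packages, on every event that starts the job. Only the ghcr.io push needs that scope, and the script further down adds ghcr.io only for `push` events. Consider moving the publish steps into their own job that carries `packages: write` and leaving this job at `contents: read`, or at least record the reason beside the grant, e.g. `# packages: write is needed only for the ghcr.io push on push events`. The job definition starts and ends outside the hunk.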
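Review bot: With the `has_cr_token` check removed, `if gh_event == 'push':` in the `@@ -63,22 +65,25 @@` hunk is the only gate on publishing, so every push event that starts this workflow now adds the ghcr.io location. That appears to include pushes to non-release branches, and pushes in forks, which used to skip because the secret was absent there. The workflow's `on:` triggers are outside the hunk, so confirm they limit this; if they do not, gate on the ref as well, e.g. `if gh_event == 'push' and g('GITHUB_REF') == 'refs/heads/<default-branch>':` (placeholder branch name). The new comment's "always available" is also only half the story: the token is always present, but whether it can write packages depends on the `permissions` block and repository settings, e.g. `# GITHUB_TOKEN is always present; package write access comes from the job's permissions block`.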
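Review bot: `uses: docker/login-action@v3` in the `@@ -97,11 +102,11 @@` hunk references a mutable tag, and this step is now handed a token carrying `packages: write`. Pinning the action to a full commit SHA keeps a moved tag from changing which code receives that credential, e.g. `uses: docker/login-action@<full-commit-sha> # v3` (placeholder; take the SHA from the action's v3 release). The commented-out `Login to local registry` step at the end of the hunk still names `docker/login-action@v1` and should be brought in line if it is ever re-enabled.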