👷(CI) add GHCR workflow for forked repo testing

[dtinth]

Purpose

When I fork the project to make improvements, I want to be able to deploy it to my VPS for testing. I want an image built in a reproducible way. However, the current docker-hub.yml is hardcoded to push to Docker Hub under lasuite registry.

This PR adds a GitHub Actions workflow that builds and pushes Docker images to GitHub Container Registry (GHCR) trigger. This enables forked repositories to build their own images for testing without requiring Docker Hub credentials or having to configure any credentials at all.

I created this workflow while fixing #1788 (submitted as PR #1850). To verify it works, I ran the workflow on my fork:

This generates the images in my account:

Now I can test it on my VPS by pointing my Docker Compose to my built image:

Proposal

• Create .github/workflows/ghcr.yml with workflow_dispatch trigger, based on existing docker-hub.yml
• Only runs on forked repos. It will not run on the source suitenumerique/docs repo.
• Build backend, frontend, and y-provider images
• Push to ghcr.io/{owner}/{repo}/{service}
• Support both manual triggers and pushes to main/tags
• Include proper metadata tagging (branch, semver, SHA)

Notes:

• This workflow is independent of the existing Docker Hub workflow
• Both workflows can coexist and serve different purposes
• GHCR is free for public repositories

External contributions

Thank you for your contribution! 🎉

Please ensure the following items are checked before submitting your pull request:

• I have read and followed the contributing guidelines
• I have read and agreed to the Code of Conduct
• I have signed off my commits with git commit --signoff (DCO compliance)
• I have signed my commits with my SSH or GPG key (git commit -S)
• My commit messages follow the required format: <gitmoji>(type) title description
• I have added a changelog entry under ## [Unreleased] section (if noticeable change)
• I have added corresponding tests for new features or bug fixes (if applicable) - N/A for CI workflow

[lunika]

Do you want to keep the same strategy? You will have the image only when the PR is merged, as I understand, or when a new release is made.

[dtinth]

@lunika Yes, this is the intention. Images can also be created on demand from the workflow_dispatch event. In short:

• When PR is merged → release as main tag
• When vX.Y.Z tag is created → release with version number as the tag
• When manually triggered → release as a commit-based tag

To generate an image using gh cli:

gh workflow run ghcr.yml --ref my-branch

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	eslint-config-next@​15.5.9
	next@​15.5.9
	convert-stream@​1.0.2
	jest@​30.2.0
	workbox-webpack-plugin@​7.1.0
	lodash@​4.17.23
	crisp-sdk-web@​1.0.27
	vitest@​4.0.17
	clsx@​2.1.1
	express-ws@​5.0.2
	pngjs@​7.0.0
	i18next-parser@​9.3.0
	nodemon@​3.1.11
	cross-env@​10.1.0
	emoji-mart@​5.6.0
	stylelint-prettier@​5.0.3
	ts-node@​10.9.2
	vitest-mock-extended@​3.1.0
	eslint-plugin-react@​7.37.5
	canvg@​4.0.3
	tsc-alias@​1.8.16
	uuid@​13.0.0
	eslint-plugin-import@​2.32.0
	eslint-plugin-jsx-a11y@​6.10.2
	react@​19.2.3
	use-debounce@​10.1.0
	fetch-mock@​9.11.0
	node-fetch@​2.7.0
	i18next-browser-languagedetector@​8.2.0
	luxon@​3.7.2
	react-select@​5.10.2
	react-intersection-observer@​10.0.2
	copy-webpack-plugin@​13.0.1
See 31 more rows in the dashboard

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm entities is 91.0% likely obfuscated Confidence: 0.91 Location: Package overview From: ? → npm/@blocknote/server-util@0.46.2 → npm/i18next-parser@9.3.0 → npm/entities@6.0.1 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/entities@6.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm vite is 91.0% likely obfuscated Confidence: 0.91 Location: Package overview From: ? → npm/vitest@4.0.17 → npm/vite@7.1.12 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/vite@7.1.12. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm vite is 91.0% likely obfuscated Confidence: 0.91 Location: Package overview From: ? → npm/vite-tsconfig-paths@6.0.4 → npm/vite@7.3.1 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/vite@7.3.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report