ci: resolve image registry once in parent workflow

Per review feedback, resolve the target container registry namespace a
single time in publish.yml (the orchestration workflow) and pass it down
to every publish job as an image_registry input, rather than each child
workflow independently computing the default.

This also unifies on one override variable: webapp and workers now both
key off IMAGE_REGISTRY (a namespace, e.g. ghcr.io/<owner>), with the
webapp image living at <registry>/<repo-name>. The separate
WEBAPP_IMAGE_REPO variable is dropped, removing the prior asymmetry
between a full-path override for the webapp and a namespace override for
workers.

Children keep the vars.IMAGE_REGISTRY || ghcr.io/<owner> fallback so the
worker workflows still resolve correctly on their direct push triggers.
Upstream defaults are byte-identical (owner is triggerdotdev).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: d-cs

.github/workflows/publish-webapp.yml

@@ -14,6 +14,11 @@ on:
         type: string
         required: false
         default: ""
+      image_registry:
+        description: The registry namespace to publish under (e.g. ghcr.io/<owner>)
+        type: string
+        required: false
+        default: ""
     outputs:
       version:
         description: The published image tag
@@ -61,10 +66,10 @@ jobs:
       - name: 📛 Set the tags
         id: set_tags
         run: |
-          # The image repo defaults to ghcr.io/<owner>/<repo>, so a fork publishes
-          # to its own package automatically with no extra config. Set the
-          # WEBAPP_IMAGE_REPO repository variable to override it with any
-          # registry/path.
+          # The registry namespace is resolved by the caller (defaulting to
+          # ghcr.io/<owner>, overridable via the IMAGE_REGISTRY repository
+          # variable); the webapp image lives at <registry>/<repo-name>. A fork
+          # therefore publishes to its own package automatically.
           image_tags=$REF_WITHOUT_TAG:${STEPS_GET_TAG_OUTPUTS_TAG}
 
           # when pushing the mutable main tag, also push an immutable-by-convention
@@ -76,7 +81,7 @@ jobs:
           echo "image_tags=${image_tags}" >> "$GITHUB_OUTPUT"
           echo "image_repo=${REF_WITHOUT_TAG}" >> "$GITHUB_OUTPUT"
         env:
-          REF_WITHOUT_TAG: ${{ vars.WEBAPP_IMAGE_REPO || format('ghcr.io/{0}', github.repository) }}
+          REF_WITHOUT_TAG: ${{ format('{0}/{1}', inputs.image_registry || vars.IMAGE_REGISTRY || format('ghcr.io/{0}', github.repository_owner), github.event.repository.name) }}
           STEPS_GET_TAG_OUTPUTS_TAG: ${{ steps.get_tag.outputs.tag }}
           STEPS_GET_TAG_OUTPUTS_IS_SEMVER: ${{ steps.get_tag.outputs.is_semver }}
 

.github/workflows/publish-worker-v4.yml

@@ -8,6 +8,11 @@ on:
         type: string
         required: false
         default: ""
+      image_registry:
+        description: The registry namespace to publish under (e.g. ghcr.io/<owner>)
+        type: string
+        required: false
+        default: ""
   push:
     tags:
       - "re2-test-*"
@@ -65,15 +70,15 @@ jobs:
       - name: 📛 Set tags to push
         id: set_tags
         run: |
-          # Defaults to ghcr.io/<owner>, so a fork publishes to its own namespace
-          # automatically. Set the IMAGE_REGISTRY repository variable to publish
-          # under a different ghcr.io namespace instead.
+          # Resolved by the caller when invoked from publish.yml; falls back to the
+          # IMAGE_REGISTRY repository variable (or ghcr.io/<owner>) for the direct
+          # push triggers above, so a fork publishes to its own namespace.
           ref_without_tag=${IMAGE_REGISTRY}/${STEPS_GET_REPOSITORY_OUTPUTS_REPO}
           image_tags=$ref_without_tag:${STEPS_GET_TAG_OUTPUTS_TAG}
 
           echo "image_tags=${image_tags}" >> "$GITHUB_OUTPUT"
         env:
-          IMAGE_REGISTRY: ${{ vars.IMAGE_REGISTRY || format('ghcr.io/{0}', github.repository_owner) }}
+          IMAGE_REGISTRY: ${{ inputs.image_registry || vars.IMAGE_REGISTRY || format('ghcr.io/{0}', github.repository_owner) }}
           STEPS_GET_REPOSITORY_OUTPUTS_REPO: ${{ steps.get_repository.outputs.repo }}
           STEPS_GET_TAG_OUTPUTS_TAG: ${{ steps.get_tag.outputs.tag }}
           STEPS_GET_TAG_OUTPUTS_IS_SEMVER: ${{ steps.get_tag.outputs.is_semver }}

.github/workflows/publish-worker.yml

@@ -8,6 +8,11 @@ on:
         type: string
         required: false
         default: ""
+      image_registry:
+        description: The registry namespace to publish under (e.g. ghcr.io/<owner>)
+        type: string
+        required: false
+        default: ""
     secrets:
       DOCKERHUB_USERNAME:
         required: false
@@ -83,10 +88,10 @@ jobs:
           docker tag infra_image "$REGISTRY/$REPOSITORY:$IMAGE_TAG"
           docker push "$REGISTRY/$REPOSITORY:$IMAGE_TAG"
         env:
-          # Defaults to ghcr.io/<owner>, so a fork publishes worker images to its
-          # own namespace automatically. Set the IMAGE_REGISTRY repository variable
-          # to publish under a different ghcr.io namespace instead.
-          REGISTRY: ${{ vars.IMAGE_REGISTRY || format('ghcr.io/{0}', github.repository_owner) }}
+          # Resolved by the caller when invoked from publish.yml; falls back to the
+          # IMAGE_REGISTRY repository variable (or ghcr.io/<owner>) for the direct
+          # push triggers above, so a fork publishes to its own namespace.
+          REGISTRY: ${{ inputs.image_registry || vars.IMAGE_REGISTRY || format('ghcr.io/{0}', github.repository_owner) }}
           REPOSITORY: ${{ steps.get_repository.outputs.repo }}
           IMAGE_TAG: ${{ steps.get_tag.outputs.tag }}
 

.github/workflows/publish.yml

@@ -53,6 +53,22 @@ env:
   AWS_REGION: us-east-1
 
 jobs:
+  # Resolve the target container registry namespace once and pass it down to every
+  # publish job. Defaults to ghcr.io/<owner>, so a fork publishes to its own
+  # namespace automatically; set the IMAGE_REGISTRY repository variable to override.
+  resolve-registry:
+    runs-on: ubuntu-latest
+    outputs:
+      registry: ${{ steps.resolve.outputs.registry }}
+    steps:
+      - name: 🧭 Resolve target registry
+        id: resolve
+        env:
+          IMAGE_REGISTRY: ${{ vars.IMAGE_REGISTRY }}
+          DEFAULT_REGISTRY: ghcr.io/${{ github.repository_owner }}
+        run: |
+          echo "registry=${IMAGE_REGISTRY:-$DEFAULT_REGISTRY}" >> "$GITHUB_OUTPUT"
+
   typecheck:
     uses: ./.github/workflows/typecheck.yml
 
@@ -63,7 +79,7 @@ jobs:
       DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
 
   publish-webapp:
-    needs: [typecheck]
+    needs: [typecheck, resolve-registry]
     permissions:
       contents: read
       packages: write
@@ -74,9 +90,10 @@ jobs:
       SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
     with:
       image_tag: ${{ inputs.image_tag }}
+      image_registry: ${{ needs.resolve-registry.outputs.registry }}
 
   publish-worker:
-    needs: [typecheck]
+    needs: [typecheck, resolve-registry]
     permissions:
       contents: read
       packages: write
@@ -86,16 +103,18 @@ jobs:
       DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
     with:
       image_tag: ${{ inputs.image_tag }}
+      image_registry: ${{ needs.resolve-registry.outputs.registry }}
 
   publish-worker-v4:
-    needs: [typecheck]
+    needs: [typecheck, resolve-registry]
     permissions:
       contents: read
       packages: write
       id-token: write
     uses: ./.github/workflows/publish-worker-v4.yml
     with:
       image_tag: ${{ inputs.image_tag }}
+      image_registry: ${{ needs.resolve-registry.outputs.registry }}
 
   # OS-level CVE scan of the image just published above. Report-only (writes to
   # the run summary); runs alongside the worker publishes and never blocks them.