ci(eng-prod): publish container images to public GHCR [CLK-1148049] #3
Merged
Replace the three duplicated push-ci-* jobs with a single push-images matrix job that publishes ci-storage, ci-scaler, and ci-runner only to ghcr.io/<owner>/<image> via the built-in GITHUB_TOKEN (packages: write), dropping all Docker Hub login and dockerhub-description steps. Publishing is decoupled from the self-hosted integration tests (which need CI_PAT and runner infra) so a missing secret no longer blocks images. PRs build the images across the platform matrix without pushing; merges to main and v* tags build and push. Docs updated for the GHCR flow, including the one-time manual step to make each package public.
iamjaekim
approved these changes
Jun 2, 2026
xnap
approved these changes
Jun 2, 2026
What

Fixes the broken CI publishing path so this repo (now time-loop/ci-storage, a mirror of dimikot/ci-storage) publishes its three container images — ci-storage, ci-scaler, ci-runner — to GHCR under the org.

Why it was broken

- push-ci-* jobs logged in to Docker Hub as dimikot with secrets.DOCKERHUB_PAT, which doesn't exist in this org — every publish step failed.
- needs: the self-hosted integration tests (ci-scaler-test, build-and-boot-containers, spawn-job-test), which fail immediately because secrets.CI_PAT is unset. So publishing never even started.

Changes

- push-ci-* jobs into one push-images matrix job over [ci-storage, ci-scaler, ci-runner].
- ghcr.io/${{ github.repository_owner }}/<image> using the built-in GITHUB_TOKEN with permissions: packages: write — no registry PAT needed. All Docker Hub login and dockerhub-description steps removed.
- needs: is now just [ci-storage-tool-test, ci-storage-action-test].
- linux/amd64, linux/arm64, linux/arm64/v8 (validating the Dockerfiles) but do not push; GHCR login is skipped on PRs. Merges to main/v* tags build and push.
- PUBLISH.md for the GHCR flow; repoint consumer image refs in the docker READMEs ghcr.io/dimikot/* → ghcr.io/time-loop/*.

Required manual follow-ups (cannot be done in CI)

- main/a tag, switch each of the 3 GHCR packages to public (Org → Packages → package → settings → change visibility). New packages are private by default; there is no REST API for visibility, so this is a one-time UI step and may need org admin.
- time-loop/sd to repoint ghcr.io/dimikot/* → ghcr.io/time-loop/* once the public packages exist. (sd keeps working off dimikot's public images until then.)

Out of scope

The self-hosted integration test jobs stay red until CI_PAT + runner infra are set up — tracked separately.
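
A workflow shaped like the one this description outlines, as an added sketch that is not the repository's actual workflow file: it shows the least-privilege token scope and the PR/no-push gating. The runner label, action version pins, Docker build context path, and the `:latest` tag are assumptions; the job name, image list, platforms, and registry path come from the description.

```yaml
# Added sketch, not the repository's workflow file.
name: push-images
on:
  pull_request:
  push:
    branches: [main]
    tags: ["v*"]

permissions:
  contents: read              # workflow default: read-only GITHUB_TOKEN

jobs:
  push-images:
    # The PR also gates this job with
    #   needs: [ci-storage-tool-test, ci-storage-action-test]
    # left out here because those jobs are not part of this sketch.
    runs-on: ubuntu-latest    # assumed runner label
    permissions:              # job-level block replaces the default entirely
      contents: read
      packages: write         # the only write scope publishing needs
    strategy:
      matrix:
        image: [ci-storage, ci-scaler, ci-runner]
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-qemu-action@v3      # emulation for the arm64 builds
      - uses: docker/setup-buildx-action@v3
      - name: Log in to GHCR (skipped on PRs)
        if: github.event_name != 'pull_request'
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}   # no registry PAT stored
      - name: Build on every event, push only from main or v* tags
        uses: docker/build-push-action@v6
        with:
          context: docker/${{ matrix.image }}     # assumed path
          platforms: linux/amd64,linux/arm64,linux/arm64/v8
          # The push trigger above only fires for main and v* tags,
          # so "not a pull_request" is equivalent to "main or v* tag".
          push: ${{ github.event_name != 'pull_request' }}
          # Image references must be lowercase; the tag is an assumption.
          tags: ghcr.io/${{ github.repository_owner }}/${{ matrix.image }}:latest
```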