Problem
.github/workflows/docker-publish.yml hardcodes the image owner:
images: ghcr.io/peaktwilight/pwnkit
But the repo lives at PwnKit-Labs/pwnkit (org-owned). The default GITHUB_TOKEN issued in a PwnKit-Labs/* repo can only write to packages owned by pwnkit-labs/*, not by the user peaktwilight/*. Any new tag-push or workflow_dispatch will fail with:
denied: permission_denied: The requested installation does not exist.
The current ghcr.io/peaktwilight/pwnkit:latest digest still pulls because it was pushed in the past (probably while the repo still lived under peaktwilight). The image is effectively frozen — new versions will not appear under that name.
Root cause + fix
Same shape as PwnKit-Labs/pwnkit-cloud#? (fixed in PwnKit-Labs/pwnkit-cloud@ab38059). Derive the owner from the repo owner instead of hardcoding it:
```yaml
      - name: Resolve image name
        id: image
        run: |
          set -euo pipefail
          OWNER="$(echo '${{ github.repository_owner }}' | tr '[:upper:]' '[:lower:]')"
          echo "name=ghcr.io/${OWNER}/pwnkit" >> "$GITHUB_OUTPUT"
      - name: Extract metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ steps.image.outputs.name }}
          # ... rest unchanged
```
That resolves to ghcr.io/pwnkit-labs/pwnkit, which the default GITHUB_TOKEN can write to. No PAT needed. Also worth updating the org.opencontainers.image.source label to point at https://github.com/PwnKit-Labs/pwnkit.
Downstream coordination
pwnkit-cloud's worker-controller references this image via the PWNKIT_IMAGE env var in two places:
pwnkit-cloud/infra/k3s/worker-controller.yaml
pwnkit-cloud/k8s/apps/pwnkit-cloud/worker-controller-deployment.yaml (in the GitOps repo, peaktwilight/k8s)
Both currently say ghcr.io/peaktwilight/pwnkit:latest. Once this PR merges and the new image lands at ghcr.io/pwnkit-labs/pwnkit:latest, those two refs need to flip — otherwise worker pods will keep pulling the stale digest forever. Easiest is to land the rename here, trigger a publish, then immediately bump PWNKIT_IMAGE on the cloud side in one commit.
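As an added example (not part of this PR or either repo), a small POSIX shell check that mirrors the owner-lowercasing step above, flags any manifest still pointing at the frozen ghcr.io/peaktwilight/pwnkit name, and shows the rewritten content for the flip. The sample manifest is constructed inline to stand in for the two worker-controller files.

```shell
# Added example, not code from the PR: find and rewrite stale PWNKIT_IMAGE refs.
OLD_IMAGE='ghcr.io/peaktwilight/pwnkit'
NEW_IMAGE='ghcr.io/pwnkit-labs/pwnkit'

# resolve_image_name OWNER -> ghcr.io/<owner-lowercased>/pwnkit,
# the same derivation the "Resolve image name" workflow step performs.
resolve_image_name() {
  owner="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
  printf 'ghcr.io/%s/pwnkit' "$owner"
}

# stale_image_refs FILE... -> prints file:line:text for every reference
# to the old owner; prints nothing (and exits 0) when the manifests are clean.
stale_image_refs() {
  grep -Hn "$OLD_IMAGE" "$@" 2>/dev/null || true
}

# rewrite_image_refs FILE -> prints the manifest with the owner flipped;
# tags such as :latest are preserved because only the repository prefix changes.
rewrite_image_refs() {
  sed "s|${OLD_IMAGE}|${NEW_IMAGE}|g" "$1"
}

# Constructed sample standing in for worker-controller-deployment.yaml.
demo_manifest="$(mktemp)"
cat > "$demo_manifest" <<'EOF'
env:
  - name: PWNKIT_IMAGE
    value: ghcr.io/peaktwilight/pwnkit:latest
EOF

# Stand-alone run: report stale refs, then show the rewritten manifest.
resolve_image_name "PwnKit-Labs"; echo
stale_image_refs "$demo_manifest"
rewrite_image_refs "$demo_manifest"
```

Run `stale_image_refs` over both manifest copies before and after the cloud-side commit; an empty result after the bump confirms no worker pod can still resolve the stale digest.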
Acceptance
- docker-publish.yml resolves the owner from github.repository_owner
- workflow_dispatch against the updated workflow publishes successfully to ghcr.io/pwnkit-labs/pwnkit:latest
- PwnKit-Labs/pwnkit-cloud retags PWNKIT_IMAGE (worker-controller manifests, both copies)