fix(#33711): cross-publish docker images to ghcr.io

Signed-off-by: Allen Conlon <[email protected]>

Author: a1994sc

.github/workflows/release-nightly.yml

@@ -59,6 +59,8 @@ jobs:
           aws s3 sync dist/release s3://${{ secrets.AWS_S3_BUCKET }}/gitea/${{ steps.clean_name.outputs.branch }} --no-progress
   nightly-docker-rootful:
     runs-on: namespace-profile-gitea-release-docker
+    permissions:
+      packages: write # to publish to ghcr.io
     steps:
       - uses: actions/checkout@v4
       # fetch all commits instead of only the last as some branches are long lived and could have many between versions
@@ -69,6 +71,7 @@ jobs:
           go-version-file: go.mod
           check-latest: true
       - uses: docker/setup-qemu-action@v3
+      - uses: oras-project/setup-oras@v1
       - uses: docker/setup-buildx-action@v3
       - name: Get cleaned branch name
         id: clean_name
@@ -85,6 +88,12 @@ jobs:
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Login to GHCR using PAT
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
       - name: fetch go modules
         run: make vendor
       - name: build rootful docker image
@@ -94,8 +103,14 @@ jobs:
           platforms: linux/amd64,linux/arm64
           push: true
           tags: gitea/gitea:${{ steps.clean_name.outputs.branch }}
+      - name: copy rootful docker image to ghcr.io
+        # this will also copy both the amd64 and arm64 versions at the same time
+        run: |-
+          oras cp --recursive docker.io/gitea/gitea:${{ steps.meta.outputs.tags }} ghcr.io/gitea/gitea:${{ steps.meta.outputs.tags }}
   nightly-docker-rootless:
     runs-on: namespace-profile-gitea-release-docker
+    permissions:
+      packages: write # to publish to ghcr.io
     steps:
       - uses: actions/checkout@v4
       # fetch all commits instead of only the last as some branches are long lived and could have many between versions
@@ -106,6 +121,7 @@ jobs:
           go-version-file: go.mod
           check-latest: true
       - uses: docker/setup-qemu-action@v3
+      - uses: oras-project/setup-oras@v1
       - uses: docker/setup-buildx-action@v3
       - name: Get cleaned branch name
         id: clean_name
@@ -122,6 +138,12 @@ jobs:
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Login to GHCR using PAT
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
       - name: fetch go modules
         run: make vendor
       - name: build rootless docker image
@@ -132,3 +154,7 @@ jobs:
           push: true
           file: Dockerfile.rootless
           tags: gitea/gitea:${{ steps.clean_name.outputs.branch }}-rootless
+      - name: copy rootful docker image to ghcr.io
+        # this will also copy both the amd64 and arm64 versions at the same time
+        run: |-
+          oras cp --recursive docker.io/gitea/gitea:${{ steps.meta.outputs.tags }} ghcr.io/gitea/gitea:${{ steps.meta.outputs.tags }}

.github/workflows/release-tag-rc.yml

@@ -69,13 +69,16 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }}
   docker-rootful:
     runs-on: namespace-profile-gitea-release-docker
+    permissions:
+      packages: write # to publish to ghcr.io
     steps:
       - uses: actions/checkout@v4
       # fetch all commits instead of only the last as some branches are long lived and could have many between versions
       # fetch all tags to ensure that "git describe" reports expected Gitea version, eg. v1.21.0-dev-1-g1234567
       - run: git fetch --unshallow --quiet --tags --force
       - uses: docker/setup-qemu-action@v3
       - uses: docker/setup-buildx-action@v3
+      - uses: oras-project/setup-oras@v1
       - uses: docker/metadata-action@v5
         id: meta
         with:
@@ -90,6 +93,12 @@ jobs:
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Login to GHCR using PAT
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
       - name: build rootful docker image
         uses: docker/build-push-action@v5
         with:
@@ -98,15 +107,22 @@ jobs:
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+      - name: copy rootful docker image to ghcr.io
+        # this will also copy both the amd64 and arm64 versions at the same time
+        run: |-
+          oras cp --recursive docker.io/gitea/gitea:${{ steps.meta.outputs.tags }} ghcr.io/gitea/gitea:${{ steps.meta.outputs.tags }}
   docker-rootless:
     runs-on: namespace-profile-gitea-release-docker
+    permissions:
+      packages: write # to publish to ghcr.io
     steps:
       - uses: actions/checkout@v4
       # fetch all commits instead of only the last as some branches are long lived and could have many between versions
       # fetch all tags to ensure that "git describe" reports expected Gitea version, eg. v1.21.0-dev-1-g1234567
       - run: git fetch --unshallow --quiet --tags --force
       - uses: docker/setup-qemu-action@v3
       - uses: docker/setup-buildx-action@v3
+      - uses: oras-project/setup-oras@v1
       - uses: docker/metadata-action@v5
         id: meta
         with:
@@ -123,6 +139,12 @@ jobs:
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Login to GHCR using PAT
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
       - name: build rootless docker image
         uses: docker/build-push-action@v5
         with:
@@ -132,3 +154,7 @@ jobs:
           file: Dockerfile.rootless
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+      - name: copy rootful docker image to ghcr.io
+        # this will also copy both the amd64 and arm64 versions at the same time
+        run: |-
+          oras cp --recursive docker.io/gitea/gitea:${{ steps.meta.outputs.tags }} ghcr.io/gitea/gitea:${{ steps.meta.outputs.tags }}

.github/workflows/release-tag-version.yml

@@ -14,6 +14,8 @@ concurrency:
 jobs:
   binary:
     runs-on: namespace-profile-gitea-release-binary
+    permissions:
+      packages: write # to publish to ghcr.io
     steps:
       - uses: actions/checkout@v4
       # fetch all commits instead of only the last as some branches are long lived and could have many between versions
@@ -71,13 +73,16 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }}
   docker-rootful:
     runs-on: namespace-profile-gitea-release-docker
+    permissions:
+      packages: write # to publish to ghcr.io
     steps:
       - uses: actions/checkout@v4
       # fetch all commits instead of only the last as some branches are long lived and could have many between versions
       # fetch all tags to ensure that "git describe" reports expected Gitea version, eg. v1.21.0-dev-1-g1234567
       - run: git fetch --unshallow --quiet --tags --force
       - uses: docker/setup-qemu-action@v3
       - uses: docker/setup-buildx-action@v3
+      - uses: oras-project/setup-oras@v1
       - uses: docker/metadata-action@v5
         id: meta
         with:
@@ -96,6 +101,12 @@ jobs:
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Login to GHCR using PAT
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
       - name: build rootful docker image
         uses: docker/build-push-action@v5
         with:
@@ -104,6 +115,10 @@ jobs:
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+      - name: copy rootful docker image to ghcr.io
+        # this will also copy both the amd64 and arm64 versions at the same time
+        run: |-
+          oras cp --recursive docker.io/gitea/gitea:${{ steps.meta.outputs.tags }} ghcr.io/gitea/gitea:${{ steps.meta.outputs.tags }}
   docker-rootless:
     runs-on: namespace-profile-gitea-release-docker
     steps:
@@ -113,6 +128,7 @@ jobs:
       - run: git fetch --unshallow --quiet --tags --force
       - uses: docker/setup-qemu-action@v3
       - uses: docker/setup-buildx-action@v3
+      - uses: oras-project/setup-oras@v1
       - uses: docker/metadata-action@v5
         id: meta
         with:
@@ -134,6 +150,12 @@ jobs:
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Login to GHCR using PAT
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
       - name: build rootless docker image
         uses: docker/build-push-action@v5
         with:
@@ -143,3 +165,7 @@ jobs:
           file: Dockerfile.rootless
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+      - name: copy rootful docker image to ghcr.io
+        # this will also copy both the amd64 and arm64 versions at the same time
+        run: |-
+          oras cp --recursive docker.io/gitea/gitea:${{ steps.meta.outputs.tags }} ghcr.io/gitea/gitea:${{ steps.meta.outputs.tags }}