Publish to ghcr.io #478
Publish to ghcr.io #478
Conversation
|
Do you expect some people to run workflows of this repo in their fork? If so, the part where the image name is predefined to be for ghcr.io/node-red/node-red might not work when authenticating with the ghcr from the fork (the github.repository_owner would be different). It should fail for an external user in their fork. However, for GitHub packages (specifically for the docker registry), there's two types of permission handling, whether it is linked to a repo or not. (Packages don't have to be linked to a repo, but appear owned by an org). Note that other repos of the org could push. It's not clear for me yet what happens when a user (who has write access to a package in a org) tries to push to from an action in his fork. There's some info here Additionnally, it's a better practice to explicitly clear the permissions at the workflow level, and add back the ones needed per job. Here, it would additionally require the "packages", plus maybe "contents" (if the setting in Actions > General > Workflow permissions is set to "read repository contents and packages", the default for new repos and forks, which is generally enough for common, non-dangerous use cases. The unrestricted default should be changed if it isn't already). |
|
No, we do not expect others to run this action, it only runs when we cut a Node-RED release. |
Also publish to GitHub's Docker container repository
part of #268