22 changes: 18 additions & 4 deletions .github/workflows/publish-webapp.yml
Expand Up @@ -14,13 +14,21 @@ on:
type: string
required: false
default: ""
image_registry:
description: The registry namespace to publish under (e.g. ghcr.io/<owner>)
type: string
required: false
default: ""
outputs:
version:
description: The published image tag
value: ${{ jobs.publish.outputs.version }}
short_sha:
description: Short commit SHA of the published build
value: ${{ jobs.publish.outputs.short_sha }}
image_repo:
description: The image repository the build was published to (without tag)
value: ${{ jobs.publish.outputs.image_repo }}
secrets:
SENTRY_AUTH_TOKEN:
required: false
Expand All @@ -33,6 +41,7 @@ jobs:
outputs:
version: ${{ steps.get_tag.outputs.tag }}
short_sha: ${{ steps.get_commit.outputs.sha_short }}
image_repo: ${{ steps.set_tags.outputs.image_repo }}
steps:
- name: 🏭 Setup Depot CLI
uses: depot/setup-action@15c09a5f77a0840ad4bce955686522a257853461 # v1.7.1
Expand All @@ -57,17 +66,22 @@ jobs:
- name: 📛 Set the tags
id: set_tags
run: |
ref_without_tag=ghcr.io/triggerdotdev/trigger.dev
image_tags=$ref_without_tag:${STEPS_GET_TAG_OUTPUTS_TAG}
# The registry namespace is resolved by the caller (defaulting to
# ghcr.io/<owner>, overridable via the IMAGE_REGISTRY repository
# variable); the webapp image lives at <registry>/<repo-name>. A fork
# therefore publishes to its own package automatically.
image_tags=$REF_WITHOUT_TAG:${STEPS_GET_TAG_OUTPUTS_TAG}

# when pushing the mutable main tag, also push an immutable-by-convention
# full-commit-sha tag so a commit can be resolved to a specific digest
if [[ "${STEPS_GET_TAG_OUTPUTS_TAG}" == "main" ]]; then
image_tags=$image_tags,$ref_without_tag:${GITHUB_SHA}
image_tags=$image_tags,$REF_WITHOUT_TAG:${GITHUB_SHA}
fi

echo "image_tags=${image_tags}" >> "$GITHUB_OUTPUT"
echo "image_repo=${REF_WITHOUT_TAG}" >> "$GITHUB_OUTPUT"
env:
REF_WITHOUT_TAG: ${{ format('{0}/{1}', inputs.image_registry || vars.IMAGE_REGISTRY || format('ghcr.io/{0}', github.repository_owner), github.event.repository.name) }}
STEPS_GET_TAG_OUTPUTS_TAG: ${{ steps.get_tag.outputs.tag }}
STEPS_GET_TAG_OUTPUTS_IS_SEMVER: ${{ steps.get_tag.outputs.is_semver }}

Expand Down Expand Up @@ -122,6 +136,6 @@ jobs:
continue-on-error: true
uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
with:
subject-name: ghcr.io/triggerdotdev/trigger.dev
subject-name: ${{ steps.set_tags.outputs.image_repo }}
subject-digest: ${{ steps.build_push.outputs.digest }}
push-to-registry: true
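Review bot: `REF_WITHOUT_TAG` in the set_tags step env is assembled from `github.repository_owner` and `github.event.repository.name`, which keep whatever case the GitHub account uses, but Docker/OCI references require lowercase path components, so a fork owned by an account with capitals in its name (or a repo name with capitals) produces a reference that `docker tag`/push rejects — and the same value flows into the `image_repo` output and the attestation `subject-name` at the end of this section. Normalising it as the first line of the script, `REF_WITHOUT_TAG="${REF_WITHOUT_TAG,,}"`, fixes all three consumers at once (assuming the step runs under the runner's default bash, which supports `${var,,}`). The same problem applies to `IMAGE_REGISTRY` in publish-worker-v4.yml, `REGISTRY` in publish-worker.yml and the three `format('ghcr.io/{0}', github.repository_owner)` defaults in publish.yml. Passing the resolved value through `env:` rather than interpolating `${{ }}` into `run:` is the right shape and keeps the caller-supplied string out of shell parsing.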
11 changes: 10 additions & 1 deletion .github/workflows/publish-worker-v4.yml
Expand Up @@ -8,6 +8,11 @@ on:
type: string
required: false
default: ""
image_registry:
description: The registry namespace to publish under (e.g. ghcr.io/<owner>)
type: string
required: false
default: ""
push:
tags:
- "re2-test-*"
Expand Down Expand Up @@ -65,11 +70,15 @@ jobs:
- name: 📛 Set tags to push
id: set_tags
run: |
ref_without_tag=ghcr.io/triggerdotdev/${STEPS_GET_REPOSITORY_OUTPUTS_REPO}
# Resolved by the caller when invoked from publish.yml; falls back to the
# IMAGE_REGISTRY repository variable (or ghcr.io/<owner>) for the direct
# push triggers above, so a fork publishes to its own namespace.
ref_without_tag=${IMAGE_REGISTRY}/${STEPS_GET_REPOSITORY_OUTPUTS_REPO}
image_tags=$ref_without_tag:${STEPS_GET_TAG_OUTPUTS_TAG}

echo "image_tags=${image_tags}" >> "$GITHUB_OUTPUT"
env:
IMAGE_REGISTRY: ${{ inputs.image_registry || vars.IMAGE_REGISTRY || format('ghcr.io/{0}', github.repository_owner) }}
STEPS_GET_REPOSITORY_OUTPUTS_REPO: ${{ steps.get_repository.outputs.repo }}
STEPS_GET_TAG_OUTPUTS_TAG: ${{ steps.get_tag.outputs.tag }}
STEPS_GET_TAG_OUTPUTS_IS_SEMVER: ${{ steps.get_tag.outputs.is_semver }}
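Review bot: `ref_without_tag=${IMAGE_REGISTRY}/${STEPS_GET_REPOSITORY_OUTPUTS_REPO}` accepts `IMAGE_REGISTRY` verbatim, and since that value now comes from a free-form repository variable or a caller input, a trailing slash (`ghcr.io/owner/`) yields `host/owner//repo`, which fails reference parsing at push time rather than at the point the variable was set. Stripping it is a one-token change, `ref_without_tag=${IMAGE_REGISTRY%/}/${STEPS_GET_REPOSITORY_OUTPUTS_REPO}`. publish-worker.yml's `"$REGISTRY/$REPOSITORY:$IMAGE_TAG"` and publish-webapp.yml's `format('{0}/{1}', …)` have the same gap; the surrounding steps that consume `image_tags` are outside this hunk, so I have not checked whether anything downstream would catch it earlier.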
10 changes: 9 additions & 1 deletion .github/workflows/publish-worker.yml
Expand Up @@ -8,6 +8,11 @@ on:
type: string
required: false
default: ""
image_registry:
description: The registry namespace to publish under (e.g. ghcr.io/<owner>)
type: string
required: false
default: ""
secrets:
DOCKERHUB_USERNAME:
required: false
Expand Down Expand Up @@ -83,7 +88,10 @@ jobs:
docker tag infra_image "$REGISTRY/$REPOSITORY:$IMAGE_TAG"
docker push "$REGISTRY/$REPOSITORY:$IMAGE_TAG"
env:
REGISTRY: ghcr.io/triggerdotdev
# Resolved by the caller when invoked from publish.yml; falls back to the
# IMAGE_REGISTRY repository variable (or ghcr.io/<owner>) for the direct
# push triggers above, so a fork publishes to its own namespace.
REGISTRY: ${{ inputs.image_registry || vars.IMAGE_REGISTRY || format('ghcr.io/{0}', github.repository_owner) }}
REPOSITORY: ${{ steps.get_repository.outputs.repo }}
IMAGE_TAG: ${{ steps.get_tag.outputs.tag }}

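Review bot: `docker tag`/`docker push` in this step now target whatever host `REGISTRY` resolves to, but the registry login for this job is outside the hunk and, if it is still hard-coded to `ghcr.io` (the only host the job's `packages: write` token can authenticate to), an `IMAGE_REGISTRY` pointing at another host will push unauthenticated and fail with a misleading error. If a different host is meant to be supported, the login step should derive its host from the same resolved value (`${REGISTRY%%/*}` in shell, or the equivalent expression for the login action's `registry:` input) and document which credentials it expects; if not, a comment above `REGISTRY:` stating that only `ghcr.io/<namespace>` values are supported would prevent the misconfiguration. The same applies to the login steps of publish-worker-v4.yml and publish-webapp.yml, which I also cannot see here.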
7 changes: 6 additions & 1 deletion .github/workflows/publish.yml
Expand Up @@ -74,6 +74,9 @@ jobs:
SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
with:
image_tag: ${{ inputs.image_tag }}
# Target registry namespace. Defaults to ghcr.io/<owner> so a fork publishes
# to its own namespace; set the IMAGE_REGISTRY repository variable to override.
image_registry: ${{ vars.IMAGE_REGISTRY || format('ghcr.io/{0}', github.repository_owner) }}

publish-worker:
needs: [typecheck]
Expand All @@ -86,6 +89,7 @@ jobs:
DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
with:
image_tag: ${{ inputs.image_tag }}
image_registry: ${{ vars.IMAGE_REGISTRY || format('ghcr.io/{0}', github.repository_owner) }}

publish-worker-v4:
needs: [typecheck]
Expand All @@ -96,6 +100,7 @@ jobs:
uses: ./.github/workflows/publish-worker-v4.yml
with:
image_tag: ${{ inputs.image_tag }}
image_registry: ${{ vars.IMAGE_REGISTRY || format('ghcr.io/{0}', github.repository_owner) }}

# OS-level CVE scan of the image just published above. Report-only (writes to
# the run summary); runs alongside the worker publishes and never blocks them.
Expand All @@ -106,4 +111,4 @@ jobs:
packages: read # pull the just-published image from GHCR
uses: ./.github/workflows/trivy-image-webapp.yml
with:
image-ref: ghcr.io/triggerdotdev/trigger.dev:${{ needs.publish-webapp.outputs.version }}
image-ref: ${{ needs.publish-webapp.outputs.image_repo }}:${{ needs.publish-webapp.outputs.version }}
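Review bot: The fallback `vars.IMAGE_REGISTRY || format('ghcr.io/{0}', github.repository_owner)` is now written out three times in this file (the `with:` of publish-webapp, publish-worker and publish-worker-v4) and a fourth time inside each callee, so a change to the resolution rule — for instance the lowercasing that OCI references require — has to be made in six places. Resolving it once in a small job and passing `needs.resolve-registry.outputs.image_registry` to the three callers gives a single place to normalise the value and keeps the callee fallbacks purely for their direct push triggers. The sketch below uses publish-worker, whose `needs: [typecheck]` is visible in this hunk; the other two callers change the same way.
```yaml
  resolve-registry:
    runs-on: ubuntu-latest
    outputs:
      image_registry: ${{ steps.resolve.outputs.registry }}
    steps:
      - id: resolve
        # OCI references reject uppercase path components; normalise once here.
        run: echo "registry=${REGISTRY,,}" >> "$GITHUB_OUTPUT"
        env:
          REGISTRY: ${{ vars.IMAGE_REGISTRY || format('ghcr.io/{0}', github.repository_owner) }}

  publish-worker:
    needs: [typecheck, resolve-registry]
    # … unchanged: uses/secrets …
    with:
      image_tag: ${{ inputs.image_tag }}
      image_registry: ${{ needs.resolve-registry.outputs.image_registry }}
```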