Merge pull request #1555 from crazy-max/e2e-dockerhub

ci(e2e): use org-owned Docker Hub credentials for e2e pushes
2026-06-09 02:23:00 +03:00 · 2026-06-08 19:08:26 +02:00 · 2026-06-04 16:03:24 +02:00 · 2026-06-04 16:00:12 +02:00 · 2026-06-02 14:18:39 +02:00
3 changed files with 17 additions and 12 deletions
@@ -1,9 +1,6 @@
 # reusable workflow
 name: .e2e-run

-permissions:
-  contents: read
-
 on:
  workflow_call:
    inputs:
@@ -117,8 +114,8 @@ jobs:
        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
        with:
          registry: ${{ env.REGISTRY_FQDN || inputs.registry }}
-          username: ${{ env.REGISTRY_USER || secrets.registry_username }}
-          password: ${{ env.REGISTRY_PASSWORD || secrets.registry_password }}
+          username: ${{ env.REGISTRY_USER || secrets.registry_username || (inputs.registry == 'ghcr.io' && github.actor) || '' }}
+          password: ${{ env.REGISTRY_PASSWORD || secrets.registry_password || (inputs.registry == 'ghcr.io' && secrets.GITHUB_TOKEN) || '' }}
          scope: ${{ inputs.type == 'remote' && inputs.registry == '' && '@push' || '' }}
      -
        name: Build and push
@@ -20,6 +20,9 @@ on:
 jobs:
  build:
    uses: ./.github/workflows/.e2e-run.yml
+    permissions:
+      contents: read
+      packages: write # to push image to GHCR
    strategy:
      fail-fast: false
      matrix:
@@ -32,13 +35,13 @@ jobs:
          -
            name: Docker Hub
            registry: ''
-            slug: ghactionstest/ghactionstest
+            slug: dockereng/build-push-action-test
            auth: dockerhub
            type: remote
          -
            name: GitHub
            registry: ghcr.io
-            slug: ghcr.io/docker-ghactiontest/test
+            slug: ghcr.io/docker/build-push-action-test
            auth: ghcr
            type: remote
          -
@@ -100,11 +103,11 @@ jobs:
      registry: ${{ matrix.registry }}
      slug: ${{ matrix.slug }}
    secrets:
-      # Pass only the two secrets needed by each matrix entry.
+      # Pass only the registry-specific secrets needed by each matrix entry.
+      # GHCR uses the called workflow's GITHUB_TOKEN fallback.
      registry_username: >-
        ${{
-          matrix.auth == 'dockerhub' && secrets.DOCKERHUB_USERNAME ||
-          matrix.auth == 'ghcr' && secrets.GHCR_USERNAME ||
+          matrix.auth == 'dockerhub' && vars.DOCKERPUBLICBOT_USERNAME ||
          matrix.auth == 'gitlab' && secrets.GITLAB_USERNAME ||
          matrix.auth == 'aws' && secrets.AWS_ACCESS_KEY_ID ||
          matrix.auth == 'gar' && secrets.GAR_USERNAME ||
@@ -115,8 +118,7 @@ jobs:
        }}
      registry_password: >-
        ${{
-          matrix.auth == 'dockerhub' && secrets.DOCKERHUB_TOKEN ||
-          matrix.auth == 'ghcr' && secrets.GHCR_PAT ||
+          matrix.auth == 'dockerhub' && secrets.DOCKERPUBLICBOT_WRITE_PAT ||
          matrix.auth == 'gitlab' && secrets.GITLAB_TOKEN ||
          matrix.auth == 'aws' && secrets.AWS_SECRET_ACCESS_KEY ||
          matrix.auth == 'gar' && secrets.GAR_JSON_KEY ||
@@ -0,0 +1,6 @@
+rules:
+  # rule does not apply to reusable worfklows where permissions are defined by
+  # the caller workflow and not the reusable workflow itself
+  excessive-permissions:
+    ignore:
+      - .e2e-run.yml
Author	SHA1	Message	Date
CrazyMax	f72b3cf665	Merge pull request #1555 from crazy-max/e2e-dockerhub ci(e2e): use org-owned Docker Hub credentials for e2e pushes	2026-06-08 19:08:26 +02:00
CrazyMax	405b217da0	ci(e2e): use org-owned Docker Hub credentials for e2e pushes Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>	2026-06-04 16:03:24 +02:00
CrazyMax	7b93b2b85c	Merge pull request #1554 from crazy-max/e2e-ghcr ci(e2e): use GITHUB_TOKEN for GHCR e2e	2026-06-04 16:00:12 +02:00
CrazyMax	f55bd083f2	ci(e2e): use GITHUB_TOKEN for GHCR e2e Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>	2026-06-02 14:18:39 +02:00