From 80b60d7b70cf5cc823c28a9ffeddbef2fec0a6cb Mon Sep 17 00:00:00 2001
From: Will Sarg <12886992+willsarg@users.noreply.github.com>
Date: Wed, 18 Feb 2026 07:34:25 -0500
Subject: [PATCH] fix(ci): verify anonymous GHCR pull even when visibility API is unavailable (#801)
---
 .github/workflows/pub-docker-img.yml | 34 ++++++++++++++--------------
 1 file changed, 17 insertions(+), 17 deletions(-)
diff --git a/.github/workflows/pub-docker-img.yml b/.github/workflows/pub-docker-img.yml
index fe79a4a..15ea8aa 100644
--- a/.github/workflows/pub-docker-img.yml
+++ b/.github/workflows/pub-docker-img.yml
@@ -139,32 +139,32 @@ jobs:
 owner="${GITHUB_REPOSITORY_OWNER,,}"
 repo="${GITHUB_REPOSITORY#*/}"
- # Package path can be either "" or URL-encoded "/".
+ # Package path can vary depending on repository/package linkage.
 candidates=( "$repo" "${owner}%2F${repo}" )
- for pkg in "${candidates[@]}"; do
- code="$(curl -sS -o /tmp/ghcr-visibility.json -w "%{http_code}" \
- -X PATCH \
- -H "Authorization: Bearer ${GH_TOKEN}" \
- -H "Accept: application/vnd.github+json" \
- -H "X-GitHub-Api-Version: 2022-11-28" \
- "https://api.github.com/orgs/${owner}/packages/container/${pkg}/visibility" \
- -d '{"visibility":"public"}' || true)"
+ for scope in orgs users; do
+ for pkg in "${candidates[@]}"; do
+ code="$(curl -sS -o /tmp/ghcr-visibility.json -w "%{http_code}" \
+ -X PATCH \
+ -H "Authorization: Bearer ${GH_TOKEN}" \
+ -H "Accept: application/vnd.github+json" \
+ -H "X-GitHub-Api-Version: 2022-11-28" \
+ "https://api.github.com/${scope}/${owner}/packages/container/${pkg}/visibility" \
+ -d '{"visibility":"public"}' || true)"
- if [ "$code" = "200" ] || [ "$code" = "204" ]; then
- echo "GHCR package visibility is public for ${pkg}."
- exit 0
- fi
+ if [ "$code" = "200" ] || [ "$code" = "204" ]; then
+ echo "GHCR package visibility is public (${scope}/${owner}/${pkg})."
+ exit 0
+ fi
- echo "Attempt for ${pkg} returned HTTP ${code}."
- cat /tmp/ghcr-visibility.json || true
+ echo "Visibility attempt ${scope}/${owner}/${pkg} returned HTTP ${code}."
+ done
 done
- echo "::error::Failed to set GHCR package visibility to public."
- exit 1
+ echo "::warning::Unable to update GHCR visibility via API in this run; proceeding to direct anonymous pull verification."
 - name: Verify anonymous GHCR pull access
 shell: bash
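Review bot: The failure branch of the new inner loop logs only the HTTP status, because the `cat /tmp/ghcr-visibility.json || true` line was dropped while curl still writes the response body to that fixed `/tmp` path on every attempt. The API's error text, which would presumably distinguish a token without package permissions from a wrong scope or package path, is therefore stored but never shown. Either restore the `cat` after the "Visibility attempt … returned HTTP" echo or discard the body with `-o /dev/null`; if it is kept, `-o "${RUNNER_TEMP}/ghcr-visibility.json"` avoids a predictable name in a shared `/tmp` on self-hosted runners. Because the step now ends in a `::warning::` instead of `exit 1`, the `Verify anonymous GHCR pull access` step is the only remaining gate. Its body lies outside this hunk, so confirm it exits non-zero when the anonymous pull is refused.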