fix(ci): enforce public GHCR visibility for docker image pulls (#798)

* ci(docker): allow manual dispatch for publish job * ci(docker): run smoke job on manual dispatch * fix(ci): enforce public GHCR visibility and verify anonymous pulls
2026-02-18 07:25:45 -05:00 · 2026-02-18 07:25:45 -05:00 · b13e230942
commit b13e230942
parent 58a99abb96
1 changed files with 61 additions and 0 deletions
--- a/.github/workflows/pub-docker-img.yml
+++ b/.github/workflows/pub-docker-img.yml
@ -129,3 +129,64 @@ jobs:
                  push: true
                  tags: ${{ steps.meta.outputs.tags }}
                  platforms: ${{ startsWith(github.ref, 'refs/tags/v') && 'linux/amd64,linux/arm64' || 'linux/amd64' }}
+
+            - name: Set GHCR package visibility to public
+              shell: bash
+              env:
+                  GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+              run: |
+                  set -euo pipefail
+                  owner="${GITHUB_REPOSITORY_OWNER,,}"
+                  repo="${GITHUB_REPOSITORY#*/}"
+
+                  # Package path can be either "<repo>" or URL-encoded "<owner>/<repo>".
+                  candidates=(
+                    "$repo"
+                    "${owner}%2F${repo}"
+                  )
+
+                  for pkg in "${candidates[@]}"; do
+                    code="$(curl -sS -o /tmp/ghcr-visibility.json -w "%{http_code}" \
+                      -X PATCH \
+                      -H "Authorization: Bearer ${GH_TOKEN}" \
+                      -H "Accept: application/vnd.github+json" \
+                      -H "X-GitHub-Api-Version: 2022-11-28" \
+                      "https://api.github.com/orgs/${owner}/packages/container/${pkg}/visibility" \
+                      -d '{"visibility":"public"}' || true)"
+
+                    if [ "$code" = "200" ] || [ "$code" = "204" ]; then
+                      echo "GHCR package visibility is public for ${pkg}."
+                      exit 0
+                    fi
+
+                    echo "Attempt for ${pkg} returned HTTP ${code}."
+                    cat /tmp/ghcr-visibility.json || true
+                  done
+
+                  echo "::error::Failed to set GHCR package visibility to public."
+                  exit 1
+
+            - name: Verify anonymous GHCR pull access
+              shell: bash
+              run: |
+                  set -euo pipefail
+                  token_resp="$(curl -sS "https://ghcr.io/token?scope=repository:${GITHUB_REPOSITORY}:pull")"
+                  token="$(echo "$token_resp" | sed -n 's/.*"token":"\([^"]*\)".*/\1/p')"
+
+                  if [ -z "$token" ]; then
+                    echo "::error::Anonymous GHCR token request failed: $token_resp"
+                    exit 1
+                  fi
+
+                  code="$(curl -sS -o /tmp/ghcr-manifest.json -w "%{http_code}" \
+                    -H "Authorization: Bearer ${token}" \
+                    -H "Accept: application/vnd.oci.image.index.v1+json, application/vnd.docker.distribution.manifest.v2+json" \
+                    "https://ghcr.io/v2/${GITHUB_REPOSITORY}/manifests/latest")"
+
+                  if [ "$code" != "200" ]; then
+                    echo "::error::Anonymous manifest pull failed with HTTP ${code}"
+                    cat /tmp/ghcr-manifest.json || true
+                    exit 1
+                  fi
+
+                  echo "Anonymous GHCR pull access verified."