Set GHCR package visibility to public on every release#965
Open
chrisyoung2005 wants to merge 1 commit intoRightNow-AI:mainfrom
Open
Set GHCR package visibility to public on every release#965chrisyoung2005 wants to merge 1 commit intoRightNow-AI:mainfrom
chrisyoung2005 wants to merge 1 commit intoRightNow-AI:mainfrom
Conversation
GHCR defaults new packages to private, so docker pull ghcr.io/rightnow-ai/openfang:... returned 401 for unauthenticated users despite the repo being public. Two changes to the docker job in release.yml: 1. Add OCI labels to the build — links the package to the repo so GHCR associates it correctly, and is standard practice for container images. 2. After each push, call the GitHub Packages API (PATCH /orgs/RightNow-AI/packages/container/openfang) to set visibility to public. The workflow already holds packages: write, which is the required scope. This runs on every release tag so visibility cannot regress if the package is ever reset. Fixes RightNow-AI#961
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Fixes #961.
docker pull ghcr.io/rightnow-ai/openfang:<tag>returned 401 for unauthenticated users because GHCR defaults new packages to private, even when the repository is public. The release workflow was pushing the image but never setting visibility.How
Two additions to the
dockerjob inrelease.yml:1. OCI labels on the build — links the package to the repository so GHCR associates them correctly. Standard practice for container images, and a prerequisite for the visibility API call to work reliably.
2. Post-push visibility step — calls the GitHub Packages API after each push to explicitly set the package public. The workflow already declares
packages: write, which is the required scope. Running on every release tag means visibility cannot silently regress.CI note
This PR touches only
release.yml— no Rust code changes. The cargo check/test/clippy/fmt jobs will run but any failures are due to the pre-existingmcp.rsbuild blocker (tracked in #926, fix open in #927), not this PR.Note on existing packages
This fix takes effect on the next release. The existing v0.5.6/v0.5.7 packages need a one-time manual change: GitHub → Packages → openfang → Package settings → Change visibility → Public. After that, this workflow step keeps them public automatically.
Verification
After the next release tag is pushed:
docker pull ghcr.io/rightnow-ai/openfang:latest # succeeds without auth