Publish Docker Containers used on CI to GHCR (#1152)

MatkovIvan · web-flow · commit 548fed39145d · 2026-01-28T17:17:15.000+01:00
Fixes [SKIKO-1081](https://youtrack.jetbrains.com/issue/SKIKO-1081) Make docker images for building skiko publicly available The Skiko project previously used a private Docker registry (`registry.jetbrains.team/p/ui/skiko-docker`) for build containers, which required secrets for authentication. This prevented CI verification from fork PRs even after manual approval. The change migrates to GitHub Container Registry (GHCR), making containers publicly accessible and enabling CI to run on fork PRs. Containers built: https://github.com/orgs/JetBrains/packages?repo_name=skiko Triggers: - Push to master: Automatically builds and publishes all Docker images - Pull requests: Builds images in dry-run mode (no publishing) for verification - Manual workflow dispatch: Option to publish or just build - File changes: Triggers on changes to `skiko/docker/**` or the workflow itself
diff --git a/.github/actions/docker-publish/action.yml b/.github/actions/docker-publish/action.yml
@@ -0,0 +1,61 @@
+name: 'Docker Publish'
+description: 'Build and optionally publish a Docker image to a registry'
+
+inputs:
+  registry:
+    description: 'Docker registry (e.g., ghcr.io)'
+    required: true
+  namespace:
+    description: 'Image namespace (e.g., owner/repo)'
+    required: true
+  image_name:
+    description: 'Image name (e.g., linux-amd64)'
+    required: true
+  context:
+    description: 'Build context path (e.g., ./skiko/docker/linux-amd64)'
+    required: true
+  platforms:
+    description: 'Target platforms (e.g., linux/amd64 or linux/amd64,linux/arm64)'
+    required: true
+  tag:
+    description: 'Image tag (e.g., ubuntu-2004)'
+    required: true
+  should_publish:
+    description: 'Whether to push the image to the registry'
+    required: true
+  github_token:
+    description: 'GitHub token for authentication'
+    required: true
+
+runs:
+  using: 'composite'
+  steps:
+    - name: 'Set up Docker Buildx'
+      uses: docker/setup-buildx-action@v3
+
+    - name: 'Log into registry'
+      if: inputs.should_publish == 'true'
+      uses: docker/login-action@v3
+      with:
+        registry: ${{ inputs.registry }}
+        username: ${{ github.actor }}
+        password: ${{ inputs.github_token }}
+
+    - name: 'Extract metadata'
+      id: meta
+      uses: docker/metadata-action@v5
+      with:
+        images: ${{ inputs.registry }}/${{ inputs.namespace }}/${{ inputs.image_name }}
+        tags: |
+          type=raw,value=${{ inputs.tag }}
+
+    - name: 'Build and push'
+      uses: docker/build-push-action@v5
+      with:
+        context: ${{ inputs.context }}
+        platforms: ${{ inputs.platforms }}
+        push: ${{ inputs.should_publish == 'true' }}
+        tags: ${{ steps.meta.outputs.tags }}
+        labels: ${{ steps.meta.outputs.labels }}
+        cache-from: type=gha
+        cache-to: type=gha,mode=max
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
@@ -0,0 +1,188 @@
+name: Docker Build and Publish
+
+on:
+  workflow_dispatch:
+    inputs:
+      publish:
+        description: 'Publish to registry (if false, only dry-run build)'
+        required: false
+        type: boolean
+        default: true
+  push:
+    branches:
+      - master
+    paths:
+      - 'skiko/docker/**'
+      - '.github/workflows/docker-publish.yml'
+  pull_request:
+    paths:
+      - 'skiko/docker/**'
+      - '.github/workflows/docker-publish.yml'
+
+env:
+  REGISTRY: ghcr.io
+
+jobs:
+  # Determine if we should publish (only on push to master or manual trigger with publish=true)
+  config:
+    name: 'Configuration'
+    runs-on: ubuntu-24.04
+    outputs:
+      should_publish: ${{ steps.vars.outputs.should_publish }}
+      image_namespace: ${{ steps.vars.outputs.image_namespace }}
+    steps:
+      - id: vars
+        name: 'Set Variables'
+        run: |
+          if [[ "${{ github.event_name }}" == "push" && "${{ github.ref }}" == "refs/heads/master" ]]; then
+            echo "should_publish=true" >> $GITHUB_OUTPUT
+          elif [[ "${{ github.event_name }}" == "workflow_dispatch" && "${{ github.event.inputs.publish }}" == "true" ]]; then
+            echo "should_publish=true" >> $GITHUB_OUTPUT
+          else
+            echo "should_publish=false" >> $GITHUB_OUTPUT
+          fi
+          echo "image_namespace=$(echo ${{ github.repository }} | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT
+
+  linux-amd64:
+    name: 'Docker Linux (x64)'
+    runs-on: ubuntu-24.04
+    needs: config
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - uses: actions/checkout@v4
+        name: 'Check out code'
+
+      - uses: ./.github/actions/docker-publish
+        name: 'Build and Publish Docker Image'
+        with:
+          registry: ${{ env.REGISTRY }}
+          namespace: ${{ needs.config.outputs.image_namespace }}
+          image_name: linux-amd64
+          context: ./skiko/docker/linux-amd64
+          platforms: linux/amd64
+          tag: ubuntu-2004
+          should_publish: ${{ needs.config.outputs.should_publish }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+
+  linux-arm64:
+    name: 'Docker Linux (arm64)'
+    runs-on: ubuntu-24.04
+    needs: config
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - uses: actions/checkout@v4
+        name: 'Check out code'
+
+      - uses: ./.github/actions/docker-publish
+        name: 'Build and Publish Docker Image'
+        with:
+          registry: ${{ env.REGISTRY }}
+          namespace: ${{ needs.config.outputs.image_namespace }}
+          image_name: linux-arm64
+          context: ./skiko/docker/linux-arm64
+          platforms: linux/arm64
+          tag: ubuntu-2004
+          should_publish: ${{ needs.config.outputs.should_publish }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+
+  linux-android-amd64:
+    name: 'Docker Linux with Android SDK (x64)'
+    runs-on: ubuntu-24.04
+    needs: config
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - uses: actions/checkout@v4
+        name: 'Check out code'
+
+      - uses: ./.github/actions/docker-publish
+        name: 'Build and Publish Docker Image'
+        with:
+          registry: ${{ env.REGISTRY }}
+          namespace: ${{ needs.config.outputs.image_namespace }}
+          image_name: linux-android-amd64
+          context: ./skiko/docker/linux-android-amd64
+          platforms: linux/amd64
+          tag: ubuntu-2004
+          should_publish: ${{ needs.config.outputs.should_publish }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+
+  linux-emscripten-amd64:
+    name: 'Docker Linux with Emscripten (x64)'
+    runs-on: ubuntu-24.04
+    needs: config
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - uses: actions/checkout@v4
+        name: 'Check out code'
+
+      - uses: ./.github/actions/docker-publish
+        name: 'Build and Publish Docker Image'
+        with:
+          registry: ${{ env.REGISTRY }}
+          namespace: ${{ needs.config.outputs.image_namespace }}
+          image_name: linux-emscripten-amd64
+          context: ./skiko/docker/linux-emscripten-amd64
+          platforms: linux/amd64
+          tag: ubuntu-2004
+          should_publish: ${{ needs.config.outputs.should_publish }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+
+  linux-compat:
+    name: 'Docker Linux (Compatibility)'
+    runs-on: ubuntu-24.04
+    needs: config
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - uses: actions/checkout@v4
+        name: 'Check out code'
+
+      - uses: ./.github/actions/docker-publish
+        name: 'Build and Publish Docker Image'
+        with:
+          registry: ${{ env.REGISTRY }}
+          namespace: ${{ needs.config.outputs.image_namespace }}
+          image_name: linux-compat
+          context: ./skiko/docker/linux-compat
+          platforms: linux/amd64,linux/arm64
+          tag: amazonlinux2-latest
+          should_publish: ${{ needs.config.outputs.should_publish }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+
+  windows:
+    name: 'Docker Windows'
+    runs-on: windows-2022
+    needs: config
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - uses: actions/checkout@v4
+        name: 'Check out code'
+
+      - name: 'Log in to GitHub Container Registry'
+        if: needs.config.outputs.should_publish == 'true'
+        shell: pwsh
+        run: |
+          echo "${{ secrets.GITHUB_TOKEN }}" | docker login ${{ env.REGISTRY }} -u ${{ github.actor }} --password-stdin
+
+      - name: 'Build Image'
+        shell: pwsh
+        working-directory: ./skiko/docker/windows
+        run: |
+          docker build -t ${{ env.REGISTRY }}/${{ needs.config.outputs.image_namespace }}/windows-amd64:ltsc2022 -m 2G .
+
+      - name: 'Push Image'
+        if: needs.config.outputs.should_publish == 'true'
+        shell: pwsh
+        run: |
+          docker push ${{ env.REGISTRY }}/${{ needs.config.outputs.image_namespace }}/windows-amd64:ltsc2022
diff --git a/.github/workflows/publish-dry-run.yml b/.github/workflows/publish-dry-run.yml
@@ -10,10 +10,7 @@ jobs:
   Android:
     runs-on: ubuntu-24.04
     container:
-      image: registry.jetbrains.team/p/ui/skiko-docker/skiko-build-linux-android-amd64:ubuntu-2004
-      credentials:
-        username: ${{ secrets.SPACE_DOCKER_REGISTRY_USER }}
-        password: ${{ secrets.SPACE_DOCKER_REGISTRY_TOKEN }}
+      image: ghcr.io/jetbrains/skiko/linux-android-amd64:ubuntu-2004
     steps:
       - uses: actions/checkout@v3
         name: 'Check out code'
@@ -38,10 +35,7 @@ jobs:
   Web:
     runs-on: ubuntu-24.04
     container:
-      image: registry.jetbrains.team/p/ui/skiko-docker/skiko-build-linux-emscripten-amd64:ubuntu-2004
-      credentials:
-        username: ${{ secrets.SPACE_DOCKER_REGISTRY_USER }}
-        password: ${{ secrets.SPACE_DOCKER_REGISTRY_TOKEN }}
+      image: ghcr.io/jetbrains/skiko/linux-emscripten-amd64:ubuntu-2004
     steps:
       - uses: actions/checkout@v3
         name: 'Check out code'
@@ -59,10 +53,7 @@ jobs:
   Linux:
     runs-on: ubuntu-24.04
     container:
-      image: registry.jetbrains.team/p/ui/skiko-docker/skiko-build-linux-amd64:ubuntu-2004
-      credentials:
-        username: ${{ secrets.SPACE_DOCKER_REGISTRY_USER }}
-        password: ${{ secrets.SPACE_DOCKER_REGISTRY_TOKEN }}
+      image: ghcr.io/jetbrains/skiko/linux-amd64:ubuntu-2004
     steps:
       - uses: actions/checkout@v3
         name: 'Check out code'
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -162,10 +162,7 @@ jobs:
     name: 'Linux (x64)'
     runs-on: ubuntu-24.04
     container:
-      image: registry.jetbrains.team/p/ui/skiko-docker/skiko-build-linux-amd64:ubuntu-2004
-      credentials:
-        username: ${{ secrets.SPACE_DOCKER_REGISTRY_USER }}
-        password: ${{ secrets.SPACE_DOCKER_REGISTRY_TOKEN }}
+      image: ghcr.io/jetbrains/skiko/linux-amd64:ubuntu-2004
     steps:
       - uses: actions/checkout@v3
         name: 'Check out code'
@@ -217,10 +214,7 @@ jobs:
     name: 'Cross-compile Linux (arm) on x64'
     runs-on: ubuntu-24.04
     container:
-      image: registry.jetbrains.team/p/ui/skiko-docker/skiko-build-linux-amd64:ubuntu-2004
-      credentials:
-        username: ${{ secrets.SPACE_DOCKER_REGISTRY_USER }}
-        password: ${{ secrets.SPACE_DOCKER_REGISTRY_TOKEN }}
+      image: ghcr.io/jetbrains/skiko/linux-amd64:ubuntu-2004
     steps:
       - uses: actions/checkout@v3
         name: 'Check out code'
@@ -249,10 +243,7 @@ jobs:
     needs: linux-cross-compile
     runs-on: ubuntu-24.04-arm
     container:
-      image: registry.jetbrains.team/p/ui/skiko-docker/skiko-build-linux-arm64:ubuntu-2004
-      credentials:
-        username: ${{ secrets.SPACE_DOCKER_REGISTRY_USER }}
-        password: ${{ secrets.SPACE_DOCKER_REGISTRY_TOKEN }}
+      image: ghcr.io/jetbrains/skiko/linux-arm64:ubuntu-2004
     steps:
       - uses: actions/checkout@v3
         name: 'Check out code'
