@@ -16,39 +16,34 @@ jobs:
1616 build :
1717 runs-on : ubuntu-latest
1818 timeout-minutes : 60
19+ env :
20+ IMAGE_TAG : ghcr.io/${{ github.repository }}:${{ github.ref_name }}
1921 steps :
2022 - name : Checkout code
2123 uses : actions/checkout@v5
2224
23- - name : Derive image coordinates
24- id : meta
25- run : |
26- set -euo pipefail
27- repo="${GITHUB_REPOSITORY,,}"
28- ref="${GITHUB_REF_NAME}"
29- sanitized_ref=$(echo "${ref}" | tr '[:upper:]' '[:lower:]' | sed 's#[^a-z0-9_.-]#-#g')
30- echo "image=ghcr.io/${repo}:${sanitized_ref}" >> "$GITHUB_OUTPUT"
31-
32- - name : Set up Docker Buildx
33- uses : docker/setup-buildx-action@v3
34-
3525 - name : Log in to GitHub Container Registry
3626 uses : docker/login-action@v3
3727 with :
3828 registry : ghcr.io
3929 username : ${{ github.actor }}
4030 password : ${{ secrets.GITHUB_TOKEN }}
4131
32+ - name : Ensure pipeline token is configured
33+ run : |
34+ set -euo pipefail
35+ if [ -z "${{ secrets.PIPELINE_GITHUB_TOKEN }}" ]; then
36+ echo "Set the PIPELINE_GITHUB_TOKEN secret with a classic PAT that has at least public_repo scope." >&2
37+ exit 1
38+ fi
39+
4240 - name : Build and push image
4341 uses : docker/build-push-action@v6
4442 with :
4543 context : .
4644 file : container/Dockerfile
4745 push : true
4846 platforms : linux/amd64
49- # Optionally replace secrets.GITHUB_TOKEN with a PAT (use the same
50- # secret name or adjust this mapping) to avoid API rate limits when
51- # the pipeline fetches data for many repositories.
5247 secrets : |
53- github_token=${{ secrets.GITHUB_TOKEN }}
54- tags : ${{ steps.meta.outputs.image }}
48+ github_token=${{ secrets.PIPELINE_GITHUB_TOKEN }}
49+ tags : ${{ env.IMAGE_TAG }}
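Review bot: The new "Ensure pipeline token is configured" step expands `${{ secrets.PIPELINE_GITHUB_TOKEN }}` directly into the script text, so the token value is written into the generated shell file and any quote, `$` or backtick in it is parsed by the shell. Pass it through the step environment instead, with `env:` holding `PIPELINE_GITHUB_TOKEN: ${{ secrets.PIPELINE_GITHUB_TOKEN }}`, and test `if [ -z "${PIPELINE_GITHUB_TOKEN:-}" ]; then`. Separately, the job-level `IMAGE_TAG` no longer lowercases the repository or replaces characters outside `[a-z0-9_.-]` as the removed "Derive image coordinates" step did, so an owner name with uppercase letters or a ref name containing `/` would likely give `tags` an invalid image reference. The error message asks for a classic PAT that is then handed to the image build as a secret; a comment above `secrets:` stating the minimum scope and why a classic token is needed would help keep that credential least-privileged.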