Run pinned GHCR smoke on every CI push

Author: a-a-k

.github/workflows/ci.yml

@@ -14,9 +14,6 @@ on:
 jobs:
   validate:
     runs-on: ubuntu-latest
-    env:
-      MB3R_GHCR_USERNAME: ${{ secrets.MB3R_GHCR_USERNAME }}
-      MB3R_GHCR_TOKEN: ${{ secrets.MB3R_GHCR_TOKEN }}
     steps:
       - uses: actions/checkout@v4
 
@@ -38,15 +35,8 @@ jobs:
         run: make e2e-adapters
 
       - name: Generic live smoke with pinned GHCR images
-        if: ${{ env.MB3R_GHCR_USERNAME != '' && env.MB3R_GHCR_TOKEN != '' }}
         run: make k8s-smoke-generic-pinned
 
-      - name: Note pinned GHCR smoke precondition
-        if: ${{ env.MB3R_GHCR_USERNAME == '' || env.MB3R_GHCR_TOKEN == '' }}
-        run: |
-          echo "::warning::Pinned GHCR smoke skipped because MB3R_GHCR_USERNAME and MB3R_GHCR_TOKEN are not configured."
-          echo "::warning::Repo-scoped GITHUB_TOKEN does not currently prove cross-repo pull access to upstream Bering/Sheaft GHCR packages."
-
       - name: Package chart
         run: make chart-package
 

README.md

@@ -86,7 +86,7 @@ python scripts/tasks.py e2e-adapters
 python scripts/tasks.py release-dry-run
 ```
 
-`make k8s-smoke-generic` verifies the live generic runtime contract with locally rebuilt images from the pinned release binaries. `make k8s-smoke-generic-pinned` verifies the clean-cluster startup path for the chart's default pinned `ghcr.io/mb3r-lab/bering` and `ghcr.io/mb3r-lab/sheaft` images, using anonymous pull by default and a temporary `imagePullSecret` when `MB3R_GHCR_USERNAME` and `MB3R_GHCR_TOKEN` are set. Repository CI runs that pinned-image smoke only when those explicit cross-repo GHCR credentials are configured; the repo-scoped `GITHUB_TOKEN` is not treated as sufficient proof of upstream package pullability.
+`make k8s-smoke-generic` verifies the live generic runtime contract with locally rebuilt images from the pinned release binaries. `make k8s-smoke-generic-pinned` verifies the clean-cluster startup path for the chart's default pinned `ghcr.io/mb3r-lab/bering` and `ghcr.io/mb3r-lab/sheaft` images. The default path is now anonymous pull against public GHCR packages; optional `MB3R_GHCR_USERNAME` and `MB3R_GHCR_TOKEN` are still supported when you need to validate an authenticated pull path explicitly.
 
 ## Compatibility Notes
 

docs/verification/generic-e2e.md

@@ -18,8 +18,7 @@ What it checks:
 - live-cluster install smoke through `kind` with locally rebuilt images from the pinned release binaries
 - clean-cluster startup of the chart's default pinned `ghcr.io/mb3r-lab/bering` and `ghcr.io/mb3r-lab/sheaft` images
 - anonymous pull by default for pinned-image smoke, with an optional temporary `imagePullSecret` from `MB3R_GHCR_USERNAME` and `MB3R_GHCR_TOKEN`
-- pinned-image smoke wired into repository CI only when explicit `MB3R_GHCR_USERNAME` and `MB3R_GHCR_TOKEN` secrets are configured
-- repo-scoped `GITHUB_TOKEN` is not assumed to prove cross-repo pullability of the upstream Bering/Sheaft GHCR packages
+- pinned-image smoke wired into repository CI on every push now that the upstream Bering and Sheaft GHCR packages are public
 - explicit failure attribution when Kubernetes reports image-pull or auth errors instead of letting them collapse into a generic timeout
 
 If this path fails, generic stack readiness is not proven even if the OTel Demo profile still passes.