Document GHCR credential precondition for pinned smoke

a-a-k · a-a-k · commit f887a8bbac20 · 2026-03-15T12:48:13.000+03:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -35,11 +35,18 @@ jobs:
         run: make e2e-adapters
 
       - name: Generic live smoke with pinned GHCR images
+        if: ${{ secrets.MB3R_GHCR_USERNAME != '' && secrets.MB3R_GHCR_TOKEN != '' }}
         env:
-          GITHUB_ACTOR: ${{ github.actor }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          MB3R_GHCR_USERNAME: ${{ secrets.MB3R_GHCR_USERNAME }}
+          MB3R_GHCR_TOKEN: ${{ secrets.MB3R_GHCR_TOKEN }}
         run: make k8s-smoke-generic-pinned
 
+      - name: Note pinned GHCR smoke precondition
+        if: ${{ !(secrets.MB3R_GHCR_USERNAME != '' && secrets.MB3R_GHCR_TOKEN != '') }}
+        run: |
+          echo "::warning::Pinned GHCR smoke skipped because MB3R_GHCR_USERNAME and MB3R_GHCR_TOKEN are not configured."
+          echo "::warning::Repo-scoped GITHUB_TOKEN does not currently prove cross-repo pull access to upstream Bering/Sheaft GHCR packages."
+
       - name: Package chart
         run: make chart-package
 
diff --git a/README.md b/README.md
@@ -86,7 +86,7 @@ python scripts/tasks.py e2e-adapters
 python scripts/tasks.py release-dry-run
 ```
 
-`make k8s-smoke-generic` verifies the live generic runtime contract with locally rebuilt images from the pinned release binaries. `make k8s-smoke-generic-pinned` verifies the clean-cluster startup path for the chart's default pinned `ghcr.io/mb3r-lab/bering` and `ghcr.io/mb3r-lab/sheaft` images, using anonymous pull by default and a temporary `imagePullSecret` when `MB3R_GHCR_USERNAME` and `MB3R_GHCR_TOKEN` are set. Repository CI wires that pinned-image smoke through `GITHUB_TOKEN` with `packages:read` so pull/auth regressions fail on push.
+`make k8s-smoke-generic` verifies the live generic runtime contract with locally rebuilt images from the pinned release binaries. `make k8s-smoke-generic-pinned` verifies the clean-cluster startup path for the chart's default pinned `ghcr.io/mb3r-lab/bering` and `ghcr.io/mb3r-lab/sheaft` images, using anonymous pull by default and a temporary `imagePullSecret` when `MB3R_GHCR_USERNAME` and `MB3R_GHCR_TOKEN` are set. Repository CI runs that pinned-image smoke only when those explicit cross-repo GHCR credentials are configured; the repo-scoped `GITHUB_TOKEN` is not treated as sufficient proof of upstream package pullability.
 
 ## Compatibility Notes
 
diff --git a/docs/verification/generic-e2e.md b/docs/verification/generic-e2e.md
@@ -18,7 +18,8 @@ What it checks:
 - live-cluster install smoke through `kind` with locally rebuilt images from the pinned release binaries
 - clean-cluster startup of the chart's default pinned `ghcr.io/mb3r-lab/bering` and `ghcr.io/mb3r-lab/sheaft` images
 - anonymous pull by default for pinned-image smoke, with an optional temporary `imagePullSecret` from `MB3R_GHCR_USERNAME` and `MB3R_GHCR_TOKEN`
-- pinned-image smoke wired into repository CI through `GITHUB_TOKEN` with `packages:read`
+- pinned-image smoke wired into repository CI only when explicit `MB3R_GHCR_USERNAME` and `MB3R_GHCR_TOKEN` secrets are configured
+- repo-scoped `GITHUB_TOKEN` is not assumed to prove cross-repo pullability of the upstream Bering/Sheaft GHCR packages
 - explicit failure attribution when Kubernetes reports image-pull or auth errors instead of letting them collapse into a generic timeout
 
 If this path fails, generic stack readiness is not proven even if the OTel Demo profile still passes.
diff --git a/scripts/live_k8s_smoke.py b/scripts/live_k8s_smoke.py
@@ -137,11 +137,16 @@ def configure_ghcr_pull_secret(kubectl_bin: Path, credentials: tuple[str, str] |
 
 
 def enrich_failure_message(message: str) -> str:
-    if "401 Unauthorized" in message or "failed to authorize" in message:
+    if (
+        "401 Unauthorized" in message
+        or "403 Forbidden" in message
+        or "failed to authorize" in message
+    ):
         return (
             f"{message} "
             "Set MB3R_GHCR_USERNAME/MB3R_GHCR_TOKEN or GITHUB_ACTOR/GITHUB_TOKEN "
-            "to validate authenticated pulls for pinned GHCR images."
+            "to validate authenticated pulls for pinned GHCR images. "
+            "A 403 usually means the provided token does not have pull access to the upstream package."
         )
     return message
 
