Skip to content

Commit 8ce6e42

Browse files
committed
ci: fix ghcr push credential consistency
The GHCR push step used `||` between independent secrets: `BOT_TOKEN || GITHUB_TOKEN` and `BOT_LOGIN || repository_owner`. When only one `BOT_` secret was set, credentials became a mismatched pair (e.g. BOT_TOKEN + repository_owner), causing a `denied: denied` authentication failure from ghcr.io. Now `&&` ensures both `BOT_TOKEN` and `BOT_LOGIN` must exist together to be used; otherwise it falls back to the always-available and consistent `GITHUB_TOKEN` + `github.actor` pair. This is backwards-compatible: setups with both bot secrets keep working. Setups with none or only one now consistently use GITHUB_TOKEN.
1 parent 367f1c9 commit 8ce6e42

1 file changed

Lines changed: 2 additions & 2 deletions

File tree

.github/workflows/ci.yaml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -101,6 +101,6 @@ jobs:
101101
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
102102
env:
103103
REGISTRY_HOST: ghcr.io
104-
REGISTRY_TOKEN: ${{ secrets.BOT_TOKEN || secrets.GITHUB_TOKEN }}
105-
REGISTRY_USERNAME: ${{ secrets.BOT_LOGIN || github.repository_owner }}
104+
REGISTRY_TOKEN: ${{ secrets.BOT_LOGIN && secrets.BOT_TOKEN || secrets.GITHUB_TOKEN }}
105+
REGISTRY_USERNAME: ${{ secrets.BOT_TOKEN && secrets.BOT_LOGIN || github.actor }}
106106
run: ./hooks/push

0 commit comments

Comments
 (0)