pathogen-repo-ci: Log in to ghcr.io if possible

This allows the use of docker-base images we transiently stage at ghcr.io before publishing to docker.io. A new "permissions:" block with "packages: read" restricts the ghcr.io access to read-only. This addition requires explicitly enumerating the rest of the required permissions too, which is only "contents: read" for actions/checkout. Related-to: <nextstrain/docker-base#148>
nextstrain · May 5, 2023 · 83e7441 · 83e7441
1 parent c2c37b5
commit 83e7441
Showing 1 changed file with 15 additions and 0 deletions.
diff --git a/.github/workflows/pathogen-repo-ci.yaml b/.github/workflows/pathogen-repo-ci.yaml
@@ -44,6 +44,10 @@ on:
         default: ""
         required: false
 
+permissions:
+  contents: read
+  packages: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -62,6 +66,17 @@ jobs:
           password: ${{ secrets.DOCKER_TOKEN_PUBLIC_READ_ONLY }}
         continue-on-error: true
 
+      # Log in, if possible, to ghcr.io which we use for staging images in
+      # nextstrain/docker-base.  The automatic GITHUB_TOKEN is restricted to
+      # read-only access by the "permissions:" block above.
+      - name: Log in to ghcr.io
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+        continue-on-error: true
+
       # Transforms the inputs.env *string* containing YAML like this:
       #
       #   FOO: bar