Fix GHCR authentication: add fallback to local build + improved error handling

.github/workflows/ci-cd.yml

@@ -219,11 +219,27 @@ jobs:
           # Copy production docker compose file to the active compose.yml
           cp deploy-production/docker-compose.prod.yml compose.yml
           
-          # Login to GitHub Container Registry
-          echo $GITHUB_TOKEN | docker login ghcr.io -u $GITHUB_ACTOR --password-stdin
+          # Try to login to GitHub Container Registry and pull images
+          echo "Attempting to pull images from GitHub Container Registry..."
+          if echo $DEPLOY_TOKEN | docker login ghcr.io -u remmerinio --password-stdin; then
+            echo "✅ Successfully logged into GHCR"
+            if docker-compose -f compose.yml pull; then
+              echo "✅ Successfully pulled images from GHCR"
+              USE_REMOTE_IMAGES=true
+            else
+              echo "⚠️ Failed to pull images from GHCR, will build locally"
+              USE_REMOTE_IMAGES=false
+            fi
+          else
+            echo "⚠️ Failed to login to GHCR, will build locally"
+            USE_REMOTE_IMAGES=false
+          fi
           
-          # Pull latest images
-          docker-compose -f compose.yml pull
+          # If we couldn't pull from GHCR, build locally
+          if [ "$USE_REMOTE_IMAGES" = "false" ]; then
+            echo "🔨 Building images locally from source code..."
+            docker build -t ghcr.io/remmerinio/stiftung-management-system:latest ./app
+          fi
           
           # Stop containers
           docker-compose -f compose.yml down

GHCR_AUTH_SETUP.md

@@ -0,0 +1,48 @@
+# GitHub Container Registry Authentication Setup
+
+## Problem
+The deployment pipeline fails to pull Docker images from GitHub Container Registry (GHCR) with error:
+```
+Error response from daemon: Head "https://ghcr.io/v2/remmerinio/stiftung-management-system/manifests/latest": denied: denied
+```
+
+## Root Cause
+The `GITHUB_TOKEN` used in GitHub Actions has limited permissions and cannot access private container packages.
+
+## Solution: Create Personal Access Token
+
+### 1. Create GitHub Personal Access Token
+1. Go to GitHub → Settings → Developer settings → Personal access tokens → Tokens (classic)
+2. Click "Generate new token (classic)"
+3. Select these scopes:
+   - ✅ `read:packages` - Download packages from GitHub Package Registry
+   - ✅ `write:packages` - Upload packages to GitHub Package Registry
+   - ✅ `repo` - Full control of private repositories (if repo is private)
+
+### 2. Add Token to Repository Secrets
+1. Go to your repository → Settings → Secrets and variables → Actions
+2. Click "New repository secret"
+3. Name: `DEPLOY_TOKEN`
+4. Value: Your personal access token
+5. Click "Add secret"
+
+### 3. Verify Token Works
+Test the token manually:
+```bash
+echo "YOUR_TOKEN_HERE" | docker login ghcr.io -u YOUR_USERNAME --password-stdin
+docker pull ghcr.io/remmerinio/stiftung-management-system:latest
+```
+
+## Alternative: Make Container Package Public
+1. Go to GitHub → Your Profile → Packages
+2. Find `stiftung-management-system` package
+3. Click on it → Package settings
+4. Change visibility to "Public"
+5. No authentication needed for public packages
+
+## Deployment Script Improvements
+The updated deployment script now:
+- ✅ Uses `DEPLOY_TOKEN` instead of `GITHUB_TOKEN`
+- ✅ Has fallback to local build if GHCR pull fails
+- ✅ Provides clear error messages
+- ✅ Continues deployment even if registry is unavailable