From 155bacec9fe1195d4efdfecfc530ac58f75a4e2a Mon Sep 17 00:00:00 2001
From: Stiftung Development
Date: Tue, 16 Sep 2025 09:53:57 +0200
Subject: [PATCH] Fix GHCR authentication: add fallback to local build + improved error handling
---
 .github/workflows/ci-cd.yml | 24 +++++++++++++++----
 GHCR_AUTH_SETUP.md | 48 +++++++++++++++++++++++++++++++++++++
 2 files changed, 68 insertions(+), 4 deletions(-)
 create mode 100644 GHCR_AUTH_SETUP.md
diff --git a/.github/workflows/ci-cd.yml b/.github/workflows/ci-cd.yml
index fed9472..c24fb71 100644
--- a/.github/workflows/ci-cd.yml
+++ b/.github/workflows/ci-cd.yml
@@ -219,11 +219,27 @@ jobs:
 # Copy production docker compose file to the active compose.yml
 cp deploy-production/docker-compose.prod.yml compose.yml
- # Login to GitHub Container Registry
- echo $GITHUB_TOKEN | docker login ghcr.io -u $GITHUB_ACTOR --password-stdin
+ # Try to login to GitHub Container Registry and pull images
+ echo "Attempting to pull images from GitHub Container Registry..."
+ if echo $DEPLOY_TOKEN | docker login ghcr.io -u remmerinio --password-stdin; then
+ echo "✅ Successfully logged into GHCR"
+ if docker-compose -f compose.yml pull; then
+ echo "✅ Successfully pulled images from GHCR"
+ USE_REMOTE_IMAGES=true
+ else
+ echo "⚠️ Failed to pull images from GHCR, will build locally"
+ USE_REMOTE_IMAGES=false
+ fi
+ else
+ echo "⚠️ Failed to login to GHCR, will build locally"
+ USE_REMOTE_IMAGES=false
+ fi
- # Pull latest images
- docker-compose -f compose.yml pull
+ # If we couldn't pull from GHCR, build locally
+ if [ "$USE_REMOTE_IMAGES" = "false" ]; then
+ echo "🔨 Building images locally from source code..."
+ docker build -t ghcr.io/remmerinio/stiftung-management-system:latest ./app
+ fi
 # Stop containers
 docker-compose -f compose.yml down
diff --git a/GHCR_AUTH_SETUP.md b/GHCR_AUTH_SETUP.md
new file mode 100644
index 0000000..5c3b24c
--- /dev/null
+++ b/GHCR_AUTH_SETUP.md
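Review bot: In `.github/workflows/ci-cd.yml`, both `else` branches that set `USE_REMOTE_IMAGES=false` turn a registry login or pull failure into a production deploy of an image built on the host from `./app`, and that image is tagged `ghcr.io/remmerinio/stiftung-management-system:latest`, so afterwards it cannot be told apart from the published one. That hides an expired or revoked `DEPLOY_TOKEN` and presumably ships an image that never went through the pipeline's own build job, so I would fail the step instead (`echo "GHCR login failed" >&2; exit 1`) or at least give the local build a distinct tag behind an explicit opt-in. The token is also expanded unquoted; `printf '%s' "$DEPLOY_TOKEN" | docker login ghcr.io -u remmerinio --password-stdin` avoids word splitting and echo's option handling. Since this step only pulls, the personal access token described in GHCR_AUTH_SETUP.md needs `read:packages` alone here, not `write:packages` or `repo`. The deploy script starts and continues outside this hunk.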
@@ -0,0 +1,48 @@
+# GitHub Container Registry Authentication Setup
+
+## Problem
+The deployment pipeline fails to pull Docker images from GitHub Container Registry (GHCR) with error:
+```
+Error response from daemon: Head "https://ghcr.io/v2/remmerinio/stiftung-management-system/manifests/latest": denied: denied
+```
+
+## Root Cause
+The `GITHUB_TOKEN` used in GitHub Actions has limited permissions and cannot access private container packages.
+
+## Solution: Create Personal Access Token
+
+### 1. Create GitHub Personal Access Token
+1. Go to GitHub → Settings → Developer settings → Personal access tokens → Tokens (classic)
+2. Click "Generate new token (classic)"
+3. Select these scopes:
+ - ✅ `read:packages` - Download packages from GitHub Package Registry
+ - ✅ `write:packages` - Upload packages to GitHub Package Registry
+ - ✅ `repo` - Full control of private repositories (if repo is private)
+
+### 2. Add Token to Repository Secrets
+1. Go to your repository → Settings → Secrets and variables → Actions
+2. Click "New repository secret"
+3. Name: `DEPLOY_TOKEN`
+4. Value: Your personal access token
+5. Click "Add secret"
+
+### 3. Verify Token Works
+Test the token manually:
+```bash
+echo "YOUR_TOKEN_HERE" | docker login ghcr.io -u YOUR_USERNAME --password-stdin
+docker pull ghcr.io/remmerinio/stiftung-management-system:latest
+```
+
+## Alternative: Make Container Package Public
+1. Go to GitHub → Your Profile → Packages
+2. Find `stiftung-management-system` package
+3. Click on it → Package settings
+4. Change visibility to "Public"
+5. No authentication needed for public packages
+
+## Deployment Script Improvements
+The updated deployment script now:
+- ✅ Uses `DEPLOY_TOKEN` instead of `GITHUB_TOKEN`
+- ✅ Has fallback to local build if GHCR pull fails
+- ✅ Provides clear error messages
+- ✅ Continues deployment even if registry is unavailable
\ No newline at end of file