From 2d5688064194e188e6bc8ac55d28566b16229a1f Mon Sep 17 00:00:00 2001 From: cjimti Date: Tue, 16 Jun 2026 20:34:49 -0700 Subject: [PATCH] Publish container images to GHCR instead of Docker Hub (#17) The release pushed images to Docker Hub (txn2/rtbeat), which needed DOCKERHUB_USERNAME / DOCKERHUB_TOKEN org secrets that don't exist, so the v1.2.0 release failed at the Docker Hub login step. Switch to the GitHub Container Registry, which authenticates with the built-in GITHUB_TOKEN (no external secret; the release job already has packages: write) and is free for public repos: - release.yml: log in to ghcr.io with github.actor + GITHUB_TOKEN. - .goreleaser.yml: image txn2/rtbeat -> ghcr.io/txn2/rtbeat (Cosign signing, multi-arch, and the image.source repo link are unchanged). - Drop all DOCKERHUB_* references. - Docs (README badge + docker run, docs/index.md, SECURITY.md, CLAUDE.md) point at ghcr.io/txn2/rtbeat. Migration: production pulls txn2/rtbeat:1.1.1 from Docker Hub today; new releases publish to ghcr.io/txn2/rtbeat:, and the package must be set public once so it pulls without a secret. Closes #17 --- .github/workflows/release.yml | 7 ++++--- .goreleaser.yml | 2 +- CLAUDE.md | 2 +- README.md | 4 ++-- SECURITY.md | 6 +++--- docs/index.md | 2 +- 6 files changed, 12 insertions(+), 11 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index a076969a..45af76a1 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -39,11 +39,12 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 - - name: Login to Docker Hub + - name: Login to GitHub Container Registry uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} - name: Install Cosign uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2 diff --git a/.goreleaser.yml b/.goreleaser.yml index d1a1da57..ae933273 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -88,7 +88,7 @@ dockers_v2: ids: - rtbeat images: - - txn2/rtbeat + - ghcr.io/txn2/rtbeat tags: - latest - "{{ .Tag }}" diff --git a/CLAUDE.md b/CLAUDE.md index afbfaddd..9caae73b 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -58,5 +58,5 @@ These differ from the pre-modules alpha the project was originally written again ## Release Tag `v*` → GitHub Actions runs GoReleaser v2: signed (Cosign keyless) archives with SBOMs, SLSA -provenance, multi-arch Docker images (`txn2/rtbeat`), and a Homebrew formula. Releases are created as +provenance, multi-arch container images (`ghcr.io/txn2/rtbeat`), and a Homebrew formula. Releases are created as drafts. diff --git a/README.md b/README.md index 82d86693..95d2646e 100644 --- a/README.md +++ b/README.md 
@@ -4,7 +4,7 @@ [![codecov](https://codecov.io/gh/txn2/rtbeat/graph/badge.svg)](https://codecov.io/gh/txn2/rtbeat) [![Go Report Card](https://goreportcard.com/badge/github.com/txn2/rtbeat)](https://goreportcard.com/report/github.com/txn2/rtbeat) [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/txn2/rtbeat/badge)](https://securityscorecards.dev/viewer/?uri=github.com/txn2/rtbeat) -[![Docker Pulls](https://img.shields.io/docker/pulls/txn2/rtbeat.svg)](https://hub.docker.com/r/txn2/rtbeat/) +[![ghcr.io](https://img.shields.io/badge/ghcr.io-txn2%2Frtbeat-2496ED?logo=github)](https://github.com/txn2/rtbeat/pkgs/container/rtbeat) # Rtbeat @@ -44,7 +44,7 @@ full set of libbeat output and processor options. ```bash docker run --rm -p 8081:8081 -v "$PWD/rtbeat.yml:/rtbeat.yml" \ - txn2/rtbeat -c /rtbeat.yml -e + ghcr.io/txn2/rtbeat -c /rtbeat.yml -e ``` ## Develop diff --git a/SECURITY.md b/SECURITY.md index 5b371116..1d1b8047 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -68,14 +68,14 @@ use the artifact. #### Container images -Container images published to `txn2/rtbeat` are signed with Cosign keyless -signing as well: +Container images published to `ghcr.io/txn2/rtbeat` are signed with Cosign +keyless signing as well: ```bash cosign verify \ --certificate-identity-regexp "https://github.com/txn2/rtbeat" \ --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ - txn2/rtbeat:{VERSION} + ghcr.io/txn2/rtbeat:{VERSION} ``` ### SLSA Provenance diff --git a/docs/index.md b/docs/index.md index 3fa00063..d90804e7 100644 --- a/docs/index.md +++ b/docs/index.md @@ -35,7 +35,7 @@ curl -s localhost:8081/in -d '{"uuid":"demo","size":1,"messages":[{"seq":"1","pa ```bash docker run --rm -p 8081:8081 -v "$PWD/rtbeat.yml:/rtbeat.yml" \ - txn2/rtbeat -c /rtbeat.yml -e + ghcr.io/txn2/rtbeat -c /rtbeat.yml -e ``` See [Configuration](configuration.md) for the output and listener settings.
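Review bot: In .github/workflows/release.yml, the new `Login to GitHub Container Registry` step only succeeds if the job grants `packages: write`, and the hunk context does not show the `permissions:` block that the commit message relies on. Please confirm it is declared on the release job itself rather than at workflow level, so that other jobs in the workflow do not inherit registry write access through GITHUB_TOKEN.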
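Review bot: In the .goreleaser.yml hunk, the visible tags are `latest` and `"{{ .Tag }}"`, and `.Tag` is the git tag including its `v` prefix, so a `v1.2.0` release publishes `ghcr.io/txn2/rtbeat:v1.2.0`, while the commit message says production pulls `txn2/rtbeat:1.1.1`. If no `{{ .Version }}` entry follows below the visible context, either add one or state the tag form in the migration note, so that deployments which swap only the registry prefix do not fail to pull.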
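Review bot: The README.md `docker run` line (and the identical one in docs/index.md) names `ghcr.io/txn2/rtbeat` with no tag, which resolves to the mutable `latest`. Since these lines are being rewritten anyway, suggest showing a versioned reference in the same `{VERSION}` form SECURITY.md uses, and linking to the Cosign verification section so the quick-start pulls the image that the signing instructions verify.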
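Review bot: In the SECURITY.md hunk, the unchanged context line `--certificate-identity-regexp "https://github.com/txn2/rtbeat"` is an unanchored pattern, so it also accepts a signing identity from any repository whose path merely begins with `txn2/rtbeat`. While this command is being edited for the registry move, anchor it, for example `^https://github.com/txn2/rtbeat/`, and preferably extend it to the `.github/workflows/release.yml` path so that only the release workflow's certificate verifies.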