ci: publish Docker images to GHCR alongside Docker Hub #7569
Merged
JohnMcLear merged 2 commits into develop on Apr 20, 2026
Adds ghcr.io/ether/etherpad as a second publish target on release tags, reusing the existing docker/metadata-action step so the same SemVer tags (e.g. 2.6.1, 2.6, 2, latest) are pushed to both registries. Motivation: downstream consumers (Helm charts in particular) hit Docker Hub anonymous pull rate limits. GHCR has no such limits and the workflow already runs with GITHUB_TOKEN, so this is additive with no new secrets required. Docker Hub remains the primary/canonical source; GHCR is a mirror. Note: this only affects future release tags. The 2.6.1 tag already on Docker Hub will need to be mirrored separately (e.g. via skopeo) if downstream needs it on GHCR before the next release.
Review Summary by Qodo
Publish Docker images to GHCR alongside Docker Hub

Walkthroughs

Description
• Adds GHCR (ghcr.io/ether/etherpad) as secondary Docker image registry
• Reuses existing metadata action for consistent SemVer tagging across registries
• Adds packages: write permission for GITHUB_TOKEN GHCR push access
• Implements GHCR login step using built-in GitHub credentials

Diagram
flowchart LR
A["Docker metadata-action"] -->|generates tags| B["Docker Hub<br/>etherpad/etherpad"]
A -->|generates tags| C["GHCR<br/>ghcr.io/ether/etherpad"]
D["GITHUB_TOKEN"] -->|authenticates| C
E["DOCKERHUB_TOKEN"] -->|authenticates| B

File Changes
1. .github/workflows/docker.yml
Two fixes from the Qodo code review on #7569:

1. Overprivileged PR token (security). The original change set 'packages: write' at workflow level, which meant pull_request runs (whose Test step executes PR-controlled code) also inherited push access to GHCR. Splits the workflow into two jobs:
   - build-test: runs on pull_request and push with contents:read only. Does the single-arch load+test as before.
   - publish: needs build-test, runs only on push with packages:write. Does the multi-arch build-and-push, Docker Hub description update, and ether-charts bump.
   Docker Hub login is also now gated by job-level 'if' (same effect as the previous step-level 'if').

2. Docs miss GHCR option. Updates doc/docker.md and README.md to document the GHCR mirror alongside Docker Hub with equivalent pull examples, so downstream users discovering via docs can choose the mirror to avoid Docker Hub rate limits.
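The job split described in the commit message above, as an added sketch that is not the project's actual .github/workflows/docker.yml. Job names, permission scopes, image names and the 'if' gate come from this page; the tag pattern, action versions, the DOCKERHUB_USERNAME secret name and the stand-in test step are assumptions, and the multi-arch setup, Docker Hub description update and ether-charts bump are left out.

```yaml
# Added sketch, not the project's docker.yml; tag pattern, secret names, test step are assumptions.
on:
  pull_request:
  push: { tags: ["v*"] }
# Before the fix, 'packages: write' sat at workflow level, so pull_request runs
# (which execute PR-controlled code) inherited a push-capable token.
permissions: {}                # no scopes by default; each job opts in
jobs:
  build-test:                  # runs on pull_request and push
    runs-on: ubuntu-latest
    permissions:
      contents: read           # read-only token while PR code executes
    steps:
      - uses: actions/checkout@v4
      - uses: docker/build-push-action@v6
        with:
          context: .
          load: true           # single-arch image, loaded locally, never pushed
          tags: etherpad:test
      - run: docker image inspect etherpad:test >/dev/null  # stand-in for the Test step
  publish:
    needs: build-test
    if: github.event_name == 'push'   # job-level gate: skipped on pull_request
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write          # GHCR push scope, granted to this job only
    steps:
      - uses: actions/checkout@v4
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}   # assumed secret name
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - id: meta
        uses: docker/metadata-action@v5
        with:
          images: |
            etherpad/etherpad
            ghcr.io/ether/etherpad
      - uses: docker/build-push-action@v6
        with:
          context: .
          push: true
          tags: ${{ steps.meta.outputs.tags }}
```

With this layout a pull_request run only ever receives the build-test job's read-only token; the 'packages: write' scope exists solely in a job that the 'if' gate skips for pull requests.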
Summary
Adds ghcr.io/ether/etherpad as a second publish target for release tags, reusing the existing docker/metadata-action step so identical SemVer tags (2.6.1, 2.6, 2, latest) are pushed to both registries.

Why
Downstream consumers — notably Helm chart repositories — hit Docker Hub's anonymous pull rate limits in Kubernetes clusters. GHCR has no equivalent limits, and Docker Hub is still under flux re: future pricing changes. Publishing to both gives downstreams a choice and costs us nothing; GITHUB_TOKEN already has enough scope to push to the org's own GHCR namespace, so no new secrets.

Concrete trigger: trueforge-org/truecharts#47234 — TrueCharts maintainers pushed back on a chart update that pointed at Docker Hub, citing rate-limiting pain. Publishing to GHCR solves this for them and for anyone else in the same position.

Changes
.github/workflows/docker.yml:
- packages: write to permissions: (required for GHCR push via GITHUB_TOKEN).
- ghcr.io/ether/etherpad to the images: list in the docker/metadata-action step.
- Log in to GHCR step using the built-in GITHUB_TOKEN — runs in parallel with the existing Docker Hub login, same if: github.event_name == 'push' gate.

Docker Hub remains the primary/canonical source. GHCR is a mirror.

Testing
build-push-action step already supports multiple tags across registries, so no behavioural change for Docker Hub.

Follow-up
This only publishes future release tags. If downstream needs 2.6.1 on GHCR before the next release, it must be mirrored separately (e.g. skopeo copy --all docker://docker.io/etherpad/etherpad:2.6.1 docker://ghcr.io/ether/etherpad:2.6.1). Happy to do that one-shot after merge.