pathogen-repo-ci: Log in to docker.io and ghcr.io if possible

For docker.io, this lifts low rate limits on image pulls. For ghcr.io, this allows the use of docker-base images we transiently stage there before publishing to docker.io. DOCKER_TOKEN_PUBLIC_READ_ONLY is an org-level secret available to all our public GitHub repos. On Docker Hub, it's granted "public read-only" access as nextstrainbot. Related-to: <nextstrain/docker-base#148>
nextstrain · May 5, 2023 · ae31ddb · ae31ddb
1 parent 2eb4a54
commit ae31ddb
Showing 1 changed file with 25 additions and 0 deletions.
diff --git a/.github/workflows/pathogen-repo-ci.yaml b/.github/workflows/pathogen-repo-ci.yaml
@@ -44,10 +44,35 @@ on:
         default: ""
         required: false
 
+permissions:
+  contents: read
+  packages: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
     steps:
+      # Log in, if possible, to docker.io (Docker Hub), since authenticated
+      # requests get higher rate limits (e.g. for image pulls).
+      - name: Log in to docker.io
+        uses: docker/login-action@v2
+        with:
+          registry: docker.io
+          username: nextstrainbot
+          password: ${{ secrets.DOCKER_TOKEN_PUBLIC_READ_ONLY }}
+        continue-on-error: true
+
+      # Log in, if possible, to ghcr.io which we use for staging images in
+      # nextstrain/docker-base.  The automatic GITHUB_TOKEN is restricted to
+      # read-only access by the "permissions:" block above.
+      - name: Log in to ghcr.io
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+        continue-on-error: true
+
       # Transforms the inputs.env *string* containing YAML like this:
       #
       #   FOO: bar