Log into different registry for pulling and pushing

2026-01-17 10:31:05 +01:00
parent ea713f6675
commit 8d2988f28f
1 changed files with 16 additions and 38 deletions
--- a/.forgejo/workflows/ci.yaml
+++ b/.forgejo/workflows/ci.yaml
@@ -25,40 +25,11 @@ jobs:
        with:
          fetch-depth: 0

-      - name: Show variables and secrets
-        run: |
-          echo "HELLO_SECRET: ${HELLO_SECRET}"
-          echo "CI_GREETING: ${CI_GREETING}"
-          echo "REGISTRY_HOST: ${REGISTRY_HOST}"
-          echo "IMAGE_NAMESPACE: ${IMAGE_NAMESPACE}"
-          echo "IMAGE_NAME: ${IMAGE_NAME}"
-        env:
-          HELLO_SECRET: ${{ secrets.HELLO_SECRET }}
-
      - name: Trust cluster CA
        run: |
          cp /etc/cluster-ca/root-ca.crt /usr/local/share/ca-certificates/cluster-root-ca.crt
          update-ca-certificates

-      - name: Debug CA trust
-        run: |
-          echo "== cluster CA file =="
-          ls -l /etc/cluster-ca || true
-          ls -l /etc/cluster-ca/root-ca.crt || true
-          echo "== ca-certificates directory =="
-          ls -l /usr/local/share/ca-certificates || true
-          ls -l /etc/ssl/certs | grep sk4.nz || true
-          echo "== CA content (cluster) =="
-          openssl x509 -in /etc/cluster-ca/root-ca.crt -noout -subject -issuer -dates -fingerprint -sha256 || true
-          echo "== CA in system trust store? =="
-          grep -R "BEGIN CERTIFICATE" -n /etc/ssl/certs || true
-
-      - name: Debug docker registry trust
-        run: |
-          echo "== docker certs.d (job container) =="
-          ls -l /etc/docker/certs.d || true
-          ls -l /etc/docker/certs.d/harbor.k8s.sk4.nz || true
-
      - name: Install required dependencies
        run: |
          apt-get update
@@ -82,12 +53,12 @@ jobs:
      - name: Verify Docker CLI version
        run: docker --version

-      - name: Login to registry
+      - name: Login to docker-mirror (pull)
        run: |
-          echo "${REGISTRY_TOKEN}" | docker login "${REGISTRY_HOST}" -u "${REGISTRY_USERNAME}" --password-stdin
+          echo "${MIRROR_REGISTRY_TOKEN}" | docker login "${REGISTRY_HOST}" -u "${MIRROR_REGISTRY_USERNAME}" --password-stdin
        env:
-          REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
-          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
+          MIRROR_REGISTRY_USERNAME: ${{ secrets.MIRROR_REGISTRY_USERNAME }}
+          MIRROR_REGISTRY_TOKEN: ${{ secrets.MIRROR_REGISTRY_TOKEN }}

      - name: Build image
        run: |
@@ -95,11 +66,6 @@ jobs:
          echo "IMAGE_REF=${IMAGE_REF}" >> "${GITHUB_ENV}"
          docker build -t "${IMAGE_REF}" .

-
-      - name: Push image
-        run: |
-          docker push "${IMAGE_REF}"
-
      - name: Trivy scan (securecodebox)
        run: |
          docker run --rm \
@@ -123,3 +89,15 @@ jobs:
            -F "active=true"
        env:
          DEFECTDOJO_API_KEY: ${{ secrets.DEFECTDOJO_API_KEY }}
+
+      - name: Login to registry (push)
+        run: |
+          echo "${REGISTRY_TOKEN}" | docker login "${REGISTRY_HOST}" -u "${REGISTRY_USERNAME}" --password-stdin
+        env:
+          REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
+          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
+
+      - name: Push image
+        run: |
+          docker push "${IMAGE_REF}"
+