ci: allow forks to override published container image namespace

d-cs · d-cs · commit 8ea6dbaf0df7 · 2026-06-08T12:51:05.000+01:00
The publish workflows hardcoded ghcr.io/triggerdotdev/... as the image
destination, so a fork building on push-to-main would attempt to push to
(and attest) the upstream packages.

Derive the webapp image repo from github.repository (overridable via the
WEBAPP_IMAGE_REPO variable) and read the worker namespace from the
IMAGE_REGISTRY variable, both defaulting to the current values so upstream
behaviour is unchanged.
diff --git a/.github/workflows/publish-webapp.yml b/.github/workflows/publish-webapp.yml
@@ -21,6 +21,9 @@ on:
       short_sha:
         description: Short commit SHA of the published build
         value: ${{ jobs.publish.outputs.short_sha }}
+      image_repo:
+        description: The image repository the build was published to (without tag)
+        value: ${{ jobs.publish.outputs.image_repo }}
     secrets:
       SENTRY_AUTH_TOKEN:
         required: false
@@ -33,6 +36,7 @@ jobs:
     outputs:
       version: ${{ steps.get_tag.outputs.tag }}
       short_sha: ${{ steps.get_commit.outputs.sha_short }}
+      image_repo: ${{ steps.set_tags.outputs.image_repo }}
     steps:
       - name: 🏭 Setup Depot CLI
         uses: depot/setup-action@15c09a5f77a0840ad4bce955686522a257853461 # v1.7.1
@@ -57,17 +61,22 @@ jobs:
       - name: 📛 Set the tags
         id: set_tags
         run: |
-          ref_without_tag=ghcr.io/triggerdotdev/trigger.dev
-          image_tags=$ref_without_tag:${STEPS_GET_TAG_OUTPUTS_TAG}
+          # The image repo defaults to ghcr.io/<owner>/<repo>, so a fork publishes
+          # to its own package automatically with no extra config. Set the
+          # WEBAPP_IMAGE_REPO repository variable to override it with any
+          # registry/path.
+          image_tags=$REF_WITHOUT_TAG:${STEPS_GET_TAG_OUTPUTS_TAG}
 
           # when pushing the mutable main tag, also push an immutable-by-convention
           # full-commit-sha tag so a commit can be resolved to a specific digest
           if [[ "${STEPS_GET_TAG_OUTPUTS_TAG}" == "main" ]]; then
-            image_tags=$image_tags,$ref_without_tag:${GITHUB_SHA}
+            image_tags=$image_tags,$REF_WITHOUT_TAG:${GITHUB_SHA}
           fi
 
           echo "image_tags=${image_tags}" >> "$GITHUB_OUTPUT"
+          echo "image_repo=${REF_WITHOUT_TAG}" >> "$GITHUB_OUTPUT"
         env:
+          REF_WITHOUT_TAG: ${{ vars.WEBAPP_IMAGE_REPO || format('ghcr.io/{0}', github.repository) }}
           STEPS_GET_TAG_OUTPUTS_TAG: ${{ steps.get_tag.outputs.tag }}
           STEPS_GET_TAG_OUTPUTS_IS_SEMVER: ${{ steps.get_tag.outputs.is_semver }}
 
@@ -122,6 +131,6 @@ jobs:
         continue-on-error: true
         uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
         with:
-          subject-name: ghcr.io/triggerdotdev/trigger.dev
+          subject-name: ${{ steps.set_tags.outputs.image_repo }}
           subject-digest: ${{ steps.build_push.outputs.digest }}
           push-to-registry: true
diff --git a/.github/workflows/publish-worker-v4.yml b/.github/workflows/publish-worker-v4.yml
@@ -65,11 +65,15 @@ jobs:
       - name: 📛 Set tags to push
         id: set_tags
         run: |
-          ref_without_tag=ghcr.io/triggerdotdev/${STEPS_GET_REPOSITORY_OUTPUTS_REPO}
+          # Defaults to the public namespace. Set the IMAGE_REGISTRY repository
+          # variable to publish under a different namespace (e.g. in a fork)
+          # instead of the default packages.
+          ref_without_tag=${IMAGE_REGISTRY}/${STEPS_GET_REPOSITORY_OUTPUTS_REPO}
           image_tags=$ref_without_tag:${STEPS_GET_TAG_OUTPUTS_TAG}
 
           echo "image_tags=${image_tags}" >> "$GITHUB_OUTPUT"
         env:
+          IMAGE_REGISTRY: ${{ vars.IMAGE_REGISTRY || 'ghcr.io/triggerdotdev' }}
           STEPS_GET_REPOSITORY_OUTPUTS_REPO: ${{ steps.get_repository.outputs.repo }}
           STEPS_GET_TAG_OUTPUTS_TAG: ${{ steps.get_tag.outputs.tag }}
           STEPS_GET_TAG_OUTPUTS_IS_SEMVER: ${{ steps.get_tag.outputs.is_semver }}
diff --git a/.github/workflows/publish-worker.yml b/.github/workflows/publish-worker.yml
@@ -83,7 +83,10 @@ jobs:
           docker tag infra_image "$REGISTRY/$REPOSITORY:$IMAGE_TAG"
           docker push "$REGISTRY/$REPOSITORY:$IMAGE_TAG"
         env:
-          REGISTRY: ghcr.io/triggerdotdev
+          # Defaults to the public namespace. Set the IMAGE_REGISTRY repository
+          # variable to publish worker images under a different namespace (e.g.
+          # in a fork) instead of the default packages.
+          REGISTRY: ${{ vars.IMAGE_REGISTRY || 'ghcr.io/triggerdotdev' }}
           REPOSITORY: ${{ steps.get_repository.outputs.repo }}
           IMAGE_TAG: ${{ steps.get_tag.outputs.tag }}
 
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -106,4 +106,4 @@ jobs:
       packages: read # pull the just-published image from GHCR
     uses: ./.github/workflows/trivy-image-webapp.yml
     with:
-      image-ref: ghcr.io/triggerdotdev/trigger.dev:${{ needs.publish-webapp.outputs.version }}
+      image-ref: ${{ needs.publish-webapp.outputs.image_repo }}:${{ needs.publish-webapp.outputs.version }}
