ci: resolve registry inline instead of a dedicated job

Drop the resolve-registry job to avoid its runner startup cost. GitHub
doesn't expose the env context to a reusable workflow's with: block, so
inline the resolution expression directly in each publish job's
image_registry input instead. Behavior and upstream defaults unchanged.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: d-cs

.github/workflows/publish.yml

@@ -53,22 +53,6 @@ env:
   AWS_REGION: us-east-1
 
 jobs:
-  # Resolve the target container registry namespace once and pass it down to every
-  # publish job. Defaults to ghcr.io/<owner>, so a fork publishes to its own
-  # namespace automatically; set the IMAGE_REGISTRY repository variable to override.
-  resolve-registry:
-    runs-on: ubuntu-latest
-    outputs:
-      registry: ${{ steps.resolve.outputs.registry }}
-    steps:
-      - name: 🧭 Resolve target registry
-        id: resolve
-        env:
-          IMAGE_REGISTRY: ${{ vars.IMAGE_REGISTRY }}
-          DEFAULT_REGISTRY: ghcr.io/${{ github.repository_owner }}
-        run: |
-          echo "registry=${IMAGE_REGISTRY:-$DEFAULT_REGISTRY}" >> "$GITHUB_OUTPUT"
-
   typecheck:
     uses: ./.github/workflows/typecheck.yml
 
@@ -79,7 +63,7 @@ jobs:
       DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
 
   publish-webapp:
-    needs: [typecheck, resolve-registry]
+    needs: [typecheck]
     permissions:
       contents: read
       packages: write
@@ -90,10 +74,13 @@ jobs:
       SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
     with:
       image_tag: ${{ inputs.image_tag }}
-      image_registry: ${{ needs.resolve-registry.outputs.registry }}
+      # Target registry namespace, resolved once here and passed to every publish
+      # job. Defaults to ghcr.io/<owner> so a fork publishes to its own namespace;
+      # set the IMAGE_REGISTRY repository variable to override.
+      image_registry: ${{ vars.IMAGE_REGISTRY || format('ghcr.io/{0}', github.repository_owner) }}
 
   publish-worker:
-    needs: [typecheck, resolve-registry]
+    needs: [typecheck]
     permissions:
       contents: read
       packages: write
@@ -103,18 +90,18 @@ jobs:
       DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
     with:
       image_tag: ${{ inputs.image_tag }}
-      image_registry: ${{ needs.resolve-registry.outputs.registry }}
+      image_registry: ${{ vars.IMAGE_REGISTRY || format('ghcr.io/{0}', github.repository_owner) }}
 
   publish-worker-v4:
-    needs: [typecheck, resolve-registry]
+    needs: [typecheck]
     permissions:
       contents: read
       packages: write
       id-token: write
     uses: ./.github/workflows/publish-worker-v4.yml
     with:
       image_tag: ${{ inputs.image_tag }}
-      image_registry: ${{ needs.resolve-registry.outputs.registry }}
+      image_registry: ${{ vars.IMAGE_REGISTRY || format('ghcr.io/{0}', github.repository_owner) }}
 
   # OS-level CVE scan of the image just published above. Report-only (writes to
   # the run summary); runs alongside the worker publishes and never blocks them.