From 18b1d4f4cd31eb15bd8e66927eb06d0c6f2cc670 Mon Sep 17 00:00:00 2001 From: lilly Date: Thu, 14 May 2026 19:07:06 +0200 Subject: [PATCH] fix CI not being allowed to push container image --- .forgejo/workflows/container.yml | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/.forgejo/workflows/container.yml b/.forgejo/workflows/container.yml index 554b2e9..06d75ba 100644 --- a/.forgejo/workflows/container.yml +++ b/.forgejo/workflows/container.yml @@ -4,9 +4,6 @@ on: workflow_dispatch: {} push: {} -permissions: - packages: write - jobs: build-container: name: Build Container 
@@ -14,24 +11,30 @@ jobs: container: image: ghcr.io/osscontainertools/kaniko:alpine steps: - - name: Install NodeJS for actions compatibility + - name: Install required system packages run: apk add --no-cache nodejs + - name: Checkout source code uses: actions/checkout@v6 - - name: Login to container registry (prod only) - if: ${{ forgejo.ref_name == 'main' }} - run: /kaniko/executor login --username="forgejo-actions" --password="${{ forgejo.token }}" git.hamburg.ccc.de + - name: Build Container - env: - KANIKO_NO_PUSH: ${{ forgejo.ref_name != 'main' }} + # env: + # KANIKO_NO_PUSH: ${{ forgejo.ref_name != 'main' }} run: /kaniko/executor --dockerfile="${{forgejo.workspace }}/Containerfile" --context="dir://${{ forgejo.workspace }}" --destination=git.hamburg.ccc.de/ccchh/dooris:latest - --credential-helpers=env + --tar-path=${{ forgejo.workspace }}/image.tar + --no-push --no-push-cache --annotation=org.opencontainers.image.ref.name=dooris --annotation=org.opencontainers.image.url=${{ forgejo.server_url }}/${{ forgejo.repository }} --annotation=org.opencontainers.image.source=${{ forgejo.server_url }}/${{ forgejo.repository }} --annotation=org.opencontainers.image.licenses=AGPL-3.0 + - name: Push Container (prod-only) + if: ${{ forgejo.ref_name == 'main' }} + run: | + apk add --no-cache skopeo + skopeo copy "docker-archive:${{ forgejo.workspace }}/image.tar" docker://git.hamburg.ccc.de/ccchh/dooris:latest --dest-creds="forgejo-actions:${{ secrets.PACKAGES_TOKEN }}" +
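Review bot: In the new `Push Container (prod-only)` step the registry token is expanded by the template engine directly into the `run:` script and passed as `--dest-creds="forgejo-actions:${{ secrets.PACKAGES_TOKEN }}"`, so it lands in skopeo's argument list, and any `$`, backtick or `"` in the value would be interpreted by the shell. Passing it through `env:` and piping it to `skopeo login --password-stdin` keeps it out of argv and out of the script text, as in the excerpt below. Because the workflow triggers on `push: {}` for every branch, the `if:` guard limits when the push step runs but presumably not who can reference the secret from an edited workflow on another branch, so `PACKAGES_TOKEN` is best a package-write-only token on a dedicated account. The commented-out `# env:` / `# KANIKO_NO_PUSH` lines can be dropped now that `--no-push` is unconditional.

```yaml
      - name: Push Container (prod-only)
        # … unchanged: if: main-branch guard …
        env:
          PACKAGES_TOKEN: ${{ secrets.PACKAGES_TOKEN }}
        run: |
          # … unchanged: apk add --no-cache skopeo …
          printf '%s' "$PACKAGES_TOKEN" | skopeo login --username forgejo-actions --password-stdin git.hamburg.ccc.de
          skopeo copy "docker-archive:${{ forgejo.workspace }}/image.tar" docker://git.hamburg.ccc.de/ccchh/dooris:latest
```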