From 5ca801bdd19edbf6b35b8563be0b5c85cb5fd06a Mon Sep 17 00:00:00 2001
From: Christbru
Date: Sat, 18 Oct 2025 20:54:55 -0500
Subject: [PATCH] Switch to GITHUB_TOKEN allowing only the action to trigger an update. Not necessary if public but doesn't harm anything and can cover if private.
---
 .github/workflows/build-and-deploy.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/build-and-deploy.yml b/.github/workflows/build-and-deploy.yml
index d11733e..c3c50dc 100644
--- a/.github/workflows/build-and-deploy.yml
+++ b/.github/workflows/build-and-deploy.yml
@@ -72,8 +72,8 @@ jobs:
 - name: Deploy to server via SSH ☁️
 uses: appleboy/ssh-action@v1.0.3
 env:
- GHCR_USERNAME: ${{ secrets.GHCR_USERNAME }}
- GHCR_TOKEN: ${{ secrets.GHCR_TOKEN }}
+ RUNNER_GH_ACTOR: ${{ github.actor }}
+ RUNNER_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with:
 host: ${{ secrets.SERVER_HOST }}
 username: ${{ secrets.SERVER_USERNAME }}
@@ -83,9 +83,9 @@ jobs:
 cd /home/github-actions/codered-astra
 # wrapper to support both Docker Compose v2 and legacy v1
 compose() { docker compose "$@" || docker-compose "$@"; }
- # Log in to GHCR to pull private images (requires GHCR_USERNAME and GHCR_TOKEN envs)
- if [ -n "$GHCR_USERNAME" ] && [ -n "$GHCR_TOKEN" ]; then
- echo "$GHCR_TOKEN" | docker login ghcr.io -u "$GHCR_USERNAME" --password-stdin
+ # Log in to GHCR using the run's GITHUB_TOKEN so compose can pull images.
+ if [ -n "$RUNNER_GITHUB_TOKEN" ] && [ -n "$RUNNER_GH_ACTOR" ]; then
+ echo "$RUNNER_GITHUB_TOKEN" | docker login ghcr.io -u "$RUNNER_GH_ACTOR" --password-stdin || true
 fi
 export REPO_NAME_LOWER='${{ steps.repo_name.outputs.name }}'
 export GEMINI_API_KEY='${{ secrets.GEMINI_API_KEY }}'
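Review bot: The renamed variables `RUNNER_GH_ACTOR` and `RUNNER_GITHUB_TOKEN` only reach the remote shell if they are named in the action's `envs:` input, and the diffstat (5 insertions, 5 deletions, all accounted for in the two hunks) shows no such line was touched. If the `with:` block, which continues below this hunk, carries `envs: GHCR_USERNAME,GHCR_TOKEN`, it needs to become `envs: RUNNER_GH_ACTOR,RUNNER_GITHUB_TOKEN`; otherwise both values are empty on the server and the login guard is skipped without any message. The run's `GITHUB_TOKEN` also needs `packages: read` to pull from GHCR, so an explicit job-level `permissions:` block (not visible here) limited to what the job actually uses would make the pull work and keep the token handed to the server least-privileged. Now that the workflow token is passed to a third-party action, pinning `appleboy/ssh-action` to a full commit SHA instead of `@v1.0.3` is worth considering.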
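Review bot: The `|| true` appended to the new `docker login` line hides an authentication failure, so a token without package read access, or variables that never arrived on the server, shows up only later as a pull error, or possibly not at all if compose can start from images already on the host. Failing loudly is safer for a deploy step, e.g. `... --password-stdin || { echo "GHCR login failed" >&2; exit 1; }`. By default `docker login` also stores the credential in the deploy user's Docker config on the server; the token expires with the job, which limits the exposure, but a `docker logout ghcr.io` at the end of the script would avoid leaving it behind. The script continues outside this hunk, so where the logout belongs depends on lines not shown.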