revert: restore flat namespace for container images

GHCR nested namespaces require package-level write permissions that
aren't automatically granted even with repository write access. Revert
to flat namespace to unblock CI releases.

Changes:
- ghcr.io/nvidia/eidos/eidos → ghcr.io/nvidia/eidos
- ghcr.io/nvidia/eidos/eidosd → ghcr.io/nvidia/eidosd
- Update IMAGE_REGISTRY and KO_DOCKER_REPO to ghcr.io/nvidia

Co-Authored-By: Claude Opus 4.5 <[email protected]>

Author: mchmarny

.github/actions/go-build-release/action.yml

@@ -51,7 +51,7 @@ runs:
       env:
         GITHUB_TOKEN: ${{ github.token }}
         # Force lowercase registry path to avoid ko's uppercase character rejection
-        KO_DOCKER_REPO: ${{ inputs.ko_docker_repo || 'ghcr.io/nvidia/eidos' }}
+        KO_DOCKER_REPO: ${{ inputs.ko_docker_repo || 'ghcr.io/nvidia' }}
       run: |
         set -euo pipefail
         make release

.github/copilot-instructions.md

@@ -551,7 +551,7 @@ eidos bundle -r recipe.yaml -b gpu-operator,network-operator \
 
 - **Kubernetes**: Singleton client via `pkg/k8s/client.GetKubeClient()`
 - **NVIDIA Operators**: GPU Operator, Network Operator, NIM Operator, Nsight Operator
-- **Container Images**: ghcr.io/nvidia/eidos/eidos, ghcr.io/nvidia/eidos/eidosd
+- **Container Images**: ghcr.io/nvidia/eidos, ghcr.io/nvidia/eidosd
 - **Observability**: Prometheus metrics at `/metrics`, structured JSON logs to stderr
 
 ### Key Links
@@ -988,7 +988,7 @@ jobs:
         uses: ./.github/actions/go-build-release
       - uses: ./.github/actions/attest-image-from-tag
         with:
-          image_name: 'ghcr.io/nvidia/eidos/eidos'
+          image_name: 'ghcr.io/nvidia/eidos'
           image_tag: ${{ github.ref_name }}
       - if: steps.release.outputs.release_outcome == 'success'
         uses: ./.github/actions/cloud-run-deploy
@@ -998,7 +998,7 @@ jobs:
 - **SLSA Build Level 3**: GitHub OIDC attestations
 - **SBOMs**: SPDX format via Syft (containers) and GoReleaser (binaries)
 - **Signing**: Cosign keyless signing (Fulcio + Rekor)
-- **Verification**: `gh attestation verify oci://ghcr.io/nvidia/eidos/eidos:${TAG}`
+- **Verification**: `gh attestation verify oci://ghcr.io/nvidia/eidos:${TAG}`
 
 For detailed GitHub Actions architecture, see [actions/README.md](actions/README.md)
 

.github/workflows/on-tag.yaml

@@ -133,14 +133,14 @@ jobs:
       - name: Attest eidos image
         uses: ./.github/actions/attest-image-from-tag
         with:
-          image_name: ghcr.io/nvidia/eidos/eidos
+          image_name: ghcr.io/nvidia/eidos
           tag: ${{ github.ref_name }}
           crane_version: ${{ steps.versions.outputs.crane }}
 
       - name: Attest eidosd image
         uses: ./.github/actions/attest-image-from-tag
         with:
-          image_name: ghcr.io/nvidia/eidos/eidosd
+          image_name: ghcr.io/nvidia/eidosd
           tag: ${{ github.ref_name }}
           crane_version: ${{ steps.versions.outputs.crane }}
 

.goreleaser.yaml

@@ -94,7 +94,7 @@ kos:
   - id: eidos
     build: eidos
     repositories:
-      - ghcr.io/nvidia/eidos/eidos
+      - ghcr.io/nvidia/eidos
     base_image: nvcr.io/nvidia/cuda:13.1.0-runtime-ubuntu24.04
     platforms:
       - linux/amd64
@@ -108,7 +108,7 @@ kos:
   - id: eidosd
     build: eidosd
     repositories:
-      - ghcr.io/nvidia/eidos/eidosd
+      - ghcr.io/nvidia/eidosd
     base_image: gcr.io/distroless/static:nonroot
     platforms:
       - linux/amd64

Makefile

@@ -3,7 +3,7 @@
 
 REPO_NAME          := eidos
 VERSION            ?= $(shell git describe --tags --abbrev=0 2>/dev/null || echo "v0.0.0")
-IMAGE_REGISTRY     ?= ghcr.io/nvidia/eidos
+IMAGE_REGISTRY     ?= ghcr.io/nvidia
 IMAGE_TAG          ?= latest
 YAML_FILES         := $(shell find . -type f \( -iname "*.yml" -o -iname "*.yaml" \) ! -path "./examples/*" ! -path "./bundles/*" ! -path "./.flox/*")
 COMMIT             := $(shell git rev-parse HEAD)

RELEASING.md

@@ -83,12 +83,12 @@ Built via GoReleaser for multiple platforms:
 
 ### Container Images
 
-Published to GitHub Container Registry (`ghcr.io/nvidia/eidos/`):
+Published to GitHub Container Registry (`ghcr.io/nvidia/`):
 
 | Image | Base | Description |
 |-------|------|-------------|
-| `eidos/eidos` | `nvcr.io/nvidia/cuda:13.1.0-runtime-ubuntu24.04` | CLI with CUDA runtime |
-| `eidos/eidosd` | `gcr.io/distroless/static:nonroot` | Minimal API server |
+| `eidos` | `nvcr.io/nvidia/cuda:13.1.0-runtime-ubuntu24.04` | CLI with CUDA runtime |
+| `eidosd` | `gcr.io/distroless/static:nonroot` | Minimal API server |
 
 Tags: `latest`, `v1.2.3`
 
@@ -119,15 +119,15 @@ All releases must pass:
 export TAG=$(curl -s https://api.github.com/repos/NVIDIA/eidos/releases/latest | jq -r '.tag_name')
 
 # Verify with GitHub CLI (recommended)
-gh attestation verify oci://ghcr.io/nvidia/eidos/eidos:${TAG} --owner nvidia
-gh attestation verify oci://ghcr.io/nvidia/eidos/eidosd:${TAG} --owner nvidia
+gh attestation verify oci://ghcr.io/nvidia/eidos:${TAG} --owner nvidia
+gh attestation verify oci://ghcr.io/nvidia/eidosd:${TAG} --owner nvidia
 
 # Verify with Cosign
 cosign verify-attestation \
   --type spdxjson \
   --certificate-oidc-issuer https://token.actions.githubusercontent.com \
   --certificate-identity-regexp 'https://github.com/NVIDIA/eidos/.github/workflows/.*' \
-  ghcr.io/nvidia/eidos/eidos:${TAG}
+  ghcr.io/nvidia/eidos:${TAG}
 ```
 
 ### Verify Binary Checksums
@@ -144,14 +144,14 @@ sha256sum -c checksums.txt --ignore-missing
 
 ```bash
 # Pull container images
-docker pull ghcr.io/nvidia/eidos/eidos:${TAG}
-docker pull ghcr.io/nvidia/eidos/eidosd:${TAG}
+docker pull ghcr.io/nvidia/eidos:${TAG}
+docker pull ghcr.io/nvidia/eidosd:${TAG}
 
 # Test CLI
-docker run --rm ghcr.io/nvidia/eidos/eidos:${TAG} --version
+docker run --rm ghcr.io/nvidia/eidos:${TAG} --version
 
 # Test API server
-docker run --rm -p 8080:8080 ghcr.io/nvidia/eidos/eidosd:${TAG} &
+docker run --rm -p 8080:8080 ghcr.io/nvidia/eidosd:${TAG} &
 curl http://localhost:8080/health
 ```
 

SECURITY.md

@@ -67,7 +67,7 @@ export TAG=$(curl -s https://api.github.com/repos/NVIDIA/eidos/releases/latest |
 echo "Using tag: $TAG"
 
 # Resolve tag to immutable digest (requires crane or docker)
-export IMAGE="ghcr.io/nvidia/eidos/eidos"
+export IMAGE="ghcr.io/nvidia/eidos"
 export DIGEST=$(crane digest "${IMAGE}:${TAG}" 2>/dev/null || docker inspect "${IMAGE}:${TAG}" --format='{{index .RepoDigests 0}}' | cut -d'@' -f2)
 echo "Resolved digest: $DIGEST"
 
@@ -84,12 +84,12 @@ export IMAGE_DIGEST="${IMAGE}@${DIGEST}"
 gh attestation verify oci://${IMAGE_DIGEST} --owner nvidia
 
 # Verify the eidosd image
-export IMAGE_API="ghcr.io/nvidia/eidos/eidosd"
+export IMAGE_API="ghcr.io/nvidia/eidosd"
 export DIGEST_API=$(crane digest "${IMAGE_API}:${TAG}")
 gh attestation verify oci://${IMAGE_API}@${DIGEST_API} --owner nvidia
 
 # Note: You can still use tags, but tools may show warnings about mutability
-# gh attestation verify oci://ghcr.io/nvidia/eidos/eidos:${TAG} --owner nvidia
+# gh attestation verify oci://ghcr.io/nvidia/eidos:${TAG} --owner nvidia
 ```
 
 **Method 2: Cosign (SBOM Attestations)**
@@ -147,7 +147,7 @@ Export variables for the image you want to verify:
 # Get latest release tag
 export TAG=$(curl -s https://api.github.com/repos/NVIDIA/eidos/releases/latest | jq -r '.tag_name')
 
-export IMAGE="ghcr.io/nvidia/eidos/eidos"
+export IMAGE="ghcr.io/nvidia/eidos"
 export IMAGE_TAG="$IMAGE:$TAG"
 
 # Get digest for the tag (requires crane or docker)
@@ -252,7 +252,7 @@ Generated by Syft/Anchore, attached as Cosign attestations in SPDX v2.3 JSON for
 ```shell
 # Get latest release tag and resolve digest
 export TAG=$(curl -s https://api.github.com/repos/NVIDIA/eidos/releases/latest | jq -r '.tag_name')
-export IMAGE="ghcr.io/nvidia/eidos/eidosd"
+export IMAGE="ghcr.io/nvidia/eidosd"
 export DIGEST=$(crane digest "${IMAGE}:${TAG}")
 export IMAGE_DIGEST="${IMAGE}@${DIGEST}"
 
@@ -343,7 +343,7 @@ SLSA is a security framework that protects against supply chain attacks by ensur
 ```shell
 # Get latest release tag and resolve digest
 export TAG=$(curl -s https://api.github.com/repos/NVIDIA/eidos/releases/latest | jq -r '.tag_name')
-export IMAGE="ghcr.io/nvidia/eidos/eidos"
+export IMAGE="ghcr.io/nvidia/eidos"
 export DIGEST=$(crane digest "${IMAGE}:${TAG}")
 export IMAGE_DIGEST="${IMAGE}@${DIGEST}"
 
@@ -427,7 +427,7 @@ metadata:
   name: eidos-images-require-attestation
 spec:
   images:
-  - glob: "ghcr.io/nvidia/eidos/eidos*"
+  - glob: "ghcr.io/nvidia/eidos*"
   authorities:
   - keyless:
       url: https://fulcio.sigstore.dev
@@ -462,7 +462,7 @@ spec:
           - Pod
     verifyImages:
     - imageReferences:
-      - "ghcr.io/nvidia/eidos/eidos*"
+      - "ghcr.io/nvidia/eidos*"
       attestations:
       - predicateType: https://slsa.dev/provenance/v1
         attestors:
@@ -479,7 +479,7 @@ spec:
 export TAG=$(curl -s https://api.github.com/repos/NVIDIA/eidos/releases/latest | jq -r '.tag_name')
 
 # This should succeed (image with valid attestation)
-kubectl run test-valid --image=ghcr.io/nvidia/eidos/eidos:${TAG}
+kubectl run test-valid --image=ghcr.io/nvidia/eidos:${TAG}
 
 # This should fail (unsigned image)
 kubectl run test-invalid --image=nginx:latest
@@ -512,7 +512,7 @@ gh run view 20642050863 --repo NVIDIA/eidos --log
 
 ```shell
 # Search Rekor for attestations
-rekor-cli search --artifact ghcr.io/nvidia/eidos/eidos:v0.8.12
+rekor-cli search --artifact ghcr.io/nvidia/eidos:v0.8.12
 
 # Get entry details
 rekor-cli get --uuid <entry-uuid>

deployments/eidos-agent/2-job.yaml

@@ -56,7 +56,7 @@ spec:
         fsGroupChangePolicy: "OnRootMismatch"
       containers:
         - name: eidos
-          image: ghcr.io/nvidia/eidos/eidos:latest
+          image: ghcr.io/nvidia/eidos:latest
           command: ["/bin/sh", "-c"]
           env:
             - name: EIDOS_LOG_PREFIX

docs/architecture/README.md

@@ -1160,14 +1160,14 @@ Checkout → Validate (Go CI) → Build & Release → Attest Images → Deploy
 export TAG=$(curl -s https://api.github.com/repos/NVIDIA/eidos/releases/latest | jq -r '.tag_name')
 
 # Verify image attestations
-gh attestation verify oci://ghcr.io/nvidia/eidos/eidos:${TAG} --owner nvidia
+gh attestation verify oci://ghcr.io/nvidia/eidos:${TAG} --owner nvidia
 
 # Verify with Cosign
 cosign verify-attestation \
   --type spdxjson \
   --certificate-oidc-issuer https://token.actions.githubusercontent.com \
   --certificate-identity-regexp 'https://github.com/NVIDIA/eidos/.github/workflows/.*' \
-  ghcr.io/nvidia/eidos/eidos:${TAG}
+  ghcr.io/nvidia/eidos:${TAG}
 ```
 
 **Transparency**:

docs/architecture/api-server.md

@@ -544,7 +544,7 @@ flowchart LR
     C --> D["Build Image<br/>(ko + goreleaser)"]
     D --> E["Generate SBOM<br/>(Syft)"]  
     E --> F["Sign Attestations<br/>(Cosign keyless)"]
-    F --> G["Push to GHCR<br/>ghcr.io/nvidia/eidos/eidosd"]
+    F --> G["Push to GHCR<br/>ghcr.io/nvidia/eidosd"]
     G --> H["Deploy to Cloud Run<br/>(WIF auth)"]
     H --> I["Health Check<br/>Verification"]
 ```
@@ -553,7 +553,7 @@ flowchart LR
 - **SLSA Build Level 3** compliance
 - **Signed SBOMs** in SPDX format
 - **Attestations** logged in Rekor transparency log  
-- **Verification**: `gh attestation verify oci://ghcr.io/nvidia/eidos/eidosd:TAG --owner nvidia`
+- **Verification**: `gh attestation verify oci://ghcr.io/nvidia/eidosd:TAG --owner nvidia`
 
 **Monitoring:**
 - Health endpoint: `/health`
@@ -654,7 +654,7 @@ spec:
     spec:
       containers:
       - name: server
-        image: ghcr.io/nvidia/eidos/eidosd:v1.0.0
+        image: ghcr.io/nvidia/eidosd:v1.0.0
         ports:
         - containerPort: 8080
           name: http
@@ -1045,7 +1045,7 @@ func TestRecipeHandler(t *testing.T) {
 export TAG=$(curl -s https://api.github.com/repos/NVIDIA/eidos/releases/latest | jq -r '.tag_name')
 
 # Verify attestations
-gh attestation verify oci://ghcr.io/nvidia/eidos/eidosd:${TAG} --owner nvidia
+gh attestation verify oci://ghcr.io/nvidia/eidosd:${TAG} --owner nvidia
 ```
 
 For detailed CI/CD architecture, see [../CONTRIBUTING.md#github-actions--cicd](../../CONTRIBUTING.md#github-actions--cicd) and [README.md](README.md#cicd-architecture).
@@ -1401,7 +1401,7 @@ spec:
         fsGroup: 1000
       containers:
       - name: api-server
-        image: ghcr.io/nvidia/eidos/eidosd:latest  # Or use specific tag like v0.8.12
+        image: ghcr.io/nvidia/eidosd:latest  # Or use specific tag like v0.8.12
         ports:
         - name: http
           containerPort: 8080