fix: add GHCR authentication for image copy

mchmarny · claude · mchmarny · commit b51fff7eab32 · 2026-01-31T10:59:02.000-08:00
The crane copy command needs authentication to pull from GHCR.
Add ghcr_token input and authenticate before copying.

Also add test-deploy.yaml workflow for isolated testing of the
deploy action without running the full release pipeline.

Co-Authored-By: Claude Opus 4.5 &lt;noreply@anthropic.com&gt;
diff --git a/.github/actions/cloud-run-deploy/action.yml b/.github/actions/cloud-run-deploy/action.yml
@@ -41,6 +41,9 @@ inputs:
     description: 'Image name in target registry (e.g., eidosd)'
     required: false
     default: 'eidosd'
+  ghcr_token:
+    description: 'GitHub token for GHCR authentication (use github.token)'
+    required: true
 
 runs:
   using: 'composite'
@@ -98,6 +101,13 @@ runs:
         sudo chmod +x /usr/local/bin/crane
         rm -rf "$CRANE_TMP"
 
+    - name: Authenticate to GHCR
+      shell: bash
+      env:
+        GHCR_TOKEN: ${{ inputs.ghcr_token }}
+      run: |
+        echo "${GHCR_TOKEN}" | crane auth login ghcr.io -u oauth2accesstoken --password-stdin
+
     - name: Copy image to Artifact Registry
       id: copy
       shell: bash
diff --git a/.github/workflows/on-tag.yaml b/.github/workflows/on-tag.yaml
@@ -184,7 +184,7 @@ jobs:
       - name: Checkout Code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
 
-      - name: Deploy API to Cloud Run
+      - name: Deploy Demo API Server
         uses: ./.github/actions/cloud-run-deploy
         with:
           project_id: ${{ env.PROJECT_ID }}
@@ -195,3 +195,4 @@ jobs:
           source_image: "${{ env.SOURCE_IMAGE }}:${{ github.ref_name }}"
           target_registry: ${{ env.TARGET_REGISTRY }}
           image_name: 'eidosd'
+          ghcr_token: ${{ github.token }}
diff --git a/.github/workflows/test-deploy.yaml b/.github/workflows/test-deploy.yaml
@@ -0,0 +1,58 @@
+# Copyright (c) 2025, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Test Deploy Action
+
+on:
+  workflow_dispatch:
+    inputs:
+      image_tag:
+        description: 'Image tag to deploy (e.g., v0.1.4)'
+        required: true
+        default: 'v0.1.4'
+
+permissions:
+  contents: read
+  id-token: write
+  packages: read
+
+jobs:
+  deploy:
+    name: Test Deploy
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    env:
+      IDENTITY_PROVIDER: 'projects/116689922666/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider'
+      SERVICE_ACCOUNT: 'github-actions'
+      PROJECT_ID: 'eidosx'
+      RUN_REGION: 'us-west1'
+      RUN_SERVICE: 'api'
+      SOURCE_IMAGE: 'ghcr.io/nvidia/eidosd'
+      TARGET_REGISTRY: 'us-docker.pkg.dev/eidosx/demo'
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+
+      - name: Deploy Demo API Server
+        uses: ./.github/actions/cloud-run-deploy
+        with:
+          project_id: ${{ env.PROJECT_ID }}
+          workload_identity_provider: ${{ env.IDENTITY_PROVIDER }}
+          service_account: "${{ env.SERVICE_ACCOUNT }}@${{ env.PROJECT_ID }}.iam.gserviceaccount.com"
+          region: ${{ env.RUN_REGION }}
+          service: ${{ env.RUN_SERVICE }}
+          source_image: "${{ env.SOURCE_IMAGE }}:${{ inputs.image_tag }}"
+          target_registry: ${{ env.TARGET_REGISTRY }}
+          image_name: 'eidosd'
+          ghcr_token: ${{ github.token }}
