fix: enforce GITHUB_TOKEN for ghcr.io registry login (#570)

NilashishC · claude[bot] · web-flow · commit 55dc4fa32bd1 · 2026-03-31T13:11:02.000+05:30
The `||` fallback in the container registry login step allowed
REGISTRY_USERNAME/REGISTRY_PASSWORD secrets to override the default
GITHUB_TOKEN credentials even when the target registry was ghcr.io.
Replace the fallback with an explicit branch: ghcr.io always
authenticates with github.actor + secrets.GITHUB_TOKEN; any other
registry uses secrets.REGISTRY_USERNAME + secrets.REGISTRY_PASSWORD.


Made-with: Cursor

Co-authored-by: claude[bot] &lt;209825114+claude[bot]@users.noreply.github.com&gt;
diff --git a/src/ansible_creator/resources/common/ee-ci/.github/workflows/ee-build.yml.j2 b/src/ansible_creator/resources/common/ee-ci/.github/workflows/ee-build.yml.j2
@@ -310,10 +310,17 @@ env:
 
       - name: Login to container registry
         run: |
-          echo "${{ secrets.REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}" | \
-            buildah login --tls-verify=${{ env.EE_REGISTRY_TLS_VERIFY }} \
-            -u "${{ secrets.REGISTRY_USERNAME || github.actor }}" \
-            --password-stdin "${{ env.REGISTRY }}"
+          if [[ "${{ env.REGISTRY }}" == "ghcr.io" ]]; then
+            echo "${{ secrets.GITHUB_TOKEN }}" | \
+              buildah login --tls-verify=${{ env.EE_REGISTRY_TLS_VERIFY }} \
+              -u "${{ github.actor }}" \
+              --password-stdin "${{ env.REGISTRY }}"
+          else
+            echo "${{ secrets.REGISTRY_PASSWORD }}" | \
+              buildah login --tls-verify=${{ env.EE_REGISTRY_TLS_VERIFY }} \
+              -u "${{ secrets.REGISTRY_USERNAME }}" \
+              --password-stdin "${{ env.REGISTRY }}"
+          fi
 
       - name: Login to Red Hat registry (for base images)
         if: vars.REDHAT_REGISTRY_USERNAME != ''
@@ -431,10 +438,17 @@ env:
     steps:
       - name: Login to container registry
         run: |
-          echo "${{ secrets.REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}" | \
-            buildah login --tls-verify=${{ env.EE_REGISTRY_TLS_VERIFY }} \
-            -u "${{ secrets.REGISTRY_USERNAME || github.actor }}" \
-            --password-stdin "${{ env.REGISTRY }}"
+          if [[ "${{ env.REGISTRY }}" == "ghcr.io" ]]; then
+            echo "${{ secrets.GITHUB_TOKEN }}" | \
+              buildah login --tls-verify=${{ env.EE_REGISTRY_TLS_VERIFY }} \
+              -u "${{ github.actor }}" \
+              --password-stdin "${{ env.REGISTRY }}"
+          else
+            echo "${{ secrets.REGISTRY_PASSWORD }}" | \
+              buildah login --tls-verify=${{ env.EE_REGISTRY_TLS_VERIFY }} \
+              -u "${{ secrets.REGISTRY_USERNAME }}" \
+              --password-stdin "${{ env.REGISTRY }}"
+          fi
 
       - name: Tag and push release
         env:
diff --git a/tests/fixtures/common/ee-ci/.github/workflows/ee-build.yml b/tests/fixtures/common/ee-ci/.github/workflows/ee-build.yml
@@ -257,10 +257,17 @@ jobs:
 
       - name: Login to container registry
         run: |
-          echo "${{ secrets.REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}" | \
-            buildah login --tls-verify=${{ env.EE_REGISTRY_TLS_VERIFY }} \
-            -u "${{ secrets.REGISTRY_USERNAME || github.actor }}" \
-            --password-stdin "${{ env.REGISTRY }}"
+          if [[ "${{ env.REGISTRY }}" == "ghcr.io" ]]; then
+            echo "${{ secrets.GITHUB_TOKEN }}" | \
+              buildah login --tls-verify=${{ env.EE_REGISTRY_TLS_VERIFY }} \
+              -u "${{ github.actor }}" \
+              --password-stdin "${{ env.REGISTRY }}"
+          else
+            echo "${{ secrets.REGISTRY_PASSWORD }}" | \
+              buildah login --tls-verify=${{ env.EE_REGISTRY_TLS_VERIFY }} \
+              -u "${{ secrets.REGISTRY_USERNAME }}" \
+              --password-stdin "${{ env.REGISTRY }}"
+          fi
 
       - name: Login to Red Hat registry (for base images)
         if: vars.REDHAT_REGISTRY_USERNAME != ''
@@ -341,10 +348,17 @@ jobs:
     steps:
       - name: Login to container registry
         run: |
-          echo "${{ secrets.REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}" | \
-            buildah login --tls-verify=${{ env.EE_REGISTRY_TLS_VERIFY }} \
-            -u "${{ secrets.REGISTRY_USERNAME || github.actor }}" \
-            --password-stdin "${{ env.REGISTRY }}"
+          if [[ "${{ env.REGISTRY }}" == "ghcr.io" ]]; then
+            echo "${{ secrets.GITHUB_TOKEN }}" | \
+              buildah login --tls-verify=${{ env.EE_REGISTRY_TLS_VERIFY }} \
+              -u "${{ github.actor }}" \
+              --password-stdin "${{ env.REGISTRY }}"
+          else
+            echo "${{ secrets.REGISTRY_PASSWORD }}" | \
+              buildah login --tls-verify=${{ env.EE_REGISTRY_TLS_VERIFY }} \
+              -u "${{ secrets.REGISTRY_USERNAME }}" \
+              --password-stdin "${{ env.REGISTRY }}"
+          fi
 
       - name: Tag and push release
         env:
diff --git a/tests/fixtures/project/ee_project/.github/workflows/ee-build.yml b/tests/fixtures/project/ee_project/.github/workflows/ee-build.yml
@@ -257,10 +257,17 @@ jobs:
 
       - name: Login to container registry
         run: |
-          echo "${{ secrets.REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}" | \
-            buildah login --tls-verify=${{ env.EE_REGISTRY_TLS_VERIFY }} \
-            -u "${{ secrets.REGISTRY_USERNAME || github.actor }}" \
-            --password-stdin "${{ env.REGISTRY }}"
+          if [[ "${{ env.REGISTRY }}" == "ghcr.io" ]]; then
+            echo "${{ secrets.GITHUB_TOKEN }}" | \
+              buildah login --tls-verify=${{ env.EE_REGISTRY_TLS_VERIFY }} \
+              -u "${{ github.actor }}" \
+              --password-stdin "${{ env.REGISTRY }}"
+          else
+            echo "${{ secrets.REGISTRY_PASSWORD }}" | \
+              buildah login --tls-verify=${{ env.EE_REGISTRY_TLS_VERIFY }} \
+              -u "${{ secrets.REGISTRY_USERNAME }}" \
+              --password-stdin "${{ env.REGISTRY }}"
+          fi
 
       - name: Login to Red Hat registry (for base images)
         if: vars.REDHAT_REGISTRY_USERNAME != ''
@@ -341,10 +348,17 @@ jobs:
     steps:
       - name: Login to container registry
         run: |
-          echo "${{ secrets.REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}" | \
-            buildah login --tls-verify=${{ env.EE_REGISTRY_TLS_VERIFY }} \
-            -u "${{ secrets.REGISTRY_USERNAME || github.actor }}" \
-            --password-stdin "${{ env.REGISTRY }}"
+          if [[ "${{ env.REGISTRY }}" == "ghcr.io" ]]; then
+            echo "${{ secrets.GITHUB_TOKEN }}" | \
+              buildah login --tls-verify=${{ env.EE_REGISTRY_TLS_VERIFY }} \
+              -u "${{ github.actor }}" \
+              --password-stdin "${{ env.REGISTRY }}"
+          else
+            echo "${{ secrets.REGISTRY_PASSWORD }}" | \
+              buildah login --tls-verify=${{ env.EE_REGISTRY_TLS_VERIFY }} \
+              -u "${{ secrets.REGISTRY_USERNAME }}" \
+              --password-stdin "${{ env.REGISTRY }}"
+          fi
 
       - name: Tag and push release
         env:
