Host container image at ghcr.io/bpurinton/* via GHCR_PAT

The source repo lives at uw-cryo but the package needs admin rights to flip
visibility, which Ben doesn't have on the uw-cryo org. Switching the image
to bpurinton's namespace where Ben controls the package. Workflow now
authenticates with a classic PAT (GHCR_PAT secret) instead of GITHUB_TOKEN
since cross-owner pushes need explicit auth.

Author: bpurinton

.devcontainer/devcontainer.json

@@ -7,11 +7,11 @@
   //
   // First-launch time drops from ~5 min (build) to ~30-90 s (pull) because
   // ASP binaries + the conda env are already baked in.
-  "image": "ghcr.io/uw-cryo/stereopipeline-quickstart:latest",
+  "image": "ghcr.io/bpurinton/stereopipeline-quickstart:latest",
 
   // Local-build fallback — uncomment this `build:` block (and comment out the
   // `image:` line above) if you've forked the repo and don't have access to
-  // the uw-cryo/* GHCR namespace, or want to rebuild offline. Note the
+  // the bpurinton/* GHCR namespace, or want to rebuild offline. Note the
   // context: ".." — it makes the build context the repo root so the
   // Dockerfile's `COPY .devcontainer/environment.yml ...` resolves correctly.
   //

.github/workflows/asp-version-check.yml

@@ -172,4 +172,4 @@ jobs:
             - [ ] Read the [ASP release notes](https://github.com/NeoGeographyToolkit/StereoPipeline/releases/tag/${{ steps.asp.outputs.version }}) for breaking changes that might affect the tutorial notebooks (CLI flag renames, new sensor-prep paths, output-file renames).
             - [ ] Skim `notebooks/01_aster_rainier.ipynb` and `notebooks/02_worldview_ucsd.ipynb` for any flag this release changes.
             - [ ] Close any older auto-bump PRs from this workflow that this one supersedes — the workflow doesn't do that for you.
-            - [ ] Once merged, watch `Build & push container image` complete — the new image lands at `ghcr.io/uw-cryo/stereopipeline-quickstart:asp-${{ steps.asp.outputs.version }}` and `:latest`.
+            - [ ] Once merged, watch `Build & push container image` complete — the new image lands at `ghcr.io/bpurinton/stereopipeline-quickstart:asp-${{ steps.asp.outputs.version }}` and `:latest`.

.github/workflows/build-image.yml

@@ -4,14 +4,18 @@ name: Build & push container image
 # + dev tools) and pushes it to GHCR so Codespaces can pull it instead of
 # building from source on first launch.
 #
-# Image lives at ghcr.io/uw-cryo/stereopipeline-quickstart, matching the
-# repo owner — that means the default GITHUB_TOKEN has the push rights it
-# needs (no PAT secret required). If you ever fork/move this repo to a
-# different namespace and want the image to follow, just change IMAGE_NAME
-# below; the rest works automatically. If you want the image to live in a
-# different namespace than the repo owner, you'll need a PAT with
-# `write:packages` scope on that account, stored as a repo secret, and the
-# `username:`/`password:` lines below swapped to use it.
+# Image lives at ghcr.io/bpurinton/stereopipeline-quickstart — a different
+# namespace from the source repo (uw-cryo/stereopipeline-quickstart). The
+# default GITHUB_TOKEN can only push to packages owned by this repo's owner,
+# so we use a PAT instead:
+#
+#   1. On bpurinton's GitHub account, create a classic PAT at
+#      https://github.com/settings/tokens with at least `write:packages`
+#      scope (and `read:packages` for buildcache pulls).
+#   2. Add it to this repo as an Actions secret named `GHCR_PAT`
+#      (Settings → Secrets and variables → Actions → New repository secret).
+#   3. The `Log in to GHCR` step below uses `username: bpurinton` and
+#      `password: ${{ secrets.GHCR_PAT }}`.
 #
 # Tags pushed: `latest`, the short git SHA, and `asp-${ASP_VERSION}` so users
 # can pin to a specific ASP release if needed.
@@ -40,10 +44,10 @@ on:
 
 env:
   REGISTRY: ghcr.io
-  # Image namespace matches the repo owner so GITHUB_TOKEN is sufficient.
-  # Change this (and the devcontainer.json `image:` line) if you ever move
-  # hosting; cross-namespace pushes need a PAT secret (see header comment).
-  IMAGE_NAME: uw-cryo/stereopipeline-quickstart
+  # Image hosted under bpurinton's GHCR namespace (separate from the source
+  # repo's owner). Push auth uses the GHCR_PAT secret — see header comment
+  # for setup. Change this if you ever move hosting.
+  IMAGE_NAME: bpurinton/stereopipeline-quickstart
 
 jobs:
   build:
@@ -63,8 +67,8 @@ jobs:
         uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+          username: bpurinton
+          password: ${{ secrets.GHCR_PAT }}
 
       - name: Resolve ASP build args
         id: asp

docs/start/codespaces.md

@@ -12,7 +12,7 @@
    Open in GitHub Codespaces
    ```
 
-2. **First boot takes ~1-2 minutes.** GitHub pulls a pre-built container image from [GHCR](https://ghcr.io/uw-cryo/stereopipeline-quickstart) — ASP binaries and the `asp_plot` conda env are already baked in. Subsequent launches reuse the cached image and start in under 30 seconds. (If you've forked the repo and don't have access to the `uw-cryo/*` GHCR namespace, the devcontainer.json includes a commented-out `build:` block you can flip on — first boot then takes ~5 minutes for the from-source build.)
+2. **First boot takes ~1-2 minutes.** GitHub pulls a pre-built container image from [GHCR](https://ghcr.io/bpurinton/stereopipeline-quickstart) — ASP binaries and the `asp_plot` conda env are already baked in. Subsequent launches reuse the cached image and start in under 30 seconds. (If the image isn't accessible from your fork, the devcontainer.json includes a commented-out `build:` block you can flip on — first boot then takes ~5 minutes for the from-source build.)
 
 3. When VS Code opens in your browser, the terminal will show a friendly banner:
 
@@ -64,7 +64,7 @@ If you'd rather not use Codespaces, see [the local install guide](installation.m
 
 ::::{dropdown} The Codespace fails to pull the image (manifest unknown / unauthorized)
 :icon: alert
-The default `image:` in `.devcontainer/devcontainer.json` points at `ghcr.io/uw-cryo/stereopipeline-quickstart:latest`. If that image hasn't been built yet, was deleted, or has restrictive visibility, the pull will fail. Two paths forward:
+The default `image:` in `.devcontainer/devcontainer.json` points at `ghcr.io/bpurinton/stereopipeline-quickstart:latest`. If that image hasn't been built yet, was deleted, or its visibility is private, the pull will fail. Two paths forward:
 1. **Build from source instead.** Edit `.devcontainer/devcontainer.json`: comment out the `image:` line and uncomment the `build:` block. The Codespace will run `docker build` against the in-repo `Dockerfile` on first launch (~5 min).
 2. **Trigger the image build.** Run the `Build & push container image` workflow under Actions in your fork — once it succeeds the `latest` tag will exist and the pull will work. Make sure the repo's package settings allow public pulls if you want the image accessible without auth.
 ::::