Fabiano Fidêncio
fb64f30af6 ci: push ORAS cache to repo-scoped GHCR path
GITHUB_TOKEN can only write to the repository's package namespace.
Use ARTEFACT_REPOSITORY=${{ github.repository }} so pushes go to
ghcr.io/owner/repo/cached-tarballs/ and avoid permission_denied:
write_package.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-02-13 14:12:45 +01:00
3 changed files with 11 additions and 6 deletions


@@ -1,6 +1,10 @@
# Push gperf and busybox tarballs to the ORAS cache (ghcr.io) so that
# download-with-oras-cache.sh can pull them instead of hitting upstream.
# Runs when versions.yaml changes on main (e.g. after a PR merge) or manually.
#
# We use ORAS (same as kata-deploy-binaries.sh for cached-artefacts). GITHUB_TOKEN
# can only write to the repository's package namespace, so we use
# ARTEFACT_REPOSITORY=${{ github.repository }} (ghcr.io/owner/repo/cached-tarballs/).
name: CI | Push ORAS tarball cache
on:
push:
@@ -38,6 +42,6 @@ jobs:
run: ./tools/packaging/scripts/populate-oras-tarball-cache.sh all
env:
ARTEFACT_REGISTRY: ghcr.io
ARTEFACT_REPOSITORY: kata-containers
ARTEFACT_REPOSITORY: ${{ github.repository }}
ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }}
ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
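Review bot: `ARTEFACT_REPOSITORY: ${{ github.repository }}` passes the owner/repo string with its original casing, while OCI repository names must be lowercase, so a run in a fork under a mixed-case account would likely have its push rejected as an invalid reference. Upstream kata-containers/kata-containers is unaffected. Normalising once in the scripts that consume the variable, e.g. `ARTEFACT_REPOSITORY="${ARTEFACT_REPOSITORY,,}"` right after the default is applied, would cover both this workflow value and the `GITHUB_REPOSITORY` fallback added in the two shell files. The job's `permissions:` block is outside this hunk; it is worth confirming that `packages: write` is granted to this job only and not workflow-wide.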


@@ -45,7 +45,8 @@ BUSYBOX_CONF_FILE="${BUSYBOX_CONF_FILE:-}"
MEASURED_ROOTFS=${MEASURED_ROOTFS:-no}
USE_CACHE="${USE_CACHE:-"yes"}"
ARTEFACT_REGISTRY="${ARTEFACT_REGISTRY:-ghcr.io}"
ARTEFACT_REPOSITORY="${ARTEFACT_REPOSITORY:-kata-containers}"
# Repo-scoped path for GHCR (same as download-with-oras-cache.sh). GITHUB_REPOSITORY is "owner/repo" in CI.
ARTEFACT_REPOSITORY="${ARTEFACT_REPOSITORY:-${GITHUB_REPOSITORY:-kata-containers/kata-containers}}"
ARTEFACT_REGISTRY_USERNAME="${ARTEFACT_REGISTRY_USERNAME:-}"
ARTEFACT_REGISTRY_PASSWORD="${ARTEFACT_REGISTRY_PASSWORD:-}"
GUEST_HOOKS_TARBALL_NAME="${GUEST_HOOKS_TARBALL_NAME:-}"
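Review bot: The new default `${GITHUB_REPOSITORY:-kata-containers/kata-containers}` makes the cache namespace depend on an ambient CI variable, so the source of cached tarballs now varies with the repository the job runs in instead of being one fixed path; the same line is added in the ORAS configuration hunk of the third file. Nothing visible here shows whether a tarball pulled from the cache is checked against a pinned checksum or digest before it is used. If that check is missing, it matters more now that any repository's own package namespace can be the source. At minimum the comment should record the expectation, e.g. `# Cache namespace follows GITHUB_REPOSITORY; anything pulled from it must still be verified against a pinned checksum.`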


@@ -30,9 +30,9 @@ install_oras_script="${script_dir}/../kata-deploy/local-build/dockerbuild/instal
# ORAS configuration
ARTEFACT_REGISTRY="${ARTEFACT_REGISTRY:-ghcr.io}"
# Default to upstream kata-containers org to match cached-artefacts pattern
# Result: ghcr.io/kata-containers/cached-tarballs/<component>:<version>
ARTEFACT_REPOSITORY="${ARTEFACT_REPOSITORY:-kata-containers}"
# Default to repo-scoped path: ghcr.io/<owner>/<repo>/cached-tarballs/
# GITHUB_REPOSITORY in CI is "owner/repo" (e.g. kata-containers/kata-containers). Same as push workflow.
ARTEFACT_REPOSITORY="${ARTEFACT_REPOSITORY:-${GITHUB_REPOSITORY:-kata-containers/kata-containers}}"
# Reuse PUSH_TO_REGISTRY to control cache pushing
PUSH_TO_REGISTRY="${PUSH_TO_REGISTRY:-no}"
@@ -454,7 +454,7 @@ if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then
echo ""
echo "Environment variables:"
echo " ARTEFACT_REGISTRY - Registry to use (default: ghcr.io)"
echo " ARTEFACT_REPOSITORY - Repository org/path (default: kata-containers)"
echo " ARTEFACT_REPOSITORY - Repository org/path (default: GITHUB_REPOSITORY or kata-containers/kata-containers)"
echo " PUSH_TO_REGISTRY - Set to 'yes' to push new artifacts to cache"
echo " ARTEFACT_REGISTRY_USERNAME - Username for registry (required for push)"
echo " ARTEFACT_REGISTRY_PASSWORD - Password for registry (required for push)"