From dad6b31eafc9dad52950650e8efa63735fb3fa60 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kan=C3=A1sz-Nagy=20Zolt=C3=A1n?= Date: Thu, 14 May 2026 12:14:26 +0200 Subject: [PATCH 1/3] QREPO-406 Only attempt the login on the upstream repository: dspace/dspace-angular --- .github/workflows/build.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 57b367f291d..cf6a63eeee4 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -122,8 +122,12 @@ jobs: retention-days: 14 # Login to our Docker registry, so that we can access private Docker images using "docker compose" below. + # Only attempt the login on the upstream repository: forks cannot authenticate against + # ghcr.io/dspace/* with their own GITHUB_TOKEN. The DSpace test images are public on GHCR, + # so anonymous pulls in the subsequent "docker compose" steps work fine on forks. - name: Login to ${{ env.DOCKER_REGISTRY }} uses: docker/login-action@v4 + if: github.repository == 'dspace/dspace-angular' with: registry: ${{ env.DOCKER_REGISTRY }} username: ${{ github.repository_owner }} From a43843ec198880f3659e73efd782220cb0af246c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kan=C3=A1sz-Nagy=20Zolt=C3=A1n?= Date: Thu, 14 May 2026 12:38:45 +0200 Subject: [PATCH 2/3] QREPO-406 use ghcr.io only on the upstream reposity: dspace/dspace-angular --- .github/workflows/build.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index cf6a63eeee4..d525926c70f 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -40,8 +40,11 @@ jobs: # Project name to use when running "docker compose" prior to e2e tests COMPOSE_PROJECT_NAME: 'ci' # Docker Registry to use for Docker compose scripts below. - # We use GitHub's Container Registry to avoid aggressive rate limits at DockerHub. - DOCKER_REGISTRY: ghcr.io + # On the upstream dspace/dspace-angular repository we use GitHub's Container Registry + # (ghcr.io) to avoid aggressive rate limits at DockerHub. Forks cannot authenticate + # against ghcr.io/dspace/* with their own GITHUB_TOKEN (and the images there require + # auth), so on forks we fall back to docker.io where the same images are public. + DOCKER_REGISTRY: ${{ github.repository == 'dspace/dspace-angular' && 'ghcr.io' || 'docker.io' }} strategy: # Create a matrix of Node versions to test against (in parallel) matrix: From 8b779f0d0c20352c7688343e7ad9138230e77466 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kan=C3=A1sz-Nagy=20Zolt=C3=A1n?= Date: Thu, 14 May 2026 13:19:53 +0200 Subject: [PATCH 3/3] QREPO-406 running codecov only in the upstream repository: dspace/dspace-angular --- .github/workflows/build.yml | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index d525926c70f..5149ca904e1 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -124,10 +124,11 @@ jobs: path: 'coverage/dspace-angular/lcov.info' retention-days: 14 - # Login to our Docker registry, so that we can access private Docker images using "docker compose" below. - # Only attempt the login on the upstream repository: forks cannot authenticate against - # ghcr.io/dspace/* with their own GITHUB_TOKEN. The DSpace test images are public on GHCR, - # so anonymous pulls in the subsequent "docker compose" steps work fine on forks. + # Login to our Docker registry, so that we can access Docker images using "docker compose" below. + # This login is required on the upstream repository because DOCKER_REGISTRY is set to ghcr.io + # and pulling ghcr.io/dspace/* requires authentication. On forks, DOCKER_REGISTRY falls back to + # docker.io (see env block above) where the same images are publicly pullable without a login, + # and forks cannot authenticate against ghcr.io/dspace/* with their own GITHUB_TOKEN anyway. - name: Login to ${{ env.DOCKER_REGISTRY }} uses: docker/login-action@v4 if: github.repository == 'dspace/dspace-angular' @@ -321,6 +322,9 @@ jobs: codecov: # Must run after 'tests' job above needs: tests + # Only run on the upstream repository: forks do not have the CODECOV_TOKEN secret, + # and Codecov refuses to create a commit on a protected branch without a token. + if: github.repository == 'dspace/dspace-angular' runs-on: ubuntu-latest steps: - name: Checkout