From 8b74cd5a4e922a2b90951364231392f0f0f19f01 Mon Sep 17 00:00:00 2001
From: Josh Knapp <jknapp85@gmail.com>
Date: Wed, 3 Jun 2026 10:08:19 -0700
Subject: [PATCH] ci: mirror image pushes to ghcr.io/shadowdao
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds a second registry login + tag to both build-push workflows so each
build publishes to ghcr.io alongside the in-house Gitea registry. Single
build, two destinations — docker/build-push-action handles the multi-tag
push in one step.

Requires Gitea Actions secret GHCR_TOKEN (a classic PAT with
write:packages on the shadowdao user).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .gitea/workflows/build-push-coraza.yaml | 10 ++++++++++
 .gitea/workflows/build-push.yaml        | 14 +++++++++++++-
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/.gitea/workflows/build-push-coraza.yaml b/.gitea/workflows/build-push-coraza.yaml
index 83ff63c..66e31e0 100644
--- a/.gitea/workflows/build-push-coraza.yaml
+++ b/.gitea/workflows/build-push-coraza.yaml
@@ -34,6 +34,15 @@ jobs:
           username: ${{ secrets.CI_USER }}
           password: ${{ secrets.CI_TOKEN }}
 
+      # Mirror to GitHub Container Registry — see build-push.yaml for the
+      # secret/username convention.
+      - name: Login to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: shadowdao
+          password: ${{ secrets.GHCR_TOKEN }}
+
       - name: Build Image
         uses: docker/build-push-action@v6
         with:
@@ -42,3 +51,4 @@ jobs:
           push: true
           tags: |
             repo.anhonesthost.net/cloud-hosting-platform/coraza-spoa:latest
+            ghcr.io/shadowdao/coraza-spoa:latest
diff --git a/.gitea/workflows/build-push.yaml b/.gitea/workflows/build-push.yaml
index 3f0708d..609b28f 100644
--- a/.gitea/workflows/build-push.yaml
+++ b/.gitea/workflows/build-push.yaml
@@ -24,7 +24,18 @@ jobs:
           registry: repo.anhonesthost.net
           username: ${{ secrets.CI_USER }}
           password: ${{ secrets.CI_TOKEN }}
-      
+
+      # Second push target so the image is also available from GitHub Container
+      # Registry under the user's account. The PAT only needs write:packages
+      # (and read:packages if the package is private). Stored in Gitea as
+      # secrets.GHCR_TOKEN; username is the literal GitHub login.
+      - name: Login to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: shadowdao
+          password: ${{ secrets.GHCR_TOKEN }}
+
       - name: Build Image
         uses: docker/build-push-action@v6
         with:
@@ -32,3 +43,4 @@ jobs:
           push: true
           tags: |
             repo.anhonesthost.net/cloud-hosting-platform/haproxy-manager-base:latest
+            ghcr.io/shadowdao/haproxy-manager-base:latest