testing ghcr login #198

Closed
kpowderly wants to merge 1 commit into main from test-ghcr-login

@kpowderly kpowderly commented May 18, 2026

test branch

Summary by CodeRabbit

  • Chores
    • Updated authentication credentials and workflow conditions for container image build and publish operations.

coderabbitai Bot commented May 18, 2026

Walkthrough

GitHub Actions workflows in both build and publish jobs update their GHCR container login steps to use GitHub actor identity and GITHUB_TOKEN instead of separate GHCR credentials. The build workflow includes a temporary comment flagging that PR auth testing should be reverted before merge.

Changes

GHCR Authentication Credential Migration

| Layer / File(s) | Summary |
| --- | --- |
| GHCR login credential source update: .github/workflows/build.yml, .github/workflows/publish.yml | Both containerize jobs update their "Login to GHCR" steps from secrets.GHCR_USER and secrets.PACKAGE_SCOPE to github.actor and secrets.GITHUB_TOKEN. Build workflow includes a temporary comment noting PR auth testing is enabled and must be reverted before merge. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 The token hops, the actor springs—

No secrets hidden anymore!

GHCR gates now open wide,

Just whisper who you are inside! 🔐

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'testing ghcr login' accurately describes the main change: updating GHCR authentication credentials in two workflow files. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/build.yml:
- Around line 40-44: Re-enable the pull_request guard so GHCR auth only runs for
non-PR workflows: restore the conditional (if: ${{ !
startsWith(github.event_name, 'pull_request') }}) above the GHCR auth block that
contains the "with: registry: ghcr.io username: ${{ github.actor }} password:
${{ secrets.GITHUB_TOKEN }}" settings, ensuring the job no longer requests GHCR
authentication on PR runs (leave existing push: false / push: ${{ !
startsWith(github.event_name, 'pull_request') }} behavior unchanged).

📥 Commits

Reviewing files that changed from the base of the PR and between a161a8a and 41c7c4a.

📒 Files selected for processing (2)
  • .github/workflows/build.yml
  • .github/workflows/publish.yml

Comment on lines +40 to +44
# if: ${{ ! startsWith(github.event_name, 'pull_request') }} # TEMP: enable on PRs to test GHCR auth — REVERT BEFORE MERGE
with:
registry: ghcr.io
username: ${{ secrets.GHCR_USER }}
password: ${{ secrets.PACKAGE_SCOPE }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
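
Review bot: The `if:` guard on the first line of this hunk is disabled by commenting it out, and the only thing that brings it back is the "REVERT BEFORE MERGE" note, which nothing enforces. Keep the condition active in this file and exercise the new login from a trigger that is not a pull request, or add a CI check that fails while the marker is present. Separately, once `github.actor` and `secrets.GITHUB_TOKEN` replace `secrets.GHCR_USER` and `secrets.PACKAGE_SCOPE`, this step no longer references the old secrets; remove them from the repository settings if no other step uses them.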

🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== build.yml: login step and push behavior =="
sed -n '38,105p' .github/workflows/build.yml

echo
echo "Expected:"
echo "- Login to GHCR has no if-guard today"
echo "- Build Container Image uses push: false"
echo "- Push Image is still disabled on pull_request"

Repository: SpecterOps/AzureHound

Length of output: 3337


Restore the PR guard before merging.

Line 40 drops the only pull_request guard, but this job never pushes images on PRs (see push: false on Line 83 and push: ${{ ! startsWith(github.event_name, 'pull_request') }} on Line 102). PR runs execute unnecessary GHCR authentication while the job still requests packages: write.

Suggested fix
-        # if: ${{ ! startsWith(github.event_name, 'pull_request') }} # TEMP: enable on PRs to test GHCR auth — REVERT BEFORE MERGE
+        if: ${{ ! startsWith(github.event_name, 'pull_request') }}
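
Review bot: On the `+` line, keep the `startsWith(github.event_name, 'pull_request')` form when the guard is restored rather than simplifying it to an equality test. The prefix match also skips the login on `pull_request_target`, which runs with the base repository's token and secrets, so an exact comparison against `pull_request` would leave that event authenticating to GHCR. Dropping the TEMP comment entirely, as this line does, is right so the marker does not survive in the merged file.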

Suggested change
# if: ${{ ! startsWith(github.event_name, 'pull_request') }} # TEMP: enable on PRs to test GHCR auth — REVERT BEFORE MERGE
with:
registry: ghcr.io
username: ${{ secrets.GHCR_USER }}
password: ${{ secrets.PACKAGE_SCOPE }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
if: ${{ ! startsWith(github.event_name, 'pull_request') }}
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

@kpowderly kpowderly closed this May 18, 2026
@github-actions github-actions Bot locked and limited conversation to collaborators May 18, 2026
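
A CI lint for the condition this review flagged, as an added example that is not part of the PR or of the repository's own code: it reports registry login steps whose `if:` guard is missing or commented out. The workflow text is a constructed sample, the `uses:` line in it is an assumption (the page does not show which login action the workflow calls), and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the step in this PR. The `uses:` line is an
# assumption (the page does not show which login action the workflow calls).
SAMPLE = """\
jobs:
  containerize:
    steps:
      - name: Login to GHCR
        uses: docker/login-action@v3
        # if: ${{ ! startsWith(github.event_name, 'pull_request') }} # TEMP: REVERT BEFORE MERGE
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build Container Image
        run: echo build
"""

STEP_START = re.compile(r"^(\s*)-\s+[\w-]+:")  # "- name:", "- uses:", ...

def split_steps(text):
    """Yield the lines of each step-level list item, comments included."""
    block, indent = [], None
    for line in text.splitlines():
        m = STEP_START.match(line)
        if m and (indent is None or len(m.group(1)) <= indent):
            if block:
                yield block
            block, indent = [], len(m.group(1))
        if indent is not None:
            block.append(line)
    if block:
        yield block

def audit_registry_logins(text, registry="ghcr.io"):
    """Return (step name, reason) for registry logins with no active `if:`."""
    findings = []
    for block in split_steps(text):
        active = [l for l in block if not l.lstrip().startswith("#")]
        if not any(re.search(rf"\bregistry:\s*{re.escape(registry)}\b", l) for l in active):
            continue
        if any(re.match(r"\s*(-\s+)?if:", l) for l in active):
            continue  # guard present and not commented out
        name = next((m.group(1).strip() for l in active
                     if (m := re.search(r"\bname:\s*(.+)", l))), "<unnamed>")
        disabled = any(re.match(r"\s*#\s*if:", l) for l in block)
        findings.append((name, "guard commented out" if disabled else "no guard"))
    return findings

if __name__ == "__main__":
    print(audit_registry_logins(SAMPLE))
```

The parser is line-based and only understands the block-style step layout shown in the sample; a workflow that uses flow-style YAML or anchors needs a real YAML parser in front of the same check.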