ci: push dev images to ghcr (#1591)

* ci: push dev images to ghcr

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* *: use new ghcr images

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* website/docs: use ghcr proxy

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

.github/workflows/ci-main.yml

@@ -299,15 +299,15 @@ jobs:
         uses: docker/login-action@v1
         if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
         with:
-          registry: beryju.org
-          username: ${{ secrets.HARBOR_USERNAME }}
-          password: ${{ secrets.HARBOR_PASSWORD }}
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
       - name: Building Docker Image
         uses: docker/build-push-action@v2
         with:
           push: ${{ steps.ev.outputs.shouldBuild == 'true' }}
           tags: |
-            beryju.org/authentik/server:gh-${{ steps.ev.outputs.branchNameContainer }}
-            beryju.org/authentik/server:gh-${{ steps.ev.outputs.branchNameContainer }}-${{ steps.ev.outputs.timestamp }}-${{ steps.ev.outputs.sha }}
+            ghcr.io/goauthentik/dev-server:gh-${{ steps.ev.outputs.branchNameContainer }}
+            ghcr.io/goauthentik/dev-server:gh-${{ steps.ev.outputs.branchNameContainer }}-${{ steps.ev.outputs.timestamp }}-${{ steps.ev.outputs.sha }}
           build-args: |
             GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}

.github/workflows/ci-outpost.yml

@@ -53,17 +53,17 @@ jobs:
         uses: docker/login-action@v1
         if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
         with:
-          registry: beryju.org
-          username: ${{ secrets.HARBOR_USERNAME }}
-          password: ${{ secrets.HARBOR_PASSWORD }}
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
       - name: Building Docker Image
         uses: docker/build-push-action@v2
         with:
           push: ${{ steps.ev.outputs.shouldBuild == 'true' }}
           tags: |
-            beryju.org/authentik/outpost-${{ matrix.type }}:gh-${{ steps.ev.outputs.branchNameContainer }}
-            beryju.org/authentik/outpost-${{ matrix.type }}:gh-${{ steps.ev.outputs.branchNameContainer }}-${{ steps.ev.outputs.timestamp }}
-            beryju.org/authentik/outpost-${{ matrix.type }}:gh-${{ steps.ev.outputs.sha }}
+            ghcr.io/goauthentik/dev-${{ matrix.type }}:gh-${{ steps.ev.outputs.branchNameContainer }}
+            ghcr.io/goauthentik/dev-${{ matrix.type }}:gh-${{ steps.ev.outputs.branchNameContainer }}-${{ steps.ev.outputs.timestamp }}
+            ghcr.io/goauthentik/dev-${{ matrix.type }}:gh-${{ steps.ev.outputs.sha }}
           file: ${{ matrix.type }}.Dockerfile
           build-args: |
             GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}

.github/workflows/ghcr-retention.yml

@@ -0,0 +1,21 @@
+name: ghcr-retention
+
+on:
+  schedule:
+    - cron: '0 0 * * *'  # every day at midnight
+
+jobs:
+  clean-ghcr:
+    name: Delete old unused container images
+    runs-on: ubuntu-latest
+    steps:
+      - name: Delete 'dev' containers older than a week
+        uses: sondrelg/container-retention-policy@v1
+        with:
+          image-names: dev-server,dev-ldap,dev-proxy
+          cut-off: One month ago UTC
+          account-type: org
+          org-name: goauthentik
+          untagged-only: false
+          token: ${{ secrets.GHCR_CLEANUP_TOKEN }}
+          skip-tags: gh-next,gh-master

authentik/root/test_runner.py

@@ -18,7 +18,7 @@ class PytestTestRunner:  # pragma: no cover
         CONFIG.y_set("authentik.geoip", "tests/GeoLite2-City-Test.mmdb")
         CONFIG.y_set(
             "outposts.docker_image_base",
-            f"beryju.org/authentik/outpost-%(type)s:{get_docker_tag()}",
+            f"ghcr.io/goauthentik/dev-%(type)s:{get_docker_tag()}",
         )
 
     def run_tests(self, test_labels):

tests/e2e/test_provider_ldap.py

@@ -33,7 +33,7 @@ class TestProviderLDAP(SeleniumTestCase):
         """Start ldap container based on outpost created"""
         client: DockerClient = from_env()
         container = client.containers.run(
-            image=self.get_container_image("beryju.org/authentik/outpost-ldap"),
+            image=self.get_container_image("ghcr.io/goauthentik/dev-ldap"),
             detach=True,
             network_mode="host",
             auto_remove=True,

tests/e2e/test_provider_proxy.py

@@ -42,7 +42,7 @@ class TestProviderProxy(SeleniumTestCase):
         """Start proxy container based on outpost created"""
         client: DockerClient = from_env()
         container = client.containers.run(
-            image=self.get_container_image("beryju.org/authentik/outpost-proxy"),
+            image=self.get_container_image("ghcr.io/goauthentik/dev-proxy"),
             detach=True,
             network_mode="host",
             auto_remove=True,

tests/integration/test_outpost_docker.py

@@ -108,5 +108,5 @@ class OutpostDockerTests(TestCase):
         self.assertEqual(compose["version"], "3.5")
         self.assertEqual(
             compose["services"]["authentik_proxy"]["image"],
-            f"beryju.org/authentik/outpost-proxy:{get_docker_tag()}",
+            f"ghcr.io/goauthentik/dev-proxy:{get_docker_tag()}",
         )

tests/integration/test_proxy_docker.py

@@ -108,5 +108,5 @@ class TestProxyDocker(TestCase):
         self.assertEqual(compose["version"], "3.5")
         self.assertEqual(
             compose["services"]["authentik_proxy"]["image"],
-            f"beryju.org/authentik/outpost-proxy:{get_docker_tag()}",
+            f"ghcr.io/goauthentik/dev-proxy:{get_docker_tag()}",
         )

website/developer-docs/setup/frontend-only-dev-environment.md

@@ -17,9 +17,9 @@ If you want to only make changes on the UI, you don't need a backend running fro
 3. Add the following entry to your `.env` file:
 
     ```
-    AUTHENTIK_IMAGE=beryju.org/authentik/server
+    AUTHENTIK_IMAGE=goauthentik.io/dev-server
     AUTHENTIK_TAG=gh-next
-    AUTHENTIK_OUTPOSTS__DOCKER_IMAGE_BASE=beryju.org/authentik/outpost-%(type)s:gh-next
+    AUTHENTIK_OUTPOSTS__DOCKER_IMAGE_BASE=goauthentik.io/dev-%(type)s:gh-next
     AUTHENTIK_LOG_LEVEL=debug
     AUTHENTIK_WEB_LOAD_LOCAL_FILES=true
     ```

website/docs/installation/beta.mdx

@@ -17,9 +17,9 @@ import TabItem from '@theme/TabItem';
 Add the following block to your `.env` file:
 
 ```shell
-AUTHENTIK_IMAGE=beryju.org/authentik/server
+AUTHENTIK_IMAGE=goauthentik.io/dev-server
 AUTHENTIK_TAG=gh-next
-AUTHENTIK_OUTPOSTS__DOCKER_IMAGE_BASE=beryju.org/authentik/outpost-%(type)s:gh-next
+AUTHENTIK_OUTPOSTS__DOCKER_IMAGE_BASE=goauthentik.io/dev-%(type)s:gh-next
 ```
 
 Afterwards, run the upgrade commands from the latest releasae notes.
@@ -30,9 +30,9 @@ Add the following block to your `values.yml` file:
 ```yaml
 authentik:
   outposts:
-    docker_image_base: beryju.org/authentik/outpost-%(type)s:gh-%(build_hash)s
+    docker_image_base: goauthentik.io/dev-%(type)s:gh-%(build_hash)s
 image:
-  repository: beryju.org/authentik/server
+  repository: goauthentik.io/dev-server
   tag: gh-next
   # pullPolicy: Always to ensure you always get the latest version
   pullPolicy: Always

website/docs/integrations/services/minio/index.md

@@ -39,7 +39,7 @@ Note the Client ID and Client Secret values. Create an application, using the pr
 
 ```
 ~ mc admin config set myminio identity_openid \
-  config_url="https://id.beryju.org/application/o/<applicaiton-slug>/.well-known/openid-configuration" \
+  config_url="https://authentik.company/application/o/<applicaiton-slug>/.well-known/openid-configuration" \
   client_id="<client id from above>" \
   scopes="openid,profile,email,minio"
 ```