feat(ci): mirror platform image to registry.fly.io/molecule-tenant

Keeps ghcr.io/molecule-ai/platform private (per CEO direction — open- source when full SaaS ships) while still letting the private control plane's Fly provisioner boot tenant machines: Fly auto-authenticates same-org machines against registry.fly.io, no per-tenant pull credentials to wire. Workflow now logs into both GHCR (using built-in GITHUB_TOKEN) and Fly registry (using FLY_API_TOKEN secret) and pushes the same image to four tags total: - ghcr.io/molecule-ai/platform:latest - ghcr.io/molecule-ai/platform:sha-<short> - registry.fly.io/molecule-tenant:latest - registry.fly.io/molecule-tenant:sha-<short> Secret added via `gh secret set FLY_API_TOKEN` on the public repo. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-14 17:05:36 -07:00 · 2026-04-14 17:05:36 -07:00 · 6bcafd643e
commit 6bcafd643e
parent c3cc8e8725
1 changed files with 17 additions and 0 deletions
--- a/.github/workflows/publish-platform-image.yml
+++ b/.github/workflows/publish-platform-image.yml
@ -23,6 +23,12 @@ permissions:
 env:
  # GHCR accepts mixed-case, but most tooling lowercases — keep us consistent.
  IMAGE_NAME: ghcr.io/molecule-ai/platform
+  # Fly registry mirror — tenant machines provisioned by the private
+  # `molecule-controlplane` pull from here (private GHCR image can't be
+  # pulled by Fly machines without auth plumbing we don't want to add).
+  # Fly auto-authenticates same-org machines against registry.fly.io, so
+  # mirroring keeps GHCR private while tenants still boot.
+  FLY_IMAGE_NAME: registry.fly.io/molecule-tenant

 jobs:
  build-and-push:
@ -43,6 +49,15 @@ jobs:
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

+      - name: Log in to Fly registry
+        # Fly's registry accepts any username as long as the password is a
+        # valid FLY_API_TOKEN. Must be added to repo Secrets first.
+        uses: docker/login-action@v3
+        with:
+          registry: registry.fly.io
+          username: x
+          password: ${{ secrets.FLY_API_TOKEN }}
+
      - name: Compute tags
        id: tags
        # Emit two tags per build: `latest` (floating, always the main tip)
@ -60,6 +75,8 @@ jobs:
          tags: |
            ${{ env.IMAGE_NAME }}:latest
            ${{ env.IMAGE_NAME }}:sha-${{ steps.tags.outputs.sha }}
+            ${{ env.FLY_IMAGE_NAME }}:latest
+            ${{ env.FLY_IMAGE_NAME }}:sha-${{ steps.tags.outputs.sha }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          labels: |