From 6bcafd643ec499c2b37c838364bb06d1b53399ee Mon Sep 17 00:00:00 2001
From: Hongming Wang <hongmingwang.rabbit@users.noreply.github.com>
Date: Tue, 14 Apr 2026 17:05:36 -0700
Subject: [PATCH] feat(ci): mirror platform image to
 registry.fly.io/molecule-tenant
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Keeps ghcr.io/molecule-ai/platform private (per CEO direction — open-
source when full SaaS ships) while still letting the private control
plane's Fly provisioner boot tenant machines: Fly auto-authenticates
same-org machines against registry.fly.io, no per-tenant pull
credentials to wire.

Workflow now logs into both GHCR (using built-in GITHUB_TOKEN) and
Fly registry (using FLY_API_TOKEN secret) and pushes the same image to
four tags total:
- ghcr.io/molecule-ai/platform:latest
- ghcr.io/molecule-ai/platform:sha-<short>
- registry.fly.io/molecule-tenant:latest
- registry.fly.io/molecule-tenant:sha-<short>

Secret added via `gh secret set FLY_API_TOKEN` on the public repo.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 .github/workflows/publish-platform-image.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/.github/workflows/publish-platform-image.yml b/.github/workflows/publish-platform-image.yml
index 814647a5..dc22b2e7 100644
--- a/.github/workflows/publish-platform-image.yml
+++ b/.github/workflows/publish-platform-image.yml
@@ -23,6 +23,12 @@ permissions:
 env:
   # GHCR accepts mixed-case, but most tooling lowercases — keep us consistent.
   IMAGE_NAME: ghcr.io/molecule-ai/platform
+  # Fly registry mirror — tenant machines provisioned by the private
+  # `molecule-controlplane` pull from here (private GHCR image can't be
+  # pulled by Fly machines without auth plumbing we don't want to add).
+  # Fly auto-authenticates same-org machines against registry.fly.io, so
+  # mirroring keeps GHCR private while tenants still boot.
+  FLY_IMAGE_NAME: registry.fly.io/molecule-tenant
 
 jobs:
   build-and-push:
@@ -43,6 +49,15 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Log in to Fly registry
+        # Fly's registry accepts any username as long as the password is a
+        # valid FLY_API_TOKEN. Must be added to repo Secrets first.
+        uses: docker/login-action@v3
+        with:
+          registry: registry.fly.io
+          username: x
+          password: ${{ secrets.FLY_API_TOKEN }}
+
       - name: Compute tags
         id: tags
         # Emit two tags per build: `latest` (floating, always the main tip)
@@ -60,6 +75,8 @@ jobs:
           tags: |
             ${{ env.IMAGE_NAME }}:latest
             ${{ env.IMAGE_NAME }}:sha-${{ steps.tags.outputs.sha }}
+            ${{ env.FLY_IMAGE_NAME }}:latest
+            ${{ env.FLY_IMAGE_NAME }}:sha-${{ steps.tags.outputs.sha }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
           labels: |