From 03c35a49442e184ab62f164814134932b60a4124 Mon Sep 17 00:00:00 2001 From: Greg Logan Date: Thu, 11 Jun 2026 12:06:01 -0600 Subject: [PATCH 1/5] Using org secret to enable writing to ghcr in PRs --- .github/workflows/pr-deploy-container-image.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/pr-deploy-container-image.yml b/.github/workflows/pr-deploy-container-image.yml index 9e14e7d2cd..4118c4c7e6 100644 --- a/.github/workflows/pr-deploy-container-image.yml +++ b/.github/workflows/pr-deploy-container-image.yml @@ -27,7 +27,7 @@ jobs: with: registry: ghcr.io username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} + password: ${{ secrets.SUBMODULE_PR_DOCKER_WRITE }} - name: Extract metadata (tags, labels) id: meta @@ -42,6 +42,7 @@ jobs: push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} + github-token: ${{ secrets.SUBMODULE_PR_DOCKER_WRITE }} - name: Add comment if: github.event_name == 'pull_request' From ea0257ff173d01b0a622eeb5b3c061c79415ce1a Mon Sep 17 00:00:00 2001 From: Greg Logan Date: Thu, 11 Jun 2026 13:10:42 -0600 Subject: [PATCH 2/5] Setting the ghcr user --- .github/workflows/pr-deploy-container-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pr-deploy-container-image.yml b/.github/workflows/pr-deploy-container-image.yml index 4118c4c7e6..ca3d7d84f6 100644 --- a/.github/workflows/pr-deploy-container-image.yml +++ b/.github/workflows/pr-deploy-container-image.yml @@ -26,7 +26,7 @@ jobs: uses: docker/login-action@v3 with: registry: ghcr.io - username: ${{ github.actor }} + username: opencastproject password: ${{ secrets.SUBMODULE_PR_DOCKER_WRITE }} - name: Extract metadata (tags, labels) From c8ff253e5d4bafc50d532eb9c1ce4a9d0f30bd53 Mon Sep 17 00:00:00 2001 
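Review bot: The org-level write token `SUBMODULE_PR_DOCKER_WRITE` is handed to a workflow whose `on:` block (visible as the removed lines in patch 3/5) runs on `push` for every non-dependabot branch and on `pull_request`, so anyone who can push a branch or open a same-repo PR can run a modified copy of this file and read a long-lived credential with write access to the package registry. Fork PRs do not receive repository or organization secrets on `pull_request` at all (only a read-only `GITHUB_TOKEN`), so this change also does not appear to achieve the stated goal for external contributors. Patch 3/5 in this series reverts the line to `password: ${{ secrets.GITHUB_TOKEN }}`; if the intermediate commits stay in history, consider whether the PAT should be rotated, and keep any registry-write credential out of workflows that execute branch or PR code.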
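Review bot: Passing the registry write PAT as `github-token:` to `docker/build-push-action` widens that credential's exposure to a second action for no clear gain — as far as I can tell that input only authenticates the Git build context, for which the default `${{ github.token }}` already suffices. Drop the added line rather than reuse a registry-scoped secret for source checkout. (Patch 3/5 later removes this step entirely.)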
From: Greg Logan Date: Thu, 11 Jun 2026 15:37:16 -0600 Subject: [PATCH 3/5] Breaking this into two --- .../workflows/pr-build-container-image.yml | 35 +++++++++++++++++ .../workflows/pr-deploy-container-image.yml | 39 ++++++++----------- 2 files changed, 52 insertions(+), 22 deletions(-) create mode 100644 .github/workflows/pr-build-container-image.yml diff --git a/.github/workflows/pr-build-container-image.yml b/.github/workflows/pr-build-container-image.yml new file mode 100644 index 0000000000..9c1070d8f9 --- /dev/null +++ b/.github/workflows/pr-build-container-image.yml @@ -0,0 +1,35 @@ +name: PRs » Build container image + +on: + push: + branches-ignore: + - 'dependabot/**' + pull_request: + types: + - opened + - synchronize + +jobs: + container-image-build: + runs-on: ubuntu-latest + steps: + - name: Extract metadata (tags, labels) + id: meta + uses: docker/metadata-action@v5 + with: + images: ghcr.io/${{ github.repository }} + + - name: Build and push images + uses: docker/build-push-action@v6 + with: + context: . + push: false # This is handled in another workflow! + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + outputs: type=docker,dest=${{ runner.temp }}/build.tar + + - name: Upload docker image to GHA + uses: actions/upload-artifact@v4 + with: + name: build + path: ${{ runner.temp }}/build.tar diff --git a/.github/workflows/pr-deploy-container-image.yml b/.github/workflows/pr-deploy-container-image.yml index ca3d7d84f6..d8cdb016fb 100644 --- a/.github/workflows/pr-deploy-container-image.yml +++ b/.github/workflows/pr-deploy-container-image.yml 
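Review bot: The new `container-image-build` job declares no `permissions:` block, so it runs with whatever the repository's default `GITHUB_TOKEN` permissions are even though it executes untrusted fork code on `pull_request`; add `permissions:` / `  contents: read` under the job so the token is read-only regardless of repository settings. Bear in mind that on `pull_request` the PR's own copy of this file is what runs, so both the image contents and the tags that `docker/metadata-action` bakes into `build.tar` are fully under the PR author's control — the uploaded artifact is the trust boundary for the `workflow_run` consumer and must be treated as untrusted input there. The step is still named `Build and push images` although it sets `push: false`; `Build image` would describe it accurately.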
@@ -1,33 +1,25 @@ -name: PRs » Publish container image +name: PRs » Push container image on: - push: - branches-ignore: - - 'dependabot/**' - pull_request: + workflow_run: + workflows: ["PRs » Build container image"] types: - - opened - - synchronize + - completed jobs: - container-image: + container-image-deploy: runs-on: ubuntu-latest permissions: contents: read packages: write pull-requests: write steps: - - uses: actions/checkout@v5 - - - name: Prepare commit hash - run: git rev-parse HEAD > commit - - name: Log in to the container registry uses: docker/login-action@v3 with: registry: ghcr.io - username: opencastproject - password: ${{ secrets.SUBMODULE_PR_DOCKER_WRITE }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} - name: Extract metadata (tags, labels) id: meta @@ -35,14 +27,17 @@ jobs: with: images: ghcr.io/${{ github.repository }} - - name: Build and push images - uses: docker/build-push-action@v6 + - name: Download docker image from GHA + uses: actions/download-artifact@v4 with: - context: . - push: true - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - github-token: ${{ secrets.SUBMODULE_PR_DOCKER_WRITE }} + name: build + path: ${{ runner.temp }} + run-id: ${{ github.event.workflow_run.id }} + + - name: Load image + run: | + docker load --input ${{ runner.temp }}/build.tar + docker push ghcr.io/${{ github.repository }} - name: Add comment if: github.event_name == 'pull_request' From adccabe694c07716c792d42a3c198ba4e992f54d Mon Sep 17 00:00:00 2001 From: Greg Logan Date: Fri, 12 Jun 2026 10:35:43 -0600 Subject: [PATCH 4/5] This is required to be able to write the docker image to the tarball --- .github/workflows/pr-build-container-image.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/pr-build-container-image.yml b/.github/workflows/pr-build-container-image.yml index 9c1070d8f9..7413f5d85a 100644 --- a/.github/workflows/pr-build-container-image.yml 
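Review bot: The `workflow_run` job runs in the base repository with `packages: write` and real secrets but places no condition on the triggering run, so it fires for failed and cancelled builds and for plain `push` runs as well as PRs; add `if: github.event.workflow_run.conclusion == 'success'` (and, if only PR images are meant to be published, `&& github.event.workflow_run.event == 'pull_request'`) on `container-image-deploy`. The retained `Add comment` step is guarded by `if: github.event_name == 'pull_request'`, which can never be true under a `workflow_run` trigger, so that step is now dead code; the PR number would have to come from the event payload (`github.event.workflow_run.pull_requests[0].number`), which I believe is empty for fork PRs, so verify before relying on it. `username: ${{ github.actor }}` in a `workflow_run` context is the actor of the upstream run, i.e. the PR author; GHCR accepts `GITHUB_TOKEN` with any username as far as I know, but `${{ github.repository_owner }}` avoids feeding an untrusted identity into the login step.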
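Review bot: This is an artifact-poisoning path: the job downloads a tarball produced by an untrusted `pull_request` run and pushes it to `ghcr.io/${{ github.repository }}` with `packages: write`, yet the tags inside that tarball were chosen by the PR (which can also edit the build workflow), so a PR can publish an image under any tag name in the project's namespace, including `latest` or a release tag. `docker push` without an explicit tag also ignores the tags `metadata-action` computed in this job (`steps.meta` is now unused) — depending on the Docker version it pushes only `latest` or requires `--all-tags` — so the intended `pr-N` tag likely never lands. Load the image, discard whatever tag it carried, and push only a tag derived from trusted event data such as `github.event.workflow_run.head_sha`; the image contents remain PR-controlled, so that tag namespace must never be consumed as a release. Separately, `actions/download-artifact@v4` requires `github-token: ${{ secrets.GITHUB_TOKEN }}` when `run-id` points at a different workflow run, so the download step as written will most likely fail before any of this executes.
```yaml
      # … unchanged: login, metadata and download-artifact steps …
      - name: Load image and push a tag derived from trusted run metadata
        env:
          IMAGE: ghcr.io/${{ github.repository }}
          HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
          TARBALL: ${{ runner.temp }}/build.tar
        run: |
          set -euo pipefail
          # Take the image the untrusted build produced, but ignore the tag it
          # chose: only the tag derived here is pushed under our namespace.
          loaded=$(docker load --input "$TARBALL" | sed -n 's/^Loaded image: //p' | head -n 1)
          test -n "$loaded"
          docker tag "$loaded" "$IMAGE:sha-$HEAD_SHA"
          docker push "$IMAGE:sha-$HEAD_SHA"
```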
+++ b/.github/workflows/pr-build-container-image.yml @@ -19,6 +19,9 @@ jobs: with: images: ghcr.io/${{ github.repository }} + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + - name: Build and push images uses: docker/build-push-action@v6 with: From 02fc2f8d1a693b8d314d89ba3448753c1545c050 Mon Sep 17 00:00:00 2001 From: Greg Logan Date: Fri, 12 Jun 2026 10:35:54 -0600 Subject: [PATCH 5/5] Removing the custom context since this breaks things --- .github/workflows/pr-build-container-image.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/pr-build-container-image.yml b/.github/workflows/pr-build-container-image.yml index 7413f5d85a..f9ec8a1d81 100644 --- a/.github/workflows/pr-build-container-image.yml +++ b/.github/workflows/pr-build-container-image.yml @@ -25,7 +25,6 @@ jobs: - name: Build and push images uses: docker/build-push-action@v6 with: - context: . push: false # This is handled in another workflow! tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }}