From 2c95596d70d29ac21ace852e9e8166d280873313 Mon Sep 17 00:00:00 2001 From: "alex.stanfield" <13949480+chaptersix@users.noreply.github.com> Date: Fri, 21 Nov 2025 08:29:58 -0600 Subject: [PATCH] Improve repository and registry parameterization MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This change makes Docker image publishing fully configurable while maintaining backward compatibility with both temporalio (Docker Hub) and forks (GHCR). Changes: - Add workflow inputs: registry, registry_namespace, and image_name - Smart defaults: temporalio uses Docker Hub, forks use GHCR - Conditional authentication for multiple registries - Standardize image name to "temporal" everywhere - Proper handling of Docker Hub's no-prefix format Workflow inputs (all optional with smart defaults): - registry: Container registry (docker.io, ghcr.io, etc.) - registry_namespace: Organization/user (defaults to repository_owner) - image_name: Image name (defaults to "temporal") Default behavior: - temporalio/cli → docker.io/temporalio/temporal - forks → ghcr.io/{owner}/temporal This design is PR-able to upstream while working for forks out of the box. --- .github/docker/docker-bake.hcl | 16 +++-- .github/workflows/build-and-publish.yml | 93 +++++++++++++++++++++---- .github/workflows/goreleaser.yml | 3 + 3 files changed, 95 insertions(+), 17 deletions(-) diff --git a/.github/docker/docker-bake.hcl b/.github/docker/docker-bake.hcl index c84ddce33..f890ae32e 100644 --- a/.github/docker/docker-bake.hcl +++ b/.github/docker/docker-bake.hcl @@ -1,5 +1,13 @@ variable "IMAGE_REPO" { - default = "ghcr.io/chaptersix" + default = "ghcr.io" +} + +variable "IMAGE_NAMESPACE" { + default = "" +} + +variable "IMAGE_NAME" { + default = "temporal" } variable "IMAGE_SHA_TAG" {} 
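Review bot: The new defaults do not form a usable reference on their own: with `IMAGE_REPO = "ghcr.io"` and `IMAGE_NAMESPACE = ""`, running bake without the workflow's environment gives the `cli` target tags of the form `ghcr.io//temporal:<tag>`. The previous default (`ghcr.io/chaptersix`) at least produced a valid name. I would document the requirement above the variable, for example `# Must be set by the caller; an empty value produces an invalid image reference.`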
@@ -27,9 +35,9 @@ target "cli" { dockerfile = ".github/docker/cli.Dockerfile" context = "." tags = compact([ - "${IMAGE_REPO}/temporal-cli:${IMAGE_SHA_TAG}", - "${IMAGE_REPO}/temporal-cli:${VERSION}", - TAG_LATEST ? "${IMAGE_REPO}/temporal-cli:latest" : "", + IMAGE_REPO == "" ? "${IMAGE_NAMESPACE}/${IMAGE_NAME}:${IMAGE_SHA_TAG}" : "${IMAGE_REPO}/${IMAGE_NAMESPACE}/${IMAGE_NAME}:${IMAGE_SHA_TAG}", + IMAGE_REPO == "" ? "${IMAGE_NAMESPACE}/${IMAGE_NAME}:${VERSION}" : "${IMAGE_REPO}/${IMAGE_NAMESPACE}/${IMAGE_NAME}:${VERSION}", + TAG_LATEST ? (IMAGE_REPO == "" ? "${IMAGE_NAMESPACE}/${IMAGE_NAME}:latest" : "${IMAGE_REPO}/${IMAGE_NAMESPACE}/${IMAGE_NAME}:latest") : "", ]) platforms = ["linux/amd64", "linux/arm64"] args = { diff --git a/.github/workflows/build-and-publish.yml b/.github/workflows/build-and-publish.yml index 61a4194d9..bec203da6 100644 --- a/.github/workflows/build-and-publish.yml +++ b/.github/workflows/build-and-publish.yml @@ -11,7 +11,26 @@ on: description: "Version tag for the release (required if publish is true)" required: false type: string - secrets: {} + registry: + description: "Container registry (docker.io, ghcr.io, etc.)" + required: false + type: string + default: "" + registry_namespace: + description: "Registry namespace/organization" + required: false + type: string + default: "" + image_name: + description: "Image name" + required: false + type: string + default: "temporal" + secrets: + DOCKER_USERNAME: + required: false + DOCKER_PASSWORD: + required: false jobs: build: 
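Review bot: The empty-string sentinel for Docker Hub makes every tag depend on `IMAGE_REPO == ""`, and the same ternary is now repeated three times in `tags`. Docker also accepts the fully qualified form, so passing `docker.io` through would let all three lines stay as `"${IMAGE_REPO}/${IMAGE_NAMESPACE}/${IMAGE_NAME}:${VERSION}"` (likewise for the SHA and `latest` tags) and remove the workflow's Docker Hub special case. It is also worth confirming that bake treats an `IMAGE_REPO` exported as an empty string as an override rather than falling back to the default `ghcr.io`. If it falls back, a Docker Hub release would be tagged for GHCR while only the Docker Hub login has run. The `cli` target continues outside the hunk.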
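Review bot: The two new secrets carry no `description`, and the input descriptions do not say what an empty value resolves to or that only `ghcr.io` and `docker.io` get a login step. I would add `description: "Docker Hub access token with push scope; read only when the registry resolves to docker.io"` under `DOCKER_PASSWORD`, and extend the `registry` description to `"Container registry; empty selects docker.io for temporalio and ghcr.io otherwise. Only ghcr.io and docker.io are authenticated."`. Naming an access token rather than the account password in the description nudges callers toward a credential that can be scoped and revoked on its own.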
@@ -80,19 +99,14 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - - name: Log in to GitHub Container Registry - if: inputs.publish - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - name: Get build metadata id: meta env: INPUT_VERSION: ${{ inputs.version }} INPUT_PUBLISH: ${{ inputs.publish }} + INPUT_REGISTRY: ${{ inputs.registry }} + INPUT_REGISTRY_NAMESPACE: ${{ inputs.registry_namespace }} + INPUT_IMAGE_NAME: ${{ inputs.image_name }} REPO_OWNER: ${{ github.repository_owner }} run: | echo "cli_sha=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT 
@@ -108,13 +122,62 @@ jobs: echo "version=snapshot" >> $GITHUB_OUTPUT fi - # Determine image repo based on repository owner - if [[ "$REPO_OWNER" == "temporalio" ]]; then - echo "image_repo=temporalio" >> $GITHUB_OUTPUT + # Determine registry (with auto-detection for temporalio vs forks) + REGISTRY="$INPUT_REGISTRY" + if [[ -z "$REGISTRY" ]]; then + if [[ "$REPO_OWNER" == "temporalio" ]]; then + REGISTRY="docker.io" + else + REGISTRY="ghcr.io" + fi + fi + + # Determine registry type for authentication + if [[ "$REGISTRY" == "ghcr.io" ]]; then + echo "registry_type=ghcr" >> $GITHUB_OUTPUT + elif [[ "$REGISTRY" == "docker.io" ]]; then + echo "registry_type=dockerhub" >> $GITHUB_OUTPUT else - echo "image_repo=ghcr.io/$REPO_OWNER" >> $GITHUB_OUTPUT + echo "registry_type=other" >> $GITHUB_OUTPUT fi + # Set namespace (defaults to repository owner) + NAMESPACE="$INPUT_REGISTRY_NAMESPACE" + if [[ -z "$NAMESPACE" ]]; then + NAMESPACE="$REPO_OWNER" + fi + + # Set image name (defaults to 'temporal') + IMAGE_NAME="$INPUT_IMAGE_NAME" + if [[ -z "$IMAGE_NAME" ]]; then + IMAGE_NAME="temporal" + fi + + # For Docker Hub, use empty string as registry (special case) + if [[ "$REGISTRY" == "docker.io" ]]; then + echo "image_repo=" >> $GITHUB_OUTPUT + else + echo "image_repo=${REGISTRY}" >> $GITHUB_OUTPUT + fi + + echo "image_namespace=${NAMESPACE}" >> $GITHUB_OUTPUT + echo "image_name=${IMAGE_NAME}" >> $GITHUB_OUTPUT + + - name: Log in to GitHub Container Registry + if: inputs.publish && steps.meta.outputs.registry_type == 'ghcr' + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Log in to Docker Hub + if: inputs.publish && steps.meta.outputs.registry_type == 'dockerhub' + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} + - name: Check if release is latest if: inputs.publish id: check_latest 
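Review bot: `registry`, `registry_namespace` and `image_name` are written to `$GITHUB_OUTPUT` and later into image tags without any check. A value containing a newline can add or override step outputs, an uppercase repository owner produces a reference that Docker rejects, and a registry other than `ghcr.io` or `docker.io` reaches the push with no login step at all. I would lowercase the namespace, validate the three values against a conservative pattern, and fail before the build when `publish` is set for a registry the workflow cannot authenticate to. The check belongs just before the `image_repo` output is written; the `run` block starts outside this hunk. The pattern below is stricter than the full reference grammar and may need widening.

```yaml
          # … unchanged: registry auto-detection, registry_type output, namespace and image-name defaults …

          # Image references must be lowercase; a repository owner need not be.
          NAMESPACE="$(printf '%s' "$NAMESPACE" | tr '[:upper:]' '[:lower:]')"

          # Reject anything that could break the tag or add lines to $GITHUB_OUTPUT.
          # The offending value is deliberately not echoed back into the log.
          name_pattern='^[a-z0-9]+([._:/-][a-z0-9]+)*$'
          for value in "$REGISTRY" "$NAMESPACE" "$IMAGE_NAME"; do
            if [[ ! "$value" =~ $name_pattern ]]; then
              echo "::error::registry, registry_namespace or image_name contains unsupported characters"
              exit 1
            fi
          done

          # Only ghcr.io and docker.io have a login step; stop before building for anything else.
          if [[ "$INPUT_PUBLISH" == "true" && "$REGISTRY" != "ghcr.io" && "$REGISTRY" != "docker.io" ]]; then
            echo "::error::publishing is only supported for ghcr.io and docker.io"
            exit 1
          fi

          # … unchanged: image_repo, image_namespace and image_name outputs …
```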
@@ -144,6 +207,8 @@ jobs: VERSION: ${{ steps.meta.outputs.version }} TAG_LATEST: ${{ steps.check_latest.outputs.tag_latest }} IMAGE_REPO: ${{ steps.meta.outputs.image_repo }} + IMAGE_NAMESPACE: ${{ steps.meta.outputs.image_namespace }} + IMAGE_NAME: ${{ steps.meta.outputs.image_name }} - name: Build Docker image if: ${{ !inputs.publish }} @@ -158,6 +223,8 @@ jobs: VERSION: ${{ steps.meta.outputs.version }} TAG_LATEST: false IMAGE_REPO: ${{ steps.meta.outputs.image_repo }} + IMAGE_NAMESPACE: ${{ steps.meta.outputs.image_namespace }} + IMAGE_NAME: ${{ steps.meta.outputs.image_name }} - name: Upload build artifacts if: ${{ !inputs.publish }} diff --git a/.github/workflows/goreleaser.yml b/.github/workflows/goreleaser.yml index a01b97044..dfd79cedd 100644 --- a/.github/workflows/goreleaser.yml +++ b/.github/workflows/goreleaser.yml @@ -15,3 +15,6 @@ jobs: with: publish: true version: ${{ github.ref_name }} + secrets: + DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }} + DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
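Review bot: The credentials forwarded here are consumed by `docker/login-action@v3` in build-and-publish.yml, which is referenced by a movable tag, so whatever that tag points to at run time receives `DOCKER_PASSWORD`. Pinning the action to a full commit SHA, `uses: docker/login-action@<full-commit-sha> # v3`, fixes the code that handles the secret. The trigger of this workflow is outside the hunk. If the job is not already bound to a protected environment, scoping the two secrets to one would limit which runs can read them.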