Fix GHCR Permissions of GHA Runners (#28)

olivia-banks · web-flow · commit a8f9d606222b · 2026-03-31T16:42:31.000-06:00
* [gha] fix ghcr permissions

* [gha] set copilot workflow checkout fetch depth

* [gha] remove dual sync

* [gha] fix ghcr image names

* [gha] fix ghcr image names

* [gha] remove latest tag on publication

* [gha] add `--no-install-project`
diff --git a/.github/workflows/containerfile.yml b/.github/workflows/containerfile.yml
@@ -12,7 +12,7 @@ on:
 
 env:
   REGISTRY: ghcr.io
-  IMAGE_NAME: ${{ github.repository }}
+  IMAGE_NAME: epiforesite/epiworldpythonstreamlit
 
 jobs:
   build-and-push:
diff --git a/.github/workflows/copilot.yml b/.github/workflows/copilot.yml
@@ -3,23 +3,38 @@ name: GitHub Copilot Dev Environment
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+  packages: read
+
 jobs:
   copilot:
     runs-on: ubuntu-latest
     container:
-      image: ghcr.io/${{ github.repository }}:latest
+      image: ghcr.io/epiforesite/epiworldpythonstreamlit:latest
       credentials:
         username: ${{ github.actor }}
         password: ${{ secrets.GITHUB_TOKEN }}
 
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
 
       - name: Sync dependencies
-        run: uv sync --frozen
+        run: uv sync --frozen --group dev --no-install-project
+
+      - name: Install development dependencies and tools
+        run: |
+          sudo apt-get update && sudo apt-get install -y \
+            git \
+            vim \
+            nano \
+            curl \
+            wget
 
-      - name: Setup Copilot environment
+      - name: Verify development environment
         run: |
           echo "Development environment ready for GitHub Copilot"
           echo "Python version: $(python --version)"
diff --git a/.github/workflows/on_pr.yml b/.github/workflows/on_pr.yml
@@ -4,15 +4,15 @@ on:
   pull_request:
     branches: [main]
 
-env:
-  REGISTRY: ghcr.io
-  IMAGE_NAME: ${{ github.repository }}
+permissions:
+  contents: read
+  packages: read
 
 jobs:
   test:
     runs-on: ubuntu-latest
     container:
-      image: ghcr.io/${{ github.repository }}:latest
+      image: ghcr.io/epiforesite/epiworldpythonstreamlit:latest
       credentials:
         username: ${{ github.actor }}
         password: ${{ secrets.GITHUB_TOKEN }}
