ci: use public gha runners

.github/workflows/build.yml

@@ -1,4 +1,3 @@
-permissions: read-all
 on:
   push:
     branches: [ main ]
@@ -9,84 +8,77 @@ name: Build container images
 jobs:
   build:
     name: Build ${{ matrix.tag }}
-    runs-on: self-hosted
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
     strategy:
       fail-fast: false
       matrix:
         include:
-          - tag: kriger/kriger
+          - tag: cyberlandslaget/kriger
             path: .
-          - tag: kriger/frontend
+          - tag: cyberlandslaget/kriger-frontend
             path: frontend
     steps:
       - name: Check out the repo
         uses: actions/checkout@v4
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
-        id: builder
-        with:
-          # See: https://github.com/docker/buildx/issues/298
-          driver-opts: |
-            network=host
 
       - name: Log in to the Container registry
         uses: docker/login-action@v3
         with:
-          registry: r.o99.no
-          username: ${{ secrets.REGISTRY_USER }}
-          password: ${{ secrets.REGISTRY_PASS }}
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build and push
         uses: docker/build-push-action@v6
         with:
           context: ${{ matrix.path }}
           file: ${{ matrix.path }}/Dockerfile
           push: true
-          tags: r.o99.no/${{ matrix.tag }}:latest,r.o99.no/${{ matrix.tag }}:${{ github.run_number }}
-          cache-from: type=registry,ref=r.o99.no/${{ matrix.tag }}:buildcache
-          # See https://github.com/goharbor/harbor/pull/18105#issuecomment-1811951274 for the Harbor workaround
-          cache-to: type=registry,ref=r.o99.no/${{ matrix.tag }}:buildcache,mode=max,image-manifest=true,oci-mediatypes=true
-          builder: ${{ steps.builder.outputs.name }}
+          tags: ghcr.io/${{ matrix.tag }}:main,ghcr.io/${{ matrix.tag }}:main-${{ github.run_number }}
+          cache-from: type=registry,ref=ghcr.io/${{ matrix.tag }}:buildcache
+          cache-to: type=registry,ref=ghcr.io/${{ matrix.tag }}:buildcache,mode=max
 
   build_exploit_base:
     strategy:
       fail-fast: false
       matrix:
         include:
-          - tag: kriger/exploit-base:python
+          - tag: cyberlandslaget/kriger-exploit-base:python
             path: data/base/python
-          - tag: kriger/exploit-base:python-slim
+          - tag: cyberlandslaget/kriger-exploit-base:python-slim
             path: data/base/python-slim
     name: Build exploit base ${{ matrix.tag }}
     runs-on: self-hosted
+    permissions:
+      contents: read
+      packages: write
     needs: [ build ]
     steps:
       - name: Check out the repo
         uses: actions/checkout@v4
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
-        id: builder
-        with:
-          driver-opts: |
-            network=host
 
       - name: Log in to the Container registry
         uses: docker/login-action@v3
         with:
-          registry: r.o99.no
-          username: ${{ secrets.REGISTRY_USER }}
-          password: ${{ secrets.REGISTRY_PASS }}
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build and push
         uses: docker/build-push-action@v6
         with:
           context: ${{ matrix.path }}
           file: ${{ matrix.path }}/Dockerfile
           push: true
-          tags: r.o99.no/${{ matrix.tag }}
-          cache-from: type=registry,ref=r.o99.no/${{ matrix.tag }}-buildcache
-          # See https://github.com/goharbor/harbor/pull/18105#issuecomment-1811951274 for the Harbor workaround
-          cache-to: type=registry,ref=r.o99.no/${{ matrix.tag }}-buildcache,mode=max,image-manifest=true,oci-mediatypes=true
-          builder: ${{ steps.builder.outputs.name }}
+          tags: ghcr.io/${{ matrix.tag }}
+          cache-from: type=registry,ref=ghcr.io/${{ matrix.tag }}:buildcache
+          cache-to: type=registry,ref=ghcr.io/${{ matrix.tag }}:buildcache,mode=max

.github/workflows/templates.yml

@@ -1,7 +1,6 @@
-permissions: read-all
 on:
   push:
-    branches: [main]
+    branches: [ main ]
     paths:
       - ".github/workflows/templates.yml"
       - "data/templates/**"
@@ -12,7 +11,10 @@ name: Package templates
 jobs:
   package-templates:
     name: Package exploit template ${{ matrix.name }}
-    runs-on: self-hosted
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
     strategy:
       fail-fast: false
       matrix:
@@ -28,15 +30,15 @@ jobs:
 
       - name: Log in to the OCI registry
         run: |
-          oras login -u "$REGISTRY_USER" --password-stdin r.o99.no <<<"$REGISTRY_PASS"
+          oras login -u "$REGISTRY_USER" --password-stdin ghcr.io <<<"$REGISTRY_PASS"
         env:
-          REGISTRY_USER: ${{ secrets.REGISTRY_USER }}
-          REGISTRY_PASS: ${{ secrets.REGISTRY_PASS }}
+          REGISTRY_USER: ${{ github.actor }}
+          REGISTRY_PASS: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Archive the template
         run: |
           tar czfh template.tar.gz -C "data/templates/${{ matrix.name }}" .
 
       - name: Push the template
         run: |
-          oras push r.o99.no/kriger/exploit-templates:${{ matrix.name }} template.tar.gz:application/vnd.kriger.exploit.template.v1.tar+gzip
+          oras push ghcr.io/cyberlandslaget/kriger-exploit-templates:${{ matrix.name }} template.tar.gz:application/vnd.kriger.exploit.template.v1.tar+gzip

crates/kriger/src/cli/commands/deploy.rs

@@ -127,6 +127,7 @@ pub(crate) async fn main(args: args::Deploy) -> Result<()> {
     ));
 
     // Prepare build arguments
+    // TODO: Provide a way to deal with custom registries - this is currently unused by the Dockerfile
     let mut build_args: HashMap<&str, &str> = HashMap::new();
     build_args.insert("REGISTRY", &cli_config.registry.registry);
 

data/base/python-slim/Dockerfile

@@ -1,9 +1,7 @@
-ARG REGISTRY="r.o99.no"
-
 # https://github.com/astral-sh/uv/pkgs/container/uv
 FROM ghcr.io/astral-sh/uv:0.3.3 AS uv
 
-FROM $REGISTRY/kriger/kriger AS runner
+FROM ghcr.io/cyberlandslaget/kriger AS runner
 
 FROM python:3.12-slim-bookworm
 COPY --from=uv /uv /usr/bin/uv

data/base/python/Dockerfile

@@ -1,9 +1,7 @@
-ARG REGISTRY="r.o99.no"
-
 # https://github.com/astral-sh/uv/pkgs/container/uv
 FROM ghcr.io/astral-sh/uv:0.3.3 AS uv
 
-FROM $REGISTRY/kriger/kriger AS runner
+FROM ghcr.io/cyberlandslaget/kriger AS runner
 
 # Note that we SHOULD NOT use the slim variant due to some Python packages relying on native compilation (eg. gcc)
 FROM python:3.12-bookworm

data/examples/python-test/Dockerfile

@@ -1,6 +1,5 @@
-ARG REGISTRY="r.o99.no"
-
-FROM $REGISTRY/kriger/exploit-base:python
+ARG REPOSITORY="ghcr.io/cyberlandslaget/kriger-exploit-base"
+FROM $REPOSITORY:python
 
 COPY requirements.txt .
 RUN /usr/bin/uv pip install --system -r requirements.txt

data/templates/python-slim/Dockerfile

@@ -1,6 +1,5 @@
-ARG REGISTRY="r.o99.no"
-
-FROM $REGISTRY/kriger/exploit-base:python-slim
+ARG REPOSITORY="ghcr.io/cyberlandslaget/kriger-exploit-base"
+FROM $REPOSITORY:python-slim
 
 COPY requirements.txt .
 RUN /usr/bin/uv pip install --system -r requirements.txt

data/templates/python/Dockerfile

@@ -1,6 +1,5 @@
-ARG REGISTRY="r.o99.no"
-
-FROM $REGISTRY/kriger/exploit-base:python
+ARG REPOSITORY="ghcr.io/cyberlandslaget/kriger-exploit-base"
+FROM $REPOSITORY:python
 
 COPY requirements.txt .
 RUN /usr/bin/uv pip install --system -r requirements.txt