GHCR Operations Checklist

This checklist is for the private aisopsflow-enterprise repository.

Repository settings

  • repository visibility: private
  • default branch protection enabled
  • tag creation restricted to release operators
  • GitHub Actions enabled
  • GitHub Actions allowed to create and update packages

GitHub Actions permissions

Repository-level defaults:

  • workflow permissions: Read repository contents
  • allow GitHub Actions to create and approve pull requests: off unless explicitly needed

Workflow-level requirements in publish-images.yml:

  • contents: read
  • packages: write

Do not grant broader permissions unless a release workflow actually needs them.

GHCR package settings

Create and retain only these packages:

  • ghcr.io/<org>/aisopsflow-core
  • ghcr.io/<org>/aisopsflow-runner
  • ghcr.io/<org>/aisopsflow-console
  • ghcr.io/<org>/aisopsflow-core-commercial
  • ghcr.io/<org>/aisopsflow-runner-commercial
  • ghcr.io/<org>/aisopsflow-console-commercial

Package policy:

Public package policy:

  • visibility: public
  • package README should state that customer and user environments should pin by digest
  • public package names and commercial package names must stay separate

Commercial package policy:

  • visibility: private
  • inheritance from repository permissions: enabled unless you have a strong reason to decouple it
  • delete/restore package permission limited to release administrators
  • do not expose commercial-only defaults in public package metadata

Secrets and auth

  • prefer GITHUB_TOKEN for package publish from GitHub Actions
  • do not use long-lived personal access tokens for routine image publish
  • if customer pull access is needed, issue scoped credentials only for package read
  • rotate any emergency manual credentials after use

Release tags

Allowed tags:

  • core-vX.Y.Z
  • runner-vX.Y.Z
  • console-vX.Y.Z
  • release-vX.Y.Z
  • commercial-core-vX.Y.Z
  • commercial-runner-vX.Y.Z
  • commercial-console-vX.Y.Z
  • commercial-release-vX.Y.Z

Rules:

  • core-v* publishes only aisopsflow-core
  • runner-v* publishes only aisopsflow-runner
  • console-v* publishes only aisopsflow-console
  • release-v* publishes all images and is the tag-based path that moves latest
  • commercial-core-v* publishes only aisopsflow-core-commercial
  • commercial-runner-v* publishes only aisopsflow-runner-commercial
  • commercial-console-v* publishes only aisopsflow-console-commercial
  • commercial-release-v* publishes all commercial images and is the tag-based path that moves latest for the commercial packages
  • manual workflow_dispatch uses the same workflow and selects public|commercial, core|runner|console|both, optional version, and optional publish_latest
  • production deployment manifests should still pin by digest, not by mutable tag
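To make the tag rules above mechanically checkable, here is an added shell example (not the project's own publish-images.yml) that maps an allowed release tag to its package family, the images it publishes and whether latest moves; the image name pattern aisopsflow-<component>[-commercial] comes from the package list above, and rejecting anything that is not a strict X.Y.Z version is an assumption.

```shell
#!/usr/bin/env sh
# Added example for the release-tag rules; assumed to run as a workflow
# helper step before any image is pushed. Not code from the repository.
set -eu

# plan_for_tag TAG
# Prints: "<family> <image ...> version=<X.Y.Z> latest=<true|false>"
# Returns 1 for any tag that is not on the allowed list.
plan_for_tag() {
  local tag="$1" family component version latest=false suffix="" images
  # commercial-* tags share the public layout after the prefix is removed
  case "$tag" in
    commercial-*) family=commercial; tag="${tag#commercial-}" ;;
    *)            family=public ;;
  esac
  # only the four component prefixes are allowed, each followed by -v
  case "$tag" in
    core-v*|runner-v*|console-v*|release-v*)
      component="${tag%%-v*}"
      version="${tag#*-v}" ;;
    *) echo "rejected tag: $1" >&2; return 1 ;;
  esac
  # strict X.Y.Z only; pre-release or partial versions are rejected (assumption)
  if ! printf '%s' "$version" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'; then
    echo "rejected version in tag $1: $version" >&2; return 1
  fi
  [ "$family" = commercial ] && suffix="-commercial"
  if [ "$component" = release ]; then
    # release-v* / commercial-release-v* publish every image and move latest
    images="aisopsflow-core$suffix aisopsflow-runner$suffix aisopsflow-console$suffix"
    latest=true
  else
    # a component tag publishes exactly one image and never moves latest
    images="aisopsflow-${component}${suffix}"
  fi
  printf '%s %s version=%s latest=%s\n' "$family" "$images" "$version" "$latest"
}

# Usage: sh plan.sh commercial-release-v1.2.3
[ $# -eq 0 ] || plan_for_tag "$1"
```

A non-zero exit here should fail the workflow run, so an unexpected tag never reaches the build or push steps.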

Operator preflight

Before creating a release tag:

  • core/Dockerfile builds successfully
  • runner/Dockerfile builds successfully
  • console/Dockerfile builds successfully when console is in scope
  • image changes match the intended component release
  • release notes include the exact git commit and expected image tags
  • customer-facing deployment docs reference digest pinning

Operator post-release checks

After workflow completion:

  • both expected GHCR packages exist
  • expected semver tag is present
  • expected git sha tag is present
  • latest moved only for release-v* or an explicit manual dispatch with publish_latest=true
  • package visibility is still private
  • package digest used by deployment manifests is recorded in the release notes

Customer delivery checks

  • share image references by digest, not just by tag
  • share minimal pull credentials if private pull is required
  • do not expose the enterprise source repository
  • direct plugin developers to the public SDK and catalog repositories