feat (cli): Introduce Enola container image for end-users

[vorburger]

Relates to #180 re. #181.

This PR does not actually publish the container image to ghcr.io/enola-dev/enola:latest just yet.

[vorburger]

This PR does not actually publish the container image to ghcr.io/enola-dev/enola:latest just yet.

Hm, I added a new workflow for that in a 2nd commit on this PR, and it fails with:

#9 pushing layer 6f4d4102c049 0.4s done
#9 ERROR: denied: installation not allowed to Create organization package
------
 > pushing ghcr.io/enola-dev/enola:pr-396 with docker:
------
ERROR: denied: installation not allowed to Create organization package
Error: buildx failed with: ERROR: denied: installation not allowed to Create organization package

Should I already merge this as-is (without doc?), and then create another PR to sort that out later?

[vorburger]

#9 ERROR: denied: installation not allowed to Create organization package

Enabling Public instead of Private only Package Creation Permissions on https://github.com/organizations/enola-dev/settings/packages did not help for this. That still smells like it's probably the correct setting, so I'll keep that.

Disabling Inherit access from source repository on the Default package settings (hear: "This setting will be applied to new Container, npm, rubygems and NuGet packages.") does not help either; and in fact may be dumb/wrong? I've played with undoing it again, but it doesn't work either way (even after the manual package creation, below).

Adding labels does not seem to help.

Attempting to manually publishing an initial package's first version, from local workstation instead of GitHub Action, to see if that works... https://github.com/organizations/enola-dev/settings/personal-access-tokens-onboarding says "By default, fine-grained personal access tokens cannot access content owned by your organization via the Public API or Git. This includes both public and private resources such as repositories." so I've enabled that, for now. But when creating a (new style) PAT on https://github.com/settings/personal-access-tokens/new, there are no Package related permissions shown?! So I granted Admin and Repo write etc. but it's NOK; fails with Error: writing blob: initiating layer upload to /v2/enola-dev/enola/blobs/uploads/ in ghcr.io: denied: permission_denied: The token provided does not match expected scopes. Hm, I guess https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry#authenticating-with-a-personal-access-token-classic really saying that you still need a "classic" not "new" PAT - that worked, and finally created https://github.com/orgs/enola-dev/packages/container/package/enola!

echo ghp_... | podman login ghcr.io -u vorburger --password-stdin
podman tag 174c61a973f9 ghcr.io/enola-dev/enola:test
podman push ghcr.io/enola-dev/enola:test

It was private not public by default; I've changed that, via Package settings. Then I've also Manage Actions access > Added Repository for https://github.com/enola-dev/enola on that Package. Lastly I've also Connected Repository to the Package (and it now shows e.g. the README.md). Unfortunately none of this helped, and this PR build is still red, with the same error.

I have hunch that perhaps this is blocked from PRs, and only works after merge? I'll go ahead and see if that helps...

[vorburger]

I have hunch that perhaps this is blocked from PRs, and only works after merge? I'll go ahead and see if that helps...

That was it indeed! https://github.com/enola-dev/enola/pkgs/container/enola now has it.

Except it's :main instead of :latest, make sense, from the branch name, based on https://github.com/docker/metadata-action/. I'll raise a small follow up PR to fix that in a moment.

https://github.com/organizations/enola-dev/settings/personal-access-tokens-onboarding says "By default, fine-grained personal access tokens cannot access content owned by your organization via the Public API or Git. This includes both public and private resources such as repositories." so I've enabled that, for now.

I've reverted that again on https://github.com/organizations/enola-dev/settings/personal-access-tokens.

Disabling Inherit access from source repository on the Default package settings

This is re-enabled on https://github.com/organizations/enola-dev/settings/packages .