From e8f4044f8c2ba903f9757f20b5aaf5a206dcecaa Mon Sep 17 00:00:00 2001
From: deepend <deepend@tilde.club>
Date: Wed, 18 Feb 2026 10:44:45 -0700
Subject: [PATCH] Updated the Solus workflow to grant packages: read (alongside
 contents: read) at workflow scope, so the Actions token can authenticate for
 GHCR package pulls.

Added a conditional GHCR login step (docker/login-action@v3) that runs when the selected image is under ghcr.io/*, using ${{ github.actor }} and ${{ github.token }} before docker pull.

Left the existing build/pull flow intact after authentication, so behavior is unchanged except for fixing anonymous-pull denial cases.
---
 .github/workflows/solus-eopkg-build.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/.github/workflows/solus-eopkg-build.yml b/.github/workflows/solus-eopkg-build.yml
index d2cfc1b5..780c9072 100644
--- a/.github/workflows/solus-eopkg-build.yml
+++ b/.github/workflows/solus-eopkg-build.yml
@@ -16,6 +16,10 @@ on:
       - main
       - master
 
+permissions:
+  contents: read
+  packages: read
+
 jobs:
   build-eopkg:
     runs-on: ubuntu-latest
@@ -26,6 +30,14 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
+      - name: Log in to GHCR (for ghcr.io images)
+        if: startsWith(env.SOLUS_IMAGE, 'ghcr.io/')
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ github.token }}
+
       - name: Build eopkg package in Solus container
         run: |
           if [ ! -f "$PACKAGE_YML" ]; then