[Bug]: Forks cannot push images
What happened?
In GitHub Actions, workflows triggered by forks (and Dependabot, which is treated as a fork) do not have access to secrets and have a read-only GitHub token. This limits what workflows can do when triggered by events from forks.
Workflow runs triggered by Dependabot pull requests run as if they are from a forked repository, and therefore use a read-only GITHUB_TOKEN. These workflow runs cannot access any secrets. For information about strategies to keep these workflows secure, see "[Security hardening for GitHub Actions](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions)."
https://docs.github.com/en/actions/security-guides/automatic-token-authentication
https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
This forces us to rebuild the image in any jobs that use the run-docker action. It's not the end of the world, but it is not very good DX and does cause forks to run in a slightly different way than origin.
What did you expect to happen?
There should be a way to authenticate forked users to push images to their own package registry, or to configure the workflow to push to the fork's GitHub package registry namespace. Or we should consider not pushing images in CI and instead building, but this is less attractive as it is a performance hit and reduces the validity of CI.
Is there an existing issue for this?
- [X] I have searched the existing issues
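One way to get the behaviour the report asks for, as an added example and not a workflow from this project: push to `ghcr.io/<repository owner>` so that a fork running the workflow on its own branches lands the image in the fork owner's namespace with its own `GITHUB_TOKEN`, and fall back to build-only when the run is a fork pull request or a Dependabot PR, where the token is read-only regardless of the `permissions` block. The image name `example-image`, the job layout and the smoke-test command are assumptions, not anything the issue specifies.

```yaml
# Added example workflow (not the project's own). Assumes a Dockerfile at the
# repository root and an image that accepts --version; adjust both as needed.
name: build-image

on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read
  # Honoured on push events. Fork-originated pull_request runs (and Dependabot
  # PRs) still receive a read-only GITHUB_TOKEN, so the push is gated below.
  packages: write

jobs:
  build:
    runs-on: ubuntu-latest
    env:
      # github.repository_owner resolves to the fork owner when the fork runs
      # this workflow on its own push events, so each fork pushes into its own
      # ghcr.io namespace. ghcr.io requires a lowercase owner name.
      IMAGE: ghcr.io/${{ github.repository_owner }}/example-image
      # The token can push only when the event is not a PR, or the PR head
      # lives in this same repository and the actor is not Dependabot.
      CAN_PUSH: ${{ github.event_name != 'pull_request' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]') }}
    steps:
      - uses: actions/checkout@v4

      - name: Log in to GHCR (skipped when the token is read-only)
        if: env.CAN_PUSH == 'true'
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build, and push only when the token allows it
        uses: docker/build-push-action@v5
        with:
          context: .
          tags: ${{ env.IMAGE }}:${{ github.sha }}
          push: ${{ env.CAN_PUSH == 'true' }}
          # push and load are mutually exclusive: on read-only runs keep the
          # image in the local daemon instead so later steps can still use it.
          load: ${{ env.CAN_PUSH != 'true' }}

      - name: Smoke test the image (pulled from ghcr.io when it was pushed)
        run: docker run --rm "${IMAGE}:${GITHUB_SHA}" --version
```

On a fork PR against the upstream repository the `CAN_PUSH` expression is false, so the login step is skipped and the build is loaded locally; the workflow still exercises the same Dockerfile and smoke test, which is the "build but don't push" path the report describes as the less attractive fallback. When a fork owner pushes to a branch in their own fork, the event is `push`, `CAN_PUSH` is true, and the image goes to the fork owner's `ghcr.io` namespace using that fork's own token.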