.gitea/workflows/docker.yml

@@ -82,8 +82,12 @@ jobs:
              (github.event.pull_request.base.ref == 'main' || github.event.pull_request.base.ref == 'dev'))
         env:
             IMAGE_NAME: aegis-gitea-mcp
+            REGISTRY_IMAGE: ${{ vars.REGISTRY_IMAGE }}
+            REGISTRY_HOST: ${{ vars.REGISTRY_HOST }}
             PR_BASE_REF: ${{ github.event.pull_request.base.ref }}
             PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+            REGISTRY_USER: ${{ secrets.REGISTRY_USER }}
+            REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
         steps:
             - name: Checkout
               uses: actions/checkout@v4
@@ -118,12 +122,36 @@ jobs:
                   echo "stable_tag=${STABLE_TAG}" >> "${GITHUB_OUTPUT}"
 
             - name: Build releasable image
+              id: image
               run: |
-                  docker build -f docker/Dockerfile -t ${IMAGE_NAME}:${{ steps.tags.outputs.sha_tag }} .
-                  docker tag ${IMAGE_NAME}:${{ steps.tags.outputs.sha_tag }} ${IMAGE_NAME}:${{ steps.tags.outputs.stable_tag }}
+                  IMAGE_REF="${REGISTRY_IMAGE:-${IMAGE_NAME}}"
+                  echo "image_ref=${IMAGE_REF}" >> "${GITHUB_OUTPUT}"
+                  docker build -f docker/Dockerfile -t ${IMAGE_REF}:${{ steps.tags.outputs.sha_tag }} .
+                  docker tag ${IMAGE_REF}:${{ steps.tags.outputs.sha_tag }} ${IMAGE_REF}:${{ steps.tags.outputs.stable_tag }}
+
+            - name: Login to registry
+              if: ${{ vars.PUSH_IMAGE == 'true' }}
+              run: |
+                  if [ -z "${REGISTRY_USER}" ] || [ -z "${REGISTRY_TOKEN}" ]; then
+                    echo "REGISTRY_USER and REGISTRY_TOKEN secrets are required when PUSH_IMAGE=true"
+                    exit 1
+                  fi
+
+                  IMAGE_REF="${{ steps.image.outputs.image_ref }}"
+                  LOGIN_HOST="${REGISTRY_HOST}"
+                  if [ -z "${LOGIN_HOST}" ]; then
+                    FIRST_PART="${IMAGE_REF%%/*}"
+                    case "${FIRST_PART}" in
+                      *.*|*:*|localhost) LOGIN_HOST="${FIRST_PART}" ;;
+                      *) LOGIN_HOST="docker.io" ;;
+                    esac
+                  fi
+
+                  printf "%s" "${REGISTRY_TOKEN}" | docker login "${LOGIN_HOST}" --username "${REGISTRY_USER}" --password-stdin
 
             - name: Optional registry push
               if: ${{ vars.PUSH_IMAGE == 'true' }}
               run: |
-                  docker push ${IMAGE_NAME}:${{ steps.tags.outputs.sha_tag }}
-                  docker push ${IMAGE_NAME}:${{ steps.tags.outputs.stable_tag }}
+                  IMAGE_REF="${{ steps.image.outputs.image_ref }}"
+                  docker push ${IMAGE_REF}:${{ steps.tags.outputs.sha_tag }}
+                  docker push ${IMAGE_REF}:${{ steps.tags.outputs.stable_tag }}

docs/deployment.md

@@ -41,6 +41,12 @@ Workflows live in `.gitea/workflows/`:
 - `test.yml`: lint + tests + coverage fail-under `80`.
 - `docker.yml`: lint + test + docker smoke-test gating; image publish on push to `main`/`dev` and on approved PR review targeting `main`/`dev`; tags include commit SHA plus `latest` (`main`) or `dev` (`dev`).
 
+Docker publish settings:
+- `vars.PUSH_IMAGE=true` enables registry push.
+- `vars.REGISTRY_IMAGE` sets the target image name (for example `registry.example.com/org/aegis-gitea-mcp`).
+- `vars.REGISTRY_HOST` is optional and overrides the login host detection.
+- `secrets.REGISTRY_USER` and `secrets.REGISTRY_TOKEN` are required when push is enabled.
+
 ## Production Recommendations
 
 - Place MCP behind TLS reverse proxy.