Merge pull request #140 from blooop/fix/ghcr-package-visibility-docs

Document GHCR package visibility and how to make public

Author: blooop

.devcontainer/devcontainer.json

@@ -1,23 +1,20 @@
 {
     "name": "python_template",
 
-    // Prebuilt image from GHCR (built by .github/workflows/devcontainer.yml)
-    // Features (including claude-code) are baked into this image.
-    "image": "ghcr.io/blooop/python_template/devcontainer:latest",
+    "build": {
+        "dockerfile": "Dockerfile",
+        "context": ".."
+    },
+    "features": {
+        "./claude-code": {},
+        "ghcr.io/devcontainers/features/docker-in-docker:2": {},
+        "ghcr.io/devcontainers/features/common-utils:2": {}
+    },
 
-    // To build locally instead of using the prebuilt image, comment out "image" above
-    // and uncomment the "build" and "features" blocks below:
-    // "build": {
-    //     "dockerfile": "Dockerfile",
-    //     "context": ".."
-    // },
-    // "features": {
-    //     "./claude-code": {}
-    //     "ghcr.io/devcontainers/features/docker-in-docker:2": {}
-    //     "ghcr.io/devcontainers/features/common-utils:2": {},
-    //     "ghcr.io/anthropics/devcontainer-features/claude-code:1.0": {},
-    //     "ghcr.io/jsburckhardt/devcontainer-features/codex:latest": {}
-    // },
+    // To use a prebuilt image instead of building locally (faster startup),
+    // comment out "build" and "features" above, uncomment "image" below,
+    // and ensure the GHCR package is public (see README).
+    // "image": "ghcr.io/blooop/python_template/devcontainer:latest",
 
     "initializeCommand": ".devcontainer/claude-code/init-host.sh",
     "customizations": {

README.md

@@ -57,6 +57,50 @@ source .claude/activate.sh
 
 See [.claude/README.md](.claude/README.md) for detailed information about the Claude Code configuration.
 
+# Devcontainer
+
+By default, the devcontainer builds locally from `.devcontainer/Dockerfile`. This works out of the box for all users, including forks and projects created from this template.
+
+## Switching to a prebuilt image (optional)
+
+A CI workflow (`.github/workflows/devcontainer.yml`) automatically builds and pushes a devcontainer image to GHCR whenever `.devcontainer/` files change on `main`. The image is published as `ghcr.io/<owner>/<repo>/devcontainer:latest`, where `<owner>` is your GitHub username or organization and `<repo>` is the repository name (e.g. `ghcr.io/myuser/myproject/devcontainer:latest`).
+
+You can migrate automatically with:
+
+```bash
+pixi run dev-use-prebuilt
+```
+
+Or manually:
+
+1. Edit `.devcontainer/devcontainer.json`: comment out the `"build"` and `"features"` blocks, uncomment the `"image"` line
+2. Update the image reference to match your repo: `ghcr.io/<owner>/<repo>/devcontainer:latest`
+3. Push to `main` and wait for the CI workflow to complete. For new repos or forks where the workflow hasn't run yet, you can trigger it manually from the Actions tab or via `gh workflow run devcontainer.yml`
+4. **Make the GHCR package public** (see below) — GHCR packages are private by default and will fail with `MANIFEST_UNKNOWN` otherwise
+
+### Making the GHCR package public
+
+**Option 1: GitHub Web UI**
+
+1. Go to your repository's package settings:
+   - Personal repos: `https://github.com/users/<username>/packages/container/<repo>%2Fdevcontainer/settings`
+   - Organization repos: `https://github.com/orgs/<org>/packages/container/<repo>%2Fdevcontainer/settings`
+2. Under "Danger Zone", click **Change visibility**
+3. Select **Public** and confirm
+
+**Option 2: GitHub CLI**
+
+```bash
+# Ensure your token has the write:packages scope
+gh auth refresh -s write:packages
+
+# For personal repos:
+gh api --method PATCH /user/packages/container/<repo>%2Fdevcontainer -f visibility=public
+
+# For organization repos:
+gh api --method PATCH /orgs/<org>/packages/container/<repo>%2Fdevcontainer -f visibility=public
+```
+
 # Github setup
 
 There are github workflows for CI, codecov and automated pypi publishing in `ci.yml` and `publish.yml`.

pyproject.toml

@@ -99,6 +99,7 @@ ci-push = { depends-on = ["format", "ruff-lint", "update-lock", "ci", "push"] }
 clear-pixi = "rm -rf .pixi pixi.lock"
 setup-git-merge-driver = "git config merge.ourslock.driver true"
 update-from-template-repo = "./scripts/update_from_template.sh"
+dev-use-prebuilt = "./scripts/devcontainer_use_prebuilt.sh"
 
 [tool.pylint]
 extension-pkg-whitelist = ["numpy"]

scripts/devcontainer_use_prebuilt.sh

@@ -0,0 +1,118 @@
+#!/bin/bash
+set -euo pipefail
+
+# Migrate devcontainer.json from local builds to a prebuilt GHCR image.
+# Also attempts to make the GHCR package public.
+
+DEVCONTAINER_JSON=".devcontainer/devcontainer.json"
+
+# --- Check prerequisites ---
+if ! command -v gh >/dev/null 2>&1; then
+    echo "WARNING: GitHub CLI (gh) not found. Will skip making the package public." >&2
+    GH_AVAILABLE=false
+else
+    GH_AVAILABLE=true
+fi
+
+# --- Resolve GitHub owner/repo from git remote ---
+REMOTE_URL=$(git remote get-url origin 2>/dev/null) || {
+    echo "ERROR: No git remote 'origin' found." >&2
+    exit 1
+}
+
+# Handle common GitHub remote URL formats
+REPO=$(echo "$REMOTE_URL" | sed -E 's#(ssh://git@github\.com/|git@github\.com:|https?://github\.com/|git://github\.com/)##; s/\.git$//')
+
+if [[ -z "$REPO" || "$REPO" != */* ]]; then
+    echo "ERROR: Could not parse owner/repo from remote URL: $REMOTE_URL" >&2
+    exit 1
+fi
+
+IMAGE="ghcr.io/${REPO}/devcontainer:latest"
+echo "Repository: $REPO"
+echo "Image:      $IMAGE"
+
+# --- Check current state: look for an uncommented "image": line ---
+if grep -q '^[[:space:]]*"image"[[:space:]]*:' "$DEVCONTAINER_JSON"; then
+    echo "Already using a prebuilt image. Nothing to do."
+    exit 0
+fi
+
+# --- Replace the file using awk for reliable block manipulation ---
+awk -v image="$IMAGE" '
+    # Comment out uncommented "build" block (4-space indent open/close).
+    # NOTE: assumes no nested {} within these blocks.
+    /^    "build": \{/ { in_build=1 }
+    in_build {
+        sub(/^    /, "    // ")
+        if (/^    \/\/ \}/) in_build=0
+        print; next
+    }
+
+    # Comment out uncommented "features" block (4-space indent open/close).
+    # NOTE: assumes no nested {} within these blocks.
+    /^    "features": \{/ { in_features=1 }
+    in_features {
+        sub(/^    /, "    // ")
+        if (/^    \/\/ \}/) in_features=0
+        print; next
+    }
+
+    # Uncomment the image line and set the correct reference
+    /^    \/\/ "image":/ {
+        printf "    \"image\": \"%s\",\n", image
+        next
+    }
+
+    { print }
+' "$DEVCONTAINER_JSON" > "${DEVCONTAINER_JSON}.tmp" && mv "${DEVCONTAINER_JSON}.tmp" "$DEVCONTAINER_JSON"
+
+echo ""
+echo "Updated $DEVCONTAINER_JSON to use prebuilt image."
+
+# --- Try to make the GHCR package public ---
+echo ""
+echo "Attempting to make GHCR package public..."
+
+OWNER=$(echo "$REPO" | cut -d'/' -f1)
+PACKAGE_NAME=$(echo "$REPO" | cut -d'/' -f2)
+ENCODED_PACKAGE="${PACKAGE_NAME}%2Fdevcontainer"
+
+if ! $GH_AVAILABLE; then
+    echo "Skipping: gh CLI not available."
+    echo ""
+    echo "To make the package public, install gh and run:"
+    echo "  gh auth refresh -s write:packages"
+    echo "  gh api --method PATCH /user/packages/container/${ENCODED_PACKAGE} -f visibility=public"
+    exit 0
+fi
+
+# Determine if owner is an org or a user
+IS_ORG=false
+if gh api "/orgs/${OWNER}" >/dev/null 2>&1; then
+    IS_ORG=true
+fi
+
+if $IS_ORG; then
+    API_PATH="/orgs/${OWNER}/packages/container/${ENCODED_PACKAGE}"
+    SETTINGS_URL="https://github.com/orgs/${OWNER}/packages/container/${ENCODED_PACKAGE}/settings"
+else
+    API_PATH="/user/packages/container/${ENCODED_PACKAGE}"
+    SETTINGS_URL="https://github.com/users/${OWNER}/packages/container/${ENCODED_PACKAGE}/settings"
+fi
+
+if API_OUTPUT=$(gh api --method PATCH "$API_PATH" -f visibility=public 2>&1); then
+    echo "GHCR package is now public."
+else
+    echo "Could not set package visibility automatically."
+    echo "API response: $API_OUTPUT"
+    echo ""
+    echo "To make the package public manually, either:"
+    echo ""
+    echo "  1. Visit: $SETTINGS_URL"
+    echo "     -> Danger Zone -> Change visibility -> Public"
+    echo ""
+    echo "  2. Run:"
+    echo "     gh auth refresh -s write:packages"
+    echo "     gh api --method PATCH $API_PATH -f visibility=public"
+fi