ci: migrate to GHCR, harden checkouts, bump promci to v0.8.2#5260

Open
roidelapluie wants to merge 1 commit into prometheus:main from roidelapluie:roidelapluie/gh-token-migrate

Conversation

@roidelapluie roidelapluie commented May 29, 2026

  • Push container images to GHCR via ghcr_io_password: github.token
  • Add packages: write permission to publish_main and publish_release jobs
  • Bump promci composite actions from v0.7.0 to v0.8.2
  • Remove standalone actions/checkout steps that directly precede promci publish steps (promci v0.8.2 performs its own checkout)
  • Add persist-credentials: false to all kept actions/checkout steps

Pull Request Checklist

Please check all the applicable boxes.

  • Please list all open issue(s) discussed with maintainers related to this change
    • Fixes #
  • Is this a new Receiver integration?
  • Is this a bugfix?
    • I have added tests that can reproduce the bug which pass with this bugfix applied
  • Is this a new feature?
    • I have added tests that test the new feature's functionality
  • Does this change affect performance?
    • I have provided benchmarks comparison that shows performance is improved or is not degraded
      • You can use benchstat to compare benchmarks
    • I have added new benchmarks if required or requested by maintainers
  • Is this a breaking change?
    • My changes do not break the existing cluster messages
    • My changes do not break the existing api
  • I have added/updated the required documentation
  • I have signed-off my commits
  • I will follow best practices for contributing to this project

Which user-facing changes does this PR introduce?

[ENHANCEMENT] Alertmanager: Push docker images to ghcr docker registry

Summary by CodeRabbit

  • Chores
    • Updated GitHub Actions workflows to disable credential persistence during checkout steps across multiple workflow files.
    • Upgraded CI/CD build and publish action versions to the latest stable releases for improved compatibility.

Review Change Stack

- Push container images to GHCR via ghcr_io_password: github.token
- Add packages: write permission to publish_main and publish_release jobs
- Bump promci composite actions from v0.7.0 to v0.8.2
- Remove standalone actions/checkout steps that directly precede promci
  publish steps (promci v0.8.2 performs its own checkout)
- Add persist-credentials: false to all kept actions/checkout steps

Signed-off-by: Julien Pivotto <291750+roidelapluie@users.noreply.github.com>
@roidelapluie roidelapluie requested a review from a team as a code owner May 29, 2026 15:19
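A small check for the `persist-credentials: false` hardening this PR applies to every kept actions/checkout step: it lists the checkout steps in a workflow that still persist the token. This is an added example for this page, not code from the Alertmanager repository or from promci; it deliberately uses a line-based scanner with the standard library only (no YAML parser), assumes GitHub's usual two-space indentation, and the sample workflow is constructed.

```python
import re

CHECKOUT_RE = re.compile(r"uses:\s*(actions/checkout@\S+)")
PERSIST_RE = re.compile(r"^\s*persist-credentials:\s*(\S+)")


def split_list_items(text):
    """Return (1-based start line, lines) per YAML list item: an item starts at a
    '- ' line and ends before the next non-blank line indented no deeper than its
    dash, so a '- name:' / 'uses:' pair stays together. Line-based on purpose."""
    items, current, indent = [], None, -1
    for no, line in enumerate(text.splitlines(), start=1):
        depth = len(line) - len(line.lstrip())
        dash = line.lstrip().startswith("- ")
        if dash and (current is None or depth <= indent):
            current, indent = (no, []), depth
            items.append(current)
        elif line.strip() and not dash and current is not None and depth <= indent:
            current, indent = None, -1  # left the list (e.g. the next job key)
        if current is not None:
            current[1].append(line)
    return items


def find_unhardened_checkouts(text):
    """Return (start line, action ref, persist value) for each actions/checkout
    step not setting persist-credentials: false. None = input absent, so the token
    is written into .git/config, readable by every later step and action."""
    findings = []
    for start, lines in split_list_items(text):
        ref = next((m.group(1) for m in map(CHECKOUT_RE.search, lines) if m), None)
        value = next((m.group(1) for m in map(PERSIST_RE.match, lines) if m), None)
        if ref and value != "false":
            findings.append((start, ref, value))
    return findings


# Constructed sample (three checkout steps collapsed into one job for brevity).
SAMPLE_WORKFLOW = """\
jobs:
  test:
    steps:
      - uses: actions/checkout@v4          # input absent: token is persisted
      - name: Check out source
        uses: actions/checkout@v4
        with:
          persist-credentials: true        # explicitly persisted
      - uses: actions/checkout@v4
        with:
          persist-credentials: false       # hardened, as this PR does
"""
```

Run `find_unhardened_checkouts` over each file under `.github/workflows` to list exactly the steps the PR's `persist-credentials: false` change targets.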
coderabbitai Bot commented May 29, 2026

📝 Walkthrough

Five GitHub Actions workflow files are updated to disable Git credential persistence in checkout steps and to upgrade Prometheus PromCI actions from v0.7.0 to v0.8.2. The publish workflow also adds explicit package write permissions and updates authentication wiring.

Changes

CI/CD Workflow Configuration Updates

Layer | File(s) | Summary
Checkout credential persistence configuration | .github/workflows/ci.yml, .github/workflows/mixin.yml, .github/workflows/ui-ci.yml | actions/checkout steps in the test_frontend, test, build, mixin, and ui-ci jobs add persist-credentials: false to prevent Git credentials from persisting in the workflow environment.
Prometheus PromCI action version upgrades | .github/workflows/publish.yml, .github/workflows/release.yml | Prometheus PromCI actions are upgraded from v0.7.0 to v0.8.2 in the build, publish_main, and publish_release job steps. The publish_main job adds permissions: packages: write, removes its checkout step, and adds ghcr_io_password: ${{ github.token }} alongside Docker Hub credentials.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • prometheus/alertmanager#5257: Both PRs modify .github/workflows/release.yml's publish_release job to use ${{ github.token }} and adjust publish permissions.
  • prometheus/alertmanager#5115: Both PRs update Prometheus PromCI action revisions across ci.yml, publish.yml, and release.yml workflows.

Suggested reviewers

  • SuperQ
  • ArthurSens
🚥 Pre-merge checks (5 passed)
Check name | Status | Explanation
Title check | ✅ Passed | The title clearly and concisely summarizes the three main changes: migration to GHCR, hardening checkouts, and bumping promci to v0.8.2, matching the actual changeset.
Description check | ✅ Passed | The description provides clear bullet points covering all major changes (GHCR migration, permissions, version bump, checkout removal, credential hardening) and includes release notes, though issue linking and sign-off checklist items are not completed.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.


@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/publish.yml:
- Around line 27-29: The publish_main job's permissions only grant packages:
write which prevents actions/checkout from reading the repo; update the
publish_main job's permissions block (permissions:) in
.github/workflows/publish.yml to include contents: read alongside packages:
write so actions/checkout (used by prometheus/promci/publish_main) can access
repository contents.


📥 Commits

Reviewing files that changed from the base of the PR and between 45996cb and b4da9a4.

📒 Files selected for processing (5)
  • .github/workflows/ci.yml
  • .github/workflows/mixin.yml
  • .github/workflows/publish.yml
  • .github/workflows/release.yml
  • .github/workflows/ui-ci.yml

Comment on lines +27 to 29
    permissions:
      packages: write
    needs: build

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify whether promci publish_main action performs checkout / repo-content reads.
set -euo pipefail

PIN="d9d4f5688814f0b77bf003d07fb8c00507390634"

echo "=== action.yml for prometheus/promci/publish_main@$PIN ==="
curl -fsSL "https://raw.githubusercontent.com/prometheus/promci/${PIN}/publish_main/action.yml" \
  | sed -n '1,220p'

echo
echo "=== Look for checkout/content usage indicators ==="
curl -fsSL "https://raw.githubusercontent.com/prometheus/promci/${PIN}/publish_main/action.yml" \
  | rg -n "actions/checkout|checkout|github\.token|contents|repository|git"

Repository: prometheus/alertmanager

Length of output: 2866


Add contents: read to publish_main job permissions.

prometheus/promci/publish_main runs actions/checkout by default (inputs.checkout default is "true"), which requires repository read access; with job permissions limited to packages: write, the publish job can fail.

Suggested patch
   publish_main:
     name: Publish main branch artefacts
     runs-on: ubuntu-latest
     permissions:
+      contents: read
       packages: write
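Review bot: The added `contents: read` line is the right fix and follows from the PR's own description: the standalone actions/checkout step before the promci publish step was removed because promci v0.8.2 performs its own checkout, and a job-level `permissions:` block sets every unlisted scope to no access, so this block now has to carry the read access that checkout needs next to `packages: write`. The PR description gives publish_release in release.yml the same `packages: write` addition; its permissions block is worth checking for the same omission before merge.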
