From a9b9522d383a42f4e3712fe903e0265b0ff4fe31 Mon Sep 17 00:00:00 2001
From: Viktor Petersson <vpetersson@screenly.io>
Date: Thu, 30 Apr 2026 05:51:03 +0000
Subject: [PATCH] fix(webview): trixie apt rename + adopt GHCR for Qt 5 builder
 image
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Two intertwined fixes in webview/Dockerfile + the workflow that
publishes/consumes its image. CI never caught either because the
Docker-build step in build-webview.yaml is gated to push events, so
this Trixie-targeted Dockerfile has not yet built on master.

apt: drop the renamed-on-Trixie packages
  Stage 1 (armhf sysroot, archive.raspbian.org + deb.debian.org):
  * libgst-dev          → gone, libgstreamer1.0-dev (already listed)
                          replaces it
  * libsqlite0-dev      → gone, libsqlite3-dev (already listed) replaces
  * libsrtp0-dev        → gone in deb.debian.org/main; libsrtp2-dev
                          (already listed) is the trixie default
  * libpng16-16         → renamed libpng16-16t64 under the time_t
                          transition; old name is fully gone
  Stage 2 (amd64 runtime/builder, deb.debian.org):
  * libpng16-16         → libpng16-16t64
  Verified by GET on
  {deb.debian.org,archive.raspbian.org,archive.raspberrypi.org}/dists/
  trixie/main/binary-{armhf,amd64}/Packages.gz: every removed name is
  MISSING, every replacement is FOUND. Without this fix the first
  master push would die in stage 1's apt-get install.

GHCR migration: screenly/ose-qt-builder → ghcr.io/screenly/anthias-...
  Move the published Qt 5 builder image off Docker Hub and into the
  same GHCR namespace as the rest of the anthias-* artifacts. New ref
  is ghcr.io/screenly/anthias-webview-qt5-builder:latest (image) +
  :buildcache (cache, set up in eadd83d1) — one repo, two tags, same
  auth flow.
  * build-docker-image: drop the Docker Hub login step, retag the
    push target to the GHCR ref via an IMAGE_REF env var.
  * compile-webview-part-1: declare permissions: { contents: read,
    packages: read }, add the GHCR login (gated on non-PR), point the
    `docker run` at the GHCR ref.
  Migration window: the GHCR package is created private on first push
  and needs to be flipped public so fork-PR runners (no GHCR auth) can
  pull. Same one-shot operational step as the existing anthias-*
  packages.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .github/workflows/build-webview.yaml | 39 +++++++++++++++++-----------
 webview/Dockerfile                   |  7 ++---
 2 files changed, 26 insertions(+), 20 deletions(-)

diff --git a/.github/workflows/build-webview.yaml b/.github/workflows/build-webview.yaml
index 4261a4a4..cfd9edb8 100644
--- a/.github/workflows/build-webview.yaml
+++ b/.github/workflows/build-webview.yaml
@@ -38,13 +38,6 @@ jobs:
         id: buildx
         uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
 
-      - name: Login to Docker Hub
-        if: success() && github.event_name != 'pull_request'
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
-        with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
-
       - name: Login to GitHub Container Registry
         if: success() && github.event_name != 'pull_request'
         uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
@@ -56,12 +49,14 @@ jobs:
       - name: Building container
         if: github.event_name != 'pull_request'
         env:
-          # Mirrors docker-build.yaml's registry-cache pattern. Cache lives
-          # at ghcr.io/screenly/anthias-webview-qt5-builder:buildcache and
-          # is reused across runs of this job. mode=max writes every layer
-          # (not just the final manifest) so apt + Qt cross-build state
-          # survives. image-manifest=true is what GHCR requires; legacy
-          # standalone-cache manifests are rejected on ghcr.io/screenly/*.
+          # Image and cache live at the same GHCR repo:
+          #   ghcr.io/screenly/anthias-webview-qt5-builder:latest      (image)
+          #   ghcr.io/screenly/anthias-webview-qt5-builder:buildcache  (cache)
+          # Replaces the old screenly/ose-qt-builder:latest on Docker Hub
+          # — same image, new home. Mirrors the anthias-* GHCR namespace
+          # so auth, public-flip, and registry-cache mode=max all share
+          # the same operational pattern as docker-build.yaml.
+          IMAGE_REF: ghcr.io/screenly/anthias-webview-qt5-builder:latest
           CACHE_REF: ghcr.io/screenly/anthias-webview-qt5-builder:buildcache
         run: |
           cd webview
@@ -74,7 +69,7 @@ jobs:
             --build-arg "GIT_HASH=${GIT_SHORT_HASH}" \
             --build-arg "GIT_SHORT_HASH=${GIT_SHORT_HASH}" \
             --build-arg "GIT_BRANCH=${GITHUB_REF_NAME}" \
-            -t screenly/ose-qt-builder:latest .
+            -t "${IMAGE_REF}" .
 
   compile-webview-part-1:
     name: Compile Webview (Pi 2-3 / Qt 5)
@@ -83,6 +78,12 @@ jobs:
       matrix:
         board: ['pi2', 'pi3']
     runs-on: ubuntu-24.04
+    # `packages: read` so the GHCR login below can pull the Qt 5 builder
+    # image. Read is the GITHUB_TOKEN default; declared explicitly to
+    # match the per-job permission scoping convention.
+    permissions:
+      contents: read
+      packages: read
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
@@ -94,6 +95,14 @@ jobs:
         id: buildx
         uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
 
+      - name: Login to GitHub Container Registry
+        if: success() && github.event_name != 'pull_request'
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Cache build layers
         uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
         id: cache
@@ -134,7 +143,7 @@ jobs:
             -v $(pwd):/webview:ro \
             -e TARGET=${{ matrix.board }} \
             -e WEBVIEW_VERSION="$WEBVIEW_VERSION" \
-            screenly/ose-qt-builder:latest
+            ghcr.io/screenly/anthias-webview-qt5-builder:latest
           docker exec -it qt-builder /webview/build_webview_with_qt5.sh
           docker rm -f qt-builder
 
diff --git a/webview/Dockerfile b/webview/Dockerfile
index defdf6cf..0a920055 100644
--- a/webview/Dockerfile
+++ b/webview/Dockerfile
@@ -62,7 +62,6 @@ RUN apt-get update && \
         libgcrypt20-dev \
         libgles2-mesa-dev \
         libglib2.0-dev \
-        libgst-dev \
         libgstreamer-plugins-base1.0-dev \
         libgstreamer1.0-dev \
         libicu-dev \
@@ -75,16 +74,14 @@ RUN apt-get update && \
         libopus-dev \
         libpci-dev \
         libpng-dev \
-        libpng16-16 \
+        libpng16-16t64 \
         libpq-dev \
         libpulse-dev \
         libraspberrypi-bin \
         libraspberrypi0 \
         librsvg2-common \
         libsnappy-dev \
-        libsqlite0-dev \
         libsqlite3-dev \
-        libsrtp0-dev \
         libsrtp2-dev \
         libssl-dev \
         libswscale-dev \
@@ -187,7 +184,7 @@ RUN apt-get update && \
         libnss3-dev \
         libopus-dev \
         libpci-dev \
-        libpng16-16 \
+        libpng16-16t64 \
         libpulse-dev \
         libsecret-1-0 \
         libsnappy-dev \