Build&publish the base container to GHCR + point to it from action

[webknjaz]

Example image build+publish workflow: https://github.com/ansible/pylibssh/blob/devel/.github/workflows/build-manylinux-container-images.yml

Example of an action pointer: https://github.com/fedora-python/tox-github-action/blob/9f7d1ff/action.yaml#L14

[richard-engineering]

More needed now that 2FA is being enforced as the build times are quite long.

[webknjaz]

What does it have to do with 2FA?

[richard-engineering]

This Github Action is officially recommended by the official PyPI docs linked to by the article on 2FA enforcement. Previously prior to 2FA enforcement uploading could be done via username/password (eg via flit publish) in CI which is a rather quick process. It's unfortunate that the recommended reference solution linked in the documentation can take up to 5+ minutes to build. Putting this on GHCR would avoid the need to build the images.

[webknjaz]

Using API tokens still works, it hasn't gone anywhere. Putting shared username+password pairs online was always problematic, and everyone should've switched to scoped API tokens like 5 years ago.

[shenxianpeng]

To speed up user workflows, another option is using composite action, it is faster than building Dockerfile, probably the same as pulling a prepared docker image from GHCR.

Composite action will drop using docker to make GitHub action simpler, and it would support non-Linux OS.

I can draft a PR kindly for your review If you would like to have a look.

[webknjaz]

No, there are legit reasons for not doing that. I don't want to encourage antipatterns, for example. And the level of control/side effects is unacceptable.