From 4c66a5a4f3812ad8f38fe7f62a4022cefb93c1ac Mon Sep 17 00:00:00 2001
From: Kailas Mahavarkar <66670953+KailasMahavarkar@users.noreply.github.com>
Date: Fri, 10 Apr 2026 17:57:26 +0530
Subject: [PATCH 1/2] fix(ci): revert to ghcr.io from Docker Hub

Docker Hub PAT had insufficient scopes (read-only). ghcr.io uses
GITHUB_TOKEN with packages:write - no external secrets needed,
no scope issues. Org permissions already updated to allow public packages.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .github/workflows/publish.yml | 14 ++++++++++----
 install.md                    |  6 +++---
 2 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 61da07d..44267e5 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -5,6 +5,10 @@ on:
     branches: ['main']
   pull_request:
 
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
 jobs:
   verify:
     name: Verify (${{ matrix.os }}, Bun ${{ matrix.bun-version }})
@@ -39,6 +43,7 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: write
+      packages: write
 
     steps:
       - name: Checkout repository
@@ -66,19 +71,20 @@ jobs:
             --title "v${{ steps.check.outputs.version }}" \
             --generate-notes
 
-      - name: Log in to Docker Hub
+      - name: Log in to GitHub Container Registry
         if: steps.check.outputs.new == 'true'
         uses: docker/login-action@v3
         with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Extract metadata (tags, labels) for Docker
         if: steps.check.outputs.new == 'true'
         id: meta
         uses: docker/metadata-action@v5
         with:
-          images: superorkait/hyperstack
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 
       - name: Build and push Docker image
         if: steps.check.outputs.new == 'true'
diff --git a/install.md b/install.md
index 199e5e4..67ce11f 100644
--- a/install.md
+++ b/install.md
@@ -49,7 +49,7 @@ If Docker is available, add the following configuration to the appropriate MCP c
         "--rm",
         "--memory=256m",
         "--cpus=0.5",
-        "superorkait/hyperstack:latest"
+        "ghcr.io/orkait/hyperstack:main"
       ]
     }
   }
@@ -110,14 +110,14 @@ If installation failed at any step, report the specific error and what would nee
 
 ### MCP server shows as failed / cannot pull the Docker image
 
-Verify the image is accessible: `docker pull superorkait/hyperstack:latest`
+Verify the image is accessible: `docker pull ghcr.io/orkait/hyperstack:main`
 
 If the pull fails, confirm Docker is running and you have an internet connection. The image is public on Docker Hub - no authentication is required to pull it.
 
 ### MCP server starts but tools return no results
 
 The MCP config file may point to the wrong binary or the server is not running. Verify:
-- Docker: run `docker run -i --rm superorkait/hyperstack:latest` and confirm it starts without error
+- Docker: run `docker run -i --rm ghcr.io/orkait/hyperstack:main` and confirm it starts without error
 - Local Bun: confirm the absolute path in `args` exists (`ls /path/to/hyperstack/bin/hyperstack.mjs`)
 - Restart the CLI/IDE after any config change - MCP servers are loaded at startup
 

From b95eb4c0b0a212dc5d9786495d39496ce3f17ae4 Mon Sep 17 00:00:00 2001
From: Kailas Mahavarkar <66670953+KailasMahavarkar@users.noreply.github.com>
Date: Fri, 10 Apr 2026 18:10:26 +0530
Subject: [PATCH 2/2] fix(ci): auto-set ghcr.io package visibility to public
 after push

Uses GH_PACKAGES_PAT (admin:packages scope) to call GitHub API
and set the container package to public on every new release.
GITHUB_TOKEN alone cannot change visibility.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .github/workflows/publish.yml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 44267e5..80d1288 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -94,3 +94,12 @@ jobs:
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+
+      - name: Make package public
+        if: steps.check.outputs.new == 'true'
+        run: |
+          curl -s -X PATCH \
+            -H "Authorization: Bearer ${{ secrets.GH_PACKAGES_PAT }}" \
+            -H "Accept: application/vnd.github+json" \
+            https://api.github.com/orgs/orkait/packages/container/hyperstack \
+            -d '{"visibility":"public"}'