3a279212ef
Run #122 finished green-on-everything-that-matters: indexing, docker login (REGISTRY_TOKEN fix worked), build + push, and the package-link API call all succeeded. The image is published with all four expected tags: latest, c5ed5560fc, corpus-2026.05.24, a97107de46 (manual earlier push).

Only the final GC step failed with HTTP 403 enumerating /packages/.../versions — the PAT we use as REGISTRY_TOKEN has push/pull scope but not the broader package-admin scope needed to list + delete old versions.

GC is housekeeping, not part of the publish path. Marking it continue-on-error: true keeps the whole run green so monitoring can rely on "red = real problem." Both workflows get the same treatment.

Followup TODO baked into the workflow comments: mint a separate PAT with admin:package scope and add it as a second secret (PACKAGES_ADMIN_TOKEN) — then point the GC step at it. Then remove continue-on-error.

Workflow-only commit, doesn't trigger image-only.yml (path filter excludes .gitea/**).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>