fix(ci): remove GHCR cache (org blocks GITHUB_TOKEN package writes)

The huggingface org restricts GHCR package creation via GITHUB_TOKEN,
causing 403 on cache export. Remove all registry caching and GHCR
login. The Dockerfile layer split (deps vs source) still helps when
the runner has a warm Docker daemon.

Also fix the metaworld job which had a stale conditional Docker Hub
login and was missing the GHCR login entirely.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Pepijn
2026-04-10 10:01:12 +02:00
parent c3429aa9df
commit 86c51a5663
+3 -24
@@ -67,9 +67,6 @@ jobs:
# Isolated image: lerobot[libero] only (hf-libero, dm-control, mujoco chain)
libero-integration-test:
name: Libero — build image + 1-episode eval
permissions:
contents: read
packages: write
runs-on:
group: aws-g6-4xlarge-plus
env:
@@ -92,17 +89,9 @@ jobs:
username: ${{ secrets.DOCKERHUB_LEROBOT_USERNAME }}
password: ${{ secrets.DOCKERHUB_LEROBOT_PASSWORD }}
- name: Login to GHCR (for layer cache)
uses: docker/login-action@v3 # zizmor: ignore[unpinned-uses]
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
# Build the benchmark-specific image. Layer cache pushed to GHCR
# (type=registry, no size limit, GITHUB_TOKEN has automatic write access).
# The Dockerfile separates dep-install from source-copy, so code-only
# changes skip the slow uv-sync layer.
# Build the benchmark-specific image. The Dockerfile separates dep-install
# from source-copy, so code-only changes skip the slow uv-sync layer
# when the runner has a warm Docker daemon cache.
- name: Build Libero benchmark image
uses: docker/build-push-action@v6 # zizmor: ignore[unpinned-uses]
with:
@@ -111,8 +100,6 @@ jobs:
push: false
load: true
tags: lerobot-benchmark-libero:ci
cache-from: type=registry,ref=ghcr.io/huggingface/lerobot/cache-benchmark:libero
cache-to: type=registry,ref=ghcr.io/huggingface/lerobot/cache-benchmark:libero,mode=max
- name: Login to Hugging Face
if: env.HF_USER_TOKEN != ''
@@ -241,9 +228,6 @@ jobs:
# Isolated image: lerobot[metaworld] only (metaworld==3.0.0, mujoco>=3 chain)
metaworld-integration-test:
name: MetaWorld — build image + 1-episode eval
permissions:
contents: read
packages: write
runs-on:
group: aws-g6-4xlarge-plus
env:
@@ -261,9 +245,6 @@ jobs:
cache-binary: false
- name: Login to Docker Hub
if: env.DOCKERHUB_LEROBOT_USERNAME != ''
env:
DOCKERHUB_LEROBOT_USERNAME: ${{ secrets.DOCKERHUB_LEROBOT_USERNAME }}
uses: docker/login-action@v3 # zizmor: ignore[unpinned-uses]
with:
username: ${{ secrets.DOCKERHUB_LEROBOT_USERNAME }}
@@ -277,8 +258,6 @@ jobs:
push: false
load: true
tags: lerobot-benchmark-metaworld:ci
cache-from: type=registry,ref=ghcr.io/huggingface/lerobot/cache-benchmark:metaworld
cache-to: type=registry,ref=ghcr.io/huggingface/lerobot/cache-benchmark:metaworld,mode=max
- name: Run MetaWorld smoke eval (1 episode)
run: |
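Review bot: The job-level `permissions:` blocks of `libero-integration-test` and `metaworld-integration-test` appear to be deleted whole (the first and fourth hunks each shrink by exactly three lines), which drops `contents: read` along with `packages: write`. Without a job-level block, the GITHUB_TOKEN falls back to the workflow-level `permissions:` or, if none is set, to the repository default, which may be read/write; neither is visible in these hunks. These jobs build a Dockerfile and run actions referenced by mutable tag (`docker/login-action@v3`, `docker/build-push-action@v6`), so I would keep the token explicitly narrow and remove only the package scope, leaving `permissions:` with `contents: read` under each job. Both job definitions continue outside the hunks shown.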