From 86c51a5663e2876e6a1387c9f6abeb388912c62c Mon Sep 17 00:00:00 2001
From: Pepijn <pepijn@huggingface.co>
Date: Fri, 10 Apr 2026 10:01:12 +0200
Subject: [PATCH] fix(ci): remove GHCR cache (org blocks GITHUB_TOKEN package
 writes)

The huggingface org restricts GHCR package creation via GITHUB_TOKEN,
causing 403 on cache export. Remove all registry caching and GHCR
login. The Dockerfile layer split (deps vs source) still helps when
the runner has a warm Docker daemon.

Also fix the metaworld job which had a stale conditional Docker Hub
login and was missing the GHCR login entirely.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 .github/workflows/benchmark_tests.yml | 27 +++------------------------
 1 file changed, 3 insertions(+), 24 deletions(-)

diff --git a/.github/workflows/benchmark_tests.yml b/.github/workflows/benchmark_tests.yml
index 6b8b52ce9..c38d124dc 100644
--- a/.github/workflows/benchmark_tests.yml
+++ b/.github/workflows/benchmark_tests.yml
@@ -67,9 +67,6 @@ jobs:
   # Isolated image: lerobot[libero] only (hf-libero, dm-control, mujoco chain)
   libero-integration-test:
     name: Libero — build image + 1-episode eval
-    permissions:
-      contents: read
-      packages: write
     runs-on:
       group: aws-g6-4xlarge-plus
     env:
@@ -92,17 +89,9 @@ jobs:
           username: ${{ secrets.DOCKERHUB_LEROBOT_USERNAME }}
           password: ${{ secrets.DOCKERHUB_LEROBOT_PASSWORD }}
 
-      - name: Login to GHCR (for layer cache)
-        uses: docker/login-action@v3 # zizmor: ignore[unpinned-uses]
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      # Build the benchmark-specific image. Layer cache pushed to GHCR
-      # (type=registry, no size limit, GITHUB_TOKEN has automatic write access).
-      # The Dockerfile separates dep-install from source-copy, so code-only
-      # changes skip the slow uv-sync layer.
+      # Build the benchmark-specific image. The Dockerfile separates dep-install
+      # from source-copy, so code-only changes skip the slow uv-sync layer
+      # when the runner has a warm Docker daemon cache.
       - name: Build Libero benchmark image
         uses: docker/build-push-action@v6 # zizmor: ignore[unpinned-uses]
         with:
@@ -111,8 +100,6 @@ jobs:
           push: false
           load: true
           tags: lerobot-benchmark-libero:ci
-          cache-from: type=registry,ref=ghcr.io/huggingface/lerobot/cache-benchmark:libero
-          cache-to: type=registry,ref=ghcr.io/huggingface/lerobot/cache-benchmark:libero,mode=max
 
       - name: Login to Hugging Face
         if: env.HF_USER_TOKEN != ''
@@ -241,9 +228,6 @@ jobs:
   # Isolated image: lerobot[metaworld] only (metaworld==3.0.0, mujoco>=3 chain)
   metaworld-integration-test:
     name: MetaWorld — build image + 1-episode eval
-    permissions:
-      contents: read
-      packages: write
     runs-on:
       group: aws-g6-4xlarge-plus
     env:
@@ -261,9 +245,6 @@ jobs:
           cache-binary: false
 
       - name: Login to Docker Hub
-        if: env.DOCKERHUB_LEROBOT_USERNAME != ''
-        env:
-          DOCKERHUB_LEROBOT_USERNAME: ${{ secrets.DOCKERHUB_LEROBOT_USERNAME }}
         uses: docker/login-action@v3 # zizmor: ignore[unpinned-uses]
         with:
           username: ${{ secrets.DOCKERHUB_LEROBOT_USERNAME }}
@@ -277,8 +258,6 @@ jobs:
           push: false
           load: true
           tags: lerobot-benchmark-metaworld:ci
-          cache-from: type=registry,ref=ghcr.io/huggingface/lerobot/cache-benchmark:metaworld
-          cache-to: type=registry,ref=ghcr.io/huggingface/lerobot/cache-benchmark:metaworld,mode=max
 
       - name: Run MetaWorld smoke eval (1 episode)
         run: |