add gh-scoped-creds #44

	name: build image

	on:
	pull_request:
	paths-ignore:
	- docs/**
	- '**.md'
	- '**.rst'
	- .github/workflows/*
	- '!.github/workflows/publish.yaml'
	push:
	paths-ignore:
	- docs/**
	- '**.md'
	- '**.rst'
	- .github/workflows/*
	- '!.github/workflows/publish.yaml'
	branches-ignore:
	- dependabot/**
	- pre-commit-ci-update-config
	tags:
	- '**'
	workflow_dispatch:

	jobs:
	publish-image:
	runs-on: ubuntu-22.04
	timeout-minutes: 20

	services:
	# So that we can test this in PRs/branches
	local-registry:
	image: registry:2
	ports:
	- 5000:5000

	steps:
	- name: Should we push this image to a public registry?
	run: \|
	if [ "${{ startsWith(github.ref, 'refs/tags/') \|\| (github.ref == 'refs/heads/main') }}" = "true" ]; then
	echo "REGISTRY=quay.io/" >> $GITHUB_ENV
	else
	echo "REGISTRY=localhost:5000/" >> $GITHUB_ENV
	fi

	- uses: actions/checkout@v4

	- name: Setup push rights to Docker Hub
	# This was setup by...
	# 1. Creating a [Robot Account](https://quay.io/organization/jupyterhealth?tab=robots) in the JupyterHub
	# . Quay.io org
	# 2. Giving it enough permissions to push to the singleuser images
	# 3. Putting the robot account's username and password in GitHub actions environment
	if: env.REGISTRY != 'localhost:5000/'
	run: \|
	docker login -u "${{ secrets.QUAY_USERNAME }}" -p "${{ secrets.QUAY_PASSWORD }}" "${{ env.REGISTRY }}"

	- name: Build and push
	uses: docker/build-push-action@v5
	with:
	context: .
	platforms: linux/amd64
	push: true
	tags: ${{ env.REGISTRY }}jupyterhealth/singleuser-premvp

Provide feedback