Security wise, PR's cross org are not allowed to deploy to ghcr.io package system unless that user is a 'member' of said org.

This could be improved to use local org ckan if the tag matches (usually it would) but if there is schema changes we won't have a tag and would need to reference the container made by the incoming user if possible. (there is some risk on this that its been 'poisoned' by a bad actor but unsure what it could do if anything)

Since schema changes are so rare we would be referencing the exact tagged version from repo owner majority of the time.

(unsure if a pr rasied by an actor would be encoded into the github_token to allow a push { it could but needs further testing} )

This is now working for PR from user to org and should also do org to org.

It will need more testing on creating containers inside the ckan org (as well as possible settings if not enabled in the org/repo level)

Its also a pita that they made a differentiation between user and orgs for package api.

This could could be moved into a shell script and have ENV_ARGS passed through but I've spent enough time today on this and need to give it a rest.

I also investigated having the docker container locally built and not use a container manager but due to running the build in a container image (not root gh) it would not be possible to add it to auto dns resolution and would then need some hackery with /etc/hosts and local port forwarding to 'emulate' it being on ckan-solr