ci: mirror CI service images to GHCR (fork-safe Docker Hub pulls, groundwork)

[rusackas]

SUMMARY

Groundwork for fixing CI's Docker Hub service-pull flakes without breaking fork PRs — the failure mode that #40875 hit and #40879 reverts.

Root cause of the #40875 fork breakage: adding credentials: to a services: container looks safe, but on fork PRs the DOCKERHUB_USER/DOCKERHUB_TOKEN secrets are unavailable, so the templated values resolve to empty strings. GitHub Actions validates the credentials: block at job-setup time and rejects an empty username/password with a hard template error:

The template is not valid. superset-python-integrationtest.yml
(Line 55,56,69,70): Unexpected value ''

So every fork PR's Python-Integration / E2E / Presto-Hive job died at "Set up job". Empty creds do not fall back to anonymous pulls — they fail to parse. (See run 27179055813 on a fork.)

This PR (groundwork): add a scheduled/dispatchable workflow that mirrors the four Docker Hub service-container images CI relies on — postgres:17-alpine, redis:7-alpine, mysql:8.0, starburstdata/presto:350-e.6 — into this repo's GHCR namespace under a ci/ prefix (ghcr.io/apache/superset/ci/<name>).

Why GHCR fixes it for everyone: public GHCR images are pulled without Docker Hub's anonymous rate limit and without any credentials. Once CI points at the mirrored copies, the consuming workflows can drop their credentials: blocks entirely → no empty-secret parse error → forks work unchanged, and same-repo/master stop flaking.

This PR adds only the mirror workflow. The repoint of the services.*.image refs is the follow-up (ready-to-go diff below), staged so CI never points at images that don't exist yet.

⚠️ One-time bootstrap (maintainer) — do these before the repoint

• Merge this PR so the workflow is on the default branch (workflow_dispatch requires that).
• Run "Mirror service images to GHCR" once (Actions → Run workflow).
• Confirm ghcr.io/apache/superset/* push works under ASF infra. This is the key unknown — the first run will tell us whether the repo's GITHUB_TOKEN has packages: write to the apache GHCR namespace. If it doesn't, that's the blocker to resolve with ASF infra (apache/airflow et al. publish to GHCR, so it's likely fine).
• Set the four mirrored packages' visibility to public (this is what lets fork CI pull without auth).
• Open the repoint follow-up (diff below).

Follow-up repoint (PR B) — for reference, NOT in this PR

For each services: image across superset-e2e.yml, superset-python-integrationtest.yml, superset-python-presto-hive.yml:

       postgres:
-        image: postgres:17-alpine
+        image: ghcr.io/apache/superset/ci/postgres:17-alpine
-        credentials:
-          username: ${{ secrets.DOCKERHUB_USER }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}

(…same for redis:7-alpine → ci/redis:7-alpine, mysql:8.0 → ci/mysql:8.0, starburstdata/presto:350-e.6 → ci/presto:350-e.6. Every credentials: block on a mirrored service is removed.)

Out of scope

The bde2020/hive-metastore-postgresql image is pulled via docker compose (not a services: block), so it never hit the parse error. Mirroring it is a separate, optional follow-up.

TESTING INSTRUCTIONS

The mirror workflow is exercised by running it from the Actions tab; its job summary lists each docker.io/... → ghcr.io/... copy. The repoint is validated by the existing integration/E2E/Presto-Hive suites once it lands.

ADDITIONAL INFORMATION

• Has associated issue:
• Required feature flags:
• Changes UI
• Includes DB Migration

🤖 Generated with Claude Code

[rusackas]

Follow-up repoint is staged as a draft in #40882 — ready to rebase + un-draft once this merges, the mirror runs, and the four ci/* packages are made public.