Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Publish release images to GHCR #1385

Open
chenbh opened this issue Nov 22, 2023 · 3 comments
Open

Publish release images to GHCR #1385

chenbh opened this issue Nov 22, 2023 · 3 comments

Comments

@chenbh
Copy link
Contributor

chenbh commented Nov 22, 2023

We're currently publishing to Google Container Registry under a VMware account because of legacy reasons. We should migrate to GitHub Container Registry
@ollie-kane-CB
Copy link
Contributor

The Google Container Registry is slated for shutdown on March 18th, 2025. After this point, kpack will no longer be installable.

https://cloud.google.com/artifact-registry/docs/transition/prepare-gcr-shutdown

I've been looking into this project a bit but don't yet know enough about how the current images are built and deployed. Once I learn a bit more, I can try my hand at updating this. Should the Maintainers provide links to relevant source code, that'd help my review process.

@chenbh
Copy link
Contributor Author

chenbh commented Oct 17, 2024
edited
Loading

The images are built and released using GHA. We first build dev images on every push to main and run tests using these images. If they pass acceptance, and we trigger a new release by pushing a new tag (see RELEASE.md), the GHA will promote all the images from the dev repo to the official repo.

The registry location and creds is currently passed in using repository GHA variables and secrets (so inaccessible to non-maintainers). But I think publishing directly to GHCR from GHA has some first class support and can be done without configuring any secrets (and so makes it possible for non-maintainers to contribute).

The main caveats I see is that:

  1. We use pack to build and publish the images in a single step, this might have to be broken up into pieces (pack builds an OCI tarball, and we use some action to upload the tarball into GHCR) if we don't want to pass creds around. Or maybe the runner just has magical powers to write images without creds. IDK, I haven't played with GHCR at all.
  2. We generate dev images all the time which might be broken. While these are currently public (so the community can play around with nightly and pre-release builds), it's uploaded to a different namespace to avoid confusion (gcr.io/cf-build-service-public/kpack-dev vs gcr.io/cf-build-service-public/kpack). From my 30 seconds skim of the docs, I'm not sure if we can do that level of separation with GHCR.

@ollie-kane-CB
Copy link
Contributor

Fantastic response, if not a bit disappointingly complex issue.

It also answered a follow up I was going to ask which was "how can a guy try out the most recent bleeding-edge pushes that got accepted in my PR?"

I live entirely in the universe of GitLab. I'll try my hand at this github flavored way of doing things. perhaps i can help. I know how to do this in a jiffy in the other world, but I'm sure swapping providers is far too big of an investment.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@chenbh @ollie-kane-CB