feat: adding ghcr image publish support #1161
I was able to get this image published in https://github.com/bahe-msft/OpenSandbox/pkgs/container/opensandbox%2Fexecd
Pull request overview
Adds GitHub Container Registry (GHCR) publishing support alongside existing Docker Hub and Alibaba Cloud ACR image publishing, addressing #1160’s request to reduce Docker Hub rate-limit pressure by providing GHCR-hosted images.
Changes:
- Extend multiple image build scripts to optionally tag/push images to GHCR when `GHCR_REPO` is provided.
- Update GitHub Actions publishing workflows to log in to GHCR, push GHCR tags, and include GHCR in cosign signing + attestations.
- Document GHCR usage for Kubernetes image builds via `GHCR_REPO`.
Reviewed changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| `server/build.sh` | Adds optional GHCR tagging (`GHCR_REPO`) for server image builds. |
| `sandboxes/code-interpreter/build.sh` | Adds optional GHCR tagging (`GHCR_REPO`) for code-interpreter image builds. |
| `components/ingress/build.sh` | Adds optional GHCR tagging (including latest on version tags). |
| `components/execd/build.sh` | Adds optional GHCR tagging (including latest on version tags). |
| `components/egress/build.sh` | Adds optional GHCR tagging (including latest on version tags). |
| `kubernetes/build.sh` | Adds optional GHCR tagging for Kubernetes component images when pushing. |
| `kubernetes/docs/BUILD-IMAGES.md` | Documents logging into GHCR and the new `GHCR_REPO` env var; updates registry section to mention GHCR. |
| `.github/workflows/publish-server.yml` | Logs into GHCR, pushes GHCR tags, signs + attests GHCR image. |
| `.github/workflows/publish-components.yml` | Logs into GHCR, pushes GHCR tags, signs + attests GHCR component images. |
| `.github/workflows/kubernetes-nightly-build.yml` | Logs into GHCR and publishes nightly latest to GHCR as well. |
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 3584c06fcb
Pangjiping left a comment
Review: GHCR Image Publishing Support
Clean, well-structured PR. GHCR added as optional registry alongside existing Docker Hub + ACR. Changes consistent across all 6 build scripts and 3 workflows.
What works well
- Opt-in design — `GHCR_REPO` defaults empty in build scripts, no breakage for existing local builds or forks without GHCR
- Consistent pattern — Same conditional tag logic applied uniformly across egress, execd, ingress, server, code-interpreter, kubernetes build scripts
- Full pipeline coverage — Login, build/push, signing (cosign), attestation all updated for GHCR
- Correct permissions — `packages: write` added to all relevant workflows for `GITHUB_TOKEN` GHCR auth
- `${GITHUB_REPOSITORY_OWNER,,}` lowercase — Correct for GHCR which requires lowercase owner names
Minor observations (non-blocking)
- `GHCR_REPO` set via `export` in `run:` block — Works fine here since the `echo "ghcr_image=..."` line is in the same `run:` block (same step). Just noting for future maintainers: if these get split into separate steps, the variable won't persist.
- Nightly build has no signing/attestation for GHCR — Consistent with existing behavior (nightly doesn't sign/attest any registry), but worth adding in a follow-up if nightly images become relied upon.
- `code-interpreter/build.sh` has no `:latest` alias logic — Pre-existing gap (not introduced here), but the other build scripts tag `:latest` when `TAG == v*`. May want to align in a separate PR.
LGTM — approve.
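The opt-in tagging pattern discussed in the review above (empty `GHCR_REPO` changes nothing, lowercase GHCR path, `:latest` alias on `v*` tags), as an added example that is not the project's build scripts. The function name `image_refs`, the variable `DOCKERHUB_REPO`, the `ghcr.io/<owner>/<project>` shape of `GHCR_REPO` and all sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not OpenSandbox's build scripts): compute the image references
# a build would tag, with GHCR as an opt-in extra registry.
# Assumptions: image_refs and DOCKERHUB_REPO are hypothetical names; GHCR_REPO
# is the variable from the PR, assumed here to hold "ghcr.io/<owner>/<project>".

# image_refs NAME TAG -> prints one image reference per line.
# The body is a subshell "( ... )" so its variables do not leak to the caller.
image_refs() (
  name=$1
  tag=$2
  repos=${DOCKERHUB_REPO:?DOCKERHUB_REPO must be set}

  # Opt-in: an empty or unset GHCR_REPO leaves the existing behaviour unchanged.
  if [ -n "${GHCR_REPO:-}" ]; then
    # GHCR needs a lowercase owner; tr is used instead of bash's ${VAR,,}
    # so the function also runs under plain POSIX sh.
    ghcr=$(printf '%s' "$GHCR_REPO" | tr '[:upper:]' '[:lower:]')
    repos="$repos $ghcr"
  fi

  for repo in $repos; do
    printf '%s/%s:%s\n' "$repo" "$name" "$tag"
    # Version tags (v*) also get the :latest alias, once per registry.
    case $tag in
      v*) printf '%s/%s:latest\n' "$repo" "$name" ;;
    esac
  done
)

# Constructed sample values, not real repositories.
DOCKERHUB_REPO=docker.io/example
GHCR_REPO=ghcr.io/Example-Org/opensandbox
image_refs execd v1.2.3
```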
Summary
Adding ghcr images publish process for #1160
Testing
Breaking Changes
Checklist