feat: adding ghcr image publish support #1161

Merged
Pangjiping merged 2 commits into opensandbox-group:main from bahe-msft:copilot/1160-issue-fix
Jul 2, 2026
@bcho bcho commented Jun 30, 2026

Contributor

Summary

Adding ghcr images publish process for #1160

Testing

  • Not run (explain why): image publishing changes
  • Unit tests
  • Integration tests
  • e2e / manual verification

Breaking Changes

  • None
  • Yes (describe impact and migration path)

Checklist

  • Linked Issue or clearly described motivation
  • Added/updated docs (if needed)
  • Added/updated tests (if needed)
  • Security impact considered
  • Backward compatibility considered

@bcho bcho marked this pull request as ready for review June 30, 2026 20:06
Copilot AI review requested due to automatic review settings June 30, 2026 20:06
bcho commented Jun 30, 2026

Contributor Author

I was able to get this image published in https://github.com/bahe-msft/OpenSandbox/pkgs/container/opensandbox%2Fexecd

Copilot AI left a comment

Contributor

Pull request overview

Adds GitHub Container Registry (GHCR) publishing support alongside existing Docker Hub and Alibaba Cloud ACR image publishing, addressing #1160’s request to reduce Docker Hub rate-limit pressure by providing GHCR-hosted images.

Changes:

  • Extend multiple image build scripts to optionally tag/push images to GHCR when GHCR_REPO is provided.
  • Update GitHub Actions publishing workflows to log in to GHCR, push GHCR tags, and include GHCR in cosign signing + attestations.
  • Document GHCR usage for Kubernetes image builds via GHCR_REPO.

Reviewed changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated 3 comments.

Show a summary per file
| File | Description |
| --- | --- |
| server/build.sh | Adds optional GHCR tagging (GHCR_REPO) for server image builds. |
| sandboxes/code-interpreter/build.sh | Adds optional GHCR tagging (GHCR_REPO) for code-interpreter image builds. |
| components/ingress/build.sh | Adds optional GHCR tagging (including latest on version tags). |
| components/execd/build.sh | Adds optional GHCR tagging (including latest on version tags). |
| components/egress/build.sh | Adds optional GHCR tagging (including latest on version tags). |
| kubernetes/build.sh | Adds optional GHCR tagging for Kubernetes component images when pushing. |
| kubernetes/docs/BUILD-IMAGES.md | Documents logging into GHCR and the new GHCR_REPO env var; updates registry section to mention GHCR. |
| .github/workflows/publish-server.yml | Logs into GHCR, pushes GHCR tags, signs + attests GHCR image. |
| .github/workflows/publish-components.yml | Logs into GHCR, pushes GHCR tags, signs + attests GHCR component images. |
| .github/workflows/kubernetes-nightly-build.yml | Logs into GHCR and publishes nightly latest to GHCR as well. |

Comment thread .github/workflows/kubernetes-nightly-build.yml
Comment thread kubernetes/docs/BUILD-IMAGES.md
Comment thread .github/workflows/publish-server.yml

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 3584c06fcb

Comment thread .github/workflows/kubernetes-nightly-build.yml
Comment thread .github/workflows/publish-components.yml

@Pangjiping Pangjiping left a comment

Collaborator

Review: GHCR Image Publishing Support

Clean, well-structured PR. GHCR added as optional registry alongside existing Docker Hub + ACR. Changes consistent across all 6 build scripts and 3 workflows.

What works well

  • Opt-in design — GHCR_REPO defaults empty in build scripts, no breakage for existing local builds or forks without GHCR
  • Consistent pattern — Same conditional tag logic applied uniformly across egress, execd, ingress, server, code-interpreter, kubernetes build scripts
  • Full pipeline coverage — Login, build/push, signing (cosign), attestation all updated for GHCR
  • Correct permissions — packages: write added to all relevant workflows for GITHUB_TOKEN GHCR auth
  • ${GITHUB_REPOSITORY_OWNER,,} lowercase — Correct for GHCR which requires lowercase owner names

Minor observations (non-blocking)

  1. GHCR_REPO set via export in run: block — Works fine here since the echo "ghcr_image=..." line is in the same run: block (same step). Just noting for future maintainers: if these get split into separate steps, the variable won't persist.

  2. Nightly build has no signing/attestation for GHCR — Consistent with existing behavior (nightly doesn't sign/attest any registry), but worth adding in a follow-up if nightly images become relied upon.

  3. code-interpreter/build.sh has no :latest alias logic — Pre-existing gap (not introduced here), but the other build scripts tag :latest when TAG == v*. May want to align in a separate PR.

LGTM — approve.
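
The opt-in tagging pattern described in the review above, as an added example that is not part of the review or of the OpenSandbox build scripts. It goes slightly beyond the review by also showing how a value survives into a later workflow step. Assumptions: the function names, `DOCKERHUB_REPO`, the `example/opensandbox` repository and the `ghcr.io/<owner>/opensandbox` layout are hypothetical; `GHCR_REPO`, the lowercase owner, the `:latest` alias on `v*` tags and the same-step caveat come from the review.

```shell
#!/bin/sh
# Added illustration; not code from the OpenSandbox repository.

# ghcr_repo_for OWNER: GHCR requires a lowercase owner segment.
# Portable equivalent of bash's ${GITHUB_REPOSITORY_OWNER,,}.
ghcr_repo_for() {
    owner=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    printf 'ghcr.io/%s/opensandbox\n' "$owner"   # layout is an assumption
}

# image_tags NAME TAG: print every image reference to build and push.
image_tags() {
    name=$1
    tag=$2
    repos=${DOCKERHUB_REPO:-example/opensandbox}   # hypothetical default
    # Opt-in: GHCR is appended only when GHCR_REPO is non-empty, so local
    # builds and forks without GHCR access behave exactly as before.
    if [ -n "${GHCR_REPO:-}" ]; then
        repos="$repos $GHCR_REPO"
    fi
    for repo in $repos; do
        printf '%s/%s:%s\n' "$repo" "$name" "$tag"
        # Version tags (v*) also get the :latest alias.
        case $tag in
            v*) printf '%s/%s:latest\n' "$repo" "$name" ;;
        esac
    done
}

# persist_for_later_steps NAME VALUE: `export` only lasts for the current
# step's shell. A later step sees the value only if it is appended to the
# file GitHub Actions exposes as $GITHUB_ENV.
persist_for_later_steps() {
    [ -n "${GITHUB_ENV:-}" ] || return 0   # not running under Actions
    printf '%s=%s\n' "$1" "$2" >> "$GITHUB_ENV"
}

# Demo with a constructed owner name when run outside a workflow.
GHCR_REPO=$(ghcr_repo_for "${GITHUB_REPOSITORY_OWNER:-Example-Org}")
image_tags execd v1.0.0
```

Every reference the function prints is one that the signing and attestation steps need to cover, so a registry added to the list without a matching signing step leaves unsigned images published.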

@Pangjiping Pangjiping merged commit 753ee45 into opensandbox-group:main Jul 2, 2026
58 of 61 checks passed