Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

🌱 publish docker images to GitHub Container Registry #1453

Merged
merged 2 commits into from
Nov 13, 2024

Conversation

spencerschrock
Copy link
Member

@spencerschrock spencerschrock commented Oct 7, 2024

The goal is to use GHCR to replace Google Container Registry (GCR) for future Scorecard Action releases to reduce network egress costs. These workflows will build two types of images:

  1. Release images, which are tagged following a v1.2.3 pattern. These container images will be retained indefinitely.
  2. Per-commit images for each push to main. These images are used when testing the action, and will be removed after a week.

The workflow was primarily based on GitHub's example workflow. You can see this working in my fork:

  • A normal push to main, generating a latest image, with no attestation workflow
  • A tagged image, generating a release image, with an attestation. workflow
  • The cleanup workflow, deleting untagged images on schedule, or on dispatch.

The goal is to use GHCR to replace Google Container Registry (GCR) for
future versions of Scorecard Action releases. These workflows will build
two types of images:

  1. Release images, which are tagged following a v1.2.3 pattern. These
  container images will be retained indefinitely.
  2. Per-commit images for each push to main. These images are used when
     testing the action, and will be removed after a week.

Signed-off-by: Spencer Schrock <sschrock@google.com>
@spencerschrock spencerschrock requested review from a team, naveensrinivasan and justaugustus and removed request for a team October 7, 2024 17:56
Copy link

@raghavkaul raghavkaul left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What is the network egress cost and why does it not apply with GHCR?

.github/workflows/ghcr-retention.yml Show resolved Hide resolved
@spencerschrock
Copy link
Member Author

What is the network egress cost

When someone runs the action, it pulls our gcr.io image, which has pricing associated with it

General network usage applies for any data read from your Cloud Storage bucket that does not fall into one of the above categories or the Always Free usage limits. For example, general network usage applies when data moves from a Cloud Storage bucket to the Internet.

Monthly Usage Data transfer to Worldwide Destinations (excluding Asia & Australia)(per GB) Data transfer to Asia Destinations (excluding China, but including Hong Kong)(per GB) Data transfer to China Destinations (excluding Hong Kong)(per GB) Data transfer to Australia Destinations and Data transfer from Cloud Storage regions located in Australia(per GB) Inbound data transfer
0-1 TB $0.12 $0.12 $0.23 $0.19 Free
1-10 TB $0.11 $0.11 $0.22 $0.18 Free
10+ TB $0.08 $0.08 $0.20 $0.15 Free

why does it not apply with GHCR?

GHCR is free for public packages. And also has a section later on about GitHub Actions

All data transferred out, when triggered by GitHub Actions, and data transferred in from any source is free. We determine you are downloading packages using GitHub Actions when you log in to GitHub Packages using a GITHUB_TOKEN.

@spencerschrock spencerschrock enabled auto-merge (squash) November 13, 2024 17:03
@spencerschrock spencerschrock merged commit 3a26553 into ossf:main Nov 13, 2024
9 checks passed
@spencerschrock spencerschrock deleted the ghcr branch November 13, 2024 17:07
spencerschrock added a commit to spencerschrock/scorecard-webapp that referenced this pull request Nov 13, 2024
With the switch to GHCR we'll need to support both images for e2e testing.
Eventually we can remove the gcr.io case if needed.

ossf/scorecard-action#1453

Signed-off-by: Spencer Schrock <sschrock@google.com>
spencerschrock added a commit to ossf/scorecard-webapp that referenced this pull request Nov 13, 2024
With the switch to GHCR we'll need to support both images for e2e testing.
Eventually we can remove the gcr.io case if needed.

ossf/scorecard-action#1453

Signed-off-by: Spencer Schrock <sschrock@google.com>
spencerschrock added a commit to ossf-tests/scorecard-action that referenced this pull request Nov 13, 2024
ossf#1453
Signed-off-by: Spencer Schrock <sschrock@google.com>
spencerschrock added a commit to ossf-tests/scorecard-action that referenced this pull request Nov 13, 2024
ossf#1453

Signed-off-by: Spencer Schrock <sschrock@google.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants