-
Notifications
You must be signed in to change notification settings - Fork 71
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
🌱 publish docker images to GitHub Container Registry #1453
Conversation
The goal is to use GHCR to replace Google Container Registry (GCR) for future versions of Scorecard Action releases. These workflows will build two types of images: 1. Release images, which are tagged following a v1.2.3 pattern. These container images will be retained indefinitely. 2. Per-commit images for each push to main. These images are used when testing the action, and will be removed after a week. Signed-off-by: Spencer Schrock <sschrock@google.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What is the network egress cost and why does it not apply with GHCR?
When someone runs the action, it pulls our gcr.io image, which has pricing associated with it
GHCR is free for public packages. And also has a section later on about GitHub Actions
|
With the switch to GHCR we'll need to support both images for e2e testing. Eventually we can remove the gcr.io case if needed. ossf/scorecard-action#1453 Signed-off-by: Spencer Schrock <sschrock@google.com>
With the switch to GHCR we'll need to support both images for e2e testing. Eventually we can remove the gcr.io case if needed. ossf/scorecard-action#1453 Signed-off-by: Spencer Schrock <sschrock@google.com>
ossf#1453 Signed-off-by: Spencer Schrock <sschrock@google.com>
ossf#1453 Signed-off-by: Spencer Schrock <sschrock@google.com>
The goal is to use GHCR to replace Google Container Registry (GCR) for future Scorecard Action releases to reduce network egress costs. These workflows will build two types of images:
The workflow was primarily based on GitHub's example workflow. You can see this working in my fork:
latest
image, with no attestation workflow