GHCR image mirroring #51
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Mirror DockerHub images used by the Rust project to ghcr.io. | |
# Images are available at https://github.com/orgs/rust-lang/packages. | |
# | |
# In some CI jobs, we pull images from ghcr.io instead of Docker Hub because | |
# Docker Hub has a rate limit, while ghcr.io doesn't. | |
# Those images are pushed to ghcr.io by this job. | |
# | |
# While Docker Hub rate limit *shouldn't* be an issue on GitHub Actions, | |
# it certainly is for AWS codebuild. | |
# | |
# Note that authenticating to DockerHub or other registries isn't possible | |
# for PR jobs, because forks can't access secrets. | |
# That's why we use ghcr.io: it has no rate limit and it doesn't require authentication. | |
name: GHCR image mirroring | |
on: | |
workflow_dispatch: | |
schedule: | |
# Run daily at midnight UTC | |
- cron: '0 0 * * *' | |
jobs: | |
mirror: | |
name: DockerHub mirror | |
runs-on: ubuntu-24.04 | |
if: github.repository == 'rust-lang/rust' | |
permissions: | |
# Needed to write to the ghcr.io registry | |
packages: write | |
steps: | |
- uses: actions/checkout@v5 | |
with: | |
persist-credentials: false | |
- name: Log in to registry | |
run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin | |
# Download crane in the current directory. | |
# We use crane because it copies the docker image for all the architectures available in | |
# DockerHub for the image. | |
# Learn more about crane at | |
# https://github.com/google/go-containerregistry/blob/main/cmd/crane/README.md | |
- name: Download crane | |
run: | | |
curl -sL "https://github.com/google/go-containerregistry/releases/download/${VERSION}/go-containerregistry_${OS}_${ARCH}.tar.gz" | tar -xzf - | |
env: | |
VERSION: v0.20.2 | |
OS: Linux | |
ARCH: x86_64 | |
- name: Mirror DockerHub | |
run: | | |
# List of DockerHub images to mirror to ghcr.io | |
images=( | |
# Mirrored because used by the tidy job, which doesn't cache Docker images | |
"ubuntu:22.04" | |
# Mirrored because used by all linux CI jobs, including tidy | |
"moby/buildkit:buildx-stable-1" | |
# Mirrored because used when CI is running inside a Docker container | |
"alpine:3.4" | |
# Mirrored because used by dist-x86_64-linux | |
"centos:7" | |
) | |
# Mirror each image from DockerHub to ghcr.io | |
for img in "${images[@]}"; do | |
echo "Mirroring ${img}..." | |
# Remove namespace from the image if any. | |
# E.g. "moby/buildkit:buildx-stable-1" becomes "buildkit:buildx-stable-1" | |
dest_image=$(echo "${img}" | cut -d'/' -f2-) | |
./crane copy \ | |
"docker.io/${img}" \ | |
"ghcr.io/${{ github.repository_owner }}/${dest_image}" | |
done |