feat: add Push and PushImage functions for OCI registry push #8
Performed full review of 0e8d0f4...a884a3b
Analysis
- Security Risk - Forced Insecure Communication: Implementation hardcodes `name.Insecure` option, forcing HTTP for all connections without allowing configuration for secure communication (HTTPS), creating a significant security vulnerability.
- Authentication Failure Handling: Silent authentication failures occur when API keys are empty, returning empty `AuthConfig` objects rather than errors, making debugging difficult and potentially masking security issues.
- Target Name Input Validation Issues: Missing validation allows registry-qualified names to create malformed references, while default name handling may include unwanted prefixes.
- Excessive Dependencies: Integration adds ~40 transitive dependencies including Docker libraries and OpenTelemetry, increasing attack surface and security risk, alongside a potentially premature Go version bump to 1.24.0.
- Configuration Coupling: The `ExtractPushConfig` function directly accesses internal request configuration, creating tight coupling to SDK internals that could break with future changes.
4 files reviewed | 0 comments
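The input checks that the first three review findings point at, written out as an added example; it is not code from this PR or from the hypeman SDK. `PushTarget`, `ResolvePushTarget` and `allowPlainHTTP` are hypothetical names, the host and key are constructed values, and the registry-host test is the Docker-style first-component heuristic, assumed here rather than taken from the PR.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// PushTarget is a hypothetical result type, not part of the SDK under review.
type PushTarget struct {
	Ref       string // host/repository[:tag] to push to
	PlainHTTP bool   // true only when the caller explicitly opted in
}

// ResolvePushTarget (hypothetical) validates inputs before any registry call.
func ResolvePushTarget(baseURL, apiKey, targetName string, allowPlainHTTP bool) (PushTarget, error) {
	if strings.TrimSpace(apiKey) == "" {
		return PushTarget{}, errors.New("push: API key is empty") // fail loudly, never send empty credentials
	}
	u, err := url.Parse(baseURL)
	if err != nil || u.Host == "" {
		return PushTarget{}, fmt.Errorf("push: invalid base URL %q", baseURL)
	}
	plain := false
	switch u.Scheme {
	case "https": // TLS is the default path
	case "http":
		if !allowPlainHTTP {
			return PushTarget{}, errors.New("push: http base URL requires explicit opt-in")
		}
		plain = true
	default:
		return PushTarget{}, fmt.Errorf("push: unsupported scheme %q", u.Scheme)
	}
	name := strings.TrimSpace(targetName)
	if name == "" || strings.Contains(name, "://") {
		return PushTarget{}, fmt.Errorf("push: invalid target name %q", targetName)
	}
	// Heuristic: a first path component with '.' or ':' (or "localhost") names a registry host.
	if first, _, ok := strings.Cut(name, "/"); ok && (strings.ContainsAny(first, ".:") || first == "localhost") {
		return PushTarget{}, fmt.Errorf("push: target %q is already registry-qualified", targetName)
	}
	return PushTarget{Ref: u.Host + "/" + name, PlainHTTP: plain}, nil
}

func main() { // constructed host and key
	fmt.Println(ResolvePushTarget("https://hypeman.example.test", "constructed-key", "myapp:v1", false))
}
```

A caller would map `PlainHTTP` to the registry library's insecure option only when it is true, so HTTPS stays the default.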
Add lib/push.go with functions to push images to hypeman's OCI registry:

- PushImage(ctx, cfg, img, targetName): Push any v1.Image to hypeman
  Works with images from Kaniko, ko, buildpacks, remote registries, tarballs
- Push(ctx, cfg, sourceImage, targetName): Convenience wrapper that loads
  from local Docker daemon (for development workflows)
- PushFromURL(ctx, baseURL, apiKey, img, targetName): Standalone helper
  for scripts that don't need a full client

Also adds examples/push/main.go demonstrating usage patterns.
a884a3b to 7417cc8
Summary
Add functions to push images to hypeman's OCI registry, mirroring the functionality of the `hypeman push` CLI command.

New Functions
`lib/push.go`
- `PushImage(ctx, cfg, img, targetName)` - Core function that pushes any `v1.Image` to hypeman. Works with images from:
  - `remote.Image()`
  - `tarball.ImageFromPath()`
- `Push(ctx, cfg, sourceImage, targetName)` - Convenience wrapper that loads from local Docker daemon (for development workflows)
- `PushFromURL(ctx, baseURL, apiKey, img, targetName)` - Standalone helper for scripts that don't need a full client
- `ExtractPushConfig(opts)` - Extracts registry host and API key from client options

Example Usage

Why `lib/` Package?
The SDK is auto-generated from the OpenAPI spec, but the OCI registry endpoints aren't modeled in OpenAPI. Per CONTRIBUTING.md, manually-maintained code goes in `lib/` which the generator won't overwrite.

Dependencies
Added `github.com/google/go-containerregistry` for OCI image handling.