Rename git.tu-po.com -> code.podesta.ai and reorganize orgs (auralang -> PodestaAI/akribes, runner image -> public/runner-image, brew tap -> public/brew-tap, mirrored bases -> public/*). Product domains aura/akribes.tu-po.com -> api.akribes.ai, studio -> podesta.studio. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
# registry-mirror

Weekly mirror of upstream container images into `code.podesta.ai/public/*`.

## Why
Anonymous pulls from docker.io are rate-limited to 100/6h/IP and take out
unrelated CI jobs when a runner's quota is spent. Authenticated pulls raise
that to 200/6h/user but don't eliminate the failure mode. Mirroring the
small set of images we actually depend on into our own registry removes the
dependency entirely — CI pulls code.podesta.ai/public/postgres:17 and never
talks to Docker Hub at all.
## What gets mirrored

Source of truth is `images.yaml`. The destination name is the last path segment of `src`, so:

| Upstream | Mirrored to |
|---|---|
| docker.io/library/postgres:17 | code.podesta.ai/public/postgres:17 |
| docker.io/minio/minio:latest | code.podesta.ai/public/minio:latest |
| docker.io/minio/mc:latest | code.podesta.ai/public/mc:latest |
| quay.io/docling-project/docling-serve-cpu:latest | code.podesta.ai/public/docling-serve-cpu:latest |
Platform: linux/amd64 only (matches our cluster nodes).
## When it runs

- Weekly — Mondays 04:00 UTC (cron).
- On change — any push to `main` that touches `images.yaml` or the workflow runs an immediate mirror.
- Manually — `workflow_dispatch` via the UI or `fgj actions run list`.
## Adding an image

Open a PR that adds an entry to `images.yaml`:

```yaml
- src: docker.io/library/redis
  tags: ["7", "7-alpine"]
```

Merge to `main` → the mirror workflow fires on the push. The new tag appears at
`code.podesta.ai/public/redis:7` a few minutes later. No registry admin work.
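To make the naming rule concrete, here is an added example (not the repo's own workflow code) that parses entries in the `images.yaml` shape shown above, resolves each `src`/tag pair to its `code.podesta.ai/public/<last segment>:<tag>` reference, and flags the one thing the rule silently allows: two different upstream repositories whose last path segment is the same would overwrite each other in the mirror. The parser is deliberately minimal and assumes only the two-key entry format used here; the sample document is constructed.

```python
import re
from collections import defaultdict

MIRROR_PREFIX = "code.podesta.ai/public"

# Constructed sample in the shape of the README's example entry (not the real images.yaml).
SAMPLE_IMAGES_YAML = """\
- src: docker.io/library/postgres
  tags: ["17"]
- src: docker.io/minio/minio
  tags: ["latest"]
- src: quay.io/docling-project/docling-serve-cpu
  tags: ["latest"]
"""

def parse_images_yaml(text):
    """Return [{"src": ..., "tags": [...]}, ...] from the simple list-of-entries format."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("- src:"):
            entries.append({"src": line[len("- src:"):].strip(), "tags": []})
        elif line.startswith("tags:") and entries:
            # tags: ["7", "7-alpine"]  ->  ["7", "7-alpine"]
            entries[-1]["tags"] = re.findall(r'"([^"]+)"', line)
    return entries

def mirror_name(src):
    """Destination repository is the last path segment of src (the README's rule)."""
    return f"{MIRROR_PREFIX}/{src.rsplit('/', 1)[-1]}"

def plan_mirror(text):
    """Return [(upstream_ref, mirrored_ref), ...] for every src/tag pair."""
    plan = []
    for entry in parse_images_yaml(text):
        for tag in entry["tags"]:
            plan.append((f"{entry['src']}:{tag}", f"{mirror_name(entry['src'])}:{tag}"))
    return plan

def find_collisions(text):
    """Map each mirror repository to the distinct upstream srcs that resolve to it;
    only names claimed by more than one src are returned (worth checking in PR review)."""
    by_dest = defaultdict(set)
    for entry in parse_images_yaml(text):
        by_dest[mirror_name(entry["src"])].add(entry["src"])
    return {dest: sorted(srcs) for dest, srcs in by_dest.items() if len(srcs) > 1}

if __name__ == "__main__":
    print(*plan_mirror(SAMPLE_IMAGES_YAML), find_collisions(SAMPLE_IMAGES_YAML), sep="\n")
```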
## Adding an upstream registry beyond docker.io / quay.io

quay.io is unauthenticated (public read); docker.io uses the
`DOCKERHUB_USERNAME` / `DOCKERHUB_TOKEN` repo secrets. If we need a third
registry, add a login step in `.forgejo/workflows/mirror.yml` and set the
credentials as repo secrets.
## What this repo deliberately does not do

- No garbage collection. Removing a tag from `images.yaml` does not delete the already-mirrored image — keeps stale references working.
- No arch beyond amd64. Our nodes are all amd64; arm64 doubles storage and egress for no runtime benefit.
- No version pinning by digest. We mirror the current upstream tag each week; that's the whole point (kept fresh). If a specific digest is load-bearing, pin it at the consumer end, not here.
- No solution to docling model downloads. The mirrored `docling-serve-cpu` image ships the same model subset as upstream — CI still has to download `CodeFormulaV2` at first use. That's a separate follow-up (bake a preloaded variant).