Pull Alpine images from Google's public pull-through cache proxy during build

The CI is pulling the Alpine Linux image during `podman build` (via the [Dockerfile](https://gitlab.archlinux.org/archlinux/archlinux-docker/-/blob/master/Dockerfile.template?ref_type=heads#L13)) for each built image.

With the 3 image versions we have right now (`base`, `base-devel`, `multilib-devel`) plus the new / incoming [`repro` image](https://gitlab.archlinux.org/archlinux/archlinux-docker/-/merge_requests/96) (which is built twice during the CI), that's a total of 5 pull requests made to Docker Hub per CI.

Docker Hub has a rate limit of 100 pull requests per 6 hours for unauthenticated requests (see https://www.docker.com/increase-rate-limit). That means that 20 CI runs within 6 hours (including from forks) would get us blocked (which eventually happened during my *numerous* tests with the repro image MR...).

This commit aims to configure podman to pull the image from [Google's public pull-through cache proxy](https://docs.cloud.google.com/artifact-registry/docs/pull-cached-dockerhub-images) instead (and fall back to Docker Hub if needed), reducing the number of requests we send to Docker Hub and avoiding being rate limited.

Closes https://gitlab.archlinux.org/archlinux/infrastructure/-/work_items/817
Robin Candau 2026-04-03 19:24:17 +02:00
parent 7161278aa0
commit af60f44b1a
No known key found for this signature in database
GPG Key ID: FDC3040B92ACA748


@ -106,6 +106,8 @@ rootfs:secure:
SIGSTORE_ID_TOKEN:
aud: sigstore
script:
- echo -e '[aliases]\n "alpine" = ""' > /etc/containers/registries.conf.d/99-no-alpine-alias.conf
- echo 'unqualified-search-registries = ["mirror.gcr.io", "docker.io"]' > /etc/containers/registries.conf
- |
if [[ "$GROUP" == "repro" ]]; then
SOURCE_DATE_EPOCH=$(date -u -d "00:00:00" +%s)
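Review bot: the second added line in `rootfs:secure` redirects with `>` into `/etc/containers/registries.conf`, which replaces the whole file, so any other setting the CI image ships there is silently dropped. Consider writing the key as a drop-in next to the alias override instead, for example `echo 'unqualified-search-registries = ["mirror.gcr.io", "docker.io"]' > /etc/containers/registries.conf.d/99-search-registries.conf` (the file name is only a suggestion), so that only this one key is overridden. If the intent is strictly "Docker Hub with a mirror in front", a `[[registry]]` entry for `docker.io` with a `[[registry.mirror]]` of `location = "mirror.gcr.io"` expresses that directly and does not depend on short-name search order.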
@ -161,6 +163,8 @@ image:build:secure:
- cat repro-output/repro.tar.zst.SHA256
- diffoscope output/repro.tar.zst repro-output/repro.tar.zst
- echo "RootFS is reproducible!"
- echo -e '[aliases]\n "alpine" = ""' > /etc/containers/registries.conf.d/99-no-alpine-alias.conf
- echo 'unqualified-search-registries = ["mirror.gcr.io", "docker.io"]' > /etc/containers/registries.conf
- |
SOURCE_DATE_EPOCH=$(date -u -d "00:00:00" +%s)
podman build \
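Review bot: the two `echo` lines added to `image:build:secure` are a verbatim copy of the ones added to `rootfs:secure`, and the same pair appears a third time in `image:publish:secure`. Three copies of a registry list will drift the first time one of them is edited; move them into a hidden job (for example a `.registries` template, name hypothetical) and pull them in with `extends` or `!reference`, so the mirror and fallback order are defined in one place. Here they also sit after the `diffoscope` check and its "RootFS is reproducible!" message, which makes the script read as if registry setup were part of the reproducibility test; placing them first in the script, or in the shared template, would be clearer.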
@ -221,6 +225,8 @@ image:publish:secure:
- podman login -u "$GHCR_USERNAME" -p "$GHCR_PASSWORD" "ghcr.io"
- 'echo -e "default-docker:\n use-sigstore-attachments: true" > /etc/containers/registries.d/sigstore.yaml'
script:
- echo -e '[aliases]\n "alpine" = ""' > /etc/containers/registries.conf.d/99-no-alpine-alias.conf
- echo 'unqualified-search-registries = ["mirror.gcr.io", "docker.io"]' > /etc/containers/registries.conf
- |
if [[ "$GROUP" == "repro" ]]; then
SOURCE_DATE_EPOCH=$(date -u -d "00:00:00" +%s)
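Review bot: the line `"alpine" = ""` written to `99-no-alpine-alias.conf` in `image:publish:secure` has no comment saying why the alias is blanked, and the reason is not obvious from the YAML alone. Add a one-line comment above it stating that the short-name alias for `alpine` is being cleared so that the `unqualified-search-registries` order (mirror first, Docker Hub second) is what resolves the name. In this job the existing registry configuration (`podman login` and the `registries.d/sigstore.yaml` line) sits above `script:`, while the new registry lines are placed under `script:`; keeping all registry setup in the same section would make the job easier to audit, which matters here because this is the job that publishes the images.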