From af60f44b1a5b4afcd0929fd259e46934e32447b2 Mon Sep 17 00:00:00 2001
From: Robin Candau
Date: Fri, 3 Apr 2026 19:24:17 +0200
Subject: [PATCH] Pull Alpine images from Google's public pull-through cache proxy during build
The CI is pulling the Alpine Linux image during `podman build` (via the [Dockerfile](https://gitlab.archlinux.org/archlinux/archlinux-docker/-/blob/master/Dockerfile.template?ref_type=heads#L13)) for each built images. With the 3 image versions we have right now (`base`, `base-devel`, `multilib-devel`) plus the new / incoming [`repro` image](https://gitlab.archlinux.org/archlinux/archlinux-docker/-/merge_requests/96) (which is built twice during the CI), that's a total of 5 pull requests made to Docker Hub per CI. Docker Hub has a rate limit of 100 pull requests per 6 hours for unauthenticated requests (see https://www.docker.com/increase-rate-limit). That means that 20 CI runs within 6 hours (including from forks) would get us blocked (which eventually happened during my *numerous* tests with the repro image MR...). This commit aims to configure podman to pull the image from [Google's public pull-through cache proxy](https://docs.cloud.google.com/artifact-registry/docs/pull-cached-dockerhub-images) instead (and fallback to Docker Hub if needed), reducing the number of requestis we send to Docker Hub and avoiding being rate limited. Closes https://gitlab.archlinux.org/archlinux/infrastructure/-/work_items/817
---
 .gitlab-ci.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index eb56175..ed90db2 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -106,6 +106,8 @@ rootfs:secure:
 SIGSTORE_ID_TOKEN:
 aud: sigstore
 script:
+ - echo -e '[aliases]\n "alpine" = ""' > /etc/containers/registries.conf.d/99-no-alpine-alias.conf
+ - echo 'unqualified-search-registries = ["mirror.gcr.io", "docker.io"]' > /etc/containers/registries.conf
 - |
 if [[ "$GROUP" == "repro" ]]; then
 SOURCE_DATE_EPOCH=$(date -u -d "00:00:00" +%s)
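Review bot: The two added `echo` lines route the base-image pull through unqualified short-name search, so with the `alpine` alias blanked the name is resolved by walking `["mirror.gcr.io", "docker.io"]` in order, and the outcome depends on the effective `short-name-mode`, which this hunk does not set (without a TTY some modes fail instead of falling back; worth confirming in the CI image). registries.conf has a dedicated mirror mechanism that avoids this: keep the image fully qualified as `docker.io/library/alpine` and declare `mirror.gcr.io` as a `[[registry.mirror]]` of `docker.io`, which tries the mirror first and falls back to Docker Hub without widening the search list for every other short name. Because the build-stage base now arrives through a third-party cache, pinning the Alpine reference in Dockerfile.template by digest would make the pulled content independent of which registry serves it (the Dockerfile is not visible here, so it may already be pinned). The same two lines are repeated in the image:build:secure and image:publish:secure hunks, and the `script:` block continues past the end of this hunk. The sketch below is untested against this CI image and its drop-in file name is only illustrative.

```yaml
script:
  - |
    # drop-in name is illustrative
    cat > /etc/containers/registries.conf.d/NN-dockerhub-mirror.conf <<'EOF'
    [[registry]]
    prefix = "docker.io"
    location = "docker.io"

    [[registry.mirror]]
    location = "mirror.gcr.io"
    EOF
  # … unchanged: SOURCE_DATE_EPOCH setup and podman build …
```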
@@ -161,6 +163,8 @@ image:build:secure:
 - cat repro-output/repro.tar.zst.SHA256
 - diffoscope output/repro.tar.zst repro-output/repro.tar.zst
 - echo "RootFS is reproducible!"
+ - echo -e '[aliases]\n "alpine" = ""' > /etc/containers/registries.conf.d/99-no-alpine-alias.conf
+ - echo 'unqualified-search-registries = ["mirror.gcr.io", "docker.io"]' > /etc/containers/registries.conf
 - |
 SOURCE_DATE_EPOCH=$(date -u -d "00:00:00" +%s)
 podman build \
@@ -221,6 +225,8 @@ image:publish:secure:
 - podman login -u "$GHCR_USERNAME" -p "$GHCR_PASSWORD" "ghcr.io"
 - 'echo -e "default-docker:\n use-sigstore-attachments: true" > /etc/containers/registries.d/sigstore.yaml'
 script:
+ - echo -e '[aliases]\n "alpine" = ""' > /etc/containers/registries.conf.d/99-no-alpine-alias.conf
+ - echo 'unqualified-search-registries = ["mirror.gcr.io", "docker.io"]' > /etc/containers/registries.conf
 - |
 if [[ "$GROUP" == "repro" ]]; then
 SOURCE_DATE_EPOCH=$(date -u -d "00:00:00" +%s)
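Review bot: The second added line truncates `/etc/containers/registries.conf` with `>`, which silently discards whatever the CI image ships in that file (for example a `short-name-mode` setting or existing `[[registry]]` blocks). The alias override on the line above already uses a drop-in, and the search list can do the same: `- echo 'unqualified-search-registries = ["mirror.gcr.io", "docker.io"]' > /etc/containers/registries.conf.d/NN-search-registries.conf` (file name is a placeholder). The same pair of lines is now copied into three jobs, including image:publish:secure, which builds what actually gets pushed and signed. Moving them into one shared hidden job or YAML anchor would keep the build and publish jobs from drifting onto different registry configurations. The `script:` blocks of both hunks on this line continue outside the visible context.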