Download GGUF, package as Docker Model and push it to Hub (#87)

* Use username + pass auth if DOCKER_USERNAME & DOCKER_PASSWORD are defined

* Added GHA to package and push a model

* Install certs

* Don't initialize client twice

Author: ilopezluna

.github/workflows/package-model.yml

@@ -0,0 +1,75 @@
+name: Package Model
+
+on:
+  workflow_dispatch:
+    inputs:
+      gguf_file_url:
+        description: 'URL to the GGUF file (e.g., https://huggingface.co/unsloth/Qwen3-4B-GGUF/resolve/main/Qwen3-4B-Q4_K_M.gguf)'
+        required: true
+        type: string
+      registry_repository:
+        description: 'OCI Registry repository'
+        required: true
+        type: string
+        default: 'qwen3'
+      tag:
+        description: 'Tag for the Docker image (e.g., 4B-Q4_K_M)'
+        required: true
+        type: string
+      input_types:
+        description: 'Comma-separated input types (e.g., text,embedding,image)'
+        required: true
+        type: string
+        default: 'text'
+      output_types:
+        description: 'Comma-separated output types (e.g., text,embedding,image)'
+        required: true
+        type: string
+        default: 'text'
+      tool_usage:
+        description: 'Enable tool usage support'
+        required: false
+        type: boolean
+        default: false
+      license_url:
+        description: 'Url to the license file'
+        required: true
+        type: string
+        default: 'https://huggingface.co/datasets/choosealicense/licenses/resolve/main/markdown/apache-2.0.md'
+
+permissions:
+  contents: read
+
+jobs:
+  package:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USER_STAGING }}
+          password: ${{ secrets.DOCKER_OAT_STAGING }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          driver: cloud
+          endpoint: "${{ secrets.DOCKER_USER_STAGING }}/default"
+          install: true
+
+      - name: Build and push model
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          platforms: 'linux/arm64'
+          build-args: |          
+            GGUF_FILE_URL=${{ inputs.gguf_file_url }}
+            LICENSE_URL=${{ inputs.license_url }}
+            HUB_REPOSITORY=${{ secrets.DOCKER_USER_STAGING }}/${{ inputs.registry_repository }}
+            TAG=${{ inputs.tag }}
+          secrets: |
+            DOCKER_USERNAME=${{ secrets.DOCKER_USER_STAGING }}
+            DOCKER_PASSWORD=${{ secrets.DOCKER_OAT_STAGING }}

Dockerfile

@@ -0,0 +1,64 @@
+# syntax=docker/dockerfile:1
+
+ARG GO_VERSION=1.24.2
+ARG GIT_VERSION=v2.47.2
+ARG UBUNTU_VERSION=24.04
+
+FROM golang:${GO_VERSION}-bookworm AS builder
+
+# Install git for go mod download if needed
+RUN apt-get update && apt-get install -y --no-install-recommends git && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /app
+
+# Copy go mod/sum first for better caching
+COPY --link go.mod go.sum ./
+
+# Download dependencies (with cache mounts)
+RUN --mount=type=cache,target=/go/pkg/mod \
+    --mount=type=cache,target=/root/.cache/go-build \
+    go mod download
+
+# Copy the rest of the source code
+COPY --link . .
+
+# Build the application
+RUN make build
+
+FROM ubuntu:${UBUNTU_VERSION} AS downloader
+
+ARG GGUF_FILE_URL
+ARG LICENSE_URL
+
+WORKDIR /app
+
+# Install curl for downloading the files
+RUN apt-get update && apt-get install -y curl ca-certificates && rm -rf /var/lib/apt/lists/*
+
+# Create model directory and download the GGUF file
+RUN mkdir -p /model && \
+    curl -L "$GGUF_FILE_URL" -o /model/model.gguf
+
+# Create licenses directory and download the license file
+RUN mkdir -p /licenses && \
+    curl -L "$LICENSE_URL" -o /licenses/LICENSE
+
+FROM ubuntu:${UBUNTU_VERSION} AS packager
+
+ARG HUB_REPOSITORY
+ARG TAG
+
+COPY --link --from=downloader /model/model.gguf /model/model.gguf
+COPY --link --from=downloader /licenses/LICENSE /licenses/LICENSE
+COPY --from=builder /app/bin/model-distribution-tool /usr/local/bin/model-distribution-tool
+
+# Install ca-certificates for the model-distribution-tool
+RUN apt-get update && apt-get install -y ca-certificates && rm -rf /var/lib/apt/lists/*
+
+# Login to Docker Hub using build secrets
+RUN --mount=type=secret,id=DOCKER_USERNAME,env=DOCKER_USERNAME \
+    --mount=type=secret,id=DOCKER_PASSWORD,env=DOCKER_PASSWORD \
+    model-distribution-tool package \
+    --licenses /licenses/LICENSE \
+    /model/model.gguf \
+    $HUB_REPOSITORY:$TAG

cmd/mdltool/main.go

@@ -62,12 +62,19 @@ func main() {
 		os.Exit(1)
 	}
 
-	// Create the client
-	client, err := distribution.NewClient(
+	// Create the client with auth if environment variables are set
+	clientOpts := []distribution.Option{
 		distribution.WithStoreRootPath(absStorePath),
-		distribution.WithUserAgent("model-distribution-tool/"+version),
-	)
+		distribution.WithUserAgent("model-distribution-tool/" + version),
+	}
+
+	if username := os.Getenv("DOCKER_USERNAME"); username != "" {
+		if password := os.Getenv("DOCKER_PASSWORD"); password != "" {
+			clientOpts = append(clientOpts, distribution.WithRegistryAuth(username, password))
+		}
+	}
 
+	client, err := distribution.NewClient(clientOpts...)
 	if err != nil {
 		fmt.Fprintf(os.Stderr, "Error creating client: %v\n", err)
 		os.Exit(1)
@@ -176,10 +183,23 @@ func cmdPackage(args []string) int {
 		fmt.Fprintf(os.Stderr, "Continuing anyway, but this may cause issues.\n")
 	}
 
-	// Parse the reference
-	target, err := registry.NewClient(
+	// Prepare registry client options
+	registryClientOpts := []registry.ClientOption{
 		registry.WithUserAgent("model-distribution-tool/" + version),
-	).NewTarget(reference)
+	}
+
+	// Add auth if available
+	if username := os.Getenv("DOCKER_USERNAME"); username != "" {
+		if password := os.Getenv("DOCKER_PASSWORD"); password != "" {
+			registryClientOpts = append(registryClientOpts, registry.WithAuthConfig(username, password))
+		}
+	}
+
+	// Create registry client once with all options
+	registryClient := registry.NewClient(registryClientOpts...)
+
+	// Parse the reference
+	target, err := registryClient.NewTarget(reference)
 	if err != nil {
 		fmt.Fprintf(os.Stderr, "Error parsing reference: %v\n", err)
 		return 1

distribution/client.go

@@ -36,6 +36,8 @@ type options struct {
 	logger        *logrus.Entry
 	transport     http.RoundTripper
 	userAgent     string
+	username      string
+	password      string
 }
 
 // WithStoreRootPath sets the store root path
@@ -74,6 +76,16 @@ func WithUserAgent(ua string) Option {
 	}
 }
 
+// WithRegistryAuth sets the registry authentication credentials
+func WithRegistryAuth(username, password string) Option {
+	return func(o *options) {
+		if username != "" && password != "" {
+			o.username = username
+			o.password = password
+		}
+	}
+}
+
 func defaultOptions() *options {
 	return &options{
 		logger:    logrus.NewEntry(logrus.StandardLogger()),
@@ -100,14 +112,22 @@ func NewClient(opts ...Option) (*Client, error) {
 		return nil, fmt.Errorf("initializing store: %w", err)
 	}
 
+	// Create registry client options
+	registryOpts := []registry.ClientOption{
+		registry.WithTransport(options.transport),
+		registry.WithUserAgent(options.userAgent),
+	}
+
+	// Add auth if credentials are provided
+	if options.username != "" && options.password != "" {
+		registryOpts = append(registryOpts, registry.WithAuthConfig(options.username, options.password))
+	}
+
 	options.logger.Infoln("Successfully initialized store")
 	return &Client{
-		store: s,
-		log:   options.logger,
-		registry: registry.NewClient(
-			registry.WithTransport(options.transport),
-			registry.WithUserAgent(options.userAgent),
-		),
+		store:    s,
+		log:      options.logger,
+		registry: registry.NewClient(registryOpts...),
 	}, nil
 }
 

registry/client.go

@@ -26,6 +26,7 @@ type Client struct {
 	transport http.RoundTripper
 	userAgent string
 	keychain  authn.Keychain
+	auth      authn.Authenticator
 }
 
 type ClientOption func(*Client)
@@ -46,6 +47,17 @@ func WithUserAgent(userAgent string) ClientOption {
 	}
 }
 
+func WithAuthConfig(username, password string) ClientOption {
+	return func(c *Client) {
+		if username != "" && password != "" {
+			c.auth = &authn.Basic{
+				Username: username,
+				Password: password,
+			}
+		}
+	}
+}
+
 func NewClient(opts ...ClientOption) *Client {
 	client := &Client{
 		transport: remote.DefaultTransport,
@@ -65,13 +77,22 @@ func (c *Client) Model(ctx context.Context, reference string) (types.ModelArtifa
 		return nil, NewReferenceError(reference, err)
 	}
 
-	// Return the artifact at the given reference
-	remoteImg, err := remote.Image(ref,
+	// Set up authentication options
+	authOpts := []remote.Option{
 		remote.WithContext(ctx),
-		remote.WithAuthFromKeychain(c.keychain),
 		remote.WithTransport(c.transport),
 		remote.WithUserAgent(c.userAgent),
-	)
+	}
+
+	// Use direct auth if provided, otherwise fall back to keychain
+	if c.auth != nil {
+		authOpts = append(authOpts, remote.WithAuth(c.auth))
+	} else {
+		authOpts = append(authOpts, remote.WithAuthFromKeychain(c.keychain))
+	}
+
+	// Return the artifact at the given reference
+	remoteImg, err := remote.Image(ref, authOpts...)
 	if err != nil {
 		errStr := err.Error()
 		if strings.Contains(errStr, "UNAUTHORIZED") {
@@ -93,6 +114,7 @@ type Target struct {
 	transport http.RoundTripper
 	userAgent string
 	keychain  authn.Keychain
+	auth      authn.Authenticator
 }
 
 func (c *Client) NewTarget(tag string) (*Target, error) {
@@ -105,20 +127,30 @@ func (c *Client) NewTarget(tag string) (*Target, error) {
 		transport: c.transport,
 		userAgent: c.userAgent,
 		keychain:  c.keychain,
+		auth:      c.auth,
 	}, nil
 }
 
 func (t *Target) Write(ctx context.Context, model types.ModelArtifact, progressWriter io.Writer) error {
 	pr := progress.NewProgressReporter(progressWriter, progress.PushMsg, nil)
 	defer pr.Wait()
 
-	if err := remote.Write(t.reference, model,
+	// Set up authentication options
+	authOpts := []remote.Option{
 		remote.WithContext(ctx),
-		remote.WithAuthFromKeychain(t.keychain),
 		remote.WithTransport(t.transport),
 		remote.WithUserAgent(t.userAgent),
 		remote.WithProgress(pr.Updates()),
-	); err != nil {
+	}
+
+	// Use direct auth if provided, otherwise fall back to keychain
+	if t.auth != nil {
+		authOpts = append(authOpts, remote.WithAuth(t.auth))
+	} else {
+		authOpts = append(authOpts, remote.WithAuthFromKeychain(t.keychain))
+	}
+
+	if err := remote.Write(t.reference, model, authOpts...); err != nil {
 		return fmt.Errorf("write to registry %q: %w", t.reference.String(), err)
 	}
 	return nil