Merge pull request #5224 from oasisprotocol/kostko/feature/ghcr

docker: Switch to ghcr.io for container registry

.buildkite/benchmarks.pipeline.yml

@@ -1,6 +1,6 @@
 # Copied from pipeline.yml.
 docker_plugin_default_config: &docker_plugin_default_config
-  image: "oasisprotocol/oasis-core-ci:master"
+  image: "ghcr.io/oasisprotocol/oasis-core-ci:master"
   always_pull: true
   workdir: /workdir
   volumes:

.buildkite/code.pipeline.yml

@@ -6,7 +6,7 @@
 #
 
 docker_plugin_default_config: &docker_plugin_default_config
-  image: "oasisprotocol/oasis-core-ci:${DOCKER_OASIS_CORE_CI_BASE_TAG}"
+  image: "ghcr.io/oasisprotocol/oasis-core-ci:${DOCKER_OASIS_CORE_CI_BASE_TAG}"
   always_pull: true
   workdir: /workdir
   volumes:

.buildkite/longtests.pipeline.yml

@@ -1,6 +1,6 @@
 # Copied from pipeline.yml.
 docker_plugin_default_config: &docker_plugin_default_config
-  image: "oasisprotocol/oasis-core-ci:master"
+  image: "ghcr.io/oasisprotocol/oasis-core-ci:master"
   always_pull: true
   workdir: /workdir
   volumes:

.buildkite/pipeline.sh

@@ -51,10 +51,10 @@ pr_and_docker_changes() {
     'docker/'
 }
 
-# Helper that checks if the given tag of the oasisprotocol/oasis-core-ci Docker image exists.
+# Helper that checks if the given tag of the ghcr.io/oasisprotocol/oasis-core-ci Docker image exists.
 check_docker_ci_image_tag_exists() {
   local tag=$1
-  curl --silent -f --head -lL "https://hub.docker.com/v2/repositories/oasisprotocol/oasis-core-ci/tags/${tag}/"
+  docker manifest inspect ghcr.io/oasisprotocol/oasis-core-ci:${tag}
 }
 
 # Determine the oasis-core-ci Docker image tag to use for tests.
@@ -77,7 +77,7 @@ if pr_and_docker_changes; then
 fi
 
 if ! check_docker_ci_image_tag_exists "${docker_tag}"; then
-    echo 1>&2 "Docker image 'oasisprotocol/oasis-core-ci:${docker_tag}' does not exist."
+    echo 1>&2 "Docker image 'ghcr.io/oasisprotocol/oasis-core-ci:${docker_tag}' does not exist."
     exit 1
 fi
 

.changelog/5224.internal.md

@@ -0,0 +1 @@
+docker: Switch to ghcr.io for container registry

.github/workflows/docker.yml

@@ -58,54 +58,91 @@ jobs:
             branch=pr-$(git describe --always --match '' --abbrev=7)
           fi
           branch=${branch//\//-}
-          echo "::set-output name=tag::${branch}"
-          echo "::set-output name=created::$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
+          echo "tag=${branch}" >> $GITHUB_OUTPUT
+          echo "created=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v2
 
       - name: Login to DockerHub
         uses: docker/login-action@v2
         with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_ACCESS_TOKEN }}
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: "Rebuild oasisprotocol/oasis-core-dev:${{ steps.determine_tag.outputs.tag }}"
-        uses: docker/build-push-action@v3.2.0
+      - name: "Rebuild ghcr.io/oasisprotocol/oasis-core-dev:${{ steps.determine_tag.outputs.tag }}"
+        uses: docker/build-push-action@v4
         with:
           context: docker/oasis-core-dev
           file: docker/oasis-core-dev/Dockerfile
-          tags: oasisprotocol/oasis-core-dev:${{ steps.determine_tag.outputs.tag }}
+          tags: ghcr.io/oasisprotocol/oasis-core-dev:${{ steps.determine_tag.outputs.tag }}
           pull: true
           push: true
+          provenance: false
           labels: |
             org.opencontainers.image.source=${{ github.event.repository.html_url }}
             org.opencontainers.image.created=${{ steps.determine_tag.outputs.created }}
             org.opencontainers.image.revision=${{ github.sha }}
 
-      - name: "Rebuild oasisprotocol/oasis-core-ci:${{ steps.determine_tag.outputs.tag }}"
-        uses: docker/build-push-action@v3.2.0
+      - name: "Rebuild ghcr.io/oasisprotocol/oasis-core-ci:${{ steps.determine_tag.outputs.tag }}"
+        uses: docker/build-push-action@v4
         with:
           context: docker/oasis-core-ci
           file: docker/oasis-core-ci/Dockerfile
-          tags: oasisprotocol/oasis-core-ci:${{ steps.determine_tag.outputs.tag }}
+          tags: ghcr.io/oasisprotocol/oasis-core-ci:${{ steps.determine_tag.outputs.tag }}
           pull: true
           push: true
+          provenance: false
           build-args: OASIS_CORE_DEV_BASE_TAG=${{ steps.determine_tag.outputs.tag }}
           labels: |
             org.opencontainers.image.source=${{ github.event.repository.html_url }}
             org.opencontainers.image.created=${{ steps.determine_tag.outputs.created }}
             org.opencontainers.image.revision=${{ github.sha }}
 
-      - name: "Rebuild oasisprotocol/aesmd:${{ steps.determine_tag.outputs.tag }}"
-        uses: docker/build-push-action@v3.2.0
+      - name: "Rebuild ghcr.io/oasisprotocol/aesmd:${{ steps.determine_tag.outputs.tag }}"
+        uses: docker/build-push-action@v4
         with:
           context: docker/aesmd
           file: docker/aesmd/Dockerfile
-          tags: oasisprotocol/aesmd:${{ steps.determine_tag.outputs.tag }}
+          tags: ghcr.io/oasisprotocol/aesmd:${{ steps.determine_tag.outputs.tag }}
           pull: true
           push: true
+          provenance: false
           labels: |
             org.opencontainers.image.source=${{ github.event.repository.html_url }}
             org.opencontainers.image.created=${{ steps.determine_tag.outputs.created }}
             org.opencontainers.image.revision=${{ github.sha }}
+
+      - name: Prune old ghcr.io/oasisprotocol/oasis-core-dev images
+        uses: vlaurin/action-ghcr-prune@v0.5.0
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          organization: oasisprotocol
+          container: oasis-core-dev
+          keep-younger-than: 7 # days
+          keep-last: 2
+          prune-untagged: true
+          prune-tags-regexes: ^pr-
+
+      - name: Prune old ghcr.io/oasisprotocol/oasis-core-ci images
+        uses: vlaurin/action-ghcr-prune@v0.5.0
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          organization: oasisprotocol
+          container: oasis-core-ci
+          keep-younger-than: 7 # days
+          keep-last: 2
+          prune-untagged: true
+          prune-tags-regexes: ^pr-
+
+      - name: Prune old ghcr.io/oasisprotocol/aesmd images
+        uses: vlaurin/action-ghcr-prune@v0.5.0
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          organization: oasisprotocol
+          container: aesmd
+          keep-younger-than: 7 # days
+          keep-last: 2
+          prune-untagged: true
+          prune-tags-regexes: ^pr-

Makefile

@@ -212,7 +212,7 @@ docker-shell:
 	  --security-opt seccomp=unconfined \
 	  -v $(shell pwd):/code \
 	  -w /code \
-	  oasisprotocol/oasis-core-dev:master \
+	  ghcr.io/oasisprotocol/oasis-core-dev:master \
 	  bash
 
 # List of targets that are not actual files.

docker/Makefile

@@ -1,4 +1,4 @@
-IMG_ORG ?= oasisprotocol
+IMG_ORG ?= ghcr.io/oasisprotocol
 IMG_VER ?= master
 
 IMAGES = oasis-core-dev oasis-core-ci aesmd

docker/oasis-core-ci/Dockerfile

@@ -1,6 +1,6 @@
 ARG OASIS_CORE_DEV_BASE_TAG=master
 
-FROM oasisprotocol/oasis-core-dev:${OASIS_CORE_DEV_BASE_TAG}
+FROM ghcr.io/oasisprotocol/oasis-core-dev:${OASIS_CORE_DEV_BASE_TAG}
 
 RUN apt-get install -y \
     unzip jq \

docs/development-setup/building.md

@@ -64,7 +64,7 @@ To run an Oasis node under SGX make sure:
     --device /dev/isgx \
     --volume /var/run/aesmd:/var/run/aesmd \
     --name aesmd \
-    fortanix/aesmd
+    ghcr.io/oasisprotocol/aesmd:master
   ```
 
 Run `sgx-detect` (part of fortanix rust tools) to verify that everything is

docs/development-setup/prerequisites.md

@@ -253,7 +253,7 @@ you have a [recent version of Docker installed](
 https://docs.docker.com/install/).
 
 Oasis development environment with all the dependencies preinstalled is
-available in the `oasisprotocol/oasis-core-dev:master` image.
+available in the `ghcr.io/oasisprotocol/oasis-core-dev:master` image.
 To run a container, do the following in the top-level directory:
 
 ```bash
@@ -269,7 +269,7 @@ docker run -t -i \
   --security-opt seccomp=unconfined \
   -v $(pwd):/code \
   -w /code \
-  oasisprotocol/oasis-core-dev:master \
+  ghcr.io/oasisprotocol/oasis-core-dev:master \
   bash
 ```