Skip to content

ci: publish images to Docker Hub instead of GHCR#132

Merged
marc-barry merged 2 commits into
mainfrom
chore/publish-to-dockerhub
May 7, 2026
Merged

ci: publish images to Docker Hub instead of GHCR#132
marc-barry merged 2 commits into
mainfrom
chore/publish-to-dockerhub

Conversation

@marc-barry

@marc-barry marc-barry commented May 7, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Retargets docker-publish.yml to publish multi-arch images to netboxlabs/netbox-mcp-server on Docker Hub. NetBox Labs publishes its public container images on Docker Hub (e.g. orb-agent); this aligns the MCP server with that convention.
  • Drops QEMU emulation in favour of native linux/amd64 + linux/arm64 runners, push-by-digest, and a manifest merge — same pattern used by netboxlabs/orb-agent.
  • Restricts publish to v*.*.* tag pushes (plus workflow_dispatch). latest now tracks the most recent stable release rather than every commit on main. Container scanning on PRs is unchanged (covered by container-scan.yaml).
  • Pre-release tags (any tag containing -, e.g. v1.2.0-rc1) publish only their full version. They never move :latest, :MAJOR, or :MAJOR.MINOR — those should always point at a stable release.
  • Repoints the daily rescan workflow at the Docker Hub image and adds a "Pre-built Image (Docker Hub)" section to the README.

Prerequisites

Two repository secrets must exist before the workflow can authenticate to Docker Hub:

  • DOCKERHUB_USERNAME
  • DOCKERHUB_TOKEN (Read & Write scope, with access to netboxlabs/netbox-mcp-server)

The Docker Hub repository netboxlabs/netbox-mcp-server must also exist (token scopes typically don't allow creating new repositories in the namespace).

Relationship to #127

#127 hardens the publish pipeline (cosign keyless signatures, SLSA build provenance, base-image digest pin). That hardening is independently valuable and should land before the first public Docker Hub release; it just needs to be rebased onto this branch so the cosign/attest steps target Docker Hub instead of GHCR.

Test plan

  • actionlint passes on the modified workflows
  • End-to-end smoke test: pushed a temporary v0.0.0-test tag at HEAD and confirmed a clean run
    • Build (linux/amd64) and Build (linux/arm64) both green on native runners
    • Merge multi-arch manifest published docker.io/netboxlabs/netbox-mcp-server:0.0.0-test as a multi-arch OCI image index (amd64 + arm64 + buildkit attestation manifests)
    • Pre-release rule held: only the full version was tagged on Docker Hub — no :latest, no :0, no :0.0
    • Test tag deleted from git; the 0.0.0-test Docker Hub tag will be cleaned up manually
  • First non-pre-release tag after merge exercises the :latest / :MAJOR.MINOR / :MAJOR floating-tag path (not covered by the pre-release smoke test)
  • Daily rescan workflow finds and scans the Docker Hub image

Retargets the multi-arch publish workflow at netboxlabs/netbox-mcp-server
on Docker Hub (the convention for NetBox Labs public images, matching
orb-agent). Switches to native amd64/arm64 runners with push-by-digest
and a manifest merge to drop QEMU emulation. Publishes only on v*.*.*
tag pushes; the daily rescan and the README pull instructions are
updated to point at Docker Hub.

Refs #83

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
Pre-release tags (those containing `-`, e.g. v1.2.0-rc1) now publish
only their full version. They no longer overwrite :latest, :MAJOR, or
:MAJOR.MINOR — those should always point at a stable release.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
@marc-barry marc-barry merged commit 674fa77 into main May 7, 2026
21 of 27 checks passed
@marc-barry marc-barry deleted the chore/publish-to-dockerhub branch May 7, 2026 20:37
abubnalitic-nbl added a commit that referenced this pull request May 8, 2026
Adds supply-chain hardening to the Docker Hub publish pipeline introduced
in #132:

- Pin the python:3.14-alpine3.23 base image by digest in both Dockerfile
  stages so a compromised tag cannot substitute the base.
- Sign the published multi-arch manifest with cosign keyless (Sigstore +
  GitHub OIDC) so pullers can verify each image came from this repo's
  Actions.
- Generate SLSA build provenance attestations via
  actions/attest-build-provenance, pushed to the registry alongside the
  manifest, linking any published digest back to the workflow run that
  produced it.
- Document `cosign verify` in the README's Docker Hub section.

Carries over the intent of #127, restructured to fit the matrix-build /
manifest-merge workflow merged in #132. Signing happens once on the
manifest-list digest in the merge job; all aliased tags (latest, X.Y.Z,
X.Y, X) resolve to the same digest, so a single signature covers them.

Co-authored-by: Claude Sonnet 4.6 <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants