From 3126cd4899e278ea3adffe34231575c93e350581 Mon Sep 17 00:00:00 2001 From: Joel Verhagen Date: Thu, 6 Nov 2025 16:00:12 -0500 Subject: [PATCH 1/2] Add support for MCR (Microsoft Container Registry) --- internal/validators/registries/oci.go | 3 +++ internal/validators/registries/oci_test.go | 6 ++++++ 2 files changed, 9 insertions(+) diff --git a/internal/validators/registries/oci.go b/internal/validators/registries/oci.go index 211e5785..0f4e3442 100644 --- a/internal/validators/registries/oci.go +++ b/internal/validators/registries/oci.go @@ -33,6 +33,8 @@ var allowedOCIRegistries = map[string]bool{ "index.docker.io": true, // Docker Hub index // GitHub Container Registry "ghcr.io": true, + // Microsoft Container Registry + "mcr.microsoft.com": true, // Google Artifact Registry (*.pkg.dev pattern handled in isAllowedRegistry) } @@ -47,6 +49,7 @@ var allowedOCIRegistries = map[string]bool{ // - Docker Hub (docker.io) // - GitHub Container Registry (ghcr.io) // - Google Artifact Registry (*.pkg.dev) +// - Microsoft Container Registry (mcr.microsoft.com) func ValidateOCI(ctx context.Context, pkg model.Package, serverName string) error { if pkg.Identifier == "" { return ErrMissingIdentifierForOCI diff --git a/internal/validators/registries/oci_test.go b/internal/validators/registries/oci_test.go index 3b02fd24..dbc24957 100644 --- a/internal/validators/registries/oci_test.go +++ b/internal/validators/registries/oci_test.go @@ -39,6 +39,12 @@ func TestValidateOCI_RegistryAllowlist(t *testing.T) { expectError: true, errorMsg: "missing required annotation", }, + { + name: "MCR should be allowed", + identifier: "mcr.microsoft.com/dotnet/aspire-dashboard:9.5.0", + expectError: true, + errorMsg: "missing required annotation", + }, { name: "Artifact Registry regional should be allowed", identifier: "us-central1-docker.pkg.dev/database-toolbox/toolbox/toolbox:latest", From 269834a38d942f20a19d22cf460b513ea89d6899 Mon Sep 17 00:00:00 2001 From: Joel Verhagen Date: Thu, 6 Nov 2025 16:51:55 -0500 Subject: [PATCH 2/2] Add ACR also --- docs/guides/publishing/publish-server.md | 2 ++ docs/reference/faq.md | 3 +++ .../official-registry-requirements.md | 2 ++ internal/validators/registries/oci.go | 6 ++++++ internal/validators/registries/oci_test.go | 18 ++++++++++++------ 5 files changed, 25 insertions(+), 6 deletions(-) diff --git a/docs/guides/publishing/publish-server.md b/docs/guides/publishing/publish-server.md index 80eefed2..ea0ebaba 100644 --- a/docs/guides/publishing/publish-server.md +++ b/docs/guides/publishing/publish-server.md @@ -317,6 +317,8 @@ The official MCP registry supports: - Docker Hub (`docker.io`) - GitHub Container Registry (`ghcr.io`) - Google Artifact Registry (any `*.pkg.dev` domain) +- Azure Container Registry (`*.azurecr.io`) +- Microsoft Container Registry (`mcr.microsoft.com`) diff --git a/docs/reference/faq.md b/docs/reference/faq.md index 5474a495..034ccb1c 100644 --- a/docs/reference/faq.md +++ b/docs/reference/faq.md @@ -62,6 +62,9 @@ This applies to both locally-run and remote servers. - NuGet.org (.NET packages) - GitHub Container Registry (GHCR) - Docker Hub +- Google Artifact Registry (`*.pkg.dev` domains) +- Azure Container Registry (`*.azurecr.io` domains) +- Microsoft Container Registry (MCR) More can be added as the community desires; feel free to open an issue if you are interested in building support for another registry. diff --git a/docs/reference/server-json/official-registry-requirements.md b/docs/reference/server-json/official-registry-requirements.md index f33ed8cd..6ab23258 100644 --- a/docs/reference/server-json/official-registry-requirements.md +++ b/docs/reference/server-json/official-registry-requirements.md @@ -42,6 +42,8 @@ Only trusted public registries are supported. Private registries and alternative - Docker Hub (`docker.io`) - GitHub Container Registry (`ghcr.io`) - Google Artifact Registry (`*.pkg.dev`) + - Azure Container Registry (`*.azurecr.io`) + - Microsoft Container Registry (`mcr.microsoft.com`) - **MCPB**: `https://github.com` releases and `https://gitlab.com` releases only ## `_meta` Namespace Restrictions diff --git a/internal/validators/registries/oci.go b/internal/validators/registries/oci.go index 0f4e3442..6932d7f3 100644 --- a/internal/validators/registries/oci.go +++ b/internal/validators/registries/oci.go @@ -36,6 +36,7 @@ var allowedOCIRegistries = map[string]bool{ // Microsoft Container Registry "mcr.microsoft.com": true, // Google Artifact Registry (*.pkg.dev pattern handled in isAllowedRegistry) + // Azure Container Registry (*.azurecr.io pattern handled in isAllowedRegistry) } // ValidateOCI validates that an OCI image contains the correct MCP server name annotation. @@ -152,5 +153,10 @@ func isAllowedRegistry(registry string) bool { return true } + // Azure Container Registry: *.azurecr.io + if strings.HasSuffix(registry, ".azurecr.io") { + return true + } + return false } diff --git a/internal/validators/registries/oci_test.go b/internal/validators/registries/oci_test.go index dbc24957..64e319d8 100644 --- a/internal/validators/registries/oci_test.go +++ b/internal/validators/registries/oci_test.go @@ -39,12 +39,6 @@ func TestValidateOCI_RegistryAllowlist(t *testing.T) { expectError: true, errorMsg: "missing required annotation", }, - { - name: "MCR should be allowed", - identifier: "mcr.microsoft.com/dotnet/aspire-dashboard:9.5.0", - expectError: true, - errorMsg: "missing required annotation", - }, { name: "Artifact Registry regional should be allowed", identifier: "us-central1-docker.pkg.dev/database-toolbox/toolbox/toolbox:latest", @@ -57,6 +51,18 @@ func TestValidateOCI_RegistryAllowlist(t *testing.T) { expectError: true, errorMsg: "missing required annotation", }, + { + name: "MCR should be allowed", + identifier: "mcr.microsoft.com/dotnet/aspire-dashboard:9.5.0", + expectError: true, + errorMsg: "missing required annotation", + }, + { + name: "ACR should be allowed", + identifier: "azurearcjumpstart.azurecr.io/hello-arc:latest", + expectError: true, + errorMsg: "missing required annotation", + }, // Disallowed registries {