Release/3.0.1 #2

Merged
vladukdev merged 3 commits into master from release/3.0.1
Aug 1, 2025

@vladukdev vladukdev commented Aug 1, 2025

PR Type

Enhancement


Description

  • Switch to multi-stage Docker build compiling from source

  • Use latest Go version to address vulnerabilities

  • Remove architecture-specific binary download logic

  • Simplify and harden Dockerfile build process


Diagram Walkthrough

flowchart LR
  A["Dockerfile: Download prebuilt binaries"] -- "Remove" --> B["Dockerfile: Multi-stage build from source"]
  B -- "Compile with Go 1.23" --> C["Copy binary to runtime image"]
  C -- "Simplified, secure build" --> D["Final minimal image"]

File Walkthrough

Relevant files

Enhancement: Dockerfile (+17/-21)
Refactor Dockerfile to build registry from source using Go 1.23

  • Replace binary download with multi-stage build from source
  • Use Go 1.23-alpine as builder for latest Go security
  • Remove architecture and hash logic for prebuilt binaries
  • Copy compiled binary into minimal Alpine runtime image

@pull-request-agent

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 3 🔵🔵🔵⚪⚪
🧪 No relevant tests
🔒 No security concerns identified
⚡ Recommended focus areas for review

Build Reliability

The Dockerfile now builds the registry from source using a specific git branch and Go version. The reviewer should verify that the build process is reproducible and that the correct version of the registry is being built as intended.

FROM golang:1.23-alpine AS builder

RUN apk add --no-cache git ca-certificates

# Clone and build the registry from source with latest Go (fixes vulnerability)
WORKDIR /src
RUN git clone --depth 1 --branch v3.0.0 https://github.com/distribution/distribution.git .
RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o /registry ./cmd/registry

Binary Verification

The previous architecture-specific SHA256 verification of downloaded binaries has been removed. The reviewer should ensure that building from source provides equivalent security and that the resulting binary is trusted and not tampered with.

RUN git clone --depth 1 --branch v3.0.0 https://github.com/distribution/distribution.git .
RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o /registry ./cmd/registry

# Test the binary works in builder
RUN /registry --version

Entrypoint and CMD Consistency

The CMD has been changed to explicitly specify the config file. The reviewer should confirm that this change does not break existing entrypoint logic or runtime expectations.

CMD ["/etc/distribution/config.yml"]
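
Added example, not part of the PR or of the reviewer bot's output: one way to act on the Build Reliability and Binary Verification points above is to check that the `v3.0.0` tag resolves to an expected commit before compiling. `DISTRIBUTION_COMMIT` is a hypothetical build argument; its value (the commit SHA, obtained from a trusted source) is not given on this page and must be supplied at build time.

```dockerfile
# Added example: the PR's builder stage with the cloned source pinned to a commit.
FROM golang:1.23-alpine AS builder

RUN apk add --no-cache git ca-certificates

# Hypothetical build argument (not in the PR): the full commit SHA that the
# v3.0.0 tag is expected to resolve to. Supply it with
#   docker build --build-arg DISTRIBUTION_COMMIT=<sha> .
ARG DISTRIBUTION_COMMIT

WORKDIR /src
# A tag name can be moved upstream; a commit SHA identifies one exact source tree.
# Fail the build if the argument is missing or the tag resolves to another commit.
RUN : "${DISTRIBUTION_COMMIT:?set --build-arg DISTRIBUTION_COMMIT}" \
 && git clone --depth 1 --branch v3.0.0 https://github.com/distribution/distribution.git . \
 && actual="$(git rev-parse HEAD)" \
 && if [ "$actual" != "$DISTRIBUTION_COMMIT" ]; then \
      echo "v3.0.0 resolved to $actual, expected $DISTRIBUTION_COMMIT" >&2; \
      exit 1; \
    fi

# Build command unchanged from the PR
RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o /registry ./cmd/registry

# Same smoke test as in the PR
RUN /registry --version
```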

@pull-request-agent

PR Code Suggestions ✨

No code suggestions found for the PR.

@vladukdev vladukdev merged commit afc138f into master Aug 1, 2025
1 check passed