Docker: Mirror images to GitHub Container Registry#3098
Open
Docker: Mirror images to GitHub Container Registry#3098
Conversation
Signed-off-by: Viet Nguyen Duc <nguyenducviet4496@gmail.com>
Contributor
Review Summary by QodoMirror Docker images to GitHub Container Registry
WalkthroughsDescription• Add GitHub Container Registry (GHCR) login to deployment workflows • Mirror Docker images from Docker Hub to GHCR across all release pipelines • Implement new Makefile targets for GHCR image mirroring operations • Support versioned, latest, nightly, and browser-specific image mirroring Diagramflowchart LR
A["Docker Hub Images"] -->|"docker buildx imagetools create"| B["GHCR Images"]
C["Deploy Workflow"] -->|"Login GHCR"| D["Mirror versioned/latest/nightly"]
E["Browser Release Workflows"] -->|"Login GHCR"| F["Mirror browser images"]
D --> B
F --> B
File Changes1. .github/workflows/deploy.yml
|
Contributor
Code Review by Qodo
1. GHCR_NAMESPACE defaults to seleniumhq
|
![qodo-code-review[bot]](https://avatars.githubusercontent.com/in/484649?s=60&v=4){kind=small}
| KEDA_BASED_TAG := $(or $(KEDA_BASED_TAG),$(KEDA_BASED_TAG),2.19.0) | ||
| TEST_PATCHED_KEDA := $(or $(TEST_PATCHED_KEDA),$(TEST_PATCHED_KEDA),false) | ||
| TRACING_EXPORTER_ENDPOINT := $(or $(TRACING_EXPORTER_ENDPOINT),$(TRACING_EXPORTER_ENDPOINT),http://\$$KUBERNETES_NODE_HOST_IP:4317) | ||
| GHCR_NAMESPACE := $(or $(GHCR_NAMESPACE),$(GHCR_NAMESPACE),ghcr.io/seleniumhq) |
Contributor
There was a problem hiding this comment.
1. ghcr_namespace defaults to seleniumhq 📎 Requirement gap ✓ Correctness
The GHCR namespace is set to ghcr.io/seleniumhq, but the compliance requirement specifies publishing under ghcr.io/selenium/.... This can break the expected pull path and fails the required registry naming scheme.
Agent Prompt
## Issue description
The default GHCR namespace is `ghcr.io/seleniumhq`, but compliance requires images be published under `ghcr.io/selenium/...`.
## Issue Context
This PR introduces GHCR mirroring; the registry namespace must match the required org/prefix so users can pull images from the documented location.
## Fix Focus Areas
- Makefile[40-40]
ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools
.github/workflows/deploy.yml
Outdated
| timeout_minutes: 30 | ||
| max_attempts: 5 | ||
| retry_wait_seconds: 300 | ||
| command: GHCR_NAMESPACE="ghcr.io/${{ github.repository_owner }}" VERSION="${GRID_VERSION}" BUILD_DATE=${BUILD_DATE} make release_ghcr |
Contributor
There was a problem hiding this comment.
2. build_date unquoted in command 📘 Rule violation ⛯ Reliability
The workflow passes BUILD_DATE=${BUILD_DATE} without quotes, which can cause
word-splitting/globbing if the value ever contains whitespace or special characters. This violates
the requirement for robust shell quoting in scripts/configured commands.
Agent Prompt
## Issue description
A workflow command assigns `BUILD_DATE=${BUILD_DATE}` without quotes, which is not robust against whitespace/globbing.
## Issue Context
This is part of the GHCR mirroring step; failures here can lead to incomplete releases.
## Fix Focus Areas
- .github/workflows/deploy.yml[166-166]
ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools
Comment on lines
+472
to
+492
| tag_and_push_browser_images_ghcr: | ||
| for image in node-chrome standalone-chrome \ | ||
| node-chromium standalone-chromium \ | ||
| node-chrome-for-testing standalone-chrome-for-testing \ | ||
| node-edge standalone-edge \ | ||
| node-firefox standalone-firefox; do \ | ||
| docker images --format "{{.Tag}}" "$(NAME)/$$image" | grep -v "^<none>$$" | while IFS= read -r tag; do \ | ||
| docker buildx imagetools create \ | ||
| --tag $(GHCR_NAMESPACE)/$$image:$$tag \ | ||
| docker.io/$(NAME)/$$image:$$tag ; \ | ||
| done ; \ | ||
| done | ||
|
|
||
| mirror_browser_images_ghcr: | ||
| for image in node-$(BROWSER_NAME) standalone-$(BROWSER_NAME); do \ | ||
| docker images --format "{{.Tag}}" "$(NAME)/$$image" | grep -v "^<none>$$" | while IFS= read -r tag; do \ | ||
| docker buildx imagetools create \ | ||
| --tag $(GHCR_NAMESPACE)/$$image:$$tag \ | ||
| docker.io/$(NAME)/$$image:$$tag ; \ | ||
| done ; \ | ||
| done |
Contributor
There was a problem hiding this comment.
4. Mirror can silently no-op 🐞 Bug ✓ Correctness
The new Makefile GHCR mirroring targets can exit successfully without mirroring anything when docker images returns no tags, because the grep | while pipeline returns success even on empty input.
Agent Prompt
### Issue description
`tag_and_push_browser_images_ghcr` / `mirror_browser_images_ghcr` can succeed while mirroring nothing if no local tags are found for the images, due to pipeline exit status behavior.
### Issue Context
Current implementation:
- lists tags with `docker images --format "{{.Tag}}" "$(NAME)/$image"`
- filters with `grep -v "^<none>$"`
- iterates via `while read -r tag; do ...; done`
This pattern returns success even with zero tags.
### Fix Focus Areas
- Makefile[472-492]
### Suggested fix
Capture tags into a variable and explicitly error if empty, e.g.:
```make
mirror_browser_images_ghcr:
for image in node-$(BROWSER_NAME) standalone-$(BROWSER_NAME); do \
tags="$$(docker images --format '{{.Tag}}' '$(NAME)/'$$image | grep -v '^<none>$$' || true)"; \
if [ -z "$$tags" ]; then \
echo "No local tags found for $(NAME)/$$image; cannot mirror" >&2; \
exit 1; \
fi; \
for tag in $$tags; do \
docker buildx imagetools create --tag $(GHCR_NAMESPACE)/$$image:$$tag docker.io/$(NAME)/$$image:$$tag; \
done; \
done
```
Optionally add `set -e`/`pipefail` within the recipe to ensure failures propagate.
ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools
KyleAure
reviewed
Mar 24, 2026
There was a problem hiding this comment.
If space is a concern on ghcr, perhaps we should skip uploading nightly builds to ghcri.
Signed-off-by: Viet Nguyen Duc <nguyenducviet4496@gmail.com>
Signed-off-by: Viet Nguyen Duc <nguyenducviet4496@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Thanks for contributing to the Docker-Selenium project!
A PR well described will help maintainers to quickly review and merge it
Before submitting your PR, please check our contributing guidelines, applied for this repository.
Avoid large PRs, help reviewers by making them as simple and short as possible.
Description
Fixes #2939
Motivation and Context
Types of changes
Checklist