Skip to content

Mirror released image to GCP Artifact Registry [REMOTE-2031]#93

Draft
seemeroland wants to merge 1 commit into
mainfrom
oz-agent/REMOTE-2031-mirror-worker-image
Draft

Mirror released image to GCP Artifact Registry [REMOTE-2031]#93
seemeroland wants to merge 1 commit into
mainfrom
oz-agent/REMOTE-2031-mirror-worker-image

Conversation

@seemeroland

Copy link
Copy Markdown
Contributor

Summary

Mirrors the released oz-agent-worker container image to GCP alongside warp-agent and the *-sidecar images (REMOTE-2031).

Previously the worker image was only published to Docker Hub. The warp-agent and *-sidecar images are already mirrored to a public GCP Artifact Registry repo (warp-public-images); this adds oz-agent-worker to that same mirror so consumers (e.g. self-hosted / enterprise) can pull the worker from the GCP mirror, not just Docker Hub.

What changed

.github/workflows/build_release.yml (the docker job):

  • Added id-token: write permission so the job can mint a GitHub OIDC token.
  • After the existing Docker Hub build/push, added steps to authenticate to GCP via Workload Identity Federation (same provider used by the sidecar release workflow) and log in to us-east4-docker.pkg.dev.
  • Added a mirror step that uses docker buildx imagetools create to copy the just-published multi-arch manifest from Docker Hub to us-east4-docker.pkg.dev/astral-field-294621/warp-public-images/oz-agent-worker, preserving the exact digest. It mirrors the immutable timestamp tag and (when applicable) latest.
  • All mirror steps are gated on inputs.docker_tag != '', so they only run for tagged releases (when the image is actually pushed).

README.md: documented pulling the worker from the GCP mirror.

Dependency / rollout ordering

The mirror step requires the IAM writer grant added in the companion warp-terraform PR (warpdotdev/warp-terraform#1240). That terraform change must be applied before this merges to main, otherwise the mirror step will fail to authenticate. The Docker Hub push happens before the mirror step, so the primary release path is unaffected even if the mirror step fails.

Verification

Once both changes are live, the next release will publish the worker to the mirror. Confirm with:

docker pull us-east4-docker.pkg.dev/astral-field-294621/warp-public-images/oz-agent-worker:latest

Conversation: https://staging.warp.dev/conversation/471d8b43-baef-48dc-9b3e-9b05662e5d2b
Run: https://oz.staging.warp.dev/runs/019f1459-5ace-7e98-b24d-5f7c29ccd9f2

This PR was generated with Oz.

After pushing the worker image to Docker Hub, mirror the same
multi-arch manifest into the public GCP Artifact Registry repo
(us-east4-docker.pkg.dev/astral-field-294621/warp-public-images)
that already hosts warp-agent and the *-sidecar images, so consumers
(e.g. self-hosted / enterprise) can pull the worker from the GCP
mirror, not just Docker Hub.

The mirror step authenticates to GCP via Workload Identity Federation
(requires the writer grant added in warp-terraform) and uses
`docker buildx imagetools create` to copy the image by digest without
rebuilding. It only runs for tagged releases.

Co-Authored-By: Oz <oz-agent@warp.dev>
@seemeroland seemeroland added the from-feedback-bot Linear issue delegated from Feedback Bot label Jun 29, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

from-feedback-bot Linear issue delegated from Feedback Bot

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant