Mirror released image to GCP Artifact Registry [REMOTE-2031]#93
Draft
seemeroland wants to merge 1 commit into
Draft
Mirror released image to GCP Artifact Registry [REMOTE-2031]#93seemeroland wants to merge 1 commit into
seemeroland wants to merge 1 commit into
Conversation
After pushing the worker image to Docker Hub, mirror the same multi-arch manifest into the public GCP Artifact Registry repo (us-east4-docker.pkg.dev/astral-field-294621/warp-public-images) that already hosts warp-agent and the *-sidecar images, so consumers (e.g. self-hosted / enterprise) can pull the worker from the GCP mirror, not just Docker Hub. The mirror step authenticates to GCP via Workload Identity Federation (requires the writer grant added in warp-terraform) and uses `docker buildx imagetools create` to copy the image by digest without rebuilding. It only runs for tagged releases. Co-Authored-By: Oz <oz-agent@warp.dev>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Mirrors the released
oz-agent-workercontainer image to GCP alongsidewarp-agentand the*-sidecarimages (REMOTE-2031).Previously the worker image was only published to Docker Hub. The
warp-agentand*-sidecarimages are already mirrored to a public GCP Artifact Registry repo (warp-public-images); this addsoz-agent-workerto that same mirror so consumers (e.g. self-hosted / enterprise) can pull the worker from the GCP mirror, not just Docker Hub.What changed
.github/workflows/build_release.yml(thedockerjob):id-token: writepermission so the job can mint a GitHub OIDC token.us-east4-docker.pkg.dev.docker buildx imagetools createto copy the just-published multi-arch manifest from Docker Hub tous-east4-docker.pkg.dev/astral-field-294621/warp-public-images/oz-agent-worker, preserving the exact digest. It mirrors the immutable timestamp tag and (when applicable)latest.inputs.docker_tag != '', so they only run for tagged releases (when the image is actually pushed).README.md: documented pulling the worker from the GCP mirror.Dependency / rollout ordering
The mirror step requires the IAM writer grant added in the companion warp-terraform PR (
warpdotdev/warp-terraform#1240). That terraform change must be applied before this merges tomain, otherwise the mirror step will fail to authenticate. The Docker Hub push happens before the mirror step, so the primary release path is unaffected even if the mirror step fails.Verification
Once both changes are live, the next release will publish the worker to the mirror. Confirm with:
Conversation: https://staging.warp.dev/conversation/471d8b43-baef-48dc-9b3e-9b05662e5d2b
Run: https://oz.staging.warp.dev/runs/019f1459-5ace-7e98-b24d-5f7c29ccd9f2
This PR was generated with Oz.