.github/workflows/ghcr.yml - rust - Git at Google

 # Mirror DockerHub images used by the Rust project to ghcr.io.
 # Images are available at https://github.com/orgs/rust-lang/packages.
 #
 # In some CI jobs, we pull images from ghcr.io instead of Docker Hub because
 # Docker Hub has a rate limit, while ghcr.io doesn't.
 # Those images are pushed to ghcr.io by this job.
 #
 # While Docker Hub rate limit *shouldn't* be an issue on GitHub Actions,
 # it certainly is for AWS codebuild.
 #
 # Note that authenticating to DockerHub or other registries isn't possible
 # for PR jobs, because forks can't access secrets.
 # That's why we use ghcr.io: it has no rate limit and it doesn't require authentication.

 name: GHCR image mirroring

 on:
   workflow_dispatch:
   schedule:
     # Run daily at midnight UTC
     - cron: '0 0 * * *'

 jobs:
   mirror:
     name: DockerHub mirror
     runs-on: ubuntu-24.04
     if: github.repository == 'rust-lang/rust'
     permissions:
       # Needed to write to the ghcr.io registry
       packages: write
     steps:
       - uses: actions/checkout@v5
         with:
           persist-credentials: false

       - name: Log in to registry
         run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin

       # Download crane in the current directory.
       # We use crane because it copies the docker image for all the architectures available in
       # DockerHub for the image.
       # Learn more about crane at
       # https://github.com/google/go-containerregistry/blob/main/cmd/crane/README.md
       - name: Download crane
         run: |
           curl -sL "https://github.com/google/go-containerregistry/releases/download/${VERSION}/go-containerregistry_${OS}_${ARCH}.tar.gz" | tar -xzf -
         env:
           VERSION: v0.20.2
           OS: Linux
           ARCH: x86_64

       - name: Mirror DockerHub
         run: |
           # List of DockerHub images to mirror to ghcr.io
           images=(
             # Mirrored because used by the tidy job, which doesn't cache Docker images
             "ubuntu:22.04"
             # Mirrored because used by all linux CI jobs, including tidy
             "moby/buildkit:buildx-stable-1"
             # Mirrored because used when CI is running inside a Docker container
             "alpine:3.4"
             # Mirrored because used by dist-x86_64-linux
             "centos:7"
           )

           # Mirror each image from DockerHub to ghcr.io
           for img in "${images[@]}"; do
             echo "Mirroring ${img}..."
             # Remove namespace from the image if any.
             # E.g. "moby/buildkit:buildx-stable-1" becomes "buildkit:buildx-stable-1"
             dest_image=$(echo "${img}" | cut -d'/' -f2-)
             ./crane copy \
               "docker.io/${img}" \
               "ghcr.io/${{ github.repository_owner }}/${dest_image}"
           done
	# Mirror DockerHub images used by the Rust project to ghcr.io.
	# Images are available at https://github.com/orgs/rust-lang/packages.
	#
	# In some CI jobs, we pull images from ghcr.io instead of Docker Hub because
	# Docker Hub has a rate limit, while ghcr.io doesn't.
	# Those images are pushed to ghcr.io by this job.
	#
	# While Docker Hub rate limit shouldn't be an issue on GitHub Actions,
	# it certainly is for AWS codebuild.
	#
	# Note that authenticating to DockerHub or other registries isn't possible
	# for PR jobs, because forks can't access secrets.
	# That's why we use ghcr.io: it has no rate limit and it doesn't require authentication.

	name: GHCR image mirroring

	on:
	workflow_dispatch:
	schedule:
	# Run daily at midnight UTC
	- cron: '0 0 * * *'

	jobs:
	mirror:
	name: DockerHub mirror
	runs-on: ubuntu-24.04
	if: github.repository == 'rust-lang/rust'
	permissions:
	# Needed to write to the ghcr.io registry
	packages: write
	steps:
	- uses: actions/checkout@v5
	with:
	persist-credentials: false

	- name: Log in to registry
	run: echo "${{ secrets.GITHUB_TOKEN }}" \| docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin

	# Download crane in the current directory.
	# We use crane because it copies the docker image for all the architectures available in
	# DockerHub for the image.
	# Learn more about crane at
	# https://github.com/google/go-containerregistry/blob/main/cmd/crane/README.md
	- name: Download crane
	run: \|
	curl -sL "https://github.com/google/go-containerregistry/releases/download/${VERSION}/go-containerregistry_${OS}_${ARCH}.tar.gz" \| tar -xzf -
	env:
	VERSION: v0.20.2
	OS: Linux
	ARCH: x86_64

	- name: Mirror DockerHub
	run: \|
	# List of DockerHub images to mirror to ghcr.io
	images=(
	# Mirrored because used by the tidy job, which doesn't cache Docker images
	"ubuntu:22.04"
	# Mirrored because used by all linux CI jobs, including tidy
	"moby/buildkit:buildx-stable-1"
	# Mirrored because used when CI is running inside a Docker container
	"alpine:3.4"
	# Mirrored because used by dist-x86_64-linux
	"centos:7"
	)

	# Mirror each image from DockerHub to ghcr.io
	for img in "${images[@]}"; do
	echo "Mirroring ${img}..."
	# Remove namespace from the image if any.
	# E.g. "moby/buildkit:buildx-stable-1" becomes "buildkit:buildx-stable-1"
	dest_image=$(echo "${img}" \| cut -d'/' -f2-)
	./crane copy \
	"docker.io/${img}" \
	"ghcr.io/${{ github.repository_owner }}/${dest_image}"
	done