Skip to main content
Version: 1.2

Distributing OCI Artifacts to Remote Registries

Remote OCI registries allow you to share container images and other artifacts. There are many public and private remote registries available, but this example uses GitHub Container Registry (GHCR). This document covers the steps you need to preform to share artifacts on a remote registry. You may also experiment with ORAS using a local container registry on your computer.

Authentication

Most remote registry will require you to authenticate before you can push or pull artifacts. The oras login command is used for authentication.

On GHCR, you can get an authentication token by going to user Settings, Developer Settings, Personal Access Tokens, and Tokens (classic). GHCR currently only supports classic tokens for authentication. Click on Generate New Token (classic) and allow read, write and delete packages. Copy the generated token and set it to an environment variable. The URL for GHCR is ghcr.io.

GHCR_USER='my_github_username'
GHCR_TOKEN='ghp_MYTOKEN'
echo "${GHCR_TOKEN}" | oras login --username "${GHCR_USER}" --password-stdin ghcr.io

Create an artifact

An artifact shared on a registry could be a container image, helm chart or just a simple file. This example will use a simple file:

echo "hello world" > artifact.txt

Push the artifact

The oras push is used to push artifacts to registries.

oras push ghcr.io/${GHCR_USER}/my-repository:v1 artifact.txt

The output will look something like this:

✓ Uploaded  application/vnd.oci.empty.v1+json                                                                2/2  B 100.00%  913ms
└─ sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
✓ Uploaded artifact.txt 12/12 B 100.00% 912ms
└─ sha256:a948904f2f0f479b8f8197694b30184b0d2ed1c1cd2a1ec0fb85d299a192a447
✓ Uploaded application/vnd.oci.image.manifest.v1+json 591/591 B 100.00% 717ms
└─ sha256:b557297d52ec1bee854717827994fb616bffe936c583c7ce66fb21eb0c557df6
Pushed [registry] ghcr.io/my_github_username/my-repository:v1
ArtifactType: application/vnd.unknown.artifact.v1
Digest: sha256:b557297d52ec1bee854717827994fb616bffe936c583c7ce66fb21eb0c557df6

Pull the artifact

Use the oras pull command to download the artifact.

oras pull ghcr.io/${GHCR_USER}/my-repository:v1

The output will look something like this:

✓ Pulled      artifact.txt                                                                                 12/12  B 100.00%    2ms
└─ sha256:a948904f2f0f479b8f8197694b30184b0d2ed1c1cd2a1ec0fb85d299a192a447
✓ Pulled application/vnd.oci.image.manifest.v1+json 591/591 B 100.00% 329µs
└─ sha256:b557297d52ec1bee854717827994fb616bffe936c583c7ce66fb21eb0c557df6
Pulled [registry] ghcr.io/my_github_username/my-repository:v1
Digest: sha256:b557297d52ec1bee854717827994fb616bffe936c583c7ce66fb21eb0c557df6

The file will be recreated if you deleted it:

% cat artifact.txt 
hello world
%

Referencing an artifact

Use the oras attach command to add a reference to another artifact.

oras attach ghcr.io/${GHCR_USER}/my-repository:v1 --artifact-type 'doc/example' --annotation 'key=val' ref-artifact.txt 

The output will look something like this:

✓ Uploaded  ref-artifact.txt                                                                                           13/13  B 100.00%  490ms
└─ sha256:9e820c753b29c9ea7b85a7d1b9d88107330d625546c216facba451effe1b8dbd
✓ Exists application/vnd.oci.empty.v1+json 2/2 B 100.00% 0s
└─ sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
✓ Uploaded application/vnd.oci.image.manifest.v1+json 746/746 B 100.00% 930ms
└─ sha256:a461956f5500056ca03ee325c4c607ef421dfff6ad1902eeb2da67686c62004b
Attached to [registry] ghcr.io/my_github_username/my-repository@sha256:b557297d52ec1bee854717827994fb616bffe936c583c7ce66fb21eb0c557df6
Digest: sha256:a461956f5500056ca03ee325c4c607ef421dfff6ad1902eeb2da67686c62004b

View referrers

Use oras discover to view referrers.

oras discover ghcr.io/${GHCR_USER}/my-repository:v1

The output will look something like this:

ghcr.io/my_github_username/my-repository@sha256:b557297d52ec1bee854717827994fb616bffe936c583c7ce66fb21eb0c557df6
└── doc/example
└── sha256:a461956f5500056ca03ee325c4c607ef421dfff6ad1902eeb2da67686c62004b