# Container Images

The runtime container image (Pulp 3 control plane) for linux-update-cds is published to
the GitHub Container Registry (GHCR) on every tagged release (`v*`).

- Image: `ghcr.io/<owner>/linux-update-cds-pulp`
- Platforms: `linux/amd64`, `linux/arm64`
- Provenance: SLSA build provenance attestation pushed to the registry
- SBOM: SPDX SBOM attached as an OCI referrer
- Signature: Keyless cosign signature (Sigstore / Fulcio)
The published image is the public, internet-reachable counterpart to the Azure Container
Registry build path documented in `.github/copilot-instructions.md` (which uses
`az acr build` and remains the authoritative path for ACR-only / air-gapped environments).
## 1. Public consumers (commercial cloud, dev workstation)

```bash
docker pull ghcr.io/<owner>/linux-update-cds-pulp:latest
# or pin to a specific release
docker pull ghcr.io/<owner>/linux-update-cds-pulp:v1.2.3
```

Replace `<owner>` with the GitHub organization or user that owns this repository.
## 2. Air-gapped / Azure Government consumers

For air-gapped or Azure Government targets, mirror the GHCR image into your internal ACR rather than pulling directly. Use one of:

### `az acr import` (preferred when the source registry is reachable from Azure)

```bash
az acr import \
  --name <internal-acr-name> \
  --source ghcr.io/<owner>/linux-update-cds-pulp:v1.2.3 \
  --image linux-update-cds/pulp:v1.2.3
```

### `skopeo copy` (for fully disconnected transfer via secure media)

```bash
# On the connected side: copy to an OCI layout on disk
skopeo copy --all \
  docker://ghcr.io/<owner>/linux-update-cds-pulp:v1.2.3 \
  oci:linux-update-cds-pulp:v1.2.3

# Transfer the OCI directory across the boundary, then on the air-gapped side:
skopeo copy --all \
  oci:linux-update-cds-pulp:v1.2.3 \
  docker://<internal-acr-name>.azurecr.us/linux-update-cds/pulp:v1.2.3
```
Per `.github/copilot-instructions.md`, the authoritative ACR-side build is still `az acr build --registry <acr-name> --image linux-update-cds/pulp:<tag> runtime/container-apps/`. The GHCR mirror exists for public/commercial consumers and as a hardened source for downstream mirroring; it is not a replacement for the internal `az acr build` workflow.
## 3. Verifying the image signature (cosign)

GHCR images are signed keyless via the GitHub Actions OIDC issuer. To verify:

```bash
cosign verify \
  --certificate-identity-regexp "^https://github.com/<owner>/linux-update-cds/.github/workflows/ghcr-publish.yml@.*" \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  ghcr.io/<owner>/linux-update-cds-pulp:v1.2.3
```

Successful verification prints the certificate subject (the workflow ref) and the Rekor transparency-log entry.
## 4. Verifying SBOM and provenance

### SBOM (attached as OCI referrer)

```bash
docker buildx imagetools inspect \
  ghcr.io/<owner>/linux-update-cds-pulp:v1.2.3 \
  --format '{{ json .SBOM }}'
```

### SLSA build provenance

With cosign:

```bash
cosign verify-attestation \
  --type slsaprovenance \
  --certificate-identity-regexp "^https://github.com/<owner>/linux-update-cds/.*" \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  ghcr.io/<owner>/linux-update-cds-pulp:v1.2.3
```
## 5. Tagging strategy

| Trigger | Tags pushed |
|---|---|
| `git push` of `v1.2.3` | `1.2.3`, `1.2`, `1`, `latest` |
| `git push` of `v1.2.3-rc1` | `1.2.3-rc1` (no `latest`) |
| `workflow_dispatch` | `sha-<full-sha>` |

`latest` is only updated for stable (non-prerelease) semver tags.
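The following added example (not part of the project's own tooling) encodes the tagging policy from this section and tightens the verification from sections 3 and 4 by pinning the cosign identity to one workflow file and one release ref instead of the `@.*` regexp. It assumes the workflow path `.github/workflows/ghcr-publish.yml` shown in section 3, that a tag-triggered run signs with a `refs/tags/<ref>` identity, and that the image is tagged with the same `v*` ref as in the pull commands above.

```bash
#!/bin/sh
# Added example: derive published tags and an exact Fulcio identity for a release.
REPO_NAME="linux-update-cds"
IMAGE_NAME="linux-update-cds-pulp"
WORKFLOW_PATH=".github/workflows/ghcr-publish.yml"   # assumption: workflow file from section 3
OIDC_ISSUER="https://token.actions.githubusercontent.com"

# tags_for_ref REF [SHA]: the tags the release workflow pushes for a git ref.
# v1.2.3 -> "1.2.3 1.2 1 latest"; v1.2.3-rc1 -> "1.2.3-rc1" (no latest);
# any other ref is treated as a workflow_dispatch run and gets only sha-<full-sha>.
tags_for_ref() {
  ref=$1; sha=$2
  case "$ref" in
    v[0-9]*.[0-9]*.[0-9]*-*)            # semver with a prerelease suffix: never moves latest
      printf '%s\n' "${ref#v}" ;;
    v[0-9]*.[0-9]*.[0-9]*)              # stable semver: full, minor, major, latest
      ver=${ref#v}
      major=${ver%%.*}
      minor=${ver#*.}; minor=${minor%%.*}
      printf '%s %s.%s %s latest\n' "$ver" "$major" "$minor" "$major" ;;
    *)                                  # manual dispatch: immutable sha tag only
      [ -n "$sha" ] || return 1
      printf 'sha-%s\n' "$sha" ;;
  esac
}

# expected_identity OWNER REF: the exact certificate SAN a tag-triggered run of the
# publish workflow carries, so a signature from another workflow or ref is rejected.
expected_identity() {
  printf 'https://github.com/%s/%s/%s@refs/tags/%s\n' "$1" "$REPO_NAME" "$WORKFLOW_PATH" "$2"
}

# verify_release_image OWNER REF: exact-identity signature check, then SLSA provenance.
# Requires cosign and network access; returns non-zero if either check fails.
verify_release_image() {
  owner=$1; ref=$2
  image="ghcr.io/$owner/$IMAGE_NAME:$ref"
  identity=$(expected_identity "$owner" "$ref")
  cosign verify --certificate-identity "$identity" \
    --certificate-oidc-issuer "$OIDC_ISSUER" "$image" >/dev/null \
    || { echo "signature check failed for $image" >&2; return 1; }
  cosign verify-attestation --type slsaprovenance --certificate-identity "$identity" \
    --certificate-oidc-issuer "$OIDC_ISSUER" "$image" >/dev/null \
    || { echo "provenance check failed for $image" >&2; return 1; }
  echo "verified $image against $identity"
}
```

Run `verify_release_image <owner> v1.2.3` after sourcing the file; `tags_for_ref` can be used in CI to assert that a prerelease build did not advance `latest`.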
## 6. License inventory (transitive base layers)

The published image manifest is the source of truth for transitive base-layer licenses.
See `THIRD_PARTY_NOTICES.md` for project-level attribution; for the full per-image
inventory, run `syft ghcr.io/<owner>/linux-update-cds-pulp:<tag>` or inspect the SBOM
referrer as shown above.