From atum-workflows
Docker image registries deployment pattern library — push and pull images to Docker Hub (public + private), GitHub Container Registry (GHCR with GitHub Actions integration), AWS Elastic Container Registry (ECR with IAM auth + ECR Public Gallery), Google Artifact Registry (GAR replacement for GCR), Azure Container Registry (ACR), GitLab Container Registry, and self-hosted options (Harbor, Nexus). Covers multi-arch builds with buildx (linux/amd64 + linux/arm64 for Apple Silicon + Graviton), build caching strategies, layer optimization, image signing with cosign, vulnerability scanning with Trivy / Snyk / Docker Scout, tag conventions (semver, git sha, latest), and automated publishing via GitHub Actions and GitLab CI. Use when publishing Docker images to a registry, setting up multi-arch builds, automating image publication via CI, scanning for vulnerabilities, or signing images for supply chain security. Differentiates from other deploy skills by targeting the image registry step that sits between local build and runtime deployment.
npx claudepluginhub arnwaldn/atum-plugins-collection --plugin atum-workflowsThis skill uses the workspace's default tool permissions.
Patterns pour builder, signer, scanner et pousser des images Docker vers les principaux registries en 2025.
Searches, retrieves, and installs Agent Skills from prompts.chat registry using MCP tools like search_skills and get_skill. Activates for finding skills, browsing catalogs, or extending Claude.
Searches prompts.chat for AI prompt templates by keyword or category, retrieves by ID with variable handling, and improves prompts via AI. Use for discovering or enhancing prompts.
Executes pre-written implementation plans: critically reviews, follows bite-sized steps exactly, runs verifications, tracks progress with checkpoints, uses git worktrees, stops on blockers.
Patterns pour builder, signer, scanner et pousser des images Docker vers les principaux registries en 2025.
docker login
# Tag
docker build -t myorg/myapp:1.0.0 .
docker tag myorg/myapp:1.0.0 myorg/myapp:latest
# Push
docker push myorg/myapp:1.0.0
docker push myorg/myapp:latest
Rate limits pour anonymous pulls : 100 pulls / 6h / IP → utiliser un login même pour pull public.
# Login avec PAT (scope write:packages)
echo $GITHUB_TOKEN | docker login ghcr.io -u USERNAME --password-stdin
# Tag
docker tag myapp:latest ghcr.io/username/myapp:1.0.0
# Push
docker push ghcr.io/username/myapp:1.0.0
# .github/workflows/docker-publish.yml
name: Build and push Docker image
on:
push:
branches: [main]
tags: ['v*']
jobs:
build:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
steps:
- uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Log in to GHCR
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata
id: meta
uses: docker/metadata-action@v5
with:
images: ghcr.io/${{ github.repository }}
tags: |
type=ref,event=branch
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=sha,prefix=sha-
- name: Build and push
uses: docker/build-push-action@v5
with:
context: .
platforms: linux/amd64,linux/arm64
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
Avantages GHCR :
GITHUB_TOKEN auto-fourni, pas de PAT custom# Login via AWS CLI
aws ecr get-login-password --region eu-west-3 | \
docker login --username AWS --password-stdin 123456789012.dkr.ecr.eu-west-3.amazonaws.com
# Créer un repo (une fois)
aws ecr create-repository --repository-name myapp --region eu-west-3
# Tag + push
docker tag myapp:latest 123456789012.dkr.ecr.eu-west-3.amazonaws.com/myapp:1.0.0
docker push 123456789012.dkr.ecr.eu-west-3.amazonaws.com/myapp:1.0.0
Pour des images publiques hébergées sur AWS gratuitement :
aws ecr-public get-login-password --region us-east-1 | \
docker login --username AWS --password-stdin public.ecr.aws
docker tag myapp:latest public.ecr.aws/myorg/myapp:1.0.0
docker push public.ecr.aws/myorg/myapp:1.0.0
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: arn:aws:iam::123456789012:role/gh-actions-ecr
aws-region: eu-west-3
- name: Login to ECR
uses: aws-actions/amazon-ecr-login@v2
Configurer l'IAM role avec trust policy GitHub OIDC pour éviter les AWS_ACCESS_KEY_ID dans les secrets.
GCR est déprécié en 2024+ → utiliser Artifact Registry.
# Auth via gcloud
gcloud auth configure-docker europe-west1-docker.pkg.dev
# Créer un repo
gcloud artifacts repositories create myapp-repo \
--repository-format=docker \
--location=europe-west1 \
--description="My app images"
# Tag + push
docker tag myapp:latest europe-west1-docker.pkg.dev/my-gcp-project/myapp-repo/myapp:1.0.0
docker push europe-west1-docker.pkg.dev/my-gcp-project/myapp-repo/myapp:1.0.0
# Login
az acr login --name myregistry
# Créer un ACR (une fois)
az acr create --resource-group myRG --name myregistry --sku Basic
# Tag + push
docker tag myapp:latest myregistry.azurecr.io/myapp:1.0.0
docker push myregistry.azurecr.io/myapp:1.0.0
Intégré gratuitement dans chaque project GitLab :
# Login via CI/CD token
docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
# Tag
docker tag myapp:latest $CI_REGISTRY_IMAGE:$CI_COMMIT_TAG
# Push
docker push $CI_REGISTRY_IMAGE:$CI_COMMIT_TAG
Les variables $CI_REGISTRY* sont auto-injectées dans les jobs GitLab CI.
En 2025, les M1/M2/M3 Macs et AWS Graviton nécessitent des images linux/arm64. Les serveurs classiques restent linux/amd64.
# Setup buildx
docker buildx create --use --name multiarch
# Build multi-arch en un seul push
docker buildx build \
--platform linux/amd64,linux/arm64 \
--tag myorg/myapp:1.0.0 \
--push \
.
FROM --platform=$BUILDPLATFORM node:20-alpine AS builder
ARG TARGETPLATFORM
WORKDIR /app
COPY package.json pnpm-lock.yaml ./
RUN corepack enable && pnpm install --frozen-lockfile
COPY . .
RUN pnpm build
FROM node:20-alpine AS runner
WORKDIR /app
COPY --from=builder /app/dist ./dist
COPY --from=builder /app/node_modules ./node_modules
CMD ["node", "dist/index.js"]
$BUILDPLATFORM = la plateforme de la machine qui build (rapide), $TARGETPLATFORM = la plateforme cible.
# Install cosign
brew install cosign # macOS
# ou https://docs.sigstore.dev/cosign/installation/
# Générer une paire de clés
cosign generate-key-pair
# Signer
cosign sign --key cosign.key myorg/myapp:1.0.0
# Vérifier
cosign verify --key cosign.pub myorg/myapp:1.0.0
# Signer avec OIDC identity (GitHub, Google, Microsoft)
cosign sign myorg/myapp:1.0.0
# → ouvre un navigateur pour OAuth
# → signature stockée dans Rekor transparency log
Dans GitHub Actions :
- uses: sigstore/cosign-installer@v3
- run: cosign sign --yes ghcr.io/${{ github.repository }}:${{ github.sha }}
env:
COSIGN_EXPERIMENTAL: "true"
# Install
brew install aquasecurity/trivy/trivy
# Scan
trivy image myorg/myapp:1.0.0
# Fail si HIGH ou CRITICAL
trivy image --severity HIGH,CRITICAL --exit-code 1 myorg/myapp:1.0.0
En GitHub Actions :
- name: Scan image with Trivy
uses: aquasecurity/trivy-action@master
with:
image-ref: ghcr.io/${{ github.repository }}:${{ github.sha }}
format: sarif
output: trivy-results.sarif
severity: HIGH,CRITICAL
exit-code: 1
docker scout cves myorg/myapp:1.0.0
docker scout recommendations myorg/myapp:1.0.0
snyk container test myorg/myapp:1.0.0
snyk container monitor myorg/myapp:1.0.0
| Tag | Usage |
|---|---|
latest | À éviter en prod — pointe vers le dernier push, pas immuable |
1.2.3 (semver) | Version stable immuable |
1.2 (minor) | Auto-update vers le dernier patch |
1 (major) | Auto-update vers le dernier minor.patch |
sha-abc1234 (commit) | Reproducible, utile en CI |
main / develop | Dernier build de la branche |
pr-123 | Build par PR |
Règle prod : déployer avec un tag immuable (1.2.3 ou sha-abc1234), jamais latest.
latest en prod → surprise au prochain docker pull, pas de reproductibilitéARG SECRET=xxx apparaît dans l'image finale.dockerignore → upload node_modules, .git, secretsUSER non-root → security issueamd64) → cassé sur M1 Macs et Gravitonmyapp:prod qui change chaque deploy, difficile à rollbackUSER non-root.dockerignore committélatest en prod)deploy-railway, deploy-fly, deploy-cloudflaredevops-expertsecurity-reviewer + supply-chain-risk-auditor