Skip to content

Comments

Support OCI#4

Open
cyrillkuettel wants to merge 1 commit intomasterfrom
oci
Open

Support OCI#4
cyrillkuettel wants to merge 1 commit intomasterfrom
oci

Conversation

@cyrillkuettel
Copy link
Member

@cyrillkuettel cyrillkuettel commented Feb 17, 2026
edited
Loading

OCI Image Format Support

Problem

Pulling images from GHCR started failing with:

HEAD https://ghcr.io/v2/onegov/onegov-cloud/manifests/release-2026.6 returned 404 Not Found

Root Cause

If attestations are enabled, this forces images to be pushed in OCI format instead of the traditional Docker
format.

roots only supported Docker manifest types:

  • application/vnd.docker.distribution.manifest.v2+json
  • application/vnd.docker.distribution.manifest.list.v2+json

GHCR rejects requests without proper OCI Accept headers:

TOKEN=$(curl -s "https://ghcr.io/token?scope=repository:onegov/onegov-cloud:pull" | jq -r .token)

# Fails - no OCI Accept header
curl -s -H "Authorization: Bearer $TOKEN" \
  "https://ghcr.io/v2/onegov/onegov-cloud/manifests/release-2026.6"

# {"errors":[{"code":"MANIFEST_UNKNOWN","message":"OCI index found, but Accept header does not support OCI indexes"}]}

# Works - with OCI Accept header
curl -s -H "Authorization: Bearer $TOKEN" \
  -H "Accept: application/vnd.oci.image.index.v1+json" \
  "https://ghcr.io/v2/onegov/onegov-cloud/manifests/release-2026.6"

# Solution

Add OCI media type support:
- application/vnd.oci.image.index.v1+json (multi-arch index)
- application/vnd.oci.image.manifest.v1+json (image manifest)

#  Old releases still use Docker format, new releases use OCI:

TOKEN=$(curl -s "https://ghcr.io/token?scope=repository:onegov/onegov-cloud:pull" | jq -r .token)

# Docker format (old)
curl -s -H "Authorization: Bearer $TOKEN" \
  -H "Accept: application/vnd.docker.distribution.manifest.v2+json, application/vnd.oci.image.index.v1+json" \
  "https://ghcr.io/v2/onegov/onegov-cloud/manifests/release-2025.63" | jq .mediaType
# "application/vnd.docker.distribution.manifest.v2+json"

# OCI format (new)
curl -s -H "Authorization: Bearer $TOKEN" \
  -H "Accept: application/vnd.docker.distribution.manifest.v2+json, application/vnd.oci.image.index.v1+json" \
  "https://ghcr.io/v2/onegov/onegov-cloud/manifests/release-2026.6" | jq .mediaType
# "application/vnd.oci.image.index.v1+json"

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@cyrillkuettel