rust/.github/workflows/ghcr.yml

# Mirror DockerHub images used by the Rust project to ghcr.io.
# Images are available at https://github.com/orgs/rust-lang/packages.
#
# In some CI jobs, we pull images from ghcr.io instead of Docker Hub because
# Docker Hub has a rate limit, while ghcr.io doesn't.
# Those images are pushed to ghcr.io by this job.
#
# While Docker Hub rate limit *shouldn't* be an issue on GitHub Actions,
# it certainly is for AWS codebuild.
#
# Note that authenticating to DockerHub or other registries isn't possible
# for PR jobs, because forks can't access secrets.
# That's why we use ghcr.io: it has no rate limit and it doesn't require authentication.

name: GHCR image mirroring

on:
  workflow_dispatch:
  schedule:
    # Run daily at midnight UTC
    - cron: '0 0 * * *'

jobs:
  mirror:
    name: DockerHub mirror
    runs-on: ubuntu-24.04
    if: github.repository == 'rust-lang/rust'
    permissions:
      # Needed to write to the ghcr.io registry
      packages: write
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: Log in to registry
        run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin

      # Download crane in the current directory.
      # We use crane because it copies the docker image for all the architectures available in
      # DockerHub for the image.
      # Learn more about crane at
      # https://github.com/google/go-containerregistry/blob/main/cmd/crane/README.md
      - name: Download crane
        run: |
          curl -sL "https://github.com/google/go-containerregistry/releases/download/${VERSION}/go-containerregistry_${OS}_${ARCH}.tar.gz" | tar -xzf -
        env:
          VERSION: v0.20.2
          OS: Linux
          ARCH: x86_64

      - name: Mirror DockerHub
        run: |
          # List of DockerHub images to mirror to ghcr.io
          images=(
            # Mirrored because used by the mingw-check-tidy, which doesn't cache Docker images
            "ubuntu:22.04"
            # Mirrored because used by all linux CI jobs, including mingw-check-tidy
            "moby/buildkit:buildx-stable-1"
            # Mirrored because used when CI is running inside a Docker container
            "alpine:3.4"
            # Mirrored because used by dist-x86_64-linux
            "centos:7"
          )

          # Mirror each image from DockerHub to ghcr.io
          for img in "${images[@]}"; do
            echo "Mirroring ${img}..."
            # Remove namespace from the image if any.
            # E.g. "moby/buildkit:buildx-stable-1" becomes "buildkit:buildx-stable-1"
            dest_image=$(echo "${img}" | cut -d'/' -f2-)
            ./crane copy \
              "docker.io/${img}" \
              "ghcr.io/${{ github.repository_owner }}/${dest_image}"
          done