shields icon indicating copy to clipboard operation
shields copied to clipboard

Published 20 hours ago verified publisher icon badges

Badge Request: GitHub Container Registry

Open cicirello opened this issue 3 years ago • 28 comments

:clipboard: Description

GitHub recently introduced the GitHub Container Registry (see: https://github.blog/2020-09-01-introducing-github-container-registry/). It would be nice if there were badges available similar to those that shields has for Docker image version, image size, and pulls, but for the new GitHub Container Registry.

:link: Data

I'm not sure if GitHub has an API for this yet.

:microphone: Motivation

Motivation is the same as that of the equivalent badges that already exist for Docker Hub, but targeting the GitHub Container Registry instead. Providing a nice concise visual summary of some of the key statistics one might be interested in with a Docker image, but for images available in the GCR.

cicirello avatar Sep 23 '20 17:09 cicirello

Given this is essentially a feature related to the package registry, I suspect this one is probably going to end up blocked on #4169 (tldr: the github tokens we have don't have the necessary scope to read package metadata) once the API endpoints are available, but we'll see..

chris48s avatar Sep 23 '20 18:09 chris48s

🙏

adriens avatar Oct 20 '21 22:10 adriens

kidager avatar Feb 09 '22 14:02 kidager

To get the pull counter of the image published on ghcr, you can use PackageStatistics or PackageVersionStatistics in GraphQL API (needs auth).

To get information of tags and sizes of public images on ghcr.io, you can use https://ghcr.io/v2/ as Docker Registry HTTP API V2's endpoint like DockerHub.

Here is my example with curl:

# public image's {USER}/{IMAGE}
USER_IMAGE=eggplants/asciiquarium-docker

# get fake token ('{"token":"***"}' -> '***')
TOKEN="$(
  curl "https://ghcr.io/token?scope=repository:${USER_IMAGE}:pull" |
  awk -F'"' '$0=$4'
)"

_curl(){ curl -H "Authorization: Bearer ${TOKEN}" "$1" }

# get tags
_curl "https://ghcr.io/v2/${USER_IMAGE}/tags/list"
# >>> {"name":"eggplants/asciiquarium-docker","tags":["0.0.0","0.0","latest"]}

# get manifest of the latest image
_curl "https://ghcr.io/v2/${USER_IMAGE}/manifests/latest"
# >>>
# {
#    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
#    "schemaVersion": 2,
#    "config": {
#       "mediaType": "application/vnd.docker.container.image.v1+json",
#       "digest": "sha256:fb4552eacdc8e01082f87bae6a0fec6e1b61630f0a1e5a0e6a699d05ff0337fd",
#       "size": 5551
#    },
#    "layers": [
#       {
#          "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
#          "digest": "sha256:4be315f6562fccf08fd6c749557e31e45ab6d987370e20e2c4933ddb04ddd5ff",
#          "size": 27140664
#       }, ...

eggplants avatar May 10 '22 19:05 eggplants

Thank you for sharing @eggplants though to be clear, this is not blocked on the basics of the api request/response, but due to the associated scopes required by github, which our tokens do not have.

This is blocked on that much bigger topic detailed in https://github.com/badges/shields/issues/4169

calebcartwright avatar May 10 '22 19:05 calebcartwright

The number of pulls seems difficult to fetch, but it would be relatively easy to get just the tags and their image sizes, which do not require authentication.

eggplants avatar May 10 '22 20:05 eggplants

The number of pulls seems difficult to fetch, but it would be relatively easy to get just the tags and their image sizes, which do not require authentication.

Gotcha, thanks for the clarification! In that case think it would probably make sense at this point to extract a separate issue for version and size badges to discuss the viability of the proposed approach, and we narrow the scope of this blocked one to pulls

calebcartwright avatar May 10 '22 20:05 calebcartwright

I have implemented eggplants/ghcr-badge on a trial basis: latest_tag size tags

eggplants avatar May 12 '22 23:05 eggplants

you can also hard code the token per image:

curl -H "Authorization: Bearer $(echo "v1:$USER_IMAGE:0" | base64)" "https://ghcr.io/v2/$USER_IMAGE/tags/list"

asssaf avatar May 15 '22 18:05 asssaf

@asssaf Thanks! https://github.com/eggplants/ghcr-badge/commit/f5504c4bbe03fbc8e0899fb8c2ba917f5b68c06e

eggplants avatar May 15 '22 18:05 eggplants

With the coming shutdown of free organizations on Docker Hub, we also plan to migrate to ghcr.io - what is the state of this implementation right now? I really do not want to stress this :grin: ! Take your time :heart_on_fire:

simonmicro avatar Mar 14 '23 20:03 simonmicro

+1 on this

trajan0x avatar Sep 11 '23 06:09 trajan0x

i'm trying with GraphQL api, and even with a Personal Access Token set in headers, I don't receive any package in the results Would anyone have a tip ? :)

  • Request

Authorization: bearer XXXXXXXXX

query {
  organization(login: "oxsecurity") {
      name
      isVerified
    packages(first: 100) {
        nodes {
            name
            packageType
            statistics {
                downloadsTotalCount
            }
        }
    }
  }
}
  • Result
{
    "data": {
        "organization": {
            "name": "OX Security",
            "isVerified": true,
            "packages": {
                "nodes": []
            }
        }
    }
}

nvuillam avatar Oct 20 '23 17:10 nvuillam

@nvuillam It doesn't seem to work. https://github.com/eggplants/ghcr-badge/issues/72#issuecomment-1665988472

eggplants avatar Oct 21 '23 08:10 eggplants

@nvuillam It doesn't seem to work. eggplants/ghcr-badge#72 (comment)

That' really sad :(

Thanks for the reply !

nvuillam avatar Oct 21 '23 10:10 nvuillam

@nvuillam It doesn't seem to work. eggplants/ghcr-badge#72 (comment)

That' really sad :(

Thanks for the reply !

@nvuillam try a repository query (instead of an organization query) to get the packages for the megalinter repository. It looks like all of your public packages are associated with that repository, so that might work. I didn't try this so I don't know for sure if it will work, but I think it might.

cicirello avatar Oct 21 '23 12:10 cicirello

@cicirello You can try this query from https://docs.github.com/en/graphql/overview/explorer. And repository.packages is also empty.

query {
  repository(owner: "oxsecurity", name: "megalinter") {
    name    
    packages(first: 1) {
      nodes {
        name
        packageType
        statistics {
          downloadsTotalCount
        }
      }
    }
  }
}

image

Note that oxsecurity/megalinter has 165 Packages.

eggplants avatar Dec 09 '23 21:12 eggplants

I confirm, I still did not find any way to query stats for MegaLinter packages :/

nvuillam avatar Dec 09 '23 22:12 nvuillam

It's sad that the GraphQL API from GitHub doesn't work.

I ended up with a tool to parse the HTML page and list only named versions

range 1 5 page
|| open https://github.com/timeplus-io/proton/pkgs/container/proton/versions?page=$page$ --cache false --html --hashtml|| filter "(nodeName=='LI') and attributes.class =='Box-row'" || sequence
|| html innerHTML || filter "(_html.nodeName == 'A')" ||rename _html.innerText version || startswith version '1.3.'  || html innerHTML || filter "(_html.nodeName == 'SPAN' and _html.attributes.style =='white-space:nowrap;')"||rename _html.innerText downloads || replace downloads 'Version downloads' ''||table version downloads
image

jovezhong avatar Dec 10 '23 22:12 jovezhong

I thought to build something similar, like github-dependent-infos scraps to get the number and list of dependent repos...

But a working API would be the best, we're just looking for simple numbers :(

nvuillam avatar Dec 10 '23 22:12 nvuillam