MCPcopy Index your code
hub / github.com/concourse/registry-image-resource

github.com/concourse/registry-image-resource @v1.17.0

Chat with this repo
repository ↗ · DeepWiki ↗ · release v1.17.0 ↗ · + Follow
113 symbols 427 edges 19 files 19 documented · 17% updated 5d agov1.17.0 · 2026-05-01★ 9038 open issues
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

Registry Image Resource

Supports checking, fetching, and pushing of images to Docker registries.

Build Status

This resource can be used in three ways: with tag specified, with tag_regex specified, or with neither tag nor tag_regex specified.

With tag specified, check will detect changes to the digest the tag points to, and out will always push to the specified tag. This is to be used in simpler cases where no real versioning exists.

With tag_regex specified, check will instead detect tags based on the regex provided. If created_at_sort is set to true, the tags will be sorted in descending order by the creation time. This is useful when you want to get the latest tag based on the regex (see Docker registry issue here).

With tag and tag_regex both omitted, check will instead detect tags based on semver versions (e.g. 1.2.3) and return them in semver order. With variant included, check will only detect semver tags that include the variant suffix (e.g. 1.2.3-stretch).

This resource comes with Concourse by default. You can override the version you use within your pipeline if the built-in one is not working for you for some reason

Comparison to docker-image resource

This resource is intended as a replacement for the Docker Image resource. Here are the key differences:

  • This resource is implemented in pure Go and does not use the Docker daemon or CLI. This makes it safer (no need for privileged: true), more efficient, and less error-prone (now that we're using Go APIs and not parsing docker CLI output).

  • This resource has stronger test coverage.

  • This resource does not and will never support building - only registry image pushing/pulling. Building should instead be done with something like the oci-build task (or anything that can produce OCI image tarballs).

  • A goal of this resource is to stay as focused and simple as possible. The Docker Image resource grew way too large and complicated. There are simply too many ways to build and publish Docker images. It will be easier to support many smaller resources + tasks rather than one huge interface.

Source Configuration

Field Name Description
repository (Required) The URI of the image repository, e.g. alpine or ghcr.io/package/image. Defaults to checking docker.io if no hostname is provided in the URI. Note: If using ecr you only need the repository name, not the full URI e.g. alpine not 012345678910.dkr.ecr.us-east-1.amazonaws.com/alpine. ECR usage is NOT automatically detected. You must set the aws_region to tell the resource to automatically use ECR.
insecure (Optional) Default: false Allow insecure registry.
tag (Optional) Default: latest Instead of monitoring semver tags, monitor a single tag for changes (based on digest).
tag_regex (Optional) Instead of monitoring semver tags, monitor for tags based on a regex provided. The syntax of the regular expressions accepted is the same general syntax used by Perl, Python, and other languages. More precisely, it is the syntax accepted by RE2 and described at https://golang.org/s/re2syntax Note if used, this will override all Semver constraints and features. By default, order of tags is not guaranteed. If you want to sort the tags in descending order, set `created_at_sort` to `true`.
created_at_sort (Optional) Default: false If set to `true`, the tags will be sorted in descending order using the creation time from the image history. This is useful when you want to get the latest tag based on the tag_regex.
variant (Optional) Detect only tags matching this variant suffix, and push version tags with this suffix applied. For example, a value of stretch would be used for tags like 1.2.3-stretch. This is typically used without tag - if it is set, this value will only used for pushing, not checking.
semver_constraint (Optional) Constrain the returned semver tags according to a semver constraint, e.g. "~1.2.x", ">= 1.2 < 3.0.0 || >= 4.2.3". Follows the rules outlined in https://github.com/Masterminds/semver#checking-version-constraints If the value appends with -0 for pre-release versions, pre_releases needs to be true.
pre_releases (Optional) By default, pre-release versions are ignored. With `pre_releases: true`, they will be included. Note however that variants and pre-releases both use the same syntax: `1.2.3-alpine` is technically also valid syntax for a Semver prerelease. For this reason, the resource will only consider prerelease data starting with `alpha`, `beta`, or `rc` as a proper prerelease, or values provided by `pre_release_prefixes`, treating anything else as a variant.
pre_release_prefixes (Optional) An array of strings, where each string is an additional pre-release prefix that should be found (e.g. `build.3`). `pre_releases` must be set to `true`.
username and password (Optional) A username and password to use when authenticating to the registry. Must be specified for private repos or when using put.
aws_access_key_id (Optional) The access key ID to use for authenticating with ECR.
aws_secret_access_key (Optional) The secret access key to use for authenticating with ECR.
aws_session_token (Optional) The session token to use for authenticating with STS credentials with ECR.
aws_region (Optional) The region to use for accessing ECR. This is required if you are using ECR. This region will help determine the full repository URL you are accessing (e.g., 012345678910.dkr.ecr.us-east-1.amazonaws.com)
aws_role_arn (Optional) If set, then this role will be assumed before authenticating to ECR. An error will occur if aws_role_arns is also specified. This is kept for backward compatibility.
aws_role_arns (Optional) An array of AWS IAM roles. If set, these roles will be assumed in the specified order before authenticating to ECR. An error will occur if aws_role_arn is also specified.
aws_account_id (Optional) The AWS Account ID that the image is located in. Useful if interacting with images in another account. If omitted then the current AWS account ID will be used. Be sure to wrap the account ID in quotes so it is parsed as a string instead of a number.
azure_acr (Optional) Default: false Set to true to authenticate to Azure Container Registry (ACR) using Azure Managed Identity. When enabled, the resource will acquire an Azure AD token via Managed Identity and exchange it for ACR credentials automatically. The repository must be the full ACR URL (e.g. myregistry.azurecr.io/myimage).
azure_client_id (Optional) The Client ID of a User-Assigned Managed Identity to use for ACR authentication. Only applicable when azure_acr is true. When omitted, System-Assigned Managed Identity is used.
azure_tenant_id (Optional) The tenant ID of the ACR registry (not the VM or cluster tenant). Only applicable when azure_acr is true. When set, the resource skips the challenge roundtrip to the ACR /v2/ endpoint, saving one HTTP request per check, get, and put invocation. When omitted, the tenant is auto-discovered from the registry's Www-Authenticate challenge header. Find the ACR tenant ID with: az acr show --name <registry> --query identity.tenantId -o tsv or from the Azure Portal under the registry's properties. Note: In cross-tenant scenarios, this must be the ACR registry's tenant, not the VM or cluster tenant.
azure_environment (Optional) The Azure cloud environment to authenticate against. Only applicable when azure_acr is true. Accepted values: AzurePublic (default), AzureGovernment, AzureChina. When omitted, the environment is auto-detected from the registry domain suffix (.azurecr.io → Commercial, .azurecr.us → Government, .azurecr.cn → China).
platform (Optional)
  • architecture (Optional): Architecture the image is built for (e.g. `amd64`, `arm64/v8`). If not specified, will default to https://pkg.go.dev/runtime#GOARCH.
  • os (Optional): OS the image is built for (e.g. `linux`, `darwin`, `windows`). If not specified, will default to https://pkg.go.dev/runtime#GOOS.
debug (Optional) Default: false If set, progress bars will be disabled and debugging output will be printed instead.
registry_mirror (Optional)
  • host (Required): A hostname pointing to a Docker registry mirror service. Note that this is only used if no registry hostname prefix is specified in the repository key. If the repository contains a registry hostname, such as my-registry.com/foo/bar, the registry_mirror is ignored and the explicitly declared registry in the repository key is used.
  • username and password (Optional): A username and password to use when authenticating to the mirror.
content_trust (Optional)
  • server (Optional): URL for the notary server. (equal to DOCKER_CONTENT_TRUST_SERVER)
  • repository_key_id (Required): Target key's ID used to sign the trusted collection, could be retrieved by notary key list
  • repository_key (Required): Target key used to sign the trusted collection.
  • repository_passphrase (Required): The passphrase of the signing/target key. (equal to DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE)
  • tls_key (Optional): TLS key for the notary server.
  • tls_cert (Optional): TLS certificate for the notary server.
  • username (Optional): Username for authorize Docker Registry with a Notary server(`content_trust.server`) attached.
  • password (Optional): Password for authorize Docker Registry with a Notary server(`content_trust.server`) attached.
  • scopes (Optional): What access for the resources requested, should be one of ['pull', 'push,pull'

Extension points exported contracts — how you extend this code

Core symbols most depended-on inside this repo

String
called by 53
types.go
Digest
called by 37
commands/oci_layout.go
Name
called by 17
types.go
NewRepository
called by 10
types.go
Platform
called by 6
types.go
AuthOptions
called by 4
types.go
NewIndexImageFromImage
called by 4
commands/oci_layout.go
headOrGet
called by 4
commands/check.go

Shape

Function 50
Method 31
Struct 28
TypeAlias 3
FuncType 1

Languages

Go100%

Modules by API surface

types.go41 symbols
commands/check.go14 symbols
commands/in.go12 symbols
commands/oci_layout.go11 symbols
commands/out.go10 symbols
suite_test.go7 symbols
out_test.go4 symbols
commands/rootfs.go4 symbols
check_test.go4 symbols
backoff.go2 symbols
commands/logging.go1 symbols
cmd/out/main.go1 symbols

For agents

$ claude mcp add registry-image-resource \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact

Ask about this repo answers extend the page