#Image published to the GHCR doesn't get linked to repository

Firstly, I am using Zenith, but in this case it should matter.
I was trying to publish my image to the Github Container Registry (ghcr). I can successfully push/publish the image and I see it under my packages. But I don't see it in the repository, only in my personal packages.
So I looked at the ghcr docs and found out, you have to use the org.opencontainers.image.source label. Ok great, I added the label.
But Github still doesn't link it even when the label is present. I then tried to build the image with a Dockerfile (containing the label) and the ol' docker build. I then pushed the image. To my surprise, it was linked correctly.
I also looked at the docker inspect JSON and they are virtually the same - both also contain the label.
Can someone help me with this? I will attach the inspect JSONs under this post.

Image built with docker build:

[{"Id":"sha256:3cdf2da90bbf79689fab92484b4e2289352c21b43c02ba2412352c07eaf8de62","RepoTags":["be:latest"],"RepoDigests":[],"Parent":"","Comment":"buildkit.dockerfile.v0","Created":"2023-11-29T14:35:36.1281728Z","Container":"","ContainerConfig":{"Hostname":"","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":null,"Cmd":null,"Image":"","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":null},"DockerVersion":"","Author":"","Config":{"Hostname":"","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"],"Cmd":null,"Image":"","Volumes":null,"WorkingDir":"/","Entrypoint":["/backend"],"OnBuild":null,"Labels":{"org.opencontainers.image.source":"https://github.com/SaimonWoidig/dagger-ci"}},"Architecture":"amd64","Os":"linux","Size":7265231,"VirtualSize":7265231,"GraphDriver":{"Data":{"MergedDir":"/var/lib/docker/overlay2/jphl6qog6bx3tu95px57vtpf1/merged","UpperDir":"/var/lib/docker/overlay2/jphl6qog6bx3tu95px57vtpf1/diff","WorkDir":"/var/lib/docker/overlay2/jphl6qog6bx3tu95px57vtpf1/work"},"Name":"overlay2"},"RootFS":{"Type":"layers","Layers":["sha256:1a1a01bf0f1b9fd97f15e1030b633e89ea3c4d63e45ac295b61f54b78fc205bb"]},"Metadata":{"LastTagTime":"2023-11-29T14:36:51.267497Z"}}]

Image built with dagger:

[{"Id":"sha256:035130ea6e63e1f71a967f8476cb02195b71824df48a0a669f2836b3aca2410d","RepoTags":[],"RepoDigests":["ghcr.io/saimonwoidig/backend@sha256:d3b4e3c2d735c0ad730648324a1ba9d97fe980b16290b15e4f45ce472c8efefe"],"Parent":"","Comment":"buildkit.exporter.image.v0","Created":"2023-11-29T14:01:13.6298841Z","Container":"","ContainerConfig":{"Hostname":"","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":null,"Cmd":null,"Image":"","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":null},"DockerVersion":"","Author":"","Config":{"Hostname":"","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"ExposedPorts":{"8080/tcp":{}},"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":["PORT=8080"],"Cmd":null,"Image":"","Volumes":null,"WorkingDir":"","Entrypoint":["/backend"],"OnBuild":null,"Labels":{"org.opencontainers.image.source":"https://github.com/SaimonWoidig/dagger-ci"}},"Architecture":"amd64","Os":"linux","Size":7265231,"VirtualSize":7265231,"GraphDriver":{"Data":{"MergedDir":"/var/lib/docker/overlay2/05fe8043a0dd4aafada0ffed89fed35ef22c59425ba0ce85ce967e30e8640660/merged","UpperDir":"/var/lib/docker/overlay2/05fe8043a0dd4aafada0ffed89fed35ef22c59425ba0ce85ce967e30e8640660/diff","WorkDir":"/var/lib/docker/overlay2/05fe8043a0dd4aafada0ffed89fed35ef22c59425ba0ce85ce967e30e8640660/work"},"Name":"overlay2"},"RootFS":{"Type":"layers","Layers":["sha256:4908903b89359b3b3461d611ed6624a7dc12513385c77ac86f1309cdc3bed7fd"]},"Metadata":{"LastTagTime":"0001-01-01T00:00:00Z"}}]

I can also attach my Dagger definition if needed.

Also looking at the Dagger json, this seems unrelated but strange: "Metadata":{"LastTagTime":"0001-01-01T00:00:00Z"}.

This is just a wild guess, but were the same credentials used for both pushes? (with and without dagger?)

Yes. I have used docker login with my email and PAT for the manual push. I have used WithRegistryAuth in dagger with the same username and password (email and PAT).
And if the credentials were incorrect, I guess that the push would fail altogether, no?

Yeah sometimes Github is weird with that kind of thing where it will partially work with one set of permissions but not all the permissions. But if you used the same for both then that's not it

I actually noticed it's the same for the dagger engine image. I wonder if github changed something

Ok, thanks. I can link it manually for now I guess but it would be great if we got it working! Will you keep me informed?

Yeah totally I'm digging into this now

Wonderful ❤️

I see the RepoTags aren't set in the dagger one, that feels like something

what does your Publish() look like?

The call itself is Publish(ctx, fullImageRef) - just the minimum. I am guessing I can add the tags with some Opts?

when I publish with a tag format like Publish(ctx, "ttl.sh/kpenfound-dagger-test:1h") I have RepoTags populated:

"RepoTags": [
            "ttl.sh/kpenfound-dagger-test:1h"
        ],
        "RepoDigests": [
            "ttl.sh/kpenfound-dagger-test@sha256:936c3ed21bd2dda836025d07669c5d45edd6366ee5f1daa46e8934f2db43ff18"
        ],

just confirming I'm seeing the same behavior with the Packages list on the repo page

I'll try out with a tag.

Adding the tag didn't help.

[{"Id":"sha256:76c54b191f19d5bf9d5a5639ee309b4f0747cd8a61e80dc2838af965cd98c815","RepoTags":["ghcr.io/saimonwoidig/dagger-ci/backend:develop"],"RepoDigests":["ghcr.io/saimonwoidig/dagger-ci/backend@sha256:a32c607c723843a07531928da1ebcee6bcda31162f87058adaaae039efd1f02b"],"Parent":"","Comment":"buildkit.exporter.image.v0","Created":"2023-11-29T21:38:09.997547653Z","Container":"","ContainerConfig":{"Hostname":"","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":null,"Cmd":null,"Image":"","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":null},"DockerVersion":"","Author":"","Config":{"Hostname":"","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"ExposedPorts":{"8080/tcp":{}},"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":["PORT=8080"],"Cmd":null,"Image":"","Volumes":null,"WorkingDir":"/","Entrypoint":["/backend"],"OnBuild":null,"Labels":{"org.opencontainers.image.source":"https://github.com/SaimonWoidig/dagger-ci"}},"Architecture":"amd64","Os":"linux","Size":7212894,"VirtualSize":7212894,"GraphDriver":{"Data":{"MergedDir":"/var/lib/docker/overlay2/49ef678e502276f2d987209cb73bb2f1ea38a5a00d4448a1d825ab2e6f3b82a9/merged","UpperDir":"/var/lib/docker/overlay2/49ef678e502276f2d987209cb73bb2f1ea38a5a00d4448a1d825ab2e6f3b82a9/diff","WorkDir":"/var/lib/docker/overlay2/49ef678e502276f2d987209cb73bb2f1ea38a5a00d4448a1d825ab2e6f3b82a9/work"},"Name":"overlay2"},"RootFS":{"Type":"layers","Layers":["sha256:d63dc29af146f4613e4636482aa945cccc22f176c1c985e920a6b7a87a49be9f"]},"Metadata":{"LastTagTime":"0001-01-01T00:00:00Z"}}]

I see that the RepoTags is now set but sadly, image is not linked to the repo.

@lean heron did you follow this? https://docs.github.com/en/packages/learn-github-packages/connecting-a-repository-to-a-package

if you're using a PAT to publish the package, by default it won't be connected to a repository

Well I am also using a PAT in docker login and the push via docker push works...

oh, I see.. We'll I'm almost sure it works in our case because we're using the GITHUB_TOKEN in CI (GHA) to actually publish the package

Yeah, I wanted to test it locally first before I make a workflow. But I guess I have to try it out.

But the image doesn't show up under packages on the repo page anymore for dagger/dagger. I think something changed on githubs end

strange.. since it is connected to the repo

maybe we changed some setting in the repo by accident?

you can also see them here: https://github.com/dagger/dagger/packages

Yeah exactly. That's what I'm seeing on my test repro too

But docker push will put it on the repo page

something deinitely changed

Maybe the GitHub API will reveal more 🤷‍♂️

Ok, I managed to link it manually. It took some work to get the permissions correct but I managed to push it via an action.
Also, still no luck finding out why it doesn't get linked?

@lean heron if you set the image MediaTypes to Dockermediatypes that should fix the issue:

    ctr.Publish(ctx, "ghcr.io/marcosnils/alpine:latest", dagger.ContainerPublishOpts{
        MediaTypes: dagger.Dockermediatypes,
    })

seems like GHCR is quite tied to the docker specific OCI media types instead of the standards

give it a try and let us know how it goes

Wow, nice find @spiral crow ! What's the best way to document this?

here maybe? https://docs.dagger.io/cookbook#publish-image-to-registry cc @solid falcon ?

Is this different from using OCI metadata? https://docs.dagger.io/cookbook#add-oci-annotations-to-image

Ok, gonna give it a go!

It works like a charm! Thanks. Pretty confusing that GH doesn't support linking for OCI and yet has a label containing opencontainers...

yes it's different. These are the media types: https://github.com/opencontainers/image-spec/blob/main/media-types.md

maybe in the publish cookbook we can add a small note about being mindful about the media types and we can refernece the example of GHCR since I'd assume several users will have the same issue

https://github.com/dagger/dagger/pull/6217

Additional info for this: https://github.com/dagger/dagger/pull/5556

Awesome! Thanks for your help and contribution! 🎉