feat: add ban_tags_enabled/ban_tags to docker remotes to block named tags #43

Merged
unkinben merged 1 commits from feat/docker-ban-tags into master 2026-05-10 22:13:11 +10:00
Owner

Adds two per-remote config keys for docker remotes:

ban_tags_enabled: false # opt-in, default off
ban_tags:
- latest
- edge

When ban_tags_enabled is true and a manifest request arrives for a named
tag in ban_tags, the proxy returns 403. sha256-addressed pulls are never
blocked, so images already pulled can still be referenced by digest.
Blob requests are unaffected.

Adds two per-remote config keys for docker remotes: ban_tags_enabled: false # opt-in, default off ban_tags: - latest - edge When ban_tags_enabled is true and a manifest request arrives for a named tag in ban_tags, the proxy returns 403. sha256-addressed pulls are never blocked, so images already pulled can still be referenced by digest. Blob requests are unaffected.
unkinben added 1 commit 2026-05-10 21:56:31 +10:00
feat: add ban_tags_enabled/ban_tags to docker remotes to block named tags
ci/woodpecker/pr/test Pipeline was successful
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/build Pipeline was successful
af28631a41
Adds two per-remote config keys for docker remotes:

  ban_tags_enabled: false   # opt-in, default off
  ban_tags:
    - latest
    - edge

When ban_tags_enabled is true and a manifest request arrives for a named
tag in ban_tags, the proxy returns 403. sha256-addressed pulls are never
blocked, so images already pulled can still be referenced by digest.
Blob requests are unaffected.
unkinben merged commit ff2aefeef4 into master 2026-05-10 22:13:11 +10:00
unkinben deleted branch feat/docker-ban-tags 2026-05-10 22:13:12 +10:00
Sign in to join this conversation.
No Reviewers
No Label
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: unkin/artifactapi#43