feat: add ban_tags_enabled/ban_tags to docker remotes to block named tags #43

Merged
unkinben merged 1 commits from feat/docker-ban-tags into master 2026-05-10 22:13:11 +10:00

1 Commits

Author SHA1 Message Date
unkinben af28631a41 feat: add ban_tags_enabled/ban_tags to docker remotes to block named tags
ci/woodpecker/pr/test Pipeline was successful
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/build Pipeline was successful
Adds two per-remote config keys for docker remotes:

  ban_tags_enabled: false   # opt-in, default off
  ban_tags:
    - latest
    - edge

When ban_tags_enabled is true and a manifest request arrives for a named
tag in ban_tags, the proxy returns 403. sha256-addressed pulls are never
blocked, so images already pulled can still be referenced by digest.
Blob requests are unaffected.
2026-05-10 21:55:12 +10:00