Add GitHub Container Registry (GHCR) support for MCP servers #439
+244
−56
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Gaurav-Gosain
force-pushed
the
feature/add-ghcr-support
branch
from
e0a64d1 to
721faff
Compare
rdimitrov
reviewed
Sep 12, 2025
There was a problem hiding this comment.
@Gaurav-Gosain - Thank you very much for addressing this! 💯
I like that it was implemented in a way that makes it easy to extend in the future. I left a small comment, but overall it looks great 👍
This commit implements support for publishing MCP servers to GitHub Container Registry (ghcr.io) in addition to the existing Docker Hub support, addressing Docker Hub rate limiting concerns as requested in modelcontextprotocol#393. Key changes: - Add RegistryURLGHCR constant for https://ghcr.io - Refactor OCI validation to support multiple container registries - Create registry-agnostic authentication system that handles: - Docker Hub token-based authentication - GHCR anonymous access (no token required) - Update validation logic to accept both docker.io and ghcr.io URLs - Add comprehensive tests for both registries - Update documentation with GHCR examples and usage instructions The implementation maintains backward compatibility with existing Docker Hub usage while providing a future-proof architecture for adding additional container registries. Fixes modelcontextprotocol#393
- Extract helper functions to reduce ValidateOCI complexity from 21 to under 20 - Remove unused getDockerIoAuthToken function - Fix rate limiting handling to avoid nilnil linter issue - Maintain all existing functionality while improving code quality
- Add proper GHCR token authentication with correct service parameter - Update accept headers to support OCI image indexes for multi-arch images - Add working test with real GitHub MCP server image from GHCR - Verify GHCR connectivity and proper error handling for missing annotations - Update documentation to accurately reflect authentication requirements
- Document the current state of MCP ecosystem regarding container annotations - Add TODO for future success test case when properly annotated images exist - Explain that the current test with github-mcp-server proves GHCR integration works - Provide template for future test cases with expectError: false
…entication - Update publishing guide to specify both registries use token-based auth - Remove any implication that GHCR supports anonymous access - Add details about which token service each registry uses - Ensure documentation matches the implementation
- Replaced TODO with descriptive note about adding test cases when properly annotated MCP images are available in GHCR - The MCP ecosystem is still new and such test cases will be added when the ecosystem matures
- Remove separate TestValidateOCI_GHCR_Integration function - Add GHCR test cases to main TestValidateOCI_RealPackages table - Include successful validation test case with nkapila6/mcp-local-rag - Maintain clean table-driven test pattern from main branch - Preserve skip logic for rate limiting protection
- Use fmt.Sprintf to construct AuthURL from ghcrAPIBaseURL constant - Improves consistency with registry configuration pattern - Addresses PR feedback from @rdimitrov
- Add explicit ErrRateLimited error type for clear rate limiting detection - Update ValidateOCI to handle rate limiting explicitly via error checking - Remove empty manifest logic from getConfigDigestFromManifest - Make genuinely empty manifests fail validation with clear error message - Ensure rate limiting only skips validation when HTTP 429 is encountered - Address PR feedback about distinguishing rate limits from broken responses This change ensures: - HTTP 429 → ErrRateLimited → skip validation (intended behavior) - Empty/broken manifest → validation fails with error (correct behavior) - No false positives where broken responses are treated as rate limiting
Gaurav-Gosain
force-pushed
the
feature/add-ghcr-support
branch
from
721faff to
9a9783f
Compare
Thank you for the positive feedback 🙏! The implementation now properly separates concerns and ensures that only explicit rate limiting (HTTP 429) results in skipped validation, while broken or empty responses properly fail validation. |
rdimitrov
approved these changes
Sep 13, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This commit implements support for publishing MCP servers to GitHub Container
Registry (ghcr.io) in addition to the existing Docker Hub support, addressing
Docker Hub rate limiting concerns as requested in #393.
Key changes:
The implementation maintains backward compatibility with existing Docker Hub
usage while providing a future-proof architecture for adding additional
container registries. All authentication is now handled through proper token
services for both registries.
Fixes #393
Motivation and Context
Docker Hub rate limiting has been causing issues for the MCP registry when validating OCI images. Adding GHCR support provides an alternative container registry that many MCP server authors are already using, reducing the load on Docker Hub and providing more options for the community.
How Has This Been Tested?
Breaking Changes
None. This is a purely additive change that maintains full backward compatibility with existing Docker Hub configurations.
Types of changes
Checklist
Additional context
The implementation uses a RegistryConfig struct to abstract registry-specific details like API endpoints, authentication URLs, and token services. This design makes it straightforward to add support for additional container registries in the future (such as AWS ECR, Azure Container Registry, etc.) by simply adding new cases to the getRegistryConfig function.
The authentication system properly handles the different token services used by each registry:
Both registries now support the full OCI specification including multi-arch images via OCI image indexes.