Open
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
Adds an Azure-hosted fallback registry for updater/proxy container images, intended to improve resilience when pulls from GHCR fail and to gate behavior via experiment flags.
Changes:
- Add experiment-gated fallback logic in
run()to retry image pulls from an Azure registry when the primary pull fails. - Extend
ImageServicerepository allowlist to permit*.azure-api.netimage sources. - Update unit tests and documentation to reflect the new fallback registry behavior.
Reviewed changes
Copilot reviewed 5 out of 7 changed files in this pull request and generated 6 comments.
Show a summary per file
| File | Description |
|---|---|
| src/main.ts | Implements experiment-gated primary/fallback pull logic and passes the successfully pulled image references into Updater. |
| src/image-service.ts | Updates allowed image repository validation to include Azure registry hosts. |
| docker/README.md | Documents existence of the Azure fallback registry. |
| dist/main/index.js | Updates the compiled Action bundle (but currently appears inconsistent with src/ changes). |
| tests/main.test.ts | Adds/adjusts tests around image-pull failure scenarios. |
| tests/image-service.test.ts | Updates error message expectation and adds an Azure-related pull test (currently focused on retry helper). |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
137abc2 to
1ec5ef8
Compare
jakecoffman
reviewed
Feb 27, 2026
|
|
||
| if (!imagesPulled && experiments[FEATURE_PULL_FROM_AZURE]) { | ||
| core.warning('Primary image pull failed, attempting fallback') | ||
| updaterImage = `${FALLBACK_CONTAINER_REGISTRY}/${updaterImage}` |
Member
There was a problem hiding this comment.
Won't this be, for example
dependabot-acr-apim-production.azure-api.net/ghcr.io/dependabot/dependabot-updater-gomod:123
Is that the expected URL or did I get it wrong?
Contributor
Author
There was a problem hiding this comment.
That is correct. We prefixed everything so the images are at the same image location with the Azure api prepended.
$ docker pull dependabot-acr-apim-production.azure-api.net/ghcr.io/dependabot/dependabot-updater-gomod
Using default tag: latest
latest: Pulling from ghcr.io/dependabot/dependabot-updater-gomod
...
Digest: sha256:399027984e3437acb2e107726d8678b1b4eec5a383ee5281820542baaeff162e
Status: Downloaded newer image for dependabot-acr-apim-production.azure-api.net/ghcr.io/dependabot/dependabot-updater-gomod:latest
dependabot-acr-apim-production.azure-api.net/ghcr.io/dependabot/dependabot-updater-gomod:latest
rickreyhsig
reviewed
Feb 27, 2026
* Allow images to be pulled from azure-api.net * Fallback to pulling images from Azure api * Tests
a4a13be to
9d2808c
Compare
9d2808c to
b7d44ea
Compare
rickreyhsig
approved these changes
Feb 28, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
We have added a fallback container registry in Azure that hosts a copy of all the container images we pull in this repo. This PR makes use of this fallback registry by,
azure-api.netUpdatercode with the image that successfully pulledBoth the backup pull from Azure and a pull from GHCR are gated by experiment flags. This will allow us to opt-in to pulling from Azure and opt-out to pulling from GHCR which will allow us to confirm the feature is working outside of an incident.