# docker

## registry

images are published to [atcr.io](https://atcr.io) - a distributed container registry built on AT Protocol.

```
atcr.io/zzstoatzz.io/prefect-server:latest
```

## publishing

```bash
just docker-publish           # push :latest
just docker-publish v0.1.0    # push specific tag
```

requires authentication via `docker-credential-atcr`:
```bash
# install credential helper
curl -fsSL https://github.com/mary-ext/atcr/releases/latest/download/docker-credential-atcr-darwin-arm64 \
  -o /usr/local/bin/docker-credential-atcr && chmod +x /usr/local/bin/docker-credential-atcr

# add to ~/.docker/config.json
# "credHelpers": { "atcr.io": "atcr" }

# first push triggers browser auth
ATCR_AUTO_AUTH=1 docker push atcr.io/zzstoatzz.io/prefect-server:latest
```

## CI (future)

ATCR.io uses device authorization (browser-based) for initial auth, then stores a device token:
```
atcr_device_<random>
```

**potential CI approach** (not yet tested):
1. authenticate locally to generate device token
2. extract token: `docker-credential-atcr get <<< "atcr.io"`
3. store as CI secret (e.g., `ATCR_TOKEN`)
4. in CI, write credentials before push:
   ```bash
   echo '{"ServerURL":"atcr.io","Username":"zzstoatzz.io","Secret":"$ATCR_TOKEN"}' | docker-credential-atcr store
   ```

**open questions:**
- token expiration/rotation policy
- whether ATCR.io will add app passwords or CI-specific auth
- official GitHub Actions support

check [atcr.io](https://atcr.io) for updates on CI/CD support.

## image details

- base: `alpine:3.20`
- size: ~47MB
- healthcheck: `curl -f http://localhost:4200/api/health`
- multi-arch: amd64, arm64