Publish prebuilt Apptainer SIFs to GHCR via ORAS

[t0mdavid-m]

Summary

Add CI/CD pipeline to publish prebuilt Apptainer SIF (Singularity Image Format) containers to GHCR via ORAS, eliminating the need for HPC users to perform on-the-fly OCI→SIF conversion. This significantly improves startup time and user experience for HPC deployments.

Key Changes

• build-and-test.yml:

  • Added artifact upload step to save validated SIF files after successful test runs (push events only)
  • Added new publish-apptainer job that downloads validated SIFs and pushes them to GHCR as OCI artifacts via ORAS
  • Configured tag strategy matching Docker image scheme: latest, main-{full,simple}, v*-{full,simple}, and per-commit SHAs
  • Implemented apptainer registry login and multi-tag push loop with case normalization

• ghcr-cleanup.yml:

  • Added cleanup-sif-images job to manage SIF artifact retention
  • Keeps semver tags, main branch tags, and latest; deletes old commit-tagged SIFs after 30 days
  • Removes untagged SIF manifests after 7 days

• README.md:

  • Updated Apptainer/Singularity section with new ORAS pull instructions
  • Documented available tag schemes and fallback to on-the-fly conversion for unprebuilt tags
  • Added version requirements (apptainer 1.1+ or singularity-ce 3.10+)
  • Clarified that prebuilt SIFs eliminate the 5-15 minute conversion overhead

Implementation Details

• SIFs are kept in a separate GHCR package (ghcr.io/<owner>/<repo>/sif) to keep tag lists clean and distinct from Docker images
• Artifacts are retained for only 1 day (sufficient for the publish job to consume them)
• ORAS authentication uses apptainer's native ~/.apptainer/remote.yaml rather than Docker config
• Tag computation uses docker/metadata-action for consistency with existing Docker image tagging
• Lowercase conversion is applied to all tags (belt-and-braces, as GHCR is strict about OCI reference casing)

https://claude.ai/code/session_01NumLyfkQ3w3JF3TU8jM1iX

[coderabbitai]

Warning

Rate limit exceeded

@t0mdavid-m has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 15 minutes and 6 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 92cf3c34-66fa-4d20-8183-8578e34eda27

📥 Commits

Reviewing files that changed from the base of the PR and between bce2e27 and 1a17170.

📒 Files selected for processing (3)

• .github/workflows/build-and-test.yml
• .github/workflows/ghcr-cleanup.yml
• README.md

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/singularity-github-hosting-eH5Gh

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}