trupu

Authenticate CI pushes to your private Docker registry using GitHub Actions OIDC — no long-lived tokens needed.

No static tokens

Uses GitHub’s OIDC tokens instead of long-lived credentials. Tokens are short-lived and scoped to a specific workflow run.

Workflow-level trust

Define trusted publishers as owner/repo:workflow.yml — only the exact workflow you authorize can push images.

Traefik ForwardAuth

Plugs into Traefik as a ForwardAuth middleware. Sits in front of any Docker registry without modifying the registry itself.

Dev mode

Test the full flow locally with a static dev token — no GitHub Actions required.
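
The workflow-level trust check described above can be sketched as follows. This is an added example, not trupu's own code. It assumes the token's signature, issuer, audience and expiry have already been verified, and that an entry is compared against GitHub's `repository` and `workflow_ref` OIDC claims. The names `parse_entry` and `is_trusted` and the sample values are hypothetical.

```python
import re

# Assumption: entries use the page's owner/repo:workflow.yml form.
ENTRY_RE = re.compile(r"([A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+):([A-Za-z0-9_.-]+\.ya?ml)")
WORKFLOW_DIR = ".github/workflows/"


def parse_entry(entry):
    """Split 'owner/repo:workflow.yml' into (repo, workflow); reject anything else."""
    m = ENTRY_RE.fullmatch(entry)
    if not m:
        raise ValueError(f"malformed trusted publisher entry: {entry!r}")
    # GitHub owner/repo names are case-insensitive; file names are not.
    return m.group(1).lower(), m.group(2)


def is_trusted(claims, trusted_entries):
    """True only when the token's repository and workflow file match an entry exactly.

    `claims` must come from an already verified GitHub Actions OIDC token.
    """
    repo = claims.get("repository")
    ref = claims.get("workflow_ref")
    if not isinstance(repo, str) or not isinstance(ref, str):
        return False  # fail closed on missing or malformed claims
    # workflow_ref looks like owner/repo/.github/workflows/file.yml@refs/heads/main
    path, sep, _git_ref = ref.partition("@")
    prefix = f"{repo}/{WORKFLOW_DIR}"
    if not sep or not path.startswith(prefix):
        return False  # workflow does not live in the claimed repository
    workflow = path[len(prefix):]
    if "/" in workflow:
        return False  # nested paths are never a plain workflow file
    allowed = {parse_entry(e) for e in trusted_entries}
    return (repo.lower(), workflow) in allowed


# Constructed sample data, not taken from a real token.
TRUSTED = ["acme/images:publish.yml"]
SAMPLE_CLAIMS = {
    "repository": "acme/images",
    "workflow_ref": "acme/images/.github/workflows/publish.yml@refs/heads/main",
}

if __name__ == "__main__":
    print(is_trusted(SAMPLE_CLAIMS, TRUSTED))
```

Comparing the parsed repository and file name exactly, instead of using a substring or prefix test on the whole claim, keeps a different workflow in the same repository or a same-named workflow in another repository from matching.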