Introduction
trupu is a lightweight authentication server that enables Trusted Publishing for private Docker registries using GitHub Actions OpenID Connect (OIDC).
The problem
Pushing Docker images from CI to a private registry typically requires storing long-lived credentials as secrets. These tokens can be leaked, require manual rotation, and are hard to scope.
How trupu solves it
trupu sits between Traefik and your Docker registry as a ForwardAuth middleware. When a GitHub Actions workflow pushes an image:
- The workflow requests a short-lived OIDC token from GitHub
- Docker sends the token as credentials when pushing
- Traefik forwards the request to trupu’s `/auth` endpoint
- trupu verifies the token against GitHub’s JWKS and checks the `repository` and `workflow` claims against your allow-list
- On success, the request is proxied to the registry
No static tokens. No secrets to rotate. Only the specific owner/repo:workflow.yml you’ve trusted can push.
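The allow-list check from the last two steps, as an added Python example (not trupu’s own code): it extracts the OIDC token from the Basic credential Docker sends, decodes its claims, and applies the owner/repo:workflow.yml policy. It assumes the workflow file name is taken from the token’s `workflow_ref` claim and that the workflow requested its token with audience `trupu`; signature verification against GitHub’s JWKS, which must succeed before these claims are trusted, is left to a JWT library and not shown here.

```python
import base64
import json
import time
# Allow-list in the owner/repo:workflow.yml form used above (constructed values).
ALLOWED = {"acme/widgets:release.yml"}
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
AUDIENCE = "trupu"  # assumed: the audience the workflow requests its token for

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def token_from_basic_auth(header: str) -> str:
    """Docker presents the OIDC token as the password of an HTTP Basic credential."""
    scheme, _, cred = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("expected Basic credentials")
    return base64.b64decode(cred).decode().partition(":")[2]

def claims_of(jwt: str) -> dict:
    """Decode the payload only; the RS256 signature must already have been
    verified against GitHub's JWKS before these claims are trusted."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    return json.loads(_unb64url(parts[1]))

def authorize(claims: dict, allowed=ALLOWED, now=None) -> bool:
    """Policy: issuer, audience and expiry first, then repository + workflow file."""
    now = time.time() if now is None else now
    if claims.get("iss") != GITHUB_ISSUER or claims.get("aud") != AUDIENCE:
        return False
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return False
    repo, ref = claims.get("repository", ""), claims.get("workflow_ref", "")
    # Assumed source of the file name: workflow_ref, shaped like
    # owner/repo/.github/workflows/<file>@<git ref>; it must sit in the token's own repo.
    prefix = f"{repo}/.github/workflows/"
    if not repo or not ref.startswith(prefix):
        return False
    workflow = ref.split("@", 1)[0][len(prefix):]
    return "/" not in workflow and f"{repo}:{workflow}" in allowed

def constructed_push_header(claims: dict) -> str:
    """Constructed test input: Docker's Authorization header carrying a dummy-signed token."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    jwt = f"{header}.{_b64url(json.dumps(claims).encode())}.sig"
    return "Basic " + base64.b64encode(f"oidc:{jwt}".encode()).decode()
```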
Architecture
```
GitHub Actions ──► Traefik (:5000) ──► trupu (/auth) ──► Docker Registry (:5000)
                    ForwardAuth          OIDC verify        stores images
```
All three services run on the same Docker network.
When to use it
- You run a self-hosted Docker registry
- You want to push images from GitHub Actions without storing registry credentials
- You want workflow-level access control (not just repo-level)