chore: migrate image registry from hkccr to ghcr.io #405

Open
AlinsRan wants to merge 5 commits into master from feat/migrate-registry-to-ghcr

Contributor

@AlinsRan AlinsRan commented May 7, 2026

Summary

Replace hkccr.ccs.tencentyun.com/api7-dev/ with ghcr.io/api7/ across all relevant files.

Changes

  • Workflow files (e2e-test.yml, conformance-test.yml, e2e-test-k8s.yml): Replace "Login to Private Registry" step with "Login to GHCR" using GITHUB_TOKEN
  • Makefile: Update all image references in pull-infra-images, kind-load-images, kind-load-dashboard-images, kind-load-gateway-image targets
  • test/e2e/framework/api7_dashboard.go: Update Helm values template image repositories
  • test/e2e/framework/manifests/dp.yaml: Update gateway container image

Summary by CodeRabbit

  • Chores
    • Switched CI and build image sources to GitHub Container Registry (ghcr.io) and consolidated registry authentication to use the repository token.
  • Tests
    • Updated end-to-end test tooling, manifests, and local cluster image loading to pull GHCR-hosted images for test runs.

Replace hkccr.ccs.tencentyun.com/api7-dev/ with ghcr.io/api7/ across
all workflow files, Makefile, and test framework configs. Update the
private registry login step to use GHCR with GITHUB_TOKEN instead of
Tencent Cloud credentials.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings May 7, 2026 06:47

coderabbitai Bot commented May 7, 2026

Review Change Stack
No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 75ebb75d-1b7c-4947-9bc1-8356135b8a52

📥 Commits

Reviewing files that changed from the base of the PR and between cfce22b and 65c6747.

📒 Files selected for processing (1)
  • .github/workflows/conformance-test.yml

📝 Walkthrough


All CI workflows, Makefile image targets, and test manifests are updated to use ghcr.io image references and a single GHCR login (github.actor + GITHUB_TOKEN) instead of the previous Tencent mirror and custom/private registry login steps.

Changes

Registry Migration to GitHub Container Registry

| Layer / File(s) | Summary |
| --- | --- |
| GitHub Actions Workflow Authentication (.github/workflows/conformance-test.yml, .github/workflows/e2e-test-k8s.yml, .github/workflows/e2e-test.yml) | Job permissions added/adjusted; Docker login steps using DOCKER_*/PRIVATE_DOCKER_* removed and replaced with a single GHCR login using docker/login-action@v3, github.actor, and secrets.GITHUB_TOKEN. |
| Makefile Image Loading Targets (Makefile) | kind-load-images, kind-load-gateway-image, kind-load-dashboard-images, and pull-infra-images switched API7 image sources from hkccr.ccs.tencentyun.com/api7-dev/* to ghcr.io/api7/*. |
| Test Framework Configuration (test/e2e/framework/api7_dashboard.go, test/e2e/framework/manifests/dp.yaml) | Embedded Helm values and Kubernetes Deployment manifest now reference ghcr.io/api7/api7-ee-3-integrated, ghcr.io/api7/api7-ee-dp-manager, and ghcr.io/api7/api7-ee-3-gateway:dev. |

Sequence Diagram(s)

sequenceDiagram
  participant CI as GitHub Actions
  participant OldRegistry as hkccr.ccs.tencentyun.com
  participant GHCR as ghcr.io
  participant Kind as Kind Cluster / Build

  CI->>OldRegistry: (old) login/pull using PRIVATE_DOCKER_* / DOCKER_*
  Note over OldRegistry: Removed
  CI->>GHCR: login using github.actor + GITHUB_TOKEN
  GHCR-->>CI: auth success
  CI->>Kind: build/load images from ghcr.io/api7/*

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

Suggested reviewers

  • ronething
  • nic-6443
🚥 Pre-merge checks | ✅ 6
✅ Passed checks (6 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The PR title clearly summarizes the main change: migrating container image registry from Tencent's hkccr to GitHub Container Registry (ghcr.io), which is the core objective addressed across all modified files. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| E2e Test Quality Review | ✅ Passed | This PR is not applicable to the E2E Test Quality Review check. It is a chore PR for container registry migration, modifying only workflow files, Makefile, and config—zero E2E test code changes. |
| Security Check | ✅ Passed | Registry migration to GHCR passes security review. No vulnerabilities across all categories. Old credentials removed, GITHUB_TOKEN masked, HTTPS enforced. |

Contributor

Copilot AI left a comment

Pull request overview

Migrates API7 EE-related container image references used by CI, Kind-based e2e/conformance tests, and test manifests from the legacy hkccr.ccs.tencentyun.com/api7-dev/ registry to ghcr.io/api7/.

Changes:

  • Updated GitHub Actions workflows to authenticate to GHCR (replacing the legacy private registry login).
  • Updated Makefile Kind image pull/load targets to use ghcr.io/api7/* images.
  • Updated e2e test Helm values template and Kubernetes deployment manifest to reference GHCR image repositories.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.

Show a summary per file
| File | Description |
| --- | --- |
| .github/workflows/e2e-test.yml | Switches container registry login from legacy private registry to GHCR for CI pulls. |
| .github/workflows/e2e-test-k8s.yml | Switches container registry login to GHCR for the self-hosted Kubernetes 1.18 e2e job. |
| .github/workflows/conformance-test.yml | Switches container registry login to GHCR for conformance test image pulls. |
| Makefile | Updates Kind load/pull targets to use GHCR-based EE image references. |
| test/e2e/framework/api7_dashboard.go | Updates Helm values template repositories for dashboard and dp-manager images to GHCR. |
| test/e2e/framework/manifests/dp.yaml | Updates the gateway Deployment image reference to GHCR. |

Comment thread .github/workflows/e2e-test.yml
Comment thread .github/workflows/conformance-test.yml
Comment thread .github/workflows/e2e-test-k8s.yml

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/conformance-test.yml:
- Around line 66-71: Remove the legacy "Login to Registry" step that still uses
secrets.DOCKER_REGISTRY/USERNAME/PASSWORD and retain only the new GHCR auth step
(the docker/login-action@v3 step with registry: ghcr.io, username: ${{
github.actor }}, password: ${{ secrets.GITHUB_TOKEN }}); delete the old step
named "Login to Registry" and any references to those legacy secrets, and ensure
subsequent jobs that pushed/pulled images use the existing GHCR login ("Login to
GHCR") instead.

In @.github/workflows/e2e-test.yml:
- Around line 75-80: Remove the legacy registry authentication step named "Login
to Registry" so the job only uses the GHCR login step ("Login to GHCR" which
uses docker/login-action@v3 with registry: ghcr.io). Locate and delete the step
that references the old registry credentials/secrets (e.g., REGISTRY_USERNAME /
REGISTRY_PASSWORD or similar) to avoid depending on legacy secrets, leaving only
the GHCR login in the workflow.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 6b023298-6877-4a22-a7f5-cdddf2b53c4d

📥 Commits

Reviewing files that changed from the base of the PR and between b02e842 and ce3ecb4.

📒 Files selected for processing (6)
  • .github/workflows/conformance-test.yml
  • .github/workflows/e2e-test-k8s.yml
  • .github/workflows/e2e-test.yml
  • Makefile
  • test/e2e/framework/api7_dashboard.go
  • test/e2e/framework/manifests/dp.yaml

Comment thread .github/workflows/conformance-test.yml
Comment thread .github/workflows/e2e-test.yml
AlinsRan and others added 2 commits May 7, 2026 14:53
- Remove leftover 'Login to Registry' steps from e2e-test.yml and
  conformance-test.yml
- Add permissions (contents: read, packages: read) to all three
  workflow jobs to ensure GHCR pulls work under restricted token settings

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
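
The login and permission setup these commits describe, written out as one job. This is an added example, not a file from the pull request: the workflow name, job name and the legacy-reference check step are assumptions, while the registry, action version, credentials and image name are the ones quoted in the conversation above.

```yaml
# Added example. "ghcr-pull-example" and "pull-images" are hypothetical names.
name: ghcr-pull-example
on:
  pull_request:

# Start from no token scopes at workflow level; each job opts in to what it needs.
permissions: {}

jobs:
  pull-images:
    runs-on: ubuntu-latest
    permissions:
      contents: read   # needed by actions/checkout
      packages: read   # lets GITHUB_TOKEN pull from ghcr.io
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      # Assumed extra guard (not in the PR): fail the job if any tracked file
      # still points at the old registry, so a missed reference cannot slip in.
      # The escaped dots keep this step from matching its own pattern.
      - name: Fail on leftover legacy registry references
        run: |
          if git grep -n 'hkccr\.ccs\.tencentyun\.com' -- . ; then
            echo "::error::legacy registry reference found"
            exit 1
          fi

      # Single registry login: no long-lived registry password is stored as a
      # repository secret, the job-scoped GITHUB_TOKEN is used instead.
      - name: Login to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Pull gateway image
        run: docker pull ghcr.io/api7/api7-ee-3-gateway:dev
```

For a private package, `packages: read` on the job is not sufficient by itself: the package's settings on ghcr.io must also grant this repository Actions access before `GITHUB_TOKEN` can pull it.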
Contributor

github-actions Bot commented May 7, 2026

conformance test report - apisix mode

apiVersion: gateway.networking.k8s.io/v1
date: "2026-05-07T09:05:48Z"
gatewayAPIChannel: experimental
gatewayAPIVersion: v1.3.0
implementation:
  contact: null
  organization: APISIX
  project: apisix-ingress-controller
  url: https://github.com/apache/apisix-ingress-controller.git
  version: v2.0.0
kind: ConformanceReport
mode: default
profiles:
- core:
    result: partial
    skippedTests:
    - TLSRouteSimpleSameNamespace
    statistics:
      Failed: 0
      Passed: 10
      Skipped: 1
  name: GATEWAY-TLS
  summary: Core tests partially succeeded with 1 test skips.
- core:
    result: success
    statistics:
      Failed: 0
      Passed: 12
      Skipped: 0
  name: GATEWAY-GRPC
  summary: Core tests succeeded.
- core:
    failedTests:
    - HTTPRouteInvalidBackendRefUnknownKind
    result: failure
    skippedTests:
    - HTTPRouteHTTPSListener
    statistics:
      Failed: 1
      Passed: 31
      Skipped: 1
  extended:
    result: partial
    skippedTests:
    - HTTPRouteRedirectPortAndScheme
    statistics:
      Failed: 0
      Passed: 11
      Skipped: 1
    supportedFeatures:
    - GatewayAddressEmpty
    - GatewayPort8080
    - HTTPRouteBackendProtocolWebSocket
    - HTTPRouteDestinationPortMatching
    - HTTPRouteHostRewrite
    - HTTPRouteMethodMatching
    - HTTPRoutePathRewrite
    - HTTPRoutePortRedirect
    - HTTPRouteQueryParamMatching
    - HTTPRouteRequestMirror
    - HTTPRouteResponseHeaderModification
    - HTTPRouteSchemeRedirect
    unsupportedFeatures:
    - GatewayHTTPListenerIsolation
    - GatewayInfrastructurePropagation
    - GatewayStaticAddresses
    - HTTPRouteBackendProtocolH2C
    - HTTPRouteBackendRequestHeaderModification
    - HTTPRouteBackendTimeout
    - HTTPRouteParentRefPort
    - HTTPRoutePathRedirect
    - HTTPRouteRequestMultipleMirrors
    - HTTPRouteRequestPercentageMirror
    - HTTPRouteRequestTimeout
  name: GATEWAY-HTTP
  summary: Core tests failed with 1 test failures. Extended tests partially succeeded
    with 1 test skips.

Contributor

github-actions Bot commented May 7, 2026

conformance test report - apisix-standalone mode

apiVersion: gateway.networking.k8s.io/v1
date: "2026-05-07T09:05:22Z"
gatewayAPIChannel: experimental
gatewayAPIVersion: v1.3.0
implementation:
  contact: null
  organization: APISIX
  project: apisix-ingress-controller
  url: https://github.com/apache/apisix-ingress-controller.git
  version: v2.0.0
kind: ConformanceReport
mode: default
profiles:
- core:
    result: success
    statistics:
      Failed: 0
      Passed: 12
      Skipped: 0
  name: GATEWAY-GRPC
  summary: Core tests succeeded.
- core:
    result: partial
    skippedTests:
    - HTTPRouteHTTPSListener
    statistics:
      Failed: 0
      Passed: 32
      Skipped: 1
  extended:
    result: partial
    skippedTests:
    - HTTPRouteRedirectPortAndScheme
    statistics:
      Failed: 0
      Passed: 11
      Skipped: 1
    supportedFeatures:
    - GatewayAddressEmpty
    - GatewayPort8080
    - HTTPRouteBackendProtocolWebSocket
    - HTTPRouteDestinationPortMatching
    - HTTPRouteHostRewrite
    - HTTPRouteMethodMatching
    - HTTPRoutePathRewrite
    - HTTPRoutePortRedirect
    - HTTPRouteQueryParamMatching
    - HTTPRouteRequestMirror
    - HTTPRouteResponseHeaderModification
    - HTTPRouteSchemeRedirect
    unsupportedFeatures:
    - GatewayHTTPListenerIsolation
    - GatewayInfrastructurePropagation
    - GatewayStaticAddresses
    - HTTPRouteBackendProtocolH2C
    - HTTPRouteBackendRequestHeaderModification
    - HTTPRouteBackendTimeout
    - HTTPRouteParentRefPort
    - HTTPRoutePathRedirect
    - HTTPRouteRequestMultipleMirrors
    - HTTPRouteRequestPercentageMirror
    - HTTPRouteRequestTimeout
  name: GATEWAY-HTTP
  summary: Core tests partially succeeded with 1 test skips. Extended tests partially
    succeeded with 1 test skips.
- core:
    result: partial
    skippedTests:
    - TLSRouteSimpleSameNamespace
    statistics:
      Failed: 0
      Passed: 10
      Skipped: 1
  name: GATEWAY-TLS
  summary: Core tests partially succeeded with 1 test skips.

Copilot AI review requested due to automatic review settings May 7, 2026 07:45
Contributor

Copilot AI left a comment

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.

Comment on lines +38 to 42
    permissions:
      packages: read
    steps:
      - name: Checkout
        uses: actions/checkout@v4

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/conformance-test.yml:
- Around line 38-39: The workflow sets permissions only to "packages: read" but
actions/checkout@v4 also requires "contents: read", so update the permissions
block to include "contents: read" alongside "packages: read"; additionally,
implement the custom action at ./.github/actions/add-pr-comment (it currently
has no entrypoint or action.yml) or remove/replace that step to avoid runtime
failure—look for the workflow step referencing actions/checkout@v4 and the step
that calls ./.github/actions/add-pr-comment and either add the action
metadata/entrypoint (action.yml and implementation script) or switch to an
existing marketplace action that posts PR comments.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 1a25f0d0-6aaf-4a62-a2d1-041df98716f9

📥 Commits

Reviewing files that changed from the base of the PR and between 9d8ecb6 and cfce22b.

📒 Files selected for processing (1)
  • .github/workflows/conformance-test.yml

Comment on lines +38 to +39
    permissions:
      packages: read

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "1) Show current job permissions block"
rg -n -A8 -B2 '^\s*permissions:' .github/workflows/conformance-test.yml

echo
echo "2) Inspect add-pr-comment action to infer required token scopes"
fd -a 'action.y*ml' .github/actions/add-pr-comment --exec sed -n '1,220p' {}
rg -n -C3 'createComment|issues\.|pulls\.|github-script|gh api|octokit' .github/actions/add-pr-comment

Repository: api7/api7-ingress-controller

Length of output: 439


🏁 Script executed:

echo "1) Show the full conformance-test job to see all steps"
rg -n -A 150 'job: conformance-test' .github/workflows/conformance-test.yml | head -200

echo
echo "2) Search for add-pr-comment usage in all workflow files"
fd -e yml -e yaml .github/workflows --exec rg -l 'add-pr-comment' {}

echo
echo "3) List all directories under .github/actions"
fd -type d . .github/actions --maxdepth 1

echo
echo "4) Check if add-pr-comment action exists anywhere"
find .github -name '*add-pr*' -o -name '*comment*'

Repository: api7/api7-ingress-controller

Length of output: 877


🏁 Script executed:

echo "1) Show job section starting at line 36"
sed -n '36,150p' .github/workflows/conformance-test.yml

echo
echo "2) Search for add-pr-comment in the entire workflow file"
grep -n 'add-pr-comment' .github/workflows/conformance-test.yml

echo
echo "3) View the add-pr-comment action definition"
cat .github/actions/add-pr-comment/action.yml

echo
echo "4) Check what this action actually does"
head -50 .github/actions/add-pr-comment/action.yml

Repository: api7/api7-ingress-controller

Length of output: 3428


🏁 Script executed:

echo "1) List files in add-pr-comment directory"
ls -la .github/actions/add-pr-comment/

echo
echo "2) Check for action files with different extensions"
find .github/actions/add-pr-comment -type f | head -20

echo
echo "3) Read the main action file (check for .js, .sh, or index files)"
ls -la .github/actions/add-pr-comment/

Repository: api7/api7-ingress-controller

Length of output: 452


🏁 Script executed:

echo "1) Check if there are any other files in .github/actions directory"
find .github/actions -type f

echo
echo "2) Check the git status of add-pr-comment to see if files were supposed to be added"
git ls-files .github/actions/add-pr-comment/

echo
echo "3) Verify what the workflow expects from add-pr-comment parameters"
sed -n '130,140p' .github/workflows/conformance-test.yml

Repository: api7/api7-ingress-controller

Length of output: 631


Add missing contents: read permission; note that ./.github/actions/add-pr-comment has no implementation.

The job sets only packages: read, which omits the contents: read scope needed by actions/checkout@v4 at line 42. Additionally, the add-pr-comment action referenced at line 134 is an empty directory with no implementation files—the PR comment step will fail.

Suggested permissions fix
     permissions:
+      contents: read
       packages: read
+      pull-requests: write
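Review bot: the added `pull-requests: write` line gives this job a write scope that the surrounding text does not justify; the stated reason for the change covers only `contents: read` for actions/checkout@v4, and the same comment reports that the add-pr-comment step has no implementation yet. Suggest keeping this job at `contents: read` and `packages: read`, and granting `pull-requests: write` only in a separate job that posts the comment once that action exists, so the job that logs in to the registry and runs the tests stays read-only.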

The add-pr-comment custom action must be implemented before the workflow can complete successfully.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
    permissions:
      packages: read

    permissions:
      contents: read
      packages: read
      pull-requests: write
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/conformance-test.yml around lines 38 - 39, The workflow
sets permissions only to "packages: read" but actions/checkout@v4 also requires
"contents: read", so update the permissions block to include "contents: read"
alongside "packages: read"; additionally, implement the custom action at
./.github/actions/add-pr-comment (it currently has no entrypoint or action.yml)
or remove/replace that step to avoid runtime failure—look for the workflow step
referencing actions/checkout@v4 and the step that calls
./.github/actions/add-pr-comment and either add the action metadata/entrypoint
(action.yml and implementation script) or switch to an existing marketplace
action that posts PR comments.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor

github-actions Bot commented May 7, 2026

conformance test report

apiVersion: gateway.networking.k8s.io/v1
date: "2026-05-07T09:26:22Z"
gatewayAPIChannel: experimental
gatewayAPIVersion: v1.3.0
implementation:
  contact: null
  organization: APISIX
  project: apisix-ingress-controller
  url: https://github.com/apache/apisix-ingress-controller.git
  version: v2.0.0
kind: ConformanceReport
mode: default
profiles:
- core:
    failedTests:
    - GatewayModifyListeners
    result: failure
    skippedTests:
    - HTTPRouteHTTPSListener
    statistics:
      Failed: 1
      Passed: 31
      Skipped: 1
  extended:
    failedTests:
    - HTTPRouteBackendProtocolWebSocket
    result: failure
    skippedTests:
    - HTTPRouteRedirectPortAndScheme
    statistics:
      Failed: 1
      Passed: 10
      Skipped: 1
    supportedFeatures:
    - GatewayAddressEmpty
    - GatewayPort8080
    - HTTPRouteBackendProtocolWebSocket
    - HTTPRouteDestinationPortMatching
    - HTTPRouteHostRewrite
    - HTTPRouteMethodMatching
    - HTTPRoutePathRewrite
    - HTTPRoutePortRedirect
    - HTTPRouteQueryParamMatching
    - HTTPRouteRequestMirror
    - HTTPRouteResponseHeaderModification
    - HTTPRouteSchemeRedirect
    unsupportedFeatures:
    - GatewayHTTPListenerIsolation
    - GatewayInfrastructurePropagation
    - GatewayStaticAddresses
    - HTTPRouteBackendProtocolH2C
    - HTTPRouteBackendRequestHeaderModification
    - HTTPRouteBackendTimeout
    - HTTPRouteParentRefPort
    - HTTPRoutePathRedirect
    - HTTPRouteRequestMultipleMirrors
    - HTTPRouteRequestPercentageMirror
    - HTTPRouteRequestTimeout
  name: GATEWAY-HTTP
  summary: Core tests failed with 1 test failures. Extended tests failed with 1 test
    failures.
- core:
    failedTests:
    - GatewayModifyListeners
    - TLSRouteSimpleSameNamespace
    result: failure
    statistics:
      Failed: 2
      Passed: 9
      Skipped: 0
  name: GATEWAY-TLS
  summary: Core tests failed with 2 test failures.
- core:
    failedTests:
    - GRPCExactMethodMatching
    - GRPCRouteHeaderMatching
    - GRPCRouteListenerHostnameMatching
    - GatewayModifyListeners
    result: failure
    statistics:
      Failed: 4
      Passed: 8
      Skipped: 0
  name: GATEWAY-GRPC
  summary: Core tests failed with 4 test failures.
