Skip to content

Timoni mod push

timoni mod push

Push a module to a container registry


The push command packages the module as an OCI artifact and pushes it to the container registry using the version as the image tag.

timoni mod push [MODULE PATH] [MODULE URL] [flags]


  # Push a module to Docker Hub using the credentials from '~/.docker/config.json'
  echo $DOCKER_PAT | docker login --username timoni --password-stdin
  timoni mod push ./path/to/module oci:// -v 1.0.0

  # Push a module to GitHub Container Registry using a GitHub token
  timoni mod push ./path/to/module oci:// \
    --version=1.0.0 \
    --creds timoni:$GITHUB_TOKEN

  # Push a release candidate without marking it as the latest stable
  timoni mod push ./path/to/module oci:// \
    --version=2.0.0-rc.1 \

  # Push a module with custom OCI annotations
  timoni mod push ./path/to/module oci:// \
    --version=1.0.0 \
    --annotation='org.opencontainers.image.licenses=Apache-2.0' \
    --annotation='org.opencontainers.image.documentation=' \
    --annotation='org.opencontainers.image.description=A module for my app.'

  # Push and sign with Cosign (the cosign binary must be present in PATH)
  echo $GITHUB_TOKEN | timoni registry login -u timoni --password-stdin
  export COSIGN_PASSWORD=password
  timoni mod push ./path/to/module oci:// \
    --version=1.0.0 \
    --sign=cosign \

  # Push a module and sign it with Cosign Keyless (the cosign binary must be present in PATH)
  echo $GITHUB_TOKEN | timoni registry login -u timoni --password-stdin
  timoni mod push ./path/to/module oci:// \
    --version=1.0.0 \


  -a, --annotation stringArray   Set custom OCI annotations in the format '<key>=<value>'.
      --cosign-key string        The Cosign private key for signing the module.
      --creds creds              The credentials for the container registry in the format '<username>[:<password>]'.
  -h, --help                     help for push
      --latest                   Tags the current version as the latest stable release. (default true)
  -o, --output string            The format in which the artifact digest should be printed, can be 'yaml' or 'json'.
      --sign string              Signs the module with the specified provider.
  -v, --version version          The version of the module e.g. '1.0.0' or '1.0.0-rc.1'.

Options inherited from parent commands

      --cache-dir string                    Artifacts cache dir, can be disable with 'TIMONI_CACHING=false' env var. (defaults to "$HOME/.timoni/cache")
      --kube-as string                      Username to impersonate for the operation. User could be a regular user or a service account in a namespace.
      --kube-as-group stringArray           Group to impersonate for the operation, this flag can be repeated to specify multiple groups.
      --kube-as-uid string                  UID to impersonate for the operation.
      --kube-certificate-authority string   Path to a cert file for the certificate authority.
      --kube-client-certificate string      Path to a client certificate file for TLS.
      --kube-client-key string              Path to a client key file for TLS.
      --kube-context string                 The name of the kubeconfig context to use.
      --kube-insecure-skip-tls-verify       if true, the Kubernetes API server's certificate will not be checked for validity. This will make your HTTPS connections insecure.
      --kube-server string                  The address and port of the Kubernetes API server.
      --kube-tls-server-name string         Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used.
      --kube-token string                   Bearer token for authentication to the API server.
      --kubeconfig string                   Path to the kubeconfig file.
      --log-color                           Adds colorized output to the logs. (defaults to false when no tty)
      --log-pretty                          Adds timestamps to the logs. (default true)
  -n, --namespace string                    The the namespace scope for the operation. (default "default")
      --registry-insecure                   If true, allows connecting to a container registry without TLS or with a self-signed certificate.
      --timeout duration                    The length of time to wait before giving up on the current operation. (default 5m0s)