Elastic Container Registry (ECR) for example supports Tag Immutability (TI). TI implies that docker tags cannot be overwritten if they exist in a docker-registry.
The settings of the organization and the ones from a repository were inspected, but no TI setting was found.
Questions
At first glance, it seems that tag immutability is not a feature provided by Quay. You can enable "Trust and Signing" in the "settings" of the repo:
Please note that this will not prevent users from overwriting signed tags without updating signatures. This means that:
- Any tag operations in the UI or client can cause inconsistency
- Builds should not push to signed tags
We recommend you maintain a strict separation between signed and unsigned tags to avoid any issues with garbage collection.
So, you can sign tags, but you can't prevent them from being updated.
