Getting Started — Installation

This page gives concrete commands and practices for fetching OpenWit images, checking what you pulled, scanning or signing them, then using them in your local or CI pipelines.

1. Getting images

Public release example

# pull latest stable release (replace with your actual repo/name)
docker pull ghcr.io/yourorg/openwit:latest

# pull a versioned tag
docker pull ghcr.io/yourorg/openwit:v1.2.3

Private registry or Docker Hub

# login
docker login ghcr.io               # or docker.io, registry.example.com, etc.

# pull from a private or internal registry
docker pull registry.example.com/yourorg/openwit:stable

Notes and best practices

  • Use versioned tags like v1.2.3 for production; latest is acceptable for local experimentation only
  • Prefer immutable tags that include a build identifier such as v1.2.3+sha-abcdef
  • Use multi-arch images if you support multiple CPU types, and verify the image manifest list
  • Always pull from a trusted registry and require authentication for private deployments

2. Verifying images

Quick checks after pulling

docker images | grep openwit
docker inspect ghcr.io/yourorg/openwit:v1.2.3
docker run --rm ghcr.io/yourorg/openwit:v1.2.3 --version

Security and provenance in CI

Scan images with Trivy:

trivy image ghcr.io/yourorg/openwit:v1.2.3

Sign and verify release images with cosign:

cosign sign --key cosign.key ghcr.io/yourorg/openwit:v1.2.3
cosign verify --key cosign.pub ghcr.io/yourorg/openwit:v1.2.3
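
The checks above can be chained into a single CI gate. The script below is an added example, not part of the OpenWit project: it resolves the pulled tag to its registry digest, verifies the cosign signature on that digest, and fails the job on HIGH or CRITICAL trivy findings. The function names, exit codes and the gate.sh file name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the OpenWit project). Assumes docker, cosign and
# trivy are on PATH and that the image reference carries a tag.

# Print the repo@sha256:... digest the registry reported for a pulled image.
pinned_ref() {
    repo=${1%:*}                       # strip the tag: repo:v1.2.3 -> repo
    digests=$(docker inspect \
        --format '{{range .RepoDigests}}{{println .}}{{end}}' "$1") || return 1
    for d in $digests; do
        case $d in
            "$repo"@sha256:*) printf '%s\n' "$d"; return 0 ;;
        esac
    done
    return 1                           # locally built, or no digest for this repo
}

# Gate an image. Return codes: 1 = pull/digest, 2 = signature, 3 = scan.
# On success, prints the digest reference to deploy.
gate_image() {
    image=$1 pubkey=$2
    docker pull "$image" >&2 || return 1
    ref=$(pinned_ref "$image") || {
        echo "no registry digest for $image" >&2; return 1; }
    # Verify the signature on the digest, not the tag, so the bytes that
    # were checked are the bytes that get scanned and deployed.
    cosign verify --key "$pubkey" "$ref" >/dev/null || {
        echo "signature verification failed for $ref" >&2; return 2; }
    # Fail the job on HIGH or CRITICAL findings; the report goes to the CI log.
    trivy image --exit-code 1 --severity HIGH,CRITICAL "$ref" >&2 || {
        echo "scan gate failed for $ref" >&2; return 3; }
    printf '%s\n' "$ref"
}

# Usage: gate.sh ghcr.io/yourorg/openwit:v1.2.3 cosign.pub
if [ "$#" -eq 2 ]; then
    gate_image "$1" "$2"
fi
```

Later pipeline steps should deploy the printed digest reference rather than the tag. The gate fails closed when docker reports no digest under the repository name that was passed in.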