Skip to main content

Artifact Repositories

Artifact Repositories collect package and binary artifacts that authors need to build, validate, and run governed data work. Qarion supports private Python package repositories, hosted OCI repositories, and model artifact storage.

Python Packages

Private Python package repositories expose PyPI-compatible endpoints for pip and twine. Use them for internal wheels, CLI packages, SDK builds, and controlled dependency mirrors.

Repository admins can:

  • Create space-wide or project-scoped repositories.
  • Upload, yank, archive, or delete package files.
  • Import exact package releases from public PyPI.
  • Enable vulnerability scanning and install blocking policy.

Use an API key with Basic auth username __token__ when configuring package clients.

OCI Repositories

OCI repositories can host Docker images, Helm charts, and generic OCI artifacts. Repositories can be space-wide or attached to project scopes with explicit user/team grants.

Repository users can:

  • Log in with Docker or Helm using a Qarion API key.
  • Push and pull Docker images or Helm charts.
  • Browse artifacts, tags, manifests, and blobs.
  • Import exact public Docker or Helm OCI references into a private repository.

Public import supports Docker Hub and Artifact Hub search helpers, but imports always require an exact source reference with a tag or digest.

Access And Safety

Use project-scoped repositories when a package or image should be limited to a specific project. Space-wide repositories are better for shared platform tools.

Keep package indexes and OCI repositories private by default. Missing or inaccessible packages, repositories, and artifacts return not-found responses to package and registry clients to avoid leaking scope details.

Maintainers can find deployment-level details in the repository operations docs: docs/operations/oci-registries.md and docs/operations/python-package-repositories.md.