docs: add blog post on GitOps with OCI registries as a Flux source using KSail

[Copilot]

Polished and added the blog post from ksail#3368.

Polish applied:

• Fixed escaped GitHub Actions template syntax ($\{\{ → ${{)
• Replaced redacted/broken links with proper URLs
• Clarified "redacted paths" → "local file paths" in the Flux limitation sentence
• Added cover image (oci-artifacts.webp), AI attribution footer
• Used .md extension and capitalized headings to match existing blog conventions
• Added ksail tag and mkdir && cd step matching other blog posts

Restructured to recommend KSail's local registry for local dev instead of GHCR:

• Rewrote the local dev walkthrough to use KSail's auto-provisioned local Docker-based OCI registry — no GHCR token or manual registry config needed
• Simplified prerequisites to Docker only (no GHCR setup for local dev)
• Moved GHCR to a dedicated "Extending to GHCR for CI" section, positioned for CI pipelines and cloud clusters (e.g., Hetzner) where a local registry isn't available
• Documented the full registry and tag resolution priority chains from KSail's source code
• Added --local-registry flag usage for cloud providers
• Updated title to "OCI Registries as a Flux Source" (not GHCR-specific)
• Renamed file from GHCR-specific slug to gitops-without-the-git-server-oci-registries-as-a-flux-source-with-ksail so the URL matches the title
• Removed workload reconcile from CI snippets since it requires cluster access (kubeconfig) unavailable on typical GitHub Actions runners; clarified Flux polls on its own interval

Original prompt

Create a PR where you polish and add the blog post in devantler-tech/ksail#3368 to my blog.

[devantler]

@copilot the blog post wrongly recommends to use GHCR with ksail for local dev workflows. It supports using a local registry, so there is no need to use GHCR to obtain the workflow. Please investigate this a little and then make changes to the blog to reflect the better practice. Also look for other possibilities to improve the blog now that you are at it.

[Copilot]

@copilot the blog post wrongly recommends to use GHCR with ksail for local dev workflows. It supports using a local registry, so there is no need to use GHCR to obtain the workflow. Pl...

Rewrote the blog post in a9cc423. After investigating KSail's source code (pkg/cli/setup/localregistry/, pkg/cli/cmd/workload/push.go, and the cluster API types), I found that KSail auto-provisions a local Docker-based OCI registry for local clusters and workload push auto-detects it — no GHCR needed for local dev.

Key changes:

• Local dev workflow now uses the auto-provisioned local registry — prerequisites simplified to just Docker, no GHCR token, no manual registry config in ksail.yaml
• GHCR moved to a dedicated "Extending to GHCR for CI" section — positioned for CI pipelines and cloud clusters (Hetzner) where a local registry isn't available
• Documented the full registry resolution priority chain from the source code (CLI arg → env var → config → GitOps resources → Docker container auto-detection)
• Added --local-registry flag usage for cloud providers, cross-referencing the Hetzner blog post pattern
• Updated title to "OCI Registries as a Flux Source" (not GHCR-specific)
• Added ksail tag and mkdir && cd step matching other blog posts

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• ksail.devantler.tech
  • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)
• telemetry.astro.build
  • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node node /home/REDACTED/.npm/_npx/aa98e6899c6baff3/node_modules/.bin/astro build (dns block)
  • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node node ./node_modules/.bin/astro build (dns block)
  • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node node ./node_modules/.bin/astro preview --port 4322 tent/docs/templates/index.md toring-secrets-in-zshrc-with-macos-keychain.md (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[Copilot]

Pull request overview

Adds a new blog post to the docs site explaining how to use OCI registries (including KSail’s local registry) as a Flux source, with an additional section on extending the workflow to GHCR for CI/cloud use cases.

Changes:

• Added a full walkthrough for local GitOps iteration using Flux + OCI artifacts via ksail workload push / ksail workload reconcile.
• Documented registry/tag resolution behavior and provided examples for both local registry and GHCR-based flows.
• Included post metadata (tags, excerpt, cover image reference) consistent with existing blog posts.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[devantler]

@copilot apply changes based on the comments in this thread

[Copilot]

@copilot apply changes based on the comments in this thread

Applied both review comments in a25f819:

1. Renamed file from ...using-ghcr-as-a-flux-source... → ...oci-registries-as-a-flux-source... so the URL slug matches the OCI-general title. No slug frontmatter field used since no other blog posts in this repo use one.

2. Removed workload reconcile from CI snippets and added clarification that Flux picks up changes on its regular polling interval — reconcile requires cluster access (kubeconfig) which is typically unavailable on GitHub Actions runners.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• telemetry.astro.build
  • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node node ./node_modules/.bin/astro build (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)