Artifact Registry — Container & package storage
A private Docker registry (and npm, Maven, Python) hosted by Google. Cloud Build pushes images here, Cloud Run pulls them from here.
Artifact Registry is a unified repository for Docker images, OCI artifacts, and language packages (npm, Maven, Python, Go, Apt, Yum). Each repository is regional (single region) or multi-regional, with per-repo IAM.
Authentication: `gcloud auth configure-docker REGION-docker.pkg.dev` configures Docker to authenticate with gcloud's active credentials. For CI/CD, the pipeline's service account needs `roles/artifactregistry.writer` on the repo.
Image URI format: `LOCATION-docker.pkg.dev/PROJECT-ID/REPOSITORY/IMAGE:TAG`. Example: `europe-west1-docker.pkg.dev/dualo-prod/apps/dualo:latest`. Tags are mutable by default — prefer digests (`sha256:...`) for deployments to guarantee immutability.
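An added example (not code from the original page or from Google): a deploy-time check that parses the image URI format above, rejects tag-only references, and rewrites a tag reference to digest form. The function names and the sample digest are assumptions made for illustration; the digest is expected to come from your build output.

```python
import re
from typing import NamedTuple, Optional

# LOCATION-docker.pkg.dev/PROJECT-ID/REPOSITORY/IMAGE[:TAG][@sha256:<64 hex>]
# Assumes a plain project ID (no domain-scoped "example.com/project" form).
_REF = re.compile(
    r"(?P<location>[a-z0-9]+(?:-[a-z0-9]+)*)-docker\.pkg\.dev/"
    r"(?P<project>[a-z0-9-]+)/(?P<repository>[a-z0-9-]+)/(?P<image>[a-z0-9._/-]+)"
    r"(?::(?P<tag>[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?"
)
_DIGEST = re.compile(r"sha256:[0-9a-f]{64}")


class ImageRef(NamedTuple):
    location: str
    project: str
    repository: str
    image: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image_ref(ref: str) -> ImageRef:
    """Split a reference into its parts; raise ValueError on anything else."""
    m = _REF.fullmatch(ref)
    if m is None:
        raise ValueError(f"not an Artifact Registry Docker reference: {ref!r}")
    return ImageRef(**m.groupdict())


def is_pinned(ref: str) -> bool:
    """True only when the reference names an immutable sha256 digest."""
    return parse_image_ref(ref).digest is not None


def pin(ref: str, digest: str) -> str:
    """Rewrite a reference to digest form, dropping the mutable tag."""
    if not _DIGEST.fullmatch(digest):
        raise ValueError(f"malformed digest: {digest!r}")
    r = parse_image_ref(ref)
    if r.digest and r.digest != digest:
        raise ValueError("reference is already pinned to a different digest")
    return f"{r.location}-docker.pkg.dev/{r.project}/{r.repository}/{r.image}@{digest}"


# Constructed sample values: the URI is the page's example, the digest is made up.
SAMPLE_TAGGED = "europe-west1-docker.pkg.dev/dualo-prod/apps/dualo:latest"
SAMPLE_DIGEST = "sha256:" + "ab" * 32
```

Run `is_pinned` over every image reference in a deployment manifest and fail the pipeline on the first `False`.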
Features: Container Analysis scans pushed images for known CVEs; vulnerability data is accessible via API and integrated with Binary Authorization. Retention/cleanup policies auto-delete old versions by age or count.
Storage cost: $0.10/GB/month. Network egress within the same region (to Cloud Run, GKE, etc.) is free; cross-region pulls incur network charges. Private images are gated by IAM with no 'Docker Hub credentials' sprawl.
Grounded on https://cloud.google.com/artifact-registry/docs/overview