Guide
Pick a starting point.
Try it locally
If you just want to see the system run, jump to the Quickstart. It boots Postgres + Redis + MinIO via Docker Compose, applies the migration tree, and starts the API and the frontend. Total time-to-working-registry is about five minutes on a warm laptop.
Then Getting started with the API walks the same flow end-to-end against the REST surface — sign in, mint a service-account token, push an artifact, pull it back, promote it, and end on a .gitlab-ci.yml snippet that drops the same calls into a real pipeline. This is the right page to share with the developer who'll wire OrbitalReg into your CI.
Install for real
Installation walks through the supported deployment shapes:
- Helm chart (the recommended path)
- Manual manifests for non-Helm clusters
- Single-binary install behind a reverse proxy
- Air-gapped install — chart pull, image bundle, license envelope
Each shape is fully self-hosted; nothing calls home.
Build your mental model
Before you wire OrbitalReg into your CI, read Architecture and Core concepts. The shape of the data model — projects, repositories, artifacts, scans, findings, blocks, retention — informs every decision your platform team will make about how to model their package estate.
Loading states + pagination contract
Loading states documents three things: the four shared UI primitives (Skeleton / Spinner / ProgressBar / LoadingBar), which of the list endpoints speak the cursor-paginated {items, next_cursor, has_more} envelope, and the poll-vs-stream rule for long-running backend jobs (bulk imports, pull-gate refresh, geo-sync).
Move between versions
Upgrading covers the version-to-version migration story. The short version: every release is forward-compatible at the API level within a major version. Major version bumps document each breaking change with a migration recipe.
Glossary
The terms used throughout this guide:
| Term | Meaning |
|---|---|
| Project | A logical grouping of repositories with shared owners and governance settings. |
| Repository | A typed package store inside a project (one Maven repo, one npm repo, …). |
| Artifact | A single uploaded package version. Identity is (repo_id, path, version). |
| Scan | A single run of one scanner (Trivy / Grype / Syft / OSV) against an artifact. |
| Finding | An individual vulnerability or license issue produced by a scan. |
| Security block | An admin-authored rule that prevents downloads matching a pattern. |
| Retention policy | A rule that prunes old versions from a repository on a schedule. |
| Service account | A non-human principal that holds API tokens for CI / automation. |
| Promotion | Moving an artifact between repositories under a gate (CVE / license / scan). |