Container Registry: Will there be rate limits for public package manifest queries?

From reading GitHub Package billing (stated to be the same for Container Registry in the future), Container Registry is said to be free for storage and transfer for public repositories.

Docker (or OCI) manifests are used to check if the image is still the same, or just for querying meta information from the selected container. Will there be any rate limits based on IP address for this, or is this also included in the free statement? (amount of queries coming from the same place)

The current workflow for getting manifest information requires getting a token from ghcr.io/auth, which is then used for getting the manifest information.

Knowing whether manifest queries will stay limitless (or high count) for anonymous users is an important factor for me in whether the registry would be usable.

(Sidenote: I noticed that auth tokens last for a very long time (at least more than 24 hours). I'm not sure if this is intended.)

There are some abuse rate limits on all Packages (Container Registry included) and they look at volume and bandwidth. So high-volume requests for manifests could trigger timeouts, and high-bandwidth pulls as well.

Is there a specific service or use case you have in mind?

An example use case would be the following:

I have at least 200 different public packages in Container Registry.
There is an external tool which gets meta information about the state of these packages. This tool is potentially used by anonymous users.
Updating information related to containers requires the following steps for each package:

  • Get an auth token (pull access for the package)
  • Get the manifest (you seem to support only the latest Docker manifest version 2.2, which requires the following extra request)
  • Based on the manifest, get the digest for the container configuration file, and download this configuration file

Basically, 3 requests are required per package, which in this case would be 600 requests in a short time to update meta information about the containers. Is this at risk of reaching the abuse rate limits? What if I have 500 packages?
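
The three-step flow described in the post above, as an added example (not code from the thread or from GitHub) that caches tokens and config blobs so repeat polls cost one manifest request per package, and checks each config blob against the digest named in its manifest. Assumptions: the injected `http_get` transport, the `/auth` token path as named in the post with a standard `scope` query, the `example/pkgN` names, and tokens that stay valid between polls are all hypothetical or constructed.

```python
import hashlib
import json

MANIFEST_V2 = "application/vnd.docker.distribution.manifest.v2+json"

class MetadataPoller:
    def __init__(self, http_get, registry="https://ghcr.io", token_path="/auth"):
        self.http_get = http_get  # assumed transport: (url, headers) -> body bytes
        self.registry, self.token_path = registry, token_path  # path as named in the post
        self.tokens, self.configs, self.requests = {}, {}, 0
    def _get(self, url, headers):
        self.requests += 1  # count every call that reaches the registry
        return self.http_get(url, headers)
    def _token(self, repo):
        if repo not in self.tokens:  # step 1: once per package, not once per poll
            url = f"{self.registry}{self.token_path}?scope=repository:{repo}:pull"
            self.tokens[repo] = json.loads(self._get(url, {}))["token"]
        return self.tokens[repo]
    def image_config(self, repo, tag="latest"):
        auth = {"Authorization": f"Bearer {self._token(repo)}"}
        url = f"{self.registry}/v2/{repo}/manifests/{tag}"
        manifest = json.loads(self._get(url, {**auth, "Accept": MANIFEST_V2}))  # step 2
        digest = manifest["config"]["digest"]
        if digest not in self.configs:  # step 3: only when the config digest is new
            blob = self._get(f"{self.registry}/v2/{repo}/blobs/{digest}", auth)
            if "sha256:" + hashlib.sha256(blob).hexdigest() != digest:
                raise ValueError(f"config blob for {repo} does not match {digest}")
            self.configs[digest] = json.loads(blob)
        return self.configs[digest]

def fake_registry():  # constructed in-memory stand-in so the example runs offline
    blobs = {}
    def http_get(url, headers):
        if "?scope=" in url:
            return json.dumps({"token": "constructed-token"}).encode()
        if "/manifests/" in url:
            repo = url.split("/v2/")[1].split("/manifests/")[0]
            blob = json.dumps({"os": "linux", "labels": {"repo": repo}}).encode()
            digest = "sha256:" + hashlib.sha256(blob).hexdigest()
            blobs[digest] = blob
            return json.dumps({"schemaVersion": 2, "config": {"digest": digest}}).encode()
        return blobs[url.rsplit("/", 1)[1]]
    return http_get

def demo(n_packages=200, polls=2):
    poller = MetadataPoller(fake_registry())
    for i in range(n_packages * polls):
        poller.image_config(f"example/pkg{i % n_packages}")
    return poller.requests
```

With 200 packages the first poll still issues 600 requests, but a second poll of unchanged images adds only 200, for 800 in total instead of 1200.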