@paralta paralta commented Jan 9, 2026

This PR decouples the Directory server from Zot-specific APIs, enabling deployment with tested OCI-compatible registries (Docker Hub, GHCR). The implementation adds a registry type configuration that dispatches to registry-specific behavior while maintaining backward compatibility with existing Zot deployments.

Note: This PR only addresses interface abstraction. The Zot registry deployment configuration remains unchanged. While we can now interface with GHCR and Docker Hub for basic operations, sync and sign/verify features are not yet supported for these registries.

Changes

  • Add RegistryType configuration (zot, ghcr, dockerhub) via DIRECTORY_SERVER_STORE_OCI_TYPE environment variable
  • Implement registry-specific readiness checks: Zot uses /readyz endpoint, GHCR/Docker Hub use OCI tag listing
  • Rename VerifyWithZot() → VerifySignature() and dispatch based on registry type (GHCR/Docker Hub verification tracked in [Feature]: Server-side Signature Verification Without Zot #798)
  • Conditionally upload public keys to Zot's /v2/_zot/ext/cosign only for Zot registries
  • Return Unimplemented error when remote registries don't support OCI delete API (e.g., GHCR returns 405)

Validation Results

Registry Push Pull Search Delete
Docker Hub
GHCR ⚠️ Not supported via OCI API (known limitation)

Tested with task server:start using the following configuration:

DIRECTORY_SERVER_STORE_OCI_TYPE=ghcr # or dockerhub
DIRECTORY_SERVER_STORE_OCI_REGISTRY_ADDRESS=ghcr.io # or docker.io
DIRECTORY_SERVER_STORE_OCI_REPOSITORY_NAME=<user>/<repo>
DIRECTORY_SERVER_STORE_OCI_AUTH_CONFIG_USERNAME=<github-username>
DIRECTORY_SERVER_STORE_OCI_AUTH_CONFIG_PASSWORD=<github-pat>

Pushed records were verified on both GHCR and Docker Hub web interfaces.
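
As an added illustration (not code from this PR or the Directory project), the Go sketch below shows the two behaviors from the Changes list: choosing the readiness probe by registry type, and turning an HTTP 405 on delete into an Unimplemented-style error. The names ReadinessPath, DeleteManifest and ErrUnimplemented are hypothetical, the repository name is constructed, and the tag-listing and manifest-delete paths are the ones defined by the OCI distribution spec.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// RegistryType holds the values the PR lists for DIRECTORY_SERVER_STORE_OCI_TYPE.
type RegistryType string

// ErrUnimplemented is a hypothetical stand-in for the server's Unimplemented error.
var ErrUnimplemented = errors.New("registry does not support the OCI delete API")

// ReadinessPath picks the probe per registry type and rejects unknown types.
func ReadinessPath(t RegistryType, repo string) (string, error) {
	switch t {
	case "zot":
		return "/readyz", nil
	case "ghcr", "dockerhub":
		return "/v2/" + repo + "/tags/list", nil
	}
	return "", fmt.Errorf("unsupported registry type %q", t)
}

// DeleteManifest sends the OCI manifest delete and maps 405 to ErrUnimplemented.
func DeleteManifest(c *http.Client, base, repo, digest string) error {
	req, err := http.NewRequest(http.MethodDelete, base+"/v2/"+repo+"/manifests/"+digest, nil)
	if err != nil {
		return err
	}
	resp, err := c.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	switch resp.StatusCode {
	case http.StatusAccepted: // success status for delete in the OCI distribution spec
		return nil
	case http.StatusMethodNotAllowed: // e.g. GHCR, per the PR description
		return ErrUnimplemented
	}
	return fmt.Errorf("delete %s: unexpected status %s", digest, resp.Status)
}

func main() {
	p, err := ReadinessPath("ghcr", "example-user/example-repo") // constructed repo name
	fmt.Println(p, err)
}
```

Rejecting an unknown registry type instead of falling back to a default keeps a mistyped configuration value from silently selecting the wrong probe.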

github-actions bot commented Jan 9, 2026

The latest Buf updates on your PR. Results from workflow Buf CI / verify-proto (pull_request).

Build | Format | Lint | Breaking | Updated (UTC)
✅ passed | ⏩ skipped | ⏩ skipped | ✅ passed | Jan 9, 2026, 4:57 PM

@github-actions github-actions bot added the size/M Denotes a PR that changes 200-999 lines label Jan 9, 2026
@paralta paralta linked an issue Jan 9, 2026 that may be closed by this pull request

Development

Successfully merging this pull request may close these issues.

[Feature]: Abstract OCI Registry Interface from Zot-specific APIs