Still trying to wrap my head around who is actually hitting those docker limits

We hit them with our CI processes. Actually, I was a bit surprised that it happened because we only do 10-15 builds a day which shouldn't have triggered the throttle. Maybe there are some background checks that are happening in CircleCI that we don't know about or something.

Most CI systems used GET requests to fetch image manifests, in order to see what the registry's most recent image is. These requests are counted towards the limits in Docker's new rules.

Systems which built on top of the GGCR library[0] are switching to using HEAD requests instead[1]. These don't fetch the entire manifest, instead relying on just headers to detect that a change has occurred.

[0] https://github.com/google/go-containerregistry

[1] https://github.com/concourse/concourse/releases/tag/v6.7.0