Project Quay: PROJQUAY-8665

Please make registry.stage.redhat.io internal-only

    • Task
    • Resolution: Won't Do
    • Major

      As discussed here:
      https://chat.google.com/room/AAAAEj9A6Q8/2Yy4gPI--WE

      Please make registry.stage.redhat.io internal.

      The registry.redhat.io and brew.registry.redhat.io endpoints should remain accessible externally.

      The registry.stage.redhat.io endpoint was always intended to be internal-only. This had been previously achieved by publishing our stage container content to the internal-only Crane instance.

      Now that Project Dynamo eliminates the use of Crane, the stage content is available externally from quay.io/redhat-pending. It is private, and requires a token to access via API. The manifests and blobs are hosted on the CDN used by Quay.io, and this is protected via HMAC (provided when redirecting from Quay.io via API).

      Starting 2022-03-01, and finishing around 2022-10-21, repositories in registry.stage.redhat.io were switched over to use the content in quay.io/redhat-pending, rather than the internal Crane instance. This means the container images became gradually available publicly over that period, and remain available today.

      Public availability via registry.stage.redhat.io is still dependent on having a valid login. That registry proxy instance uses the stage SSO instance for auth.

      To make the stage content internal-only again, the registry.stage.redhat.io endpoint should be made internal-only.

              Unassigned
              Tim Waugh (twaugh@redhat.com)