I'm curious about this regarding GCP as well. I have a few Cloud Run Containers set up pulling their image directly from Docker Hub, then injecting my single config file from a Secrets-Manager-backed volume mount. That way I don't have to maintain my own package in GCP's Package Registry when the upstream project only publishes to Docker Hub