@@ -241,9 +241,10 @@ The token is never stored in plaintext inside the sandbox. See
241241
242242### Docker registry
243243
244- To let the agent push images it builds to a private registry, store registry
245- credentials on your host. The agent can then run ` docker build ` and
246- ` docker push ` without any extra authentication:
244+ To push or pull private images, including [ templates] ( customize/templates.md ) ,
245+ configure registry credentials for ` sbx ` to use. The agent can then run `docker
246+ build` and ` docker push` , and ` sbx` can resolve private image references,
247+ without any extra authentication:
247248
248249``` console
249250$ gh auth token | sbx secret set --registry ghcr.io \
@@ -254,8 +255,11 @@ $ echo "$ACR_PASSWORD" | sbx secret set --registry myregistry.azurecr.io \
254255
255256Images and containers built inside the sandbox run on the sandbox's private
256257Docker daemon, not your host's. They're deleted when the sandbox is removed.
257- See [ Registry credentials] ( security/credentials.md#registry-credentials ) for
258- the full reference.
258+
259+ Docker Hub needs no registry credentials; ` sbx ` reuses your ` sbx login `
260+ session. For information on how registry credentials differ from other secrets,
261+ per-registry username requirements, and global versus per-sandbox scoping, see
262+ [ Registry credentials] ( security/credentials.md#registry-credentials ) .
259263
260264### Sourcing credentials from 1Password
261265
0 commit comments