add registry-login input for optional registry auth before build #117

Open
crazy-max wants to merge 1 commit into main from registry-login

@crazy-max
Member

This PR adds an explicit registry-login input to both reusable workflows. It allows logging in to registries before the build step when users need to pull private images even if push is false or output is not image. The input supports auto, true, and false, with auto keeping current behavior by logging in only when output is image and push is true. The workflows now validate this input and fail when login is enabled but registry-auths is not provided.

crazy-max force-pushed the registry-login branch 3 times, most recently from 1f53313 to 97e2afd (February 16, 2026 15:09)
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
crazy-max marked this pull request as ready for review (February 16, 2026 15:13)
crazy-max requested a review from a team as a code owner (February 16, 2026 15:13)
Member

@tonistiigi tonistiigi left a comment

I'm not sure why this isn't the default.

If this is to prevent early login for public pull then that could be handled with the scope property.

If this is needed, then why isn't it in registry auth config, per-registry?

@crazy-max
Member Author

crazy-max commented Feb 20, 2026

> I'm not sure why this isn't the default.
>
> If this is to prevent early login for public pull then that could be handled with the scope property.
>
> If this is needed, then why isn't it in registry auth config, per-registry?

Good point. I tested this and registry-auths presence is not a safe signal: on fork PRs the YAML can still be non-empty while secret values inside resolve to empty, so login fails. scope is useful per-registry, but it doesn't solve event/fork gating. For that reason I kept registry-login explicit (default auto to preserve current behavior), and callers can opt in with a fork-safe condition like:

    registry-login: ${{ github.event_name != 'pull_request' || !github.event.pull_request.head.repo.fork }}

This is similar to what we do in our repos like https://github.com/moby/buildkit-bench/blob/0ba0908a5f906bc469d6ebdca9731942432c81c9/.github/workflows/ci.yml#L81 but here we gate the login-action.

Alternatively we would have a new skip attribute in registry-auths yaml object like:

    secrets:
      registry-auths: |
        - registry: docker.io
          username: ${{ vars.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
          skip: ${{ github.event_name == 'pull_request' }}

Or enable:

    secrets:
      registry-auths: |
        - registry: docker.io
          username: ${{ vars.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
          enable: ${{ github.event_name != 'pull_request' }}

WDYT?
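
The `auto`/`true`/`false` resolution from the PR description, together with a check for the fork-PR case described in the comment above (non-empty `registry-auths` whose secret values expanded to empty), as an added JavaScript example. It is not code from this PR or from the project; the function names, the field names and the sample input are assumptions made for illustration.

```javascript
// Added illustration, not the PR's implementation. All names are hypothetical.

// Decide whether to log in before the build, per the PR description:
//   auto  -> log in only when output is "image" and push is true
//   true  -> always log in;  false -> never log in
// Enabling login without registry-auths is an error.
function resolveRegistryLogin({ registryLogin = 'auto', output, push, registryAuths = '' }) {
  if (!['auto', 'true', 'false'].includes(registryLogin)) {
    throw new Error(`invalid registry-login value: ${registryLogin}`);
  }
  const login = registryLogin === 'auto'
    ? output === 'image' && push === true
    : registryLogin === 'true';
  if (login && registryAuths.trim() === '') {
    throw new Error('registry-login is enabled but registry-auths is not provided');
  }
  return login;
}

// Line-based scan (a simplification, not a full YAML parser) that returns the
// registries whose username or password is empty after expression expansion.
function entriesWithEmptyCredentials(registryAuths) {
  const bad = new Set();
  let current = null;
  for (const line of registryAuths.split('\n')) {
    const m = line.match(/^\s*(?:-\s+)?([\w-]+):\s*(.*)$/);
    if (!m) continue;
    const key = m[1];
    const value = m[2].trim().replace(/^(['"])(.*)\1$/, '$2'); // strip quotes
    if (key === 'registry') current = value;
    if ((key === 'username' || key === 'password') && value === '' && current !== null) {
      bad.add(current);
    }
  }
  return [...bad];
}

// Constructed sample: registry-auths as it could look on a fork PR once the
// secret has resolved to an empty string. The text is non-empty, so a
// presence check alone passes.
const FORK_PR_AUTHS = [
  '- registry: docker.io',
  '  username: exampleuser',
  '  password: ',
].join('\n');
```

With `FORK_PR_AUTHS`, `resolveRegistryLogin` with `registryLogin: 'true'` returns `true` because the input is present, while `entriesWithEmptyCredentials` reports `docker.io`, which is the gap between "input provided" and "credentials usable" that the comment points out.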

Development

Successfully merging this pull request may close these issues.

Allow registry auth for local output Docker Login not just for push?
