Skip to content

Support pulling a private image; dogfood the action in CI#3

Merged
satsura merged 1 commit into
mainfrom
feat/private-registry
Jul 11, 2026
Merged

Support pulling a private image; dogfood the action in CI#3
satsura merged 1 commit into
mainfrom
feat/private-registry

Conversation

@satsura

@satsura satsura commented Jul 11, 2026

Copy link
Copy Markdown
Contributor

The published image is private (the organization disallows public packages), so an unauthenticated pull 403s. Rather than block on that policy, make both wrappers able to pull a private image.

  • GitHub action: logs in to the image's registry before running. Defaults to the job's GITHUB_TOKEN, which is enough for an image in the same organization (permissions: packages: read); pass registry-token for anything else, or leave it empty for a public image.
  • GitLab template: documented DOCKER_AUTH_CONFIG (group-level variable holding a base64 user:PAT with read:packages) — GitLab hands it to the runner automatically.
  • url / secret are now optional so mode: off runs (scan-only, no upload) work without them.
  • Dogfood job: CI now runs the published image on this repo through the action itself — which exercises the private-pull path end to end, so a broken pull fails the PR instead of the first pipeline that consumes it.

Once the org allows public packages the login is a no-op for consumers who drop the token.

@satsura satsura merged commit 4ca1e01 into main Jul 11, 2026
3 checks passed
@satsura satsura deleted the feat/private-registry branch July 11, 2026 11:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants