fix(supply-chain): authenticate promote-core scan job to authenticated upstreams #237
…d upstreams

The scan job pulls the candidate bytes with crane (mirror-verify only resolves the digest, deliberately not copying, to preserve scan-before-publish RT-4). For an authenticated upstream like dhi.io that pull 401s, because the scan job had no upstream credentials. A bake run of the dhi-postgres-17 mirror caller failed here:

    GET https://dhi.io/token?scope=repository:postgres:pull: 401 Unauthorized

Add optional UPSTREAM_REGISTRY_USERNAME / UPSTREAM_REGISTRY_TOKEN secrets and, when supplied, crane auth login to the registry host derived from source_ref before the pull. Anonymous upstreams (e.g. gcr.io distroless) are unaffected since login is skipped when creds are absent.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
CodeRabbit: Warning, review limit reached.
Next review available in: 18 minutes. Review details: Configuration used: defaults; Review profile: CHILL; Plan: Pro. Files selected for processing (1)
PR Review

PREMISE OK — legitimate forward fix, third in the #234→#236 promote-core hardening series. No regression, no colliding PRs, and the scan job's trust boundary (

No Critical or Important findings. SonarCloud quality gate passed (0 new issues); all CI checks green.

Suggested (optional):

Verified clean: secrets passed via step

Note: CodeRabbit's check is green but its review did not run (rate-limited). Re-trigger with

🤖 Generated with Claude Code
Summary

A bake run of the dhi-postgres-17 mirror caller (container-images #29, merged) failed in promote-core's scan job:

The scan job pulls the candidate bytes with crane (mirror-verify only resolves the digest, deliberately not copying, to keep scan-before-publish, RT-4). For an authenticated upstream like dhi.io that pull 401s, because the scan job carried no upstream credentials. The design was correct for anonymous upstreams (gcr.io distroless) and silently broken for authenticated ones.

Fix

- UPSTREAM_REGISTRY_USERNAME / UPSTREAM_REGISTRY_TOKEN secrets to promote-core.
- source_ref (${SOURCE_REF%%/*}) and crane auth login before the pull. The password is --add-masked and passed via --password-stdin.

Validation

- yaml.safe_load clean; actionlint clean; all pre-commit hooks pass.
- promote-core correctness fix surfaced by validating the first real caller end-to-end (after fix(supply-chain): pass --source-digest from promote-core to the lock updater #235, source-digest, and refactor(supply-chain): replace Trivy with Grype in promote-core scan gate #236, Trivy->Grype). All three are runtime-only failures invisible to static review of the caller.

Follow-up

After merge, the caller (container-images supply-chain-mirror.yml) needs to pass DHI creds to the new secrets and re-pin to the post-merge .github SHA, then re-run the bake.

Generated with Claude Code
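The login step the PR describes, written out as an added shell example (not the promote-core workflow's own code): the host is derived from source_ref as in the PR's ${SOURCE_REF%%/*}, generalised with the Docker reference rule so a short Docker Hub name is not mistaken for a registry host, and the login is skipped when the secrets are empty. The function names and the SOURCE_REF / UPSTREAM_REGISTRY_* variable names are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not code from the promote-core workflow. Assumed inputs:
# SOURCE_REF, UPSTREAM_REGISTRY_USERNAME, UPSTREAM_REGISTRY_TOKEN.
set -eu

# Registry host for an image reference. Generalises ${SOURCE_REF%%/*}:
# by the Docker reference grammar the first path component is a host only
# if it contains '.' or ':' or is 'localhost'; anything else is a Docker Hub
# repository, so the host is index.docker.io.
registry_host_from_ref() {
  local ref="$1" first
  first="${ref%%/*}"
  case "$first" in
    *.*|*:*|localhost) printf '%s\n' "$first" ;;
    *)                 printf '%s\n' 'index.docker.io' ;;
  esac
}

# Log crane in to the upstream only when both credentials were supplied.
# Last line printed is "login:<host>" or "anonymous:<host>" so a caller can
# check which path ran. The token never appears in argv (visible to ps and
# to Actions' command echo): it is masked in the log and fed on stdin.
upstream_login() {
  local ref="$1" user="${2:-}" token="${3:-}" host
  host="$(registry_host_from_ref "$ref")"
  if [ -z "$user" ] || [ -z "$token" ]; then
    printf 'anonymous:%s\n' "$host"   # e.g. gcr.io distroless: no login needed
    return 0
  fi
  echo "::add-mask::$token"           # GitHub Actions: redact token from logs
  printf '%s' "$token" \
    | crane auth login --username "$user" --password-stdin "$host" >/dev/null
  printf 'login:%s\n' "$host"
}

# In the scan job step (secrets mapped to env by the workflow, assumed names):
# upstream_login "$SOURCE_REF" "${UPSTREAM_REGISTRY_USERNAME:-}" "${UPSTREAM_REGISTRY_TOKEN:-}"
```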