Skip to content

fix(supply-chain): authenticate promote-core scan job to authenticated upstreams#237

Merged
williaby merged 1 commit into
mainfrom
fix/promote-core-upstream-auth
Jun 30, 2026
Merged

fix(supply-chain): authenticate promote-core scan job to authenticated upstreams#237
williaby merged 1 commit into
mainfrom
fix/promote-core-upstream-auth

Conversation

@williaby

Copy link
Copy Markdown
Collaborator

Summary

A bake run of the dhi-postgres-17 mirror caller (container-images #29, merged) failed in promote-core's scan job:

Error: GET https://dhi.io/token?scope=repository:postgres:pull: 401 Unauthorized

The scan job pulls the candidate bytes with crane (mirror-verify only resolves the digest, deliberately not copying, to keep scan-before-publish, RT-4). For an authenticated upstream like dhi.io that pull 401s, because the scan job carried no upstream credentials. The design was correct for anonymous upstreams (gcr.io distroless) and silently broken for authenticated ones.

Fix

  • Add optional UPSTREAM_REGISTRY_USERNAME / UPSTREAM_REGISTRY_TOKEN secrets to promote-core.
  • In the scan job's materialize step, when both are supplied, derive the registry host from source_ref (${SOURCE_REF%%/*}) and crane auth login before the pull. The password is --add-masked and passed via --password-stdin.
  • Anonymous upstreams are unaffected: login is skipped when creds are absent.

Validation

Follow-up

After merge, the caller (container-images supply-chain-mirror.yml) needs to pass DHI creds to the new secrets and re-pin to the post-merge .github SHA, then re-run the bake.

Generated with Claude Code

…d upstreams

The scan job pulls the candidate bytes with crane (mirror-verify only resolves
the digest, deliberately not copying, to preserve scan-before-publish RT-4).
For an authenticated upstream like dhi.io that pull 401s, because the scan job
had no upstream credentials. A bake run of the dhi-postgres-17 mirror caller
failed here:

  GET https://dhi.io/token?scope=repository:postgres:pull: 401 Unauthorized

Add optional UPSTREAM_REGISTRY_USERNAME / UPSTREAM_REGISTRY_TOKEN secrets and,
when supplied, crane auth login to the registry host derived from source_ref
before the pull. Anonymous upstreams (e.g. gcr.io distroless) are unaffected
since login is skipped when creds are absent.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jun 30, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@williaby, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 18 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 3fd694e1-6c3e-45a9-9b9e-32667032e683

📥 Commits

Reviewing files that changed from the base of the PR and between bec4d9f and ad11eac.

📒 Files selected for processing (1)
  • .github/workflows/supply-chain-promote-core.yml
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/promote-core-upstream-auth

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@sonarqubecloud

Copy link
Copy Markdown

@williaby

Copy link
Copy Markdown
Collaborator Author

PR Review

PREMISE OK — legitimate forward fix, third in the #234#236 promote-core hardening series. No regression, no colliding PRs, and the scan job's trust boundary (contents: read + security-events: write, no packages:write/id-token) is preserved while it gains upstream read credentials only.

No Critical or Important findings. SonarCloud quality gate passed (0 new issues); all CI checks green.

Suggested (optional): supply-chain-promote-core.yml L185-190 — the credential guard requires both UPSTREAM_USER and UPSTREAM_PASS. If a caller wires exactly one, login is silently skipped and crane pull fails later with the same opaque 401 Unauthorized this PR fixes, masking the real cause (a half-configured caller). Consider a both-or-neither guard that errors when exactly one is set.

Verified clean: secrets passed via step env: (no inline interpolation, no shell-injection surface); token masked and fed to crane --password-stdin (not base64-derived, never echoed); derived registry host used quoted (no command injection); both new secrets required: false (anonymous upstreams unaffected); PR description matches the diff.

Note: CodeRabbit's check is green but its review did not run (rate-limited). Re-trigger with @coderabbitai review after the window resets if you want its second opinion.

🤖 Generated with Claude Code

@coderabbitai

coderabbitai Bot commented Jun 30, 2026

Copy link
Copy Markdown

@williaby Thanks for the thorough review and the clear callout on the optional both-or-neither credential guard. I'll run a fresh review now for a second opinion.

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@williaby williaby added this pull request to the merge queue Jun 30, 2026
Merged via the queue into main with commit 5825ec5 Jun 30, 2026
34 checks passed
@williaby williaby deleted the fix/promote-core-upstream-auth branch June 30, 2026 20:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant