Dark Mode

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Sign up
Appearance settings

authentication token scopes support#73

Merged
crazy-max merged 1 commit intomainfrom
scope-auth
Jan 28, 2026
Merged

authentication token scopes support#73
crazy-max merged 1 commit intomainfrom
scope-auth

Conversation

Copy link
Member

crazy-max commented Jan 8, 2026 *
edited
Loading

github-actions bot assigned crazy-max Jan 8, 2026
crazy-max force-pushed the scope-auth branch 2 times, most recently from 229f7d6 to a9d4e13 Compare January 8, 2026 11:28
crazy-max commented Jan 8, 2026
Comment on lines +636 to +643
-
name: Login to registry for signing
if: ${{ needs.prepare.outputs.sign == 'true' && inputs.output == 'image' }}
uses: docker/login-action@scope # TODO: pin to a specific version when scope feature is supported
with:
registry-auth: ${{ secrets.registry-auths }}
env:
DOCKER_LOGIN_SCOPE_DISABLED: true # make sure the scope feature is disabled to avoid interfering with cosign OIDC login
Copy link
Member Author

crazy-max Jan 8, 2026 *
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@tonistiigi Needs extra login without scope after build so cosign can use auth from vanilla docker config when signing attestation manifests, otherwise it fails with: https://github.com/docker/github-builder-experimental/actions/runs/20814314320/job/59786046485#step:12:96

Error: Signing BuildKit attestation manifests failed: Cosign sign command failed with errors:
- [UNAUTHORIZED] authentication required : [object Object],[object Object]

Fyi cosign is using google/go-containerregistry to get auth: https://github.com/google/go-containerregistry/blob/e075f209120b2467fd1b7d24727f1890a0edb74a/pkg/authn/keychain.go#L87

crazy-max requested a review from tonistiigi January 8, 2026 13:44
crazy-max force-pushed the scope-auth branch from a9d4e13 to c4b9332 Compare January 8, 2026 13:53
crazy-max added this to the GA milestone Jan 13, 2026
crazy-max force-pushed the scope-auth branch 2 times, most recently from bcee16a to 9491fd3 Compare January 27, 2026 15:28
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
crazy-max force-pushed the scope-auth branch from 9491fd3 to e5766cb Compare January 28, 2026 13:06
crazy-max marked this pull request as ready for review January 28, 2026 14:20
Copy link
Member Author

crazy-max commented Jan 28, 2026

@tonistiigi Ready for review after releasing https://github.com/docker/login-action/releases/tag/v3.7.0

tonistiigi approved these changes Jan 28, 2026
crazy-max merged commit 7256a7a into main Jan 28, 2026
301 of 302 checks passed
crazy-max deleted the scope-auth branch January 28, 2026 15:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

tonistiigi tonistiigi approved these changes

Assignees

crazy-max

Labels

None yet

Projects

None yet

Milestone

GA

Development

Successfully merging this pull request may close these issues.

2 participants