@crazy-max crazy-max force-pushed the scope-auth branch 2 times, most recently from 229f7d6 to a9d4e13 Compare January 8, 2026 11:28
Comment on lines 636 to 716
-
name: Login to registry for signing
if: ${{ needs.prepare.outputs.sign == 'true' && inputs.output == 'image' }}
uses: docker/login-action@scope # TODO: pin to a specific version when scope feature is supported
with:
registry-auth: ${{ secrets.registry-auths }}
env:
DOCKER_LOGIN_SCOPE_DISABLED: true # make sure the scope feature is disabled to avoid interfering with cosign OIDC login
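Review bot: `uses: docker/login-action@scope` in the "Login to registry for signing" step tracks a mutable branch while the step is handed `secrets.registry-auths`, so whatever lands on that branch runs with the registry credentials. Resolve the TODO before merge by pinning to a release tag or, preferably, a full commit SHA.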
Member Author

@crazy-max crazy-max Jan 8, 2026

@tonistiigi Needs extra login without scope after build so cosign can use auth from vanilla docker config when signing attestation manifests, otherwise it fails with: https://github.com/docker/github-builder-experimental/actions/runs/20814314320/job/59786046485#step:12:96

Error: Signing BuildKit attestation manifests failed: Cosign sign command failed with errors:
- [UNAUTHORIZED] authentication required : [object Object],[object Object]

Fyi cosign is using google/go-containerregistry to get auth: https://github.com/google/go-containerregistry/blob/e075f209120b2467fd1b7d24727f1890a0edb74a/pkg/authn/keychain.go#L87
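
A preflight check for the condition described in the comment above, as an added example that is not part of the PR, of cosign or of go-containerregistry: it reports which credential source the default Docker `config.json` offers for a registry, so a missing entry shows up before the signing step rather than as `UNAUTHORIZED`. It assumes the standard `auths` / `credHelpers` / `credsStore` layout; `credentialSource` and `sampleConfig` are hypothetical names, and registry keys are matched exactly.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// dockerConfig holds the credential-related keys of a Docker config.json.
type dockerConfig struct {
	Auths map[string]struct {
		Auth string `json:"auth"`
	} `json:"auths"`
	CredHelpers map[string]string `json:"credHelpers"`
	CredsStore  string            `json:"credsStore"`
}

// credentialSource returns "helper:<name>", "auths:<user>" or "anonymous".
// Order: per-registry helper, then the global store, then inline auths.
func credentialSource(raw []byte, registry string) (string, error) {
	var cfg dockerConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return "", fmt.Errorf("parse config.json: %w", err)
	}
	if h, ok := cfg.CredHelpers[registry]; ok {
		return "helper:" + h, nil
	}
	if cfg.CredsStore != "" {
		return "helper:" + cfg.CredsStore, nil
	}
	if e, ok := cfg.Auths[registry]; ok && e.Auth != "" {
		dec, err := base64.StdEncoding.DecodeString(e.Auth)
		if err != nil {
			return "", fmt.Errorf("auths[%q]: %w", registry, err)
		}
		user, _, _ := strings.Cut(string(dec), ":")
		return "auths:" + user, nil // report the user only, never the secret
	}
	return "anonymous", nil // no credentials: the client is unauthenticated
}

// sampleConfig is constructed for this example ("user:token" in base64).
const sampleConfig = `{"auths":{"ghcr.io":{"auth":"dXNlcjp0b2tlbg=="}}}`

func main() {
	for _, reg := range []string{"ghcr.io", "registry.example.com"} {
		fmt.Print(reg, " -> ")
		fmt.Println(credentialSource([]byte(sampleConfig), reg))
	}
}
```

In a workflow, the same function can be pointed at `$DOCKER_CONFIG/config.json` (or `~/.docker/config.json`) just before signing and the job failed early when the target registry resolves to `anonymous`.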

@crazy-max crazy-max requested a review from tonistiigi January 8, 2026 13:44
@crazy-max crazy-max added this to the GA milestone Jan 13, 2026
@crazy-max crazy-max force-pushed the scope-auth branch 2 times, most recently from bcee16a to 9491fd3 Compare January 27, 2026 15:28
@crazy-max crazy-max marked this pull request as ready for review January 28, 2026 14:20
@crazy-max
Member Author

@tonistiigi Ready for review after releasing https://github.com/docker/login-action/releases/tag/v3.7.0

@crazy-max crazy-max merged commit 7256a7a into main Jan 28, 2026
301 of 302 checks passed
@crazy-max crazy-max deleted the scope-auth branch January 28, 2026 15:41
3 participants