WIP: gh auth configure-docker #7828

Closed
imjasonh wants to merge 2 commits into cli:trunk from imjasonh:gh-cred-helper

@imjasonh

Opening this as a proof of concept, to keep the discussion going.

Fixes #5150

This assumes gh is on PATH, to be able to create a sibling symlink also on PATH. To test this, you need to:

go build ./cmd/gh
PATH=$(pwd):$PATH gh auth configure-docker
# see ./docker-credential-gh created as a symlink to ./gh
docker push ghcr.io/<me>/<whatever>

If the user doesn't have permission to write the symlink to PATH, configure-docker fails.

When installed in the normal way (e.g., brew), the flow is:

gh auth configure-docker  # pops up a browser asking for `write:packages` scope
docker push ghcr.io/<me>/<whatever>

Open questions / issues:

  • this uses Docker's credhelper CLI scaffolding, which isn't strictly necessary but it removes some boilerplate; would you prefer to use gh's CLI scaffolding here instead?
  • we probably need a better error message when the symlink can't be created, or on Windows, or other cases where it can fail.
  • need to write ~/.docker/config.json, you can do it manually for now.
  • we can have the credhelper detect a missing/insufficient/expired token and initiate the browser login flow, if you want.

Let me know if this is on the right track, and I can put some more work into it.

cc @mislav

Signed-off-by: Jason Hall <jason@chainguard.dev>
Signed-off-by: Jason Hall <jason@chainguard.dev>
@imjasonh
Author

Friendly ping. I think it would be great to be able to use this myself when pushing to GHCR, and I'd at least love to get some feedback on the approach.

@samcoe
Contributor

samcoe commented Oct 23, 2023

@imjasonh Sorry for the delay in taking a look at this. Mislav is no longer working at GitHub hence why this fell through the cracks a bit. After looking through the issue and at comments #5150 (comment) and #5150 (comment) I am not sure this is the right direction. I am aligned with what Mislav previously said. I think trying to set up symlinks for our users is not the right approach and that having a separate docker-credential-gh binary or script that users place in the correct directory is the direction we should be moving. There are too many edge cases and known broken cases with the symlink approach.

Having said that, I think we should introduce a gh auth docker-credential command (very similar to gh auth git-credential) that implements the docker credential helper protocol. From the docs it looks like a simple protocol so utilizing any of the docker scaffolding feels like overkill. This command should not do anything fancy with checking scopes or logging in, just be responsible for returning the token in the format that docker expects. This will allow our users to use a simple script like this in their path:

#!/bin/bash
# This "docker-credential-gh" utility should exist as an executable somewhere in PATH.
#
# Dependencies: gh
#
set -e
# Pass the action Docker supplies (get, store, erase) through to gh.
gh auth docker-credential "$1"

I can understand this is not an ideal solution as it does not do all the set up work for the user, but I do think it moves us in the right direction and makes it easier than it is now to use gh as a docker credential helper. What are your thoughts?
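
The credential helper protocol discussed in the comment above, as an added Go example (not code from this pull request or from gh): Docker runs `docker-credential-gh get` with the registry URL on stdin and reads a JSON object from stdout. The `GH_TOKEN` token source, the `gh-user` username, the `ghcr.io` allow-list and the function names are assumptions of the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/url"
	"os"
	"strings"
)

// credentials is the JSON object Docker reads from the helper's stdout on "get".
type credentials struct{ ServerURL, Username, Secret string }
var errNotFound = fmt.Errorf("credentials not found in native keychain")

// registryHost reduces "ghcr.io" or "https://ghcr.io/v2/" to a lowercase hostname.
func registryHost(server string) string {
	if !strings.Contains(server, "://") {
		server = "https://" + server
	}
	if u, err := url.Parse(server); err == nil {
		return strings.ToLower(u.Hostname())
	}
	return ""
}

// handle serves one invocation. token stands in for gh's own token lookup and
// "gh-user" is a placeholder username (both hypothetical, chosen for this example).
func handle(action string, in io.Reader, out io.Writer, token string) error {
	switch action {
	case "get":
		raw, err := io.ReadAll(io.LimitReader(in, 4096))
		server := strings.TrimSpace(string(raw))
		// Fail closed: hand the token only to the registry it is meant for.
		if err != nil || registryHost(server) != "ghcr.io" || token == "" {
			return errNotFound
		}
		return json.NewEncoder(out).Encode(credentials{ServerURL: server, Username: "gh-user", Secret: token})
	case "store", "erase":
		return nil // gh owns the token; Docker has nothing to write or delete
	}
	return fmt.Errorf("unsupported action %q", action)
}

func main() {
	// Assumption for this example: the token arrives in the GH_TOKEN environment variable.
	if err := handle(strings.Join(os.Args[1:], " "), os.Stdin, os.Stdout, os.Getenv("GH_TOKEN")); err != nil {
		fmt.Println(err) // the Docker client reads the helper's error text from stdout
		os.Exit(1)
	}
}
```

Built as `docker-credential-gh` on PATH, it is selected by a `"credHelpers": {"ghcr.io": "gh"}` entry in `~/.docker/config.json`.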

@samcoe
Contributor

samcoe commented Jan 11, 2024

Going to close this due to lack of movement from the author.

@samcoe samcoe closed this Jan 11, 2024
Development

Successfully merging this pull request may close these issues.

gh as Docker credential helper

2 participants