feat: fallback to GITHUB_TOKEN for ghcr.io

isometry · isometry · commit 836cd5becbdf · 2024-02-16T22:30:23.000+01:00
diff --git a/README.md b/README.md
@@ -1,8 +1,13 @@
 # Docker Credentials from the Environment
 
-A docker credential helper to streamline repository interactions in CI/CD pipelines, particularly Jenkins declarative Pipelines, where dynamic credentials are used.
+A [Docker credential helper](https://docs.docker.com/engine/reference/commandline/login/#credential-helpers) to streamline repository interactions in scenarios where the cacheing of credentials to `~/.docker/config.json` is undesirable, including CI/CD pipelines, or anywhere ephemeral credentials are used.
 
-In addition to handling simple credentials, it also fully support private AWS ECR repositories, including full automatic cross-account sts:AssumeRole support.
+All OCI registry clients that support `~/.docker/config.json` are supported, including [`oras`](https://oras.land/), [`crane`](https://github.com/google/go-containerregistry/blob/main/cmd/crane/README.md), [`grype`](https://github.com/anchore/grype), etc.
+
+In addition to handling basic username:password credentials, the credential helper also includes special support for:
+
+* Amazon Elastic Container Registry (ECR) repositories using [standard AWS credentials](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html), including automatic cross-account role assumption.
+* [GitHub Packages](https://ghcr.io/) via the common `GITHUB_TOKEN` environment variable.
 
 ## Environment Variables
 
@@ -21,7 +26,7 @@ Hyphens within DNS labels are transformed to underscores (`s/-/_/g`) for the pur
 
 ## Configuration
 
-The `docker-credential-env` binary must be installed to `$PATH`, configured via `~/.docker/config.json`:
+The `docker-credential-env` binary must be installed to `$PATH`, and is enabled via `~/.docker/config.json`:
 
 * Handle all docker authentication:
 
@@ -49,25 +54,25 @@ By default, attempts to explicitly `docker {login,logout}` will generate an erro
 
 ```groovy
 stages {
-    stage("Push Image to Artifactory") {
+    stage('Push Image to Artifactory') {
         environment {
             DOCKER_artifactory_example_com = credentials('jenkins.artifactory') // (Vault) Username-Password credential
         }
         steps {
-            sh "docker push artifactory.example.com/example/example-image:1.0"
+            sh 'docker push artifactory.example.com/example/example-image:1.0'
         }
     }
 
-    stage("Push Image to Docker Hub") {
+    stage('Push Image to Docker Hub') {
         environment {
             DOCKER_docker_com = credentials('hub.docker.com') // Username-Password credential, exploiting domain search
         }
         steps {
-            sh "docker push hub.docker.com/example/example-image:1.0"
+            sh 'docker push hub.docker.com/example/example-image:1.0'
         }
     }
 
-    stage("Push Image to AWS-ECR") {
+    stage('Push Image to AWS-ECR') {
         environment {
             // any standard AWS authentication mechanisms are supported
             AWS_ROLE_ARN          = 'arn:aws:iam::123456789:role/jenkins-user' // triggers automatic sts:AssumeRole
@@ -77,8 +82,18 @@ stages {
             AWS_SECRET_ACCESS_KEY = credentials('AWS_SECRET_ACCESS_KEY') // String credential
         }
         steps {
-            sh "docker push 123456789.dkr.ecr.us-east-1.amazonaws.com/example/example-image:1.0"
+            sh 'docker push 123456789.dkr.ecr.us-east-1.amazonaws.com/example/example-image:1.0'
         }
     }
+
+      stage('Push Image to GHCR') {
+        environment {
+            GITHUB_TOKEN = credentials('github') // String credential
+        }
+        steps {
+            sh 'docker push ghcr.io/example/example-image:1.0'
+        }
+    }
+
 }
 ```
diff --git a/env.go b/env.go
@@ -19,6 +19,7 @@ import (
 )
 
 var ecrHostname = regexp.MustCompile(`^[0-9]+\.dkr\.ecr\.[-a-z0-9]+\.amazonaws\.com$`)
+var ghcrHostname = regexp.MustCompile(`^ghcr\.io$`)
 
 const (
 	defaultScheme     = "https://"
@@ -85,6 +86,15 @@ func (e *Env) Get(serverURL string) (username string, password string, err error
 		return
 	}
 
+	if ghcrHostname.MatchString(hostname) {
+		// This is a GitHub Container Registry: ghcr.io
+		if token, found := os.LookupEnv("GITHUB_TOKEN"); found {
+			username = "github"
+			password = token
+		}
+		return
+	}
+
 	return
 }
 
diff --git a/env_test.go b/env_test.go
@@ -204,6 +204,11 @@ func TestEnvGet(t *testing.T) {
 			input:    "https://other-example.com",
 			expected: output{username: "", password: "", err: nil},
 		},
+		{
+			name:     "GitHub Container Registry",
+			input:    "https://ghcr.io",
+			expected: output{username: "", password: "t1", err: nil},
+		},
 	}
 
 	e := Env{}
@@ -212,6 +217,7 @@ func TestEnvGet(t *testing.T) {
 	t.Setenv("DOCKER_example_com_PSW", "p1")
 	t.Setenv("DOCKER_repo_example_com_USR", "u2")
 	t.Setenv("DOCKER_repo_example_com_PSW", "p2")
+	t.Setenv("GITHUB_TOKEN", "t1")
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

Original file line number	Diff line number	Diff line change
`@@ -19,6 +19,7 @@ import (`
`19`	`19`	`)`
`20`	`20`
`21`	`21`	var ecrHostname = regexp.MustCompile(`^[0-9]+\.dkr\.ecr\.[-a-z0-9]+\.amazonaws\.com$`)
	`22`	+var ghcrHostname = regexp.MustCompile(`^ghcr\.io$`)
`22`	`23`
`23`	`24`	`const (`
`24`	`25`	`defaultScheme = "https://"`
`@@ -85,6 +86,15 @@ func (e *Env) Get(serverURL string) (username string, password string, err error`
`85`	`86`	`return`
`86`	`87`	`}`
`87`	`88`
	`89`	`+ if ghcrHostname.MatchString(hostname) {`
	`90`	`+ // This is a GitHub Container Registry: ghcr.io`
	`91`	`+ if token, found := os.LookupEnv("GITHUB_TOKEN"); found {`
	`92`	`+ username = "github"`
	`93`	`+ password = token`
	`94`	`+ }`
	`95`	`+ return`
	`96`	`+ }`
	`97`	`+`
`88`	`98`	`return`
`89`	`99`	`}`
`90`	`100`