actions/login-action
1
0
Fork 0
mirror of https://github.com/docker/login-action.git synced 2026-04-24 15:38:21 +08:00
Code Issues Packages Projects Releases Wiki Activity
login-action/src/docker.ts
Augustus Nguyen 4bcfaae325 Add Chainguard registry (cgr.dev) login support 
Implement native OIDC-based authentication for Chainguard's container
registry, following the same pattern as the existing AWS ECR integration.

When registry is set to cgr.dev, the action automatically exchanges a
GitHub Actions OIDC token with Chainguard's STS endpoint for a short-lived
registry credential, removing the need for chainctl or long-lived pull tokens.

New inputs: chainguard (auto/true/false), chainguard-identity.

Signed-off-by: Augustus Nguyen <theflash28012002@gmail.com>
2026-04-21 11:20:09 +07:00

94 lines
3.3 KiB
TypeScript
Raw Blame History

import * as core from '@actions/core';
import {Docker} from '@docker/actions-toolkit/lib/docker/docker.js';
import * as aws from './aws.js';
import * as chainguard from './chainguard.js';
import * as context from './context.js';
export async function login(auth: context.Auth): Promise<void> {
if (/true/i.test(auth.ecr) || (auth.ecr == 'auto' && aws.isECR(auth.registry))) {
await loginECR(auth.registry, auth.username, auth.password, auth.scope);
} else if (/true/i.test(auth.chainguard) || (auth.chainguard == 'auto' && chainguard.isChainguard(auth.registry))) {
await loginChainguard(auth.registry, auth.chainguardIdentity, auth.scope);
} else {
await loginStandard(auth.registry, auth.username, auth.password, auth.scope);
}
}
export async function logout(registry: string, configDir: string): Promise<void> {
let envs: {[key: string]: string} | undefined;
if (configDir !== '') {
envs = Object.assign({}, process.env, {
DOCKER_CONFIG: configDir
}) as {
[key: string]: string;
};
core.info(`Alternative config dir: ${configDir}`);
}
await Docker.getExecOutput(['logout', registry], {
ignoreReturnCode: true,
env: envs
}).then(res => {
if (res.stderr.length > 0 && res.exitCode != 0) {
core.warning(res.stderr.trim());
}
});
}
export async function loginStandard(registry: string, username: string, password: string, scope?: string): Promise<void> {
if (!username && !password) {
throw new Error('Username and password required');
}
if (!username) {
throw new Error('Username required');
}
if (!password) {
throw new Error('Password required');
}
await loginExec(registry, username, password, scope);
}
export async function loginECR(registry: string, username: string, password: string, scope?: string): Promise<void> {
core.info(`Retrieving registries data through AWS SDK...`);
const regDatas = await aws.getRegistriesData(registry, username, password);
for (const regData of regDatas) {
await loginExec(regData.registry, regData.username, regData.password, scope);
}
}
export async function loginChainguard(registry: string, identity: string, scope?: string): Promise<void> {
if (!identity) {
throw new Error('Chainguard identity is required for Chainguard registry login. Set the chainguard-identity input.');
}
core.info(`Retrieving Chainguard registry token via OIDC exchange...`);
const creds = await chainguard.getRegistryToken(identity);
await loginExec(registry, creds.username, creds.password, scope);
}
async function loginExec(registry: string, username: string, password: string, scope?: string): Promise<void> {
let envs: {[key: string]: string} | undefined;
const configDir = context.scopeToConfigDir(registry, scope);
if (configDir !== '') {
envs = Object.assign({}, process.env, {
DOCKER_CONFIG: configDir
}) as {
[key: string]: string;
};
core.info(`Logging into ${registry} (scope ${scope})...`);
} else {
core.info(`Logging into ${registry}...`);
}
await Docker.getExecOutput(['login', '--password-stdin', '--username', username, registry], {
ignoreReturnCode: true,
silent: true,
input: Buffer.from(password),
env: envs
}).then(res => {
if (res.stderr.length > 0 && res.exitCode != 0) {
throw new Error(res.stderr.trim());
}
core.info('Login Succeeded!');
});
}
Reference in New Issue View Git Blame Copy Permalink