ci: add Docker Hub authentication to all CI workflows that pull images #60353

Merged
gantoine merged 12 commits into master from mendral/add-dockerhub-auth-ci-workflows
Jun 2, 2026
@mendral-app mendral-app Bot commented May 27, 2026

Summary

  • Add docker/login-action (v4.1.0) before every bin/ci-wait-for-docker launch call across 8 CI workflow files to authenticate Docker Hub image pulls and eliminate recurring toomanyrequests rate limit failures

Context

Docker Hub anonymous rate limits (100 pulls/6h per shared IP) have been causing escalating CI failures since April 2025 — 25+ occurrences across Django tests, build-images, agent skills, and Node.js workflows. The issue resurfaced May 26–27 hitting 3+ commits in a single day.

All existing docker/login-action steps in the repo target GHCR only. This PR adds Docker Hub authentication using the existing DOCKERHUB_USERNAME / DOCKERHUB_TOKEN secrets.

Workflows updated

| Workflow | Jobs affected |
| --- | --- |
| ci-backend.yml | 5 jobs (Django Core, Django Temporal, Async migrations, Validate migrations, another) |
| ci-nodejs.yml | 1 job |
| ci-e2e-playwright.yml | 1 job |
| ci-dagster.yml | 1 job |
| ci-ai.yml | 1 job |
| ci-agent-skills.yml | 2 jobs |
| ci-mcp.yml | 1 job |
| ci-rust.yml | 1 job |

Uses the same docker/login-action SHA pin (4907a6ddec9925e35a0a9e82d7399ccc52663121 / v4.1.0) already used in other workflows in this repo.


Related insight: Docker CI: Unauthenticated Docker Hub pulls causing escalating rate limit failures


Note

Created by Mendral. Tag @mendral-app with feedback or questions.

mendral-app Bot added 2 commits May 27, 2026 13:29
Add docker/login-action before bin/ci-wait-for-docker launch in all
affected workflows to prevent Docker Hub rate limit (toomanyrequests)
errors that have been recurring since April 2025.

Workflows updated:
- ci-backend.yml (5 jobs)
- ci-nodejs.yml
- ci-e2e-playwright.yml
- ci-dagster.yml
- ci-ai.yml
- ci-agent-skills.yml (2 jobs)
- ci-mcp.yml
- ci-rust.yml

Uses the same docker/login-action pin (v4.1.0) already used elsewhere
in the repo, with existing DOCKERHUB_USERNAME/DOCKERHUB_TOKEN secrets.

Add 'if' condition to gracefully skip the login step when
DOCKERHUB_USERNAME secret is not set (e.g., fork PRs or repos
where the secret hasn't been added yet).
@mendral-app mendral-app Bot marked this pull request as ready for review May 27, 2026 20:53
mendral-app Bot commented May 27, 2026

Note on secrets

The DOCKERHUB_USERNAME and DOCKERHUB_TOKEN secrets need to be configured in the repository settings for the Docker Hub login to take effect. The login step uses an if condition to gracefully skip when secrets aren't available, so CI will still pass without them — but rate limit protection won't be active until the secrets are added.

To add the secrets:

  1. Go to Settings → Secrets and variables → Actions
  2. Add DOCKERHUB_USERNAME — your Docker Hub username
  3. Add DOCKERHUB_TOKEN — a Docker Hub access token (create at https://hub.docker.com/settings/security)

Once added, all CI workflows will automatically authenticate and get higher rate limits (200 pulls/6h for free accounts, unlimited for paid).

@assign-reviewers-posthog assign-reviewers-posthog Bot requested a review from a team May 27, 2026 20:54
greptile-apps Bot commented May 27, 2026

Reviews (1): Last reviewed commit: "ci: skip Docker Hub login when secrets a..." | Re-trigger Greptile

@gantoine gantoine requested a review from a team May 28, 2026 14:26
@gantoine gantoine self-assigned this May 28, 2026
@gantoine gantoine enabled auto-merge (squash) May 28, 2026 15:33
gantoine and others added 5 commits May 29, 2026 16:33
Canonical ci-backend.yml added Docker Hub login steps to the turbo-tests,
check-migrations, check-openapi-types, django, and async-migrations jobs.
Mirror them into the depot shadow so it stays apples-to-apples and the
shadow-drift check passes. check-openapi-types is folded into the depot
check-migrations job, so its login is covered there — 4 steps in depot
cover the 5 canonical steps.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Copilot AI left a comment

Pull request overview

Adds Docker Hub authentication to CI workflows before starting Docker Compose stacks, aiming to reduce flaky CI failures caused by Docker Hub anonymous pull rate limits.

Changes:

  • Insert docker/login-action (pinned to v4.1.0 SHA) before Docker stack startup across multiple CI workflows.
  • Apply the same Docker Hub login step to both GitHub Actions workflows and the Depot backend workflow.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 17 comments.

| File | Description |
| --- | --- |
| .github/workflows/ci-backend.yml | Adds Docker Hub login before multiple backend jobs bring up Docker services. |
| .github/workflows/ci-nodejs.yml | Adds Docker Hub login before Node.js job starts Docker Compose stack. |
| .github/workflows/ci-e2e-playwright.yml | Adds Docker Hub login before Playwright E2E job starts Docker services. |
| .github/workflows/ci-dagster.yml | Adds Docker Hub login before Dagster job starts Docker Compose stack. |
| .github/workflows/ci-ai.yml | Adds Docker Hub login before AI eval job starts Docker Compose stack. |
| .github/workflows/ci-agent-skills.yml | Adds Docker Hub login before agent-skills jobs start Docker services. |
| .github/workflows/ci-mcp.yml | Adds Docker Hub login before MCP job starts Docker services. |
| .github/workflows/ci-rust.yml | Adds Docker Hub login before Rust job brings up Docker dependencies. |
| .depot/workflows/ci-backend.yml | Adds Docker Hub login before multiple Depot backend jobs start Docker services. |

Comment thread .github/workflows/ci-rust.yml Outdated
Comment thread .github/workflows/ci-nodejs.yml Outdated
Comment thread .github/workflows/ci-mcp.yml Outdated
Comment thread .github/workflows/ci-e2e-playwright.yml Outdated
Comment thread .github/workflows/ci-dagster.yml Outdated
Comment thread .github/workflows/ci-agent-skills.yml Outdated
Comment thread .depot/workflows/ci-backend.yml Outdated
Comment thread .depot/workflows/ci-backend.yml Outdated
Comment thread .depot/workflows/ci-backend.yml Outdated
Comment thread .depot/workflows/ci-backend.yml Outdated
gantoine and others added 3 commits June 2, 2026 08:10
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
The secrets context is not available in step-level if: conditions, so
`if: ${{ secrets.DOCKERHUB_USERNAME != '' }}` raised "Unrecognized
named-value: 'secrets'". Map the two creds into env and check env.* in
the conditions instead.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
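
The fix described in the commit message above, sketched as a workflow (an added example, not the PR's actual diff). The workflow, job and step names and the `HAS_DOCKERHUB_CREDS` variable are hypothetical; unlike the commit, which maps both credentials into env, this variant exposes only a true/false flag so the token is not placed in every step's environment.

```yaml
# Added example. Secret names, the action pin and the launch command come from
# this PR; everything else (names, HAS_DOCKERHUB_CREDS) is hypothetical.
name: ci-example
on: [pull_request]

jobs:
  tests:
    runs-on: ubuntu-latest
    env:
      # The secrets context IS available in env:, so test for presence here.
      # The expression collapses to the string 'true' or 'false'; no credential
      # value is written into the job environment.
      HAS_DOCKERHUB_CREDS: ${{ secrets.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '' }}
    steps:
      # (checkout and setup steps go here)

      # Rejected form: the secrets context is not available in a step-level if:
      #   if: ${{ secrets.DOCKERHUB_USERNAME != '' }}
      #   -> Unrecognized named-value: 'secrets'

      - name: Login to Docker Hub
        # env.* is available in if:. The step is skipped on fork PRs and in
        # repos where the secrets are unset, so the job falls back to
        # anonymous pulls instead of failing at login.
        if: env.HAS_DOCKERHUB_CREDS == 'true'
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          # Credentials are passed only to this step's inputs.
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Start Docker stack
        run: bin/ci-wait-for-docker launch
```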
github-actions Bot commented Jun 2, 2026

🎭 Playwright report

⚠️ 3 flaky tests:

  • create experiment via wizard, add metrics, and launch (chromium)
  • service filter passes serviceNames to API (chromium)
  • Inline editing insight title via compact card popover (chromium)

These issues are not necessarily caused by your changes.
Annoyed by this comment? Help fix flakies and failures and it'll disappear!

@gantoine gantoine merged commit 38cd811 into master Jun 2, 2026
216 checks passed
@gantoine gantoine deleted the mendral/add-dockerhub-auth-ci-workflows branch June 2, 2026 16:51
deployment-status-posthog Bot commented Jun 2, 2026

Deploy status

| Environment | Status | Deployed At | Workflow |
| --- | --- | --- | --- |
| dev | ✅ Deployed | 2026-06-02 17:40 UTC | Run |
| prod-us | ✅ Deployed | 2026-06-02 18:08 UTC | Run |
| prod-eu | ✅ Deployed | 2026-06-02 18:13 UTC | Run |
