fix: authenticate Docker Hub pulls to prevent anonymous rate limits #3741 (#3744)
saieswar237 wants to merge 1 commit into
Conversation
Hi @saieswar237, thanks for your interest in contributing! This project requires that pull request authors are vouched, and you are not in the list of vouched users. This PR will be closed automatically. See https://github.com/triggerdotdev/trigger.dev/blob/main/CONTRIBUTING.md for more details.
Caution: review failed. The pull request is closed.
Walkthrough: This pull request adds Docker Hub authentication to two GitHub Actions publishing workflows:
Estimated code review effort: 1 (Trivial), about 3 minutes.
| - name: 🐋 Login to Docker Hub | ||
| uses: docker/login-action@v3 | ||
| with: | ||
| username: ${{ secrets.DOCKERHUB_USERNAME }} | ||
| password: ${{ secrets.DOCKERHUB_TOKEN }} |
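Review bot: on the `password: ${{ secrets.DOCKERHUB_TOKEN }}` line, the value should be a Docker Hub access token scoped to read-only (pull) permission rather than the account password, since the stated goal is only to lift the anonymous pull limit; a pull-only token limits the blast radius if the secret leaks from a workflow log or a compromised step, and the expected scope is worth recording in a comment beside the step so nobody later substitutes a read/write token.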
🔴 Docker Hub secrets not declared or passed for publish-webapp.yml, causing login failure
The new Docker Hub login step uses ${{ secrets.DOCKERHUB_USERNAME }} and ${{ secrets.DOCKERHUB_TOKEN }}, but these secrets are neither declared in the workflow_call.secrets section of publish-webapp.yml nor passed by the caller in publish.yml:72-74 (which only passes SENTRY_AUTH_TOKEN). In GitHub Actions, when a caller explicitly lists secrets (rather than using secrets: inherit), only declared and passed secrets are available to the called workflow. Both secrets will resolve to empty strings, causing the docker/login-action step to fail. Since this step lacks continue-on-error: true, it will abort the entire publish job, preventing the image build and push.
Comparison with correctly configured workflow
publish-worker.yml:11-15 correctly declares these secrets in its workflow_call.secrets section, and publish.yml:84-86 correctly passes them. The new steps in publish-webapp.yml are missing both pieces.
Prompt for agents
Two changes are needed to fix the Docker Hub login for publish-webapp.yml:
1. In .github/workflows/publish-webapp.yml, add DOCKERHUB_USERNAME and DOCKERHUB_TOKEN to the workflow_call.secrets section (around line 17-19), similar to how publish-worker.yml declares them at its lines 11-15.
2. In .github/workflows/publish.yml, update the publish-webapp job (around line 73-74) to also pass these secrets, similar to how publish-worker passes them at lines 84-86. Add:
```yaml
secrets:
  SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
  DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
  DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
```
Additionally, consider adding a conditional guard (if: ${{ secrets.DOCKERHUB_USERNAME != '' }}) or continue-on-error: true on the Docker Hub login step to avoid hard failures when the secrets are not configured (e.g. in forks). See publish-worker.yml:63 for the existing pattern.
| - name: 🐋 Login to Docker Hub | ||
| uses: docker/login-action@v3 | ||
| with: | ||
| username: ${{ secrets.DOCKERHUB_USERNAME }} | ||
| password: ${{ secrets.DOCKERHUB_TOKEN }} |
🔴 Docker Hub secrets not declared or passed for publish-worker-v4.yml, causing login failure via workflow_call
Same issue as in publish-webapp.yml: the new Docker Hub login step uses ${{ secrets.DOCKERHUB_USERNAME }} and ${{ secrets.DOCKERHUB_TOKEN }}, but these are not declared in the workflow_call.secrets section of publish-worker-v4.yml, and the caller at publish.yml:90-98 passes no secrets at all. When invoked via workflow_call, both secrets will be empty and the login step will fail, aborting the build job. (When triggered directly via push tags, repository secrets are available, so only the workflow_call path is broken.)
Prompt for agents
Two changes are needed:
1. In .github/workflows/publish-worker-v4.yml, add a secrets section under workflow_call (after line 10) declaring DOCKERHUB_USERNAME and DOCKERHUB_TOKEN as optional secrets, matching the pattern in publish-worker.yml:11-15.
2. In .github/workflows/publish.yml, update the publish-worker-v4 job (around line 96) to pass these secrets:
```yaml
secrets:
  DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
  DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
```
Also consider adding a conditional guard on the Docker Hub login step (like publish-worker.yml:63 does with if: ${{ env.DOCKERHUB_USERNAME }}) to gracefully skip when secrets are unavailable.
| password: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| - name: 🐋 Login to Docker Hub | ||
| uses: docker/login-action@v3 |
🔴 Docker Hub login uses unpinned mutable tag @v3 instead of commit SHA, inconsistent with all other action references
Both new Docker Hub login steps use docker/login-action@v3 while every other docker/login-action reference in the repository (8 occurrences across 7 workflow files) is pinned to a specific commit SHA: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0. Using a mutable tag is a supply-chain security risk (the tag can be moved to point at malicious code) and is inconsistent with the established repository convention. Additionally, @v3 is an older major version than the v4.1.0 used everywhere else.
| uses: docker/login-action@v3 | |
| uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 |
| password: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| - name: 🐋 Login to Docker Hub | ||
| uses: docker/login-action@v3 |
🔴 Docker Hub login in publish-worker-v4 uses unpinned mutable tag @v3 instead of commit SHA
Same issue as in publish-webapp.yml: the new Docker Hub login step uses docker/login-action@v3 instead of the pinned commit SHA docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 used by all other workflow files in the repository. This is both a supply-chain security risk and a convention violation.
| uses: docker/login-action@v3 | |
| uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 |
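The two review findings above (undeclared and unforwarded `workflow_call` secrets, and the unpinned `@v3` tag) combined into one corrected configuration, written here as an added example rather than the PR's own change or the project's actual workflow files. The job name `publish`, the runner, and `required: true` on SENTRY_AUTH_TOKEN are assumptions; the skip guard uses the job-level `env` pattern the review attributes to publish-worker.yml, because a step-level `if:` can read `env` but not the `secrets` context.

```yaml
# File 1 (called workflow): .github/workflows/publish-webapp.yml -- added example
on:
  workflow_call:
    secrets:
      SENTRY_AUTH_TOKEN:          # existing secret; required: true is assumed
        required: true
      # Declared as optional so forks without Docker Hub credentials still run.
      DOCKERHUB_USERNAME:
        required: false
      DOCKERHUB_TOKEN:
        required: false

jobs:
  publish:                        # assumed job name
    runs-on: ubuntu-latest        # assumed runner
    env:
      # Only the username is mirrored into env so the step-level `if:` can see it;
      # the token stays confined to the login step's `with:` block.
      DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
    steps:
      - name: 🐋 Login to Docker Hub
        # Empty string is falsy in expressions: the step is skipped, not failed,
        # when the secret is not configured.
        if: ${{ env.DOCKERHUB_USERNAME }}
        # Pinned to the commit SHA the repository's other workflows already use,
        # so a moved tag cannot swap in different action code.
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

---
# File 2 (caller): .github/workflows/publish.yml -- added example.
# An explicit `secrets:` list forwards only what is named; any secret omitted
# here resolves to an empty string inside the called workflow.
jobs:
  publish-webapp:
    uses: ./.github/workflows/publish-webapp.yml
    secrets:
      SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
      DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
      DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
```

The same declaration and forwarding apply to publish-worker-v4.yml and its job in publish.yml; the `---` separates the two files for illustration only.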
Hey team! I have a production-grade fix ready for this that injects I submitted it in PR #3744, but the automation auto-closed it because my account isn't on the "vouched users" list yet for workflow modifications. Could a maintainer please reopen #3744, vouch for me, or take a look at the commit? I'd love to get this fixed for you guys! /claim #3741
Resolves #3741
/claim #3741
Summary of Changes
Added authenticated Docker Hub logins using docker/login-action@v3 right before the depot/build-push-action step in both the worker (publish-worker-v4.yml) and webapp (publish-webapp.yml) publish workflows. This ensures the automated image builder bypasses Docker Hub's anonymous-pull rate limits, resolving the 401 Unauthorized errors reported during deployment windows.