From 333e98896b488a7fe51106a248f0b9e35830917c Mon Sep 17 00:00:00 2001
From: zensgit <77236085+zensgit@users.noreply.github.com>
Date: Thu, 25 Sep 2025 09:02:50 +0800
Subject: [PATCH] fix: add Docker Hub authentication to CI workflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Resolves Docker Hub rate limiting issues causing CI failures.

- Add optional Docker Hub authentication to CI workflow
- Configure DOCKERHUB_USERNAME and DOCKERHUB_TOKEN secrets
- Add login step before jobs that pull Docker images (postgres, redis)
- Make auth optional with continue-on-error for backward compatibility
- Add documentation for setting up Docker Hub access tokens

This prevents "unauthorized: authentication required" errors when
pulling Docker images in GitHub Actions. The authentication is
optional - CI will still work without credentials but with lower
rate limits (100 vs 200 pulls per 6 hours).

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 .github/DOCKER_AUTH_SETUP.md | 44 ++++++++++++++++++++++++++++++++++++
 .github/workflows/ci.yml     | 19 ++++++++++++++++
 2 files changed, 63 insertions(+)
 create mode 100644 .github/DOCKER_AUTH_SETUP.md

diff --git a/.github/DOCKER_AUTH_SETUP.md b/.github/DOCKER_AUTH_SETUP.md
new file mode 100644
index 00000000..3d9dae57
--- /dev/null
+++ b/.github/DOCKER_AUTH_SETUP.md
@@ -0,0 +1,44 @@
+# Docker Hub Authentication Setup for CI
+
+## Problem
+GitHub Actions CI workflows were failing with Docker Hub authentication errors:
+```
+unauthorized: authentication required
+```
+
+This happens when GitHub Actions tries to pull Docker images (postgres:15, redis:7) but hits Docker Hub rate limits for unauthenticated requests.
+
+## Solution Implemented
+
+### 1. CI Workflow Changes
+- Added Docker Hub credential environment variables to the workflow
+- Added Docker login step before jobs that use Docker service containers
+- Made authentication optional with `continue-on-error: true` so CI still works without credentials
+
+### 2. Required GitHub Secrets Setup
+
+To enable Docker Hub authentication, add these secrets to your repository:
+
+1. Go to Settings → Secrets and variables → Actions
+2. Add two new repository secrets:
+   - `DOCKERHUB_USERNAME`: Your Docker Hub username
+   - `DOCKERHUB_TOKEN`: Your Docker Hub access token (NOT your password)
+
+### 3. How to Create Docker Hub Access Token
+
+1. Log in to [Docker Hub](https://hub.docker.com)
+2. Click on your username → Account Settings
+3. Select "Security" → "New Access Token"
+4. Give it a descriptive name like "GitHub Actions CI"
+5. Copy the token and save it as `DOCKERHUB_TOKEN` secret in GitHub
+
+## Benefits
+- Avoids Docker Hub rate limits (100 pulls/6hr for anonymous vs 200 pulls/6hr for authenticated)
+- CI runs more reliably without authentication failures
+- Optional - CI still works without credentials, just with lower rate limits
+
+## Files Modified
+- `.github/workflows/ci.yml`: Added Docker authentication steps
+
+## Testing
+After adding the secrets, the CI will automatically use Docker Hub authentication for all Docker image pulls.
\ No newline at end of file
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 6f8732d0..51c97f5a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -25,6 +25,9 @@ permissions:
 env:
   FLUTTER_VERSION: '3.35.3'
   RUST_VERSION: '1.89.0'
+  # Docker Hub credentials - optional but recommended to avoid rate limits
+  DOCKER_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+  DOCKER_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
 
 concurrency:
   group: core-ci-${{ github.ref }}-${{ github.event_name }}
@@ -275,6 +278,14 @@ jobs:
     steps:
     - uses: actions/checkout@v4
 
+    - name: Login to Docker Hub
+      if: env.DOCKER_USERNAME != '' && env.DOCKER_TOKEN != ''
+      uses: docker/login-action@v3
+      with:
+        username: ${{ env.DOCKER_USERNAME }}
+        password: ${{ env.DOCKER_TOKEN }}
+      continue-on-error: true
+
     - name: Setup Rust
       if: env.DOCS_ONLY != 'true'
       uses: dtolnay/rust-toolchain@stable
@@ -508,6 +519,14 @@ jobs:
     steps:
     - uses: actions/checkout@v4
 
+    - name: Login to Docker Hub
+      if: env.DOCKER_USERNAME != '' && env.DOCKER_TOKEN != ''
+      uses: docker/login-action@v3
+      with:
+        username: ${{ env.DOCKER_USERNAME }}
+        password: ${{ env.DOCKER_TOKEN }}
+      continue-on-error: true
+
     - name: Setup Rust
       uses: dtolnay/rust-toolchain@stable
       with: