diff --git a/hack/update-builder.go b/hack/update-builder.go
index d5fc9d58f..be14baf37 100644
--- a/hack/update-builder.go
+++ b/hack/update-builder.go
@@ -102,8 +102,6 @@ func buildBuilderImage(ctx context.Context, variant, arch string) (string, error
 }
 newBuilderImage := "ghcr.io/knative/builder-jammy-" + variant
 newBuilderImageTagged := newBuilderImage + ":" + *release.Name + "-" + arch
- dockerUser := "gh-action"
- dockerPassword := os.Getenv("GITHUB_TOKEN")
 ref, err := name.ParseReference(newBuilderImageTagged)
 if err != nil {
@@ -131,8 +129,7 @@ func buildBuilderImage(ctx context.Context, variant, arch string) (string, error
 return "", fmt.Errorf("cannot patch java buildpacks: %w", err)
 }
 addGoAndRustBuildpacks(&builderConfig)
-
- packClient, err := pack.NewClient()
+ packClient, err := pack.NewClient(pack.WithKeychain(ghKeychain{}))
 if err != nil {
 return "", fmt.Errorf("cannot create pack client: %w", err)
 }
@@ -168,21 +165,17 @@ func buildBuilderImage(ctx context.Context, variant, arch string) (string, error
 return "", fmt.Errorf("cannot create docker client")
 }
- authConfig := registry.AuthConfig{
- Username: dockerUser,
- Password: dockerPassword,
- }
- bs, err := json.Marshal(&authConfig)
- if err != nil {
- return "", fmt.Errorf("cannot marshal credentials: %w", err)
- }
- imagePushOptions := image.PushOptions{
- All: false,
- RegistryAuth: base64.StdEncoding.EncodeToString(bs),
- }
+ pushImage := func(img string) (string, error) {
+ regAuth, err := dockerDaemonAuthStr(img)
+ if err != nil {
+ return "", fmt.Errorf("cannot get credentials: %w", err)
+ }
+ imagePushOptions := image.PushOptions{
+ All: false,
+ RegistryAuth: regAuth,
+ }
- pushImage := func(image string) (string, error) {
- rc, err := dockerClient.ImagePush(ctx, image, imagePushOptions)
+ rc, err := dockerClient.ImagePush(ctx, img, imagePushOptions)
 if err != nil {
 return "", fmt.Errorf("cannot initialize image push: %w", err)
 }
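Review bot: `pack.WithKeychain(ghKeychain{})` leaves the pack client anonymous for every registry other than ghcr.io, because `ghKeychain` returns `authn.Anonymous` for them and nothing here falls back to the local Docker configuration. If that is not intended, passing the combined keychain this commit defines at the end of the file, `pack.NewClient(pack.WithKeychain(DefaultKeychain))`, keeps the fallback and matches what the push and manifest paths use. `buildBuilderImage` starts and ends outside this hunk.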
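Review bot: The `RegistryAuth` value handed to `ImagePush` is produced by `dockerDaemonAuthStr` with `base64.StdEncoding`, while the Docker API describes this header as URL-safe base64, so a credential whose JSON happens to encode to `+` or `/` would likely be rejected by the daemon. The encoding predates this commit, but now that it lives in one helper it is cheap to correct there, for example `return base64.URLEncoding.EncodeToString(bs), nil`, or `registry.EncodeAuthConfig(authConfig)` if the vendored Docker module provides it. The `pushImage` closure continues past the end of this hunk.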
@@ -265,10 +258,7 @@ func buildBuilderImageMultiArch(ctx context.Context, variant string) error {
 }
 remoteOpts := []remote.Option{
- remote.WithAuth(authn.FromConfig(authn.AuthConfig{
- Username: "gh-action",
- Password: os.Getenv("GITHUB_TOKEN"),
- })),
+ remote.WithAuthFromKeychain(DefaultKeychain),
 }
 idx := mutate.IndexMediaType(empty.Index, types.DockerManifestList)
@@ -745,3 +735,46 @@ func newGHClient(ctx context.Context) *github.Client {
 AccessToken: os.Getenv("GITHUB_TOKEN"),
 })))
 }
+
+var DefaultKeychain = authn.NewMultiKeychain(ghKeychain{}, authn.DefaultKeychain)
+
+type ghKeychain struct{}
+
+func (g ghKeychain) Resolve(resource authn.Resource) (authn.Authenticator, error) {
+ if resource.RegistryStr() != "ghcr.io" {
+ return authn.Anonymous, nil
+ }
+ return &authn.Basic{
+ Username: "gh-action",
+ Password: os.Getenv("GITHUB_TOKEN"),
+ }, nil
+}
+
+func dockerDaemonAuthStr(img string) (string, error) {
+ ref, err := name.ParseReference(img)
+ if err != nil {
+ return "", err
+ }
+
+ a, err := DefaultKeychain.Resolve(ref.Context())
+ if err != nil {
+ return "", err
+ }
+
+ ac, err := a.Authorization()
+ if err != nil {
+ return "", err
+ }
+
+ authConfig := registry.AuthConfig{
+ Username: ac.Username,
+ Password: ac.Password,
+ }
+
+ bs, err := json.Marshal(&authConfig)
+ if err != nil {
+ return "", err
+ }
+
+ return base64.StdEncoding.EncodeToString(bs), nil
+}
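Review bot: `ghKeychain.Resolve` returns a Basic authenticator for ghcr.io even when `GITHUB_TOKEN` is unset, so an empty password is offered and, as far as I can tell from how the multi-keychain picks the first non-anonymous result, the `authn.DefaultKeychain` fallback is never consulted for ghcr.io. Widening the guard to `if resource.RegistryStr() != "ghcr.io" || os.Getenv("GITHUB_TOKEN") == "" {` would let a locally stored credential be used instead. In `dockerDaemonAuthStr` only `Username` and `Password` are copied from the resolved config, so a credential the fallback keychain supplies as a token would presumably be dropped; adding `IdentityToken: ac.IdentityToken,` and `RegistryToken: ac.RegistryToken,` keeps it. The exact-match registry check deserves a one-line comment saying it exists so the token is never offered to any other registry, and the exported `DefaultKeychain` a doc comment explaining the lookup order.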