feat: make registry auth optional in docker-build-nix

Support unauthenticated registries (e.g., Tailscale-protected internal registries) by making username/password optional. Only passes credentials to skopeo if both are provided. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-03-04 14:56:40 +01:00 · 2026-03-04 14:56:40 +01:00 · 29739f3d4d
commit 29739f3d4d
parent 255fe0fdcc
1 changed files with 12 additions and 8 deletions
--- a/docker-build-nix/action.yaml
+++ b/docker-build-nix/action.yaml
@ -21,13 +21,14 @@ inputs:
    default: 'registry.toph.so'

  registry-username:
-    description: 'Registry username'
+    description: 'Registry username (optional for unauthenticated registries)'
    required: false
-    default: ${{ gitea.actor }}
+    default: ''

  registry-password:
-    description: 'Registry password/token'
-    required: true
+    description: 'Registry password/token (optional for unauthenticated registries)'
+    required: false
+    default: ''

  cache-name:
    description: 'Attic cache name to push build artifacts'
@ -86,8 +87,11 @@ runs:
        TARGET_IMAGE="docker://${{ inputs.registry }}/${{ inputs.image-name }}:${{ inputs.image-tag }}"
        echo "Pushing OCI image to: $TARGET_IMAGE"

+        # Build skopeo command with optional credentials
+        SKOPEO_CMD="skopeo copy"
+        if [ -n "${{ inputs.registry-username }}" ] && [ -n "${{ inputs.registry-password }}" ]; then
+          SKOPEO_CMD="$SKOPEO_CMD --dest-creds ${{ inputs.registry-username }}:${{ inputs.registry-password }}"
+        fi
+
        # Use skopeo to push directly from OCI tarball to registry
-        skopeo copy \
-          --dest-creds "${{ inputs.registry-username }}:${{ inputs.registry-password }}" \
-          "docker-archive:./result" \
-          "$TARGET_IMAGE"
+        $SKOPEO_CMD "docker-archive:./result" "$TARGET_IMAGE"