Skip to content

fix: fix auth for Dockerfiles referencing cross-project base images#526

Open
WitoDelnat wants to merge 1 commit into
mainfrom
wito/dep-5276-fix-cross-project-base-image-pull-authentication
Open

fix: fix auth for Dockerfiles referencing cross-project base images#526
WitoDelnat wants to merge 1 commit into
mainfrom
wito/dep-5276-fix-cross-project-base-image-pull-authentication

Conversation

@WitoDelnat

@WitoDelnat WitoDelnat commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Note

Medium Risk
Changes build-time registry authentication and token selection; incorrect scope logic could break pushes/pulls for the current project or still mis-auth cross-project images.

Overview
Registry auth now picks credentials from the OAuth scope, so pulls of base images in another Depot project use the user’s Docker config instead of the build’s Depot credentials.

AuthProvider stores a project ID and FetchToken only uses Depot credentials when scopes include repository:<projectID>:...; otherwise it delegates to the inner Docker auth provider. WithDepotSave wires this via ReplaceDockerAuthForProject. Setup no longer merges Depot credentials into the Docker config file up front.

Tests cover scope matching and FetchToken fallback for other-project scopes.

Reviewed by Cursor Bugbot for commit 5cc9744. Bugbot is set up for automated code reviews on this repo. Configure here.

@linear-code

linear-code Bot commented Jul 6, 2026

Copy link
Copy Markdown

DEP-5276

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes using high effort and found 3 potential issues.

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit 5cc9744. Configure here.

Comment thread pkg/registry/auth.go
}
}

return false

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Empty scopes skip Depot auth

Medium Severity

When projectID is set, shouldUseDepotCredentials incorrectly delegates FetchToken requests to the inner provider if req.Scopes are empty, nil, or don't explicitly match repository:{projectID}:. This bypasses Depot credentials, causing build failures for push/save operations that rely on them without a separate Docker login.

Additional Locations (1)
Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit 5cc9744. Configure here.

Comment thread pkg/registry/auth_test.go
if provider.shouldUseDepotCredentials([]string{"repository:other-project:pull"}) {
t.Fatal("expected other project scope to use Docker credentials")
}
}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Low-value scope predicate tests

Low Severity

TestShouldUseDepotCredentialsForCurrentProjectScope and TestShouldUseDepotCredentialsFallsBackForOtherProjectScope only assert the private shouldUseDepotCredentials helper mirrors its own prefix logic. They do not exercise observable auth behavior and would not catch regressions in FetchToken or registry pulls beyond what TestFetchTokenFallsBackForOtherProjectScope already covers.

Fix in Cursor Fix in Web

Triggered by team rule: Test Critic

Reviewed by Cursor Bugbot for commit 5cc9744. Configure here.

Comment thread pkg/registry/auth.go
}

func (a *AuthProvider) FetchToken(ctx context.Context, req *auth.FetchTokenRequest) (*auth.FetchTokenResponse, error) {
if !a.shouldUseDepotCredentials(req.Scopes) {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Credentials ignore project scoping

Medium Severity

FetchToken now gates Depot build credentials on projectID and OAuth scopes, but Credentials still returns the build x-token whenever req.Host matches registry.depot.dev, with no use of projectID. Cross-project base image pulls that authenticate through the Credentials RPC can still get the current-build token instead of Docker config credentials.

Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit 5cc9744. Configure here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant