Add note about ghcr.io for HOMEBREW_DOCKER_REGISTRY_TOKEN #16794
Conversation
There was a problem hiding this comment.
Thanks @azatoth! Definitely think this needs changing, just let's riff off exactly what to.
Library/Homebrew/env_config.rb
Outdated
| Use this bearer token for authenticating with a Docker registry proxying GitHub Packages. | ||
| Preferred over `HOMEBREW_DOCKER_REGISTRY_BASIC_AUTH_TOKEN`. | ||
|
|
||
| *Note:* when authenticating against ghcr.io, \ | ||
| the `HOMEBREW_DOCKER_REGISTRY_TOKEN` must be a base64 \ | ||
| encoded GitHub Personal Access Token (PAT). |
There was a problem hiding this comment.
Not convinced this description makes that much sense after this? If you're "authenticating against ghcr.io" is this "a Docker registry proxying GitHub Packages"? It doesn't sound like it. Maybe the whole description needs a bigger overhaul?
There was a problem hiding this comment.
Yea, this is related to the underlying issue I had, trying to access a private tap hosted on a private GitHub repo. And while optimally, there should be a way to be able to assign different tokens for different taps, at the moment this environment variable is the only way to address brew to authenticate again ghcr.io.
There was a problem hiding this comment.
I wonder if this should default to HOMEBREW_GITHUB_API_TOKEN and/or read from the repository URL like #16649. Avoiding the user from having to manually run base64 seems ideal.
There was a problem hiding this comment.
should default to
HOMEBREW_GITHUB_API_TOKEN
While it's highly possibly it's the same token, conceptually it's wrong as the docker registry doesn't have anything to do with the API and vice versa. Wouldn't defaulting to HOMEBREW_GITHUB_PACKAGES_TOKEN be more logical (which in itself then might need to be promoted out from development towards more general use)?
and/or read from the repository URL
I assume it makes sense to allow it to read from the URL, even though having the token in the URL isn't something I personally would ever do.
There was a problem hiding this comment.
Wouldn't defaulting to
HOMEBREW_GITHUB_PACKAGES_TOKENbe more logical (which in itself then might need to be promoted out from development towards more general use)?
Yup, this would make sense!
There was a problem hiding this comment.
- default to
HOMEBREW_GITHUB_API_TOKEN
Don't you mean HOMEBREW_GITHUB_PACKAGES_TOKEN?
There was a problem hiding this comment.
No, that's another option we could use but if HOMEBREW_GITHUB_API_TOKEN is setup correctly we should be able to Base64 it and use it accordingly.
There was a problem hiding this comment.
No, that's another option we could use but if
HOMEBREW_GITHUB_API_TOKENis setup correctly we should be able to Base64 it and use it accordingly.
I think I'm a bit confused, I thought the API token was for accessing the API and PACKAGES token to access packages in the event you would want to have different tokes with limited permissions in each
There was a problem hiding this comment.
HOMEBREW_GITHUB_PACKAGES_TOKEN is currently only used for uploading packages.
There was a problem hiding this comment.
- default to
HOMEBREW_GITHUB_API_TOKENand do the Base64 internally inside of Homebrew
I decided to try this route;
I did rebase against master, but I don't know what your policy for PRs actually is in this regard.
|
(Prior discussion for context: https://github.com/orgs/Homebrew/discussions/5171) |
|
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. |
I might have misunderstood you, but I thought I had addressed your comments, and I don't know what more I can say to further the issue. |
It's not clear that when using HOMEBREW_DOCKER_REGISTRY_TOKEN directly against ghcr.io that you should use your PAT base64-encoded as the bearer token.
And adjusting the documentation to match
azatoth
force-pushed
the
docker-registry-token-documentation
branch
from
76301fa
to
55e9913
Compare
| description: <<~EOS, | ||
| Use this bearer token for authenticating with a Docker registry proxying GitHub Packages. | ||
| Preferred over `HOMEBREW_DOCKER_REGISTRY_BASIC_AUTH_TOKEN`. | ||
| EOS |
There was a problem hiding this comment.
Please put this all on one line again, thanks.
| Use this bearer token for authenticating with a Docker registry proxying GitHub Packages. | ||
| Preferred over `HOMEBREW_DOCKER_REGISTRY_BASIC_AUTH_TOKEN`. | ||
| EOS | ||
| default_text: "`QQ==` unless `HOMEBREW_DOCKER_REGISTRY_BASIC_AUTH_TOKEN` is set.", |
There was a problem hiding this comment.
| default_text: "`QQ==` unless `HOMEBREW_DOCKER_REGISTRY_BASIC_AUTH_TOKEN` is set.", | |
| default_text: "`HOMEBREW_DOCKER_REGISTRY_BASIC_AUTH_TOKEN` if set or `QQ==` otherwise.", |
| "<https://docs.github.com/en/rest/overview/rate-limits-for-the-rest-api>" \ | ||
| "\n\n *Note:* Homebrew doesn't require permissions for any of the scopes, but some " \ | ||
| "developer commands may require additional permissions.", | ||
| description: <<~EOS, |
There was a problem hiding this comment.
Please put this all one one line too.
| *Note:* If set, this token will also be used to authenticating against `ghcr.io` unless | ||
| `HOMEBREW_DOCKER_REGISTRY_TOKEN` or `HOMEBREW_DOCKER_REGISTRY_BASIC_AUTH_TOKEN` has been set. | ||
| In this case, the token will require the `packages` permission to be set. | ||
| `HOMEBREW_GITHUB_PACKAGES_TOKEN` is not used for this permission, but only for uploading packages. |
There was a problem hiding this comment.
| `HOMEBREW_GITHUB_PACKAGES_TOKEN` is not used for this permission, but only for uploading packages. |
Remove this and move to the HOMEBREW_GITHUB_PACKAGES_TOKEN description (if there is one).
| *Note:* Homebrew doesn't require permissions for any of the scopes, | ||
| but some developer commands may require additional permissions. | ||
|
|
||
| *Note:* If set, this token will also be used to authenticating against `ghcr.io` unless |
| Use this personal access token for the GitHub API, for features such as `brew search`. | ||
| You can create one at <https://github.com/settings/tokens>. | ||
| If set, GitHub will allow you a greater number of API requests. | ||
| For more information, see: "<https://docs.github.com/en/rest/overview/rate-limits-for-the-rest-api>" |
There was a problem hiding this comment.
| For more information, see: "<https://docs.github.com/en/rest/overview/rate-limits-for-the-rest-api>" | |
| For more information, see: <https://docs.github.com/en/rest/overview/rate-limits-for-the-rest-api> |
It's not clear that when using HOMEBREW_DOCKER_REGISTRY_TOKEN directly against ghcr.io that you should use your PAT base64-encoded as the bearer token.
brew stylewith your changes locally?brew typecheckwith your changes locally?brew testswith your changes locally?