8 changes: 7 additions & 1 deletion .github/workflows/publish-webapp.yml
Expand Up @@ -88,6 +88,12 @@ jobs:
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: 🐋 Login to Docker Hub
uses: docker/login-action@v3
Contributor

🔴 Docker Hub login uses unpinned mutable tag @v3 instead of commit SHA, inconsistent with all other action references

Both new Docker Hub login steps use docker/login-action@v3 while every other docker/login-action reference in the repository (8 occurrences across 7 workflow files) is pinned to a specific commit SHA: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0. Using a mutable tag is a supply-chain security risk (the tag can be moved to point at malicious code) and is inconsistent with the established repository convention. Additionally, @v3 is an older major version than the v4.1.0 used everywhere else.

Suggested change
uses: docker/login-action@v3
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0

with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
Comment on lines +91 to +95
Contributor

🔴 Docker Hub secrets not declared or passed for publish-webapp.yml, causing login failure

The new Docker Hub login step uses ${{ secrets.DOCKERHUB_USERNAME }} and ${{ secrets.DOCKERHUB_TOKEN }}, but these secrets are neither declared in the workflow_call.secrets section of publish-webapp.yml nor passed by the caller in publish.yml:72-74 (which only passes SENTRY_AUTH_TOKEN). In GitHub Actions, when a caller explicitly lists secrets (rather than using secrets: inherit), only declared and passed secrets are available to the called workflow. Both secrets will resolve to empty strings, causing the docker/login-action step to fail. Since this step lacks continue-on-error: true, it will abort the entire publish job, preventing the image build and push.

Comparison with correctly configured workflow

publish-worker.yml:11-15 correctly declares these secrets in its workflow_call.secrets section, and publish.yml:84-86 correctly passes them. The new steps in publish-webapp.yml are missing both pieces.

Prompt for agents
Two changes are needed to fix the Docker Hub login for publish-webapp.yml:

1. In .github/workflows/publish-webapp.yml, add DOCKERHUB_USERNAME and DOCKERHUB_TOKEN to the workflow_call.secrets section (around line 17-19), similar to how publish-worker.yml declares them at its lines 11-15.

2. In .github/workflows/publish.yml, update the publish-webapp job (around line 73-74) to also pass these secrets, similar to how publish-worker passes them at lines 84-86. Add:
   secrets:
     SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
     DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
     DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}

Additionally, consider adding a conditional guard (if: ${{ secrets.DOCKERHUB_USERNAME != '' }}) or continue-on-error: true on the Docker Hub login step to avoid hard failures when the secrets are not configured (e.g. in forks). See publish-worker.yml:63 for the existing pattern.


- name: 🐳 Build image and push to GitHub Container Registry
id: build_push
uses: depot/build-push-action@5f3b3c2e5a00f0093de47f657aeaefcedff27d18 # v1.17.0
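Review bot: nothing in this hunk pushes to Docker Hub, so the new login on lines +91 to +95 has no visible consumer: the build step that follows is still named "Build image and push to GitHub Container Registry" and the hunk shows no docker.io tag being added to it. If the tag list has been extended elsewhere in the PR, rename the step so it describes both targets; if it has not, the login only leaves an unused Docker Hub credential on the runner and should be dropped or moved next to the push it serves. Since the login runs before the build and has no `if:` guard, a missing DOCKERHUB_TOKEN (forks, or the workflow_call path discussed above) fails the whole job before the GHCR push that already worked.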
Expand Down Expand Up @@ -117,4 +123,4 @@ jobs:
with:
subject-name: ghcr.io/triggerdotdev/trigger.dev
subject-digest: ${{ steps.build_push.outputs.digest }}
push-to-registry: true
push-to-registry: true
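Review bot: the only change in this hunk is the re-emitted `push-to-registry: true` line (one deletion and one identical addition, i.e. the file's trailing newline), which is fine, but the attestation step it belongs to still names `ghcr.io/triggerdotdev/trigger.dev` as its only subject. If this PR makes Docker Hub a second publish target for the same image digest, that copy will ship without a provenance attestation; either add the Docker Hub repository as a subject or state in the PR description that only the GHCR image is attested.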
8 changes: 7 additions & 1 deletion .github/workflows/publish-worker-v4.yml
Expand Up @@ -81,10 +81,16 @@ jobs:
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: 🐋 Login to Docker Hub
uses: docker/login-action@v3
Contributor

🔴 Docker Hub login in publish-worker-v4 uses unpinned mutable tag @v3 instead of commit SHA

Same issue as in publish-webapp.yml: the new Docker Hub login step uses docker/login-action@v3 instead of the pinned commit SHA docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 used by all other workflow files in the repository. This is both a supply-chain security risk and a convention violation.

Suggested change
uses: docker/login-action@v3
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0

with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
Comment on lines +84 to +88
Contributor

🔴 Docker Hub secrets not declared or passed for publish-worker-v4.yml, causing login failure via workflow_call

Same issue as in publish-webapp.yml: the new Docker Hub login step uses ${{ secrets.DOCKERHUB_USERNAME }} and ${{ secrets.DOCKERHUB_TOKEN }}, but these are not declared in the workflow_call.secrets section of publish-worker-v4.yml, and the caller at publish.yml:90-98 passes no secrets at all. When invoked via workflow_call, both secrets will be empty and the login step will fail, aborting the build job. (When triggered directly via push tags, repository secrets are available, so only the workflow_call path is broken.)

Prompt for agents
Two changes are needed:

1. In .github/workflows/publish-worker-v4.yml, add a secrets section under workflow_call (after line 10) declaring DOCKERHUB_USERNAME and DOCKERHUB_TOKEN as optional secrets, matching the pattern in publish-worker.yml:11-15.

2. In .github/workflows/publish.yml, update the publish-worker-v4 job (around line 96) to pass these secrets:
   secrets:
     DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
     DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}

Also consider adding a conditional guard on the Docker Hub login step (like publish-worker.yml:63 does with if: ${{ env.DOCKERHUB_USERNAME }}) to gracefully skip when secrets are unavailable.


- name: 🐳 Build image and push to GitHub Container Registry
uses: depot/build-push-action@5f3b3c2e5a00f0093de47f657aeaefcedff27d18 # v1.17.0
with:
file: ./apps/${{ matrix.package }}/Containerfile
platforms: linux/amd64,linux/arm64
tags: ${{ steps.set_tags.outputs.image_tags }}
push: true
push: true
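Review bot: the build step at the end of this hunk pushes whatever `steps.set_tags.outputs.image_tags` produces (`push: true`, both linux/amd64 and linux/arm64), and the hunk gives no indication that `set_tags` now emits a docker.io tag, so the Docker Hub login on lines +84 to +88 is either unused or the step name "push to GitHub Container Registry" no longer matches what is pushed; please make the two agree. Beyond the pinning and undeclared-secret points already raised, note that this matrix job runs once per `matrix.package`, so a hard login failure repeats for every package rather than once, which is one more reason to guard the login with an `if:` on the secret as publish-worker.yml does.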