From 4a9133dab62d903a2443b51c7cdb7bb7910b677f Mon Sep 17 00:00:00 2001 From: "girija.saintange" Date: Thu, 6 Nov 2025 23:03:02 +0100 Subject: [PATCH 1/4] fix: add condition to not override custom docker release config --- templates/gitlab-ci-docker.yml | 29 +++++++++++++++++++++++------ 1 file changed, 23 insertions(+), 6 deletions(-) diff --git a/templates/gitlab-ci-docker.yml b/templates/gitlab-ci-docker.yml index 849ef01..6ee8e7c 100644 --- a/templates/gitlab-ci-docker.yml +++ b/templates/gitlab-ci-docker.yml @@ -791,10 +791,15 @@ stages: export docker_snapshot_authent_token export docker_snapshot_registry_host - docker_release_authent_token=$(echo -n "${DOCKER_REGISTRY_RELEASE_USER:-${DOCKER_REGISTRY_USER:-$CI_REGISTRY_USER}}:${DOCKER_REGISTRY_RELEASE_PASSWORD:-${DOCKER_REGISTRY_PASSWORD:-$CI_REGISTRY_PASSWORD}}" | base64 | tr -d '\n') docker_release_registry_host=$(echo "$DOCKER_RELEASE_IMAGE" | cut -d/ -f1) - export docker_release_authent_token export docker_release_registry_host + + # Only generate release auth token if custom config file is not present + if [ ! -f "${DOCKER_CONFIG_FILE}" ] + then + docker_release_authent_token=$(echo -n "${DOCKER_REGISTRY_RELEASE_USER:-${DOCKER_REGISTRY_USER:-$CI_REGISTRY_USER}}:${DOCKER_REGISTRY_RELEASE_PASSWORD:-${DOCKER_REGISTRY_PASSWORD:-$CI_REGISTRY_PASSWORD}}" | base64 | tr -d '\n') + export docker_release_authent_token + fi if [[ -n "$DOCKER_REGISTRY_MIRROR" && -n "$DOCKER_REGISTRY_MIRROR_USER" ]] then 
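Review bot: The guard `[ ! -f "${DOCKER_CONFIG_FILE}" ]` treats the mere presence of a custom config file as proof that it holds credentials for `$docker_release_registry_host`, and the same test is repeated in the next hunk (release JSON) and in the third hunk (the `cp` into `dest-config.json`). A file that exists but has no `auths` entry for the release registry would leave the destination config without release credentials, while `DOCKER_REGISTRY_RELEASE_USER`/`DOCKER_REGISTRY_RELEASE_PASSWORD` are silently ignored. I would evaluate the test once into a flag, reuse it at the three sites, and document it with a comment such as `# a custom DOCKER_CONFIG_FILE must carry auth for the release registry: the DOCKER_REGISTRY_RELEASE_* variables are not used in that case`. The enclosing script block starts and ends outside these hunks.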
@@ -808,7 +813,12 @@ stages: fi docker_snapshot_config_json=$(echo -n "{\"auths\":{$docker_mirror_config_json\"$docker_snapshot_registry_host\":{\"auth\":\"$docker_snapshot_authent_token\"}},\"HttpHeaders\":{\"User-Agent\":\"$USER_AGENT\"}}") - docker_release_config_json=$(echo -n "{\"auths\":{$docker_mirror_config_json\"$docker_release_registry_host\":{\"auth\":\"$docker_release_authent_token\"}},\"HttpHeaders\":{\"User-Agent\":\"$USER_AGENT\"}}") + + # Only generate release config JSON if custom config file is not present + if [ ! -f "${DOCKER_CONFIG_FILE}" ] + then + docker_release_config_json=$(echo -n "{\"auths\":{$docker_mirror_config_json\"$docker_release_registry_host\":{\"auth\":\"$docker_release_authent_token\"}},\"HttpHeaders\":{\"User-Agent\":\"$USER_AGENT\"}}") + fi # Create the configuration file for Docker and Kaniko BUILDTOOL_HOME=${BUILDTOOL_HOME:-$HOME} 
@@ -827,9 +837,16 @@ stages: # use same auth config as the build tool for the source image cp -f "$BUILDTOOL_HOME/.docker/config.json" "$BUILDTOOL_HOME/skopeo/.docker/src-config.json" # use a merged auth config for the destination image - echo "${docker_release_config_json}" > "$BUILDTOOL_HOME/skopeo/.docker/release-only.json" - maybe_install_python3 - merge_json "$BUILDTOOL_HOME/skopeo/.docker/src-config.json" "$BUILDTOOL_HOME/skopeo/.docker/release-only.json" > "$BUILDTOOL_HOME/skopeo/.docker/dest-config.json" + if [ -f "${DOCKER_CONFIG_FILE}" ] + then + # When using custom config file, it already contains all registries auth + cp -f "$BUILDTOOL_HOME/.docker/config.json" "$BUILDTOOL_HOME/skopeo/.docker/dest-config.json" + else + # When not using custom config file, merge snapshot and release configs + echo "${docker_release_config_json}" > "$BUILDTOOL_HOME/skopeo/.docker/release-only.json" + maybe_install_python3 + merge_json "$BUILDTOOL_HOME/skopeo/.docker/src-config.json" "$BUILDTOOL_HOME/skopeo/.docker/release-only.json" > "$BUILDTOOL_HOME/skopeo/.docker/dest-config.json" + fi fi if [ "$docker_snapshot_registry_host" = "$docker_release_registry_host" ] -- GitLab From d9ddc747572a63546a7c6e669a7ddbe3624bf3bd Mon Sep 17 00:00:00 2001 From: "girija.saintange" Date: Fri, 7 Nov 2025 11:42:05 +0100 Subject: [PATCH 2/4] fix: consider docker config for pull --- templates/gitlab-ci-docker.yml | 34 +++++++++++++++------------------- 1 file changed, 15 insertions(+), 19 deletions(-) diff --git a/templates/gitlab-ci-docker.yml b/templates/gitlab-ci-docker.yml index 6ee8e7c..0cd4100 100644 --- a/templates/gitlab-ci-docker.yml +++ b/templates/gitlab-ci-docker.yml 
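Review bot: `release-only.json` receives the release registry credential (the base64 `user:password` token inside `docker_release_config_json`) through a plain `echo … >`, so it is created with the job's default umask and stays on disk after `merge_json` has produced `dest-config.json`. On a runner where `$BUILDTOOL_HOME` outlives the job or is shared (not visible from this hunk), that leaves a second readable copy of the secret. I would set `umask 077` before the write and add `rm -f "$BUILDTOOL_HOME/skopeo/.docker/release-only.json"` right after the `merge_json` line. The same write comes back unconditionally in the hunk of PATCH 4/4.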
@@ -791,15 +791,10 @@ stages: export docker_snapshot_authent_token export docker_snapshot_registry_host + docker_release_authent_token=$(echo -n "${DOCKER_REGISTRY_RELEASE_USER:-${DOCKER_REGISTRY_USER:-$CI_REGISTRY_USER}}:${DOCKER_REGISTRY_RELEASE_PASSWORD:-${DOCKER_REGISTRY_PASSWORD:-$CI_REGISTRY_PASSWORD}}" | base64 | tr -d '\n') docker_release_registry_host=$(echo "$DOCKER_RELEASE_IMAGE" | cut -d/ -f1) + export docker_release_authent_token export docker_release_registry_host - - # Only generate release auth token if custom config file is not present - if [ ! -f "${DOCKER_CONFIG_FILE}" ] - then - docker_release_authent_token=$(echo -n "${DOCKER_REGISTRY_RELEASE_USER:-${DOCKER_REGISTRY_USER:-$CI_REGISTRY_USER}}:${DOCKER_REGISTRY_RELEASE_PASSWORD:-${DOCKER_REGISTRY_PASSWORD:-$CI_REGISTRY_PASSWORD}}" | base64 | tr -d '\n') - export docker_release_authent_token - fi if [[ -n "$DOCKER_REGISTRY_MIRROR" && -n "$DOCKER_REGISTRY_MIRROR_USER" ]] then @@ -813,12 +808,7 @@ stages: fi docker_snapshot_config_json=$(echo -n "{\"auths\":{$docker_mirror_config_json\"$docker_snapshot_registry_host\":{\"auth\":\"$docker_snapshot_authent_token\"}},\"HttpHeaders\":{\"User-Agent\":\"$USER_AGENT\"}}") - - # Only generate release config JSON if custom config file is not present - if [ ! -f "${DOCKER_CONFIG_FILE}" ] - then - docker_release_config_json=$(echo -n "{\"auths\":{$docker_mirror_config_json\"$docker_release_registry_host\":{\"auth\":\"$docker_release_authent_token\"}},\"HttpHeaders\":{\"User-Agent\":\"$USER_AGENT\"}}") - fi + docker_release_config_json=$(echo -n "{\"auths\":{$docker_mirror_config_json\"$docker_release_registry_host\":{\"auth\":\"$docker_release_authent_token\"}},\"HttpHeaders\":{\"User-Agent\":\"$USER_AGENT\"}}") # Create the configuration file for Docker and Kaniko BUILDTOOL_HOME=${BUILDTOOL_HOME:-$HOME} 
@@ -836,16 +826,21 @@ stages: mkdir -p "$BUILDTOOL_HOME/skopeo/.docker" # use same auth config as the build tool for the source image cp -f "$BUILDTOOL_HOME/.docker/config.json" "$BUILDTOOL_HOME/skopeo/.docker/src-config.json" - # use a merged auth config for the destination image - if [ -f "${DOCKER_CONFIG_FILE}" ] + + # Check if source config already contains release registry auth + maybe_install_python3 + has_release_auth=$(python3 -c "import json,sys;c=json.load(open('$BUILDTOOL_HOME/skopeo/.docker/src-config.json'));print('yes' if '$docker_release_registry_host' in c.get('auths',{}) else 'no')" 2>/dev/null || echo "no") + + if [ "$has_release_auth" = "yes" ] then - # When using custom config file, it already contains all registries auth - cp -f "$BUILDTOOL_HOME/.docker/config.json" "$BUILDTOOL_HOME/skopeo/.docker/dest-config.json" + # Source config already contains release registry auth: use it for destination too + cp -f "$BUILDTOOL_HOME/skopeo/.docker/src-config.json" "$BUILDTOOL_HOME/skopeo/.docker/dest-config.json" + log_info "Using existing release registry auth from Docker config file" else - # When not using custom config file, merge snapshot and release configs + # Source config doesn't contain release registry auth: merge with release config from env vars echo "${docker_release_config_json}" > "$BUILDTOOL_HOME/skopeo/.docker/release-only.json" - maybe_install_python3 merge_json "$BUILDTOOL_HOME/skopeo/.docker/src-config.json" "$BUILDTOOL_HOME/skopeo/.docker/release-only.json" > "$BUILDTOOL_HOME/skopeo/.docker/dest-config.json" + log_info "Merged Docker config with release registry auth from environment variables" fi fi @@ -1511,3 +1506,4 @@ docker-publish: - if: '$DOCKER_PROD_PUBLISH_STRATEGY == "manual"' when: manual - if: '$DOCKER_PROD_PUBLISH_STRATEGY == "auto"' + \ No newline at end of file -- GitLab From 56ec661849010dd4c8105f65d830c8b01dad3b35 Mon Sep 17 00:00:00 2001 
From: "girija.saintange" Date: Fri, 7 Nov 2025 13:50:04 +0100 Subject: [PATCH 3/4] fix: swap priorities --- templates/gitlab-ci-docker.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/templates/gitlab-ci-docker.yml b/templates/gitlab-ci-docker.yml index 0cd4100..3464088 100644 --- a/templates/gitlab-ci-docker.yml +++ b/templates/gitlab-ci-docker.yml @@ -839,7 +839,7 @@ stages: else # Source config doesn't contain release registry auth: merge with release config from env vars echo "${docker_release_config_json}" > "$BUILDTOOL_HOME/skopeo/.docker/release-only.json" - merge_json "$BUILDTOOL_HOME/skopeo/.docker/src-config.json" "$BUILDTOOL_HOME/skopeo/.docker/release-only.json" > "$BUILDTOOL_HOME/skopeo/.docker/dest-config.json" + merge_json "$BUILDTOOL_HOME/skopeo/.docker/release-only.json" "$BUILDTOOL_HOME/skopeo/.docker/src-config.json" > "$BUILDTOOL_HOME/skopeo/.docker/dest-config.json" log_info "Merged Docker config with release registry auth from environment variables" fi fi @@ -1506,4 +1506,3 @@ docker-publish: - if: '$DOCKER_PROD_PUBLISH_STRATEGY == "manual"' when: manual - if: '$DOCKER_PROD_PUBLISH_STRATEGY == "auto"' - \ No newline at end of file -- GitLab From 0f95fd7ce06d36aaa99f6e39f6848befbb52f09d Mon Sep 17 00:00:00 2001 From: "girija.saintange" Date: Fri, 7 Nov 2025 14:53:09 +0100 Subject: [PATCH 4/4] fix: remove unnecessary condition --- templates/gitlab-ci-docker.yml | 18 +++--------------- 1 file changed, 3 insertions(+), 15 deletions(-) diff --git a/templates/gitlab-ci-docker.yml b/templates/gitlab-ci-docker.yml index 3464088..aae2d50 100644 --- a/templates/gitlab-ci-docker.yml +++ b/templates/gitlab-ci-docker.yml 
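Review bot: Swapping the `merge_json` arguments changes which file wins for keys present in both, but the comment above the call does not record the precedence and `merge_json` itself is defined outside this hunk. If the later file overrides the earlier one, as the subject "swap priorities" suggests, values from the user's Docker config now take priority over the env-derived `release-only.json`. I would say so next to the call, e.g. `# src-config.json is passed last so its entries override release-only.json (confirm against merge_json)`. The same argument order is kept in PATCH 4/4.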
@@ -826,22 +826,10 @@ stages: mkdir -p "$BUILDTOOL_HOME/skopeo/.docker" # use same auth config as the build tool for the source image cp -f "$BUILDTOOL_HOME/.docker/config.json" "$BUILDTOOL_HOME/skopeo/.docker/src-config.json" - - # Check if source config already contains release registry auth + # use a merged auth config for the destination image + echo "${docker_release_config_json}" > "$BUILDTOOL_HOME/skopeo/.docker/release-only.json" maybe_install_python3 - has_release_auth=$(python3 -c "import json,sys;c=json.load(open('$BUILDTOOL_HOME/skopeo/.docker/src-config.json'));print('yes' if '$docker_release_registry_host' in c.get('auths',{}) else 'no')" 2>/dev/null || echo "no") - - if [ "$has_release_auth" = "yes" ] - then - # Source config already contains release registry auth: use it for destination too - cp -f "$BUILDTOOL_HOME/skopeo/.docker/src-config.json" "$BUILDTOOL_HOME/skopeo/.docker/dest-config.json" - log_info "Using existing release registry auth from Docker config file" - else - # Source config doesn't contain release registry auth: merge with release config from env vars - echo "${docker_release_config_json}" > "$BUILDTOOL_HOME/skopeo/.docker/release-only.json" - merge_json "$BUILDTOOL_HOME/skopeo/.docker/release-only.json" "$BUILDTOOL_HOME/skopeo/.docker/src-config.json" > "$BUILDTOOL_HOME/skopeo/.docker/dest-config.json" - log_info "Merged Docker config with release registry auth from environment variables" - fi + merge_json "$BUILDTOOL_HOME/skopeo/.docker/release-only.json" "$BUILDTOOL_HOME/skopeo/.docker/src-config.json" > "$BUILDTOOL_HOME/skopeo/.docker/dest-config.json" fi if [ "$docker_snapshot_registry_host" = "$docker_release_registry_host" ] -- GitLab