Allow registry credentials for job/service containers (#694)

* Log in with container credentials if given * Stub in registry aware auth for later * Fix hang if password is empty * Remove default param to fix build * PR Feedback. Add some tests and fix parse
2025-12-17 15:59:37 +00:00 · 2020-09-11 12:28:58 -04:00
parent 444332ca88
commit 4e85b8f3b7
9 changed files with 241 additions and 4 deletions
--- a/src/Sdk/DTPipelines/Pipelines/JobContainer.cs
+++ b/src/Sdk/DTPipelines/Pipelines/JobContainer.cs
@@ -56,5 +56,36 @@ namespace GitHub.DistributedTask.Pipelines
            get;
            set;
        }
+
+        /// <summary>
+        /// Gets or sets the credentials used for pulling the container iamge.
+        /// </summary>
+        public ContainerRegistryCredentials Credentials
+        {
+            get;
+            set;
+        }
+    }
+
+    [EditorBrowsable(EditorBrowsableState.Never)]
+    public sealed class ContainerRegistryCredentials
+    {
+        /// <summary>
+        /// Gets or sets the user to authenticate to a registry with
+        /// </summary>
+        public String Username
+        {
+            get;
+            set;
+        }
+
+        /// <summary>
+        /// Gets or sets the password to authenticate to a registry with
+        /// </summary>
+        public String Password
+        {
+            get;
+            set;
+        }
    }
 }
--- a/src/Sdk/DTPipelines/Pipelines/ObjectTemplating/PipelineTemplateConstants.cs
+++ b/src/Sdk/DTPipelines/Pipelines/ObjectTemplating/PipelineTemplateConstants.cs
@@ -14,6 +14,7 @@ namespace GitHub.DistributedTask.Pipelines.ObjectTemplating
        public const String Clean= "clean";
        public const String Container = "container";
        public const String ContinueOnError = "continue-on-error";
+        public const String Credentials = "credentials";
        public const String Defaults = "defaults";
        public const String Env = "env";
        public const String Event = "event";
@@ -45,6 +46,7 @@ namespace GitHub.DistributedTask.Pipelines.ObjectTemplating
        public const String Options = "options";
        public const String Outputs = "outputs";
        public const String OutputsPattern = "needs.*.outputs";
+        public const String Password = "password";
        public const String Path = "path";
        public const String Pool = "pool";
        public const String Ports = "ports";
@@ -68,6 +70,7 @@ namespace GitHub.DistributedTask.Pipelines.ObjectTemplating
        public const String Success = "success";
        public const String Template = "template";
        public const String TimeoutMinutes = "timeout-minutes";
+        public const String Username = "username";
        public const String Uses = "uses";
        public const String VmImage = "vmImage";
        public const String Volumes = "volumes";
--- a/src/Sdk/DTPipelines/Pipelines/ObjectTemplating/PipelineTemplateConverter.cs
+++ b/src/Sdk/DTPipelines/Pipelines/ObjectTemplating/PipelineTemplateConverter.cs
@@ -209,6 +209,30 @@ namespace GitHub.DistributedTask.Pipelines.ObjectTemplating
            return (Int32)numberToken.Value;
        }

+        internal static ContainerRegistryCredentials ConvertToContainerCredentials(TemplateToken token)
+        {
+            var credentials = token.AssertMapping(PipelineTemplateConstants.Credentials);
+            var result = new ContainerRegistryCredentials();
+            foreach (var credentialProperty in credentials)
+            {
+                var propertyName = credentialProperty.Key.AssertString($"{PipelineTemplateConstants.Credentials} key");
+                switch (propertyName.Value)
+                {
+                    case PipelineTemplateConstants.Username:
+                        result.Username = credentialProperty.Value.AssertString(PipelineTemplateConstants.Username).Value;
+                        break;
+                    case PipelineTemplateConstants.Password:
+                        result.Password = credentialProperty.Value.AssertString(PipelineTemplateConstants.Password).Value;
+                        break;
+                    default:
+                        propertyName.AssertUnexpectedValue($"{PipelineTemplateConstants.Credentials} key {propertyName}");
+                        break;
+                }
+            }
+
+            return result;
+        }
+
        internal static JobContainer ConvertToJobContainer(
            TemplateContext context,
            TemplateToken value,
@@ -275,6 +299,9 @@ namespace GitHub.DistributedTask.Pipelines.ObjectTemplating
                            }
                            result.Volumes = volumeList;
                            break;
+                        case PipelineTemplateConstants.Credentials:
+                            result.Credentials = ConvertToContainerCredentials(containerPropertyPair.Value);
+                            break;
                        default:
                            propertyName.AssertUnexpectedValue($"{PipelineTemplateConstants.Container} key");
                            break;
--- a/src/Sdk/DTPipelines/workflow-v1.0.json
+++ b/src/Sdk/DTPipelines/workflow-v1.0.json
@@ -373,7 +373,8 @@
          "options": "non-empty-string",
          "env": "container-env",
          "ports": "sequence-of-non-empty-string",
-          "volumes": "sequence-of-non-empty-string"
+          "volumes": "sequence-of-non-empty-string",
+          "credentials": "container-registry-credentials"
        }
      }
    },
@@ -404,6 +405,20 @@
      ]
    },

+    "container-registry-credentials": {
+      "context": [
+        "secrets",
+        "env",
+        "github"
+      ],
+      "mapping": {
+        "properties": {
+          "username": "non-empty-string",
+          "password": "non-empty-string"
+        }
+      }
+    },
+
    "container-env": {
      "mapping": {
        "loose-key-type": "non-empty-string",