Skip to content

docs: document OCI/docker registry credential discovery#1001

Open
sofusalbertsen wants to merge 3 commits into
mainfrom
docs/oci-registry-credentials
Open

docs: document OCI/docker registry credential discovery#1001
sofusalbertsen wants to merge 3 commits into
mainfrom
docs/oci-registry-credentials

Conversation

@sofusalbertsen

Copy link
Copy Markdown
Contributor

Explain how registry credentials are resolved for --artifact-type=oci (and docker with --registry-username set): explicit flags first, then Docker/Podman auth files and credential helpers, then anonymous access. Also note --registry-provider is deprecated and no longer used.

Explain how registry credentials are resolved for --artifact-type=oci
(and docker with --registry-username set): explicit flags first, then
Docker/Podman auth files and credential helpers, then anonymous access.
Also note --registry-provider is deprecated and no longer used.
@claude

claude Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Claude finished @mbevc1's task in 2m 41s —— View job


Review: docs — OCI/docker registry credential discovery

  • Read PR diff
  • Verified doc claims against source (cli_utils.go, internal/digest/digest.go)
  • Static checks (go build ./... ✅, go vet ./cmd/kosli/ ✅)
  • Posted review

Content is accurate. I cross-checked the help text against the code and the resolution chain is correct:

  • --artifact-type=oci always takes the discovery path — OciSha256 (cli_utils.go:384).
  • --artifact-type=docker only takes it when --registry-username is set (cli_utils.go:386); otherwise it reads the digest from the local Docker daemon. The doc's qualifier captures this correctly. 👍
  • Explicit-credentials branch and the auth-file / credential-helper / anonymous fallback all match digest.go:85-116.

The accuracy nuances raised in the earlier review round have been folded in — nicely done.

🔴 One blocking item — generated-docs fixtures

The changed flag descriptions (and the new fingerprintDesc paragraph) are captured in the mintlify docs snapshots, which TestDocsCommandTestSuite compares byte-for-byte. Both still hold the old text and will fail:

  • cmd/kosli/testdata/output/docs/mintlify/artifact.md:48-49 (also needs the new resolution paragraph near line 30)
  • cmd/kosli/testdata/output/docs/mintlify/snyk.md:53-54

This is the fixture update @mbevc1 flagged. Regenerating the docs will fix both. (I couldn't run the test here — go test needs approval in this environment — but the exact-match comparison in docs_test.go:68,92 makes the failure certain.) See the inline comment for a one-click fix link.

Minor / optional

  • Step 1 leads with --registry-username, but for --artifact-type=oci the explicit-credentials branch is entered when either username or password is set (digest.go:95). Fine as written for the common case; just noting the code is slightly more permissive.

Nothing else — clear, well-scoped, and the deprecation note on --registry-provider is a helpful addition.
docs/oci-registry-credentials

Comment thread cmd/kosli/root.go Outdated

@mbevc1 mbevc1 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor nit and we'll need to update fixtures for testing. But looks good otherwise

Comment thread cmd/kosli/root.go Outdated
Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com>
Comment thread cmd/kosli/root.go
Comment on lines +215 to +216
registryUsernameFlag = "[conditional] The container registry username. Only required if you want to read container image SHA256 digest from a remote container registry and it is not already accessible via Docker/Podman auth files or a credential helper."
registryPasswordFlag = "[conditional] The container registry password or access token. Only required if you want to read container image SHA256 digest from a remote container registry and it is not already accessible via Docker/Podman auth files or a credential helper."

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These flag-text changes break the generated-docs fixtures. TestDocsCommandTestSuite does an exact file comparison, and both fixtures still carry the old help text, so the suite will fail until they're regenerated:

  • cmd/kosli/testdata/output/docs/mintlify/artifact.md:48-49
  • cmd/kosli/testdata/output/docs/mintlify/snyk.md:53-54

artifact.md also needs the new credential-resolution paragraph (the fingerprintDesc change around line 30). This matches @mbevc1's "we'll need to update fixtures" note.

Regenerate the fixtures →

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants