fix: pass credentials to skopeo list-tags for private OCI registries#192
Merged
michaelvl merged 12 commits intokrm-functions:mainfrom Mar 23, 2026
Merged
Conversation
Added Go 1.24 as a build input for the project.
When using helm-upgrader with charts from private OCI registries (e.g. ghcr.io), the SearchRepo function correctly receives credentials from the auth Secret but never passes them to skopeo.ListTags(). This causes skopeo to fail with "exit status 1" when listing tags on private registries, since the request is unauthenticated. Changes: - skopeo.ListTags() now accepts username and password parameters and passes them via --creds to skopeo when provided - helm.SearchRepo() now forwards credentials to skopeo.ListTags()
When using helm-upgrader with charts from private OCI registries (e.g. ghcr.io), the SearchRepo function correctly receives credentials from the auth Secret but never passes them to skopeo.ListTags(). This causes skopeo to fail with "exit status 1" when listing tags on private registries, since the request is unauthenticated. Changes: - skopeo.ListTags() now accepts username and password parameters and passes them via --creds to skopeo when provided - helm.SearchRepo() now forwards credentials to skopeo.ListTags()
bump version in test
mane-tv2
force-pushed
the
fix/skopeo-list-tags-auth
branch
from
dc3c7b4 to
945921e
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
When using
helm-upgraderwith Helm charts hosted in private OCI registries (e.g.ghcr.io), the version upgrade check fails with:Root Cause
SearchRepo()inpkg/helm/helm.goreceivesusernameandpasswordfrom the auth Secret lookup inmain.go, but when the chart is from an OCI registry, it callsskopeo.ListTags(chart)without forwarding credentials.The
ListTags()function inpkg/skopeo/skopeo.gorunsskopeo list-tags docker://...without--creds, so the request is unauthenticated — which fails on private registries.Note that
PullChart()already handles OCI auth correctly (viahelm registry login), so this is only a gap in the tag listing path.Fix
skopeo.ListTags()now acceptsusername, password stringparameters and passes--creds user:passto skopeo when credentials are provided.helm.SearchRepo()forwards the credentials it receives toskopeo.ListTags().Testing
This was discovered and validated against a private
ghcr.ioOCI registry (ghcr.io/tv2/ccs-helm-charts/argocd-config) used in a GitHub Actions CI workflow.