fix: add registry authentication for platform discovery (project-copacetic#1420)

Author: sozercan

.github/workflows/private-registry-test.yml

@@ -0,0 +1,108 @@
+name: "[Blocking] Private Registry E2E Test"
+
+# This workflow tests Copa's ability to work with private container registries.
+# It runs only on merge to main (not on PRs) because it requires access to
+# private images in GHCR using the repository's GITHUB_TOKEN.
+
+on:
+  push:
+    branches:
+      - main
+    paths-ignore:
+      - "**.md"
+      - "website/**"
+      - "docs/**"
+      - "demo/**"
+  workflow_dispatch:
+
+env:
+  TRIVY_VERSION: 0.59.1
+  BUILDKIT_VERSION: 0.19.0
+
+permissions:
+  contents: read
+  packages: read
+
+jobs:
+  build:
+    name: Build Copa
+    runs-on: oracle-vm-16cpu-64gb-x86-64
+    timeout-minutes: 5
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.3.1
+        with:
+          egress-policy: audit
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+        with:
+          go-version: "1.25"
+          check-latest: true
+      - name: Build copa
+        shell: bash
+        run: |
+          make build
+          make archive
+      - name: Upload copa to build artifacts
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        with:
+          name: copa_edge_linux_amd64.tar.gz
+          path: dist/linux_amd64/release/copa_edge_linux_amd64.tar.gz
+
+  test-private-registry:
+    needs: build
+    name: Test Private Registry Authentication
+    runs-on: oracle-vm-16cpu-64gb-x86-64
+    timeout-minutes: 15
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.3.1
+        with:
+          egress-policy: audit
+
+      - name: Check out code
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+      - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+        with:
+          go-version: "1.25"
+          check-latest: true
+
+      - name: Add containerd-snapshotter to docker daemon
+        run: |
+          echo '{"features": { "containerd-snapshotter": true }}' | sudo tee /etc/docker/daemon.json
+          sudo systemctl restart docker
+
+      - name: Download copa from build artifacts
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+        with:
+          name: copa_edge_linux_amd64.tar.gz
+
+      - name: Extract copa
+        shell: bash
+        run: |
+          tar xzf copa_edge_linux_amd64.tar.gz
+          ./copa --version
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Run private registry e2e tests
+        shell: bash
+        run: |
+          set -eu -o pipefail
+          go test -v ./test/e2e/private-registry --addr="docker://" --copa="$(pwd)/copa" -timeout 0
+
+      - name: Test Summary
+        if: always()
+        run: |
+          echo "## Private Registry Test Results" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "This test validates that Copa can authenticate to private registries" >> $GITHUB_STEP_SUMMARY
+          echo "using credentials from Docker config (via docker login)." >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "Test image: \`ghcr.io/project-copacetic/copa-action/test/docker.io/library/nginx-private:1.21.0\`" >> $GITHUB_STEP_SUMMARY

pkg/buildkit/buildkit.go

@@ -29,6 +29,7 @@ import (
 	"github.com/project-copacetic/copacetic/pkg/utils"
 	log "github.com/sirupsen/logrus"
 
+	"github.com/google/go-containerregistry/pkg/authn"
 	"github.com/google/go-containerregistry/pkg/name"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/google/go-containerregistry/pkg/v1/daemon"
@@ -304,7 +305,7 @@ func DiscoverPlatformsFromReference(manifestRef string) ([]types.PatchPlatform,
 	desc, err := TryGetManifestFromLocal(ref)
 	if err != nil {
 		log.Debugf("Failed to get descriptor from local daemon: %v, trying remote registry", err)
-		desc, err = remote.Get(ref)
+		desc, err = remote.Get(ref, remote.WithAuthFromKeychain(authn.DefaultKeychain))
 		if err != nil {
 			return nil, fmt.Errorf("error fetching descriptor for %q from both local daemon and remote registry: %w", manifestRef, err)
 		}
@@ -1445,7 +1446,7 @@ func exportPreservedPlatformsToOutput(outputDir string, originalRef reference.Na
 	isLocal := (err == nil)
 	if err != nil {
 		log.Debugf("Failed to get descriptor from local daemon: %v, trying remote registry", err)
-		desc, err = remote.Get(ref)
+		desc, err = remote.Get(ref, remote.WithAuthFromKeychain(authn.DefaultKeychain))
 		if err != nil {
 			return nil, fmt.Errorf("failed to get remote descriptor: %w", err)
 		}
@@ -1552,7 +1553,7 @@ func exportPreservedPlatformsToOutput(outputDir string, originalRef reference.Na
 						platformDesc, err := TryGetManifestFromLocal(platformRef)
 						if err != nil {
 							// Fall back to remote if local fails
-							img, err = remote.Image(platformRef)
+							img, err = remote.Image(platformRef, remote.WithAuthFromKeychain(authn.DefaultKeychain))
 							if err != nil {
 								return nil, fmt.Errorf("failed to get image for preserved platform %s/%s: %w", platformSpec.OS, platformSpec.Architecture, err)
 							}
@@ -1788,7 +1789,7 @@ func exportOriginalImagePlatformsAsOCI(outputDir string, originalRef reference.N
 	}
 
 	// Get the remote descriptor
-	desc, err := remote.Get(ref)
+	desc, err := remote.Get(ref, remote.WithAuthFromKeychain(authn.DefaultKeychain))
 	if err != nil {
 		return fmt.Errorf("failed to get remote descriptor: %w", err)
 	}

pkg/patch/platform.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 
 	"github.com/containerd/platforms"
+	"github.com/google/go-containerregistry/pkg/authn"
 	"github.com/google/go-containerregistry/pkg/name"
 	"github.com/google/go-containerregistry/pkg/v1/remote"
 	"github.com/opencontainers/go-digest"
@@ -111,7 +112,7 @@ func getPlatformDescriptorFromManifest(
 	desc, err := buildkit.TryGetManifestFromLocal(ref)
 	if err != nil {
 		log.Debugf("Failed to get descriptor from local daemon: %v, trying remote registry", err)
-		desc, err = remote.Get(ref)
+		desc, err = remote.Get(ref, remote.WithAuthFromKeychain(authn.DefaultKeychain))
 		if err != nil {
 			return nil, fmt.Errorf("error fetching descriptor for %q from both local daemon and remote registry: %w", imageRef, err)
 		}

test/e2e/private-registry/main_test.go

@@ -0,0 +1,25 @@
+package privateregistry
+
+import (
+	"flag"
+	"os"
+	"testing"
+)
+
+var (
+	copaPath     string
+	buildkitAddr string
+)
+
+func TestMain(m *testing.M) {
+	flag.StringVar(&buildkitAddr, "addr", "docker://", "buildkit address to pass through to copa binary")
+	flag.StringVar(&copaPath, "copa", "./copa", "path to copa binary")
+	flag.Parse()
+
+	if copaPath == "" {
+		panic("missing --copa")
+	}
+
+	ec := m.Run()
+	os.Exit(ec)
+}

test/e2e/private-registry/private_registry_test.go

@@ -0,0 +1,70 @@
+package privateregistry
+
+import (
+	"bytes"
+	"os/exec"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+// TestPrivateRegistryPlatformDiscovery tests that Copa can correctly discover
+// platforms from a private registry image when authenticated via docker login.
+// This test validates the fix for UNAUTHORIZED errors during platform discovery.
+func TestPrivateRegistryPlatformDiscovery(t *testing.T) {
+	if testing.Short() {
+		t.Skip("skipping test in short mode")
+	}
+
+	// This test requires authentication to GHCR which should be set up
+	// via docker login before running this test.
+	// In CI, this is done via the workflow using GITHUB_TOKEN.
+
+	// Test image in private GHCR registry
+	testImage := "ghcr.io/project-copacetic/copa-action/test/docker.io/library/nginx-private:1.21.0"
+
+	// Run copa patch without a report (comprehensive patching)
+	// This exercises the DiscoverPlatformsFromReference code path
+	patchCmd := exec.Command(
+		copaPath,
+		"patch",
+		"--image", testImage,
+		"--tag", "patched-test",
+		"-a="+buildkitAddr,
+		"--debug",
+	)
+
+	var stdout, stderr bytes.Buffer
+	patchCmd.Stdout = &stdout
+	patchCmd.Stderr = &stderr
+
+	err := patchCmd.Run()
+
+	// Combine output for error reporting
+	combinedOutput := stdout.String() + stderr.String()
+
+	// Check that the UNAUTHORIZED error does not appear in the output
+	require.NotContains(t, combinedOutput, "UNAUTHORIZED",
+		"Platform discovery should not fail with UNAUTHORIZED error when authenticated. Output:\n%s", combinedOutput)
+
+	require.NotContains(t, combinedOutput, "authentication required",
+		"Platform discovery should not fail with authentication required error. Output:\n%s", combinedOutput)
+
+	// The patch command should succeed or fail for reasons other than authentication
+	if err != nil {
+		// If it failed, make sure it's not due to authentication issues
+		require.NotContains(t, err.Error(), "UNAUTHORIZED",
+			"Patch command failed with UNAUTHORIZED error: %v", err)
+
+		// Check if it's failing because the image doesn't exist or other valid reasons
+		// Authentication errors should never occur if we're properly logged in
+		if strings.Contains(combinedOutput, "Failed to discover platforms") &&
+			strings.Contains(combinedOutput, "UNAUTHORIZED") {
+			t.Fatalf("Platform discovery failed with authentication error despite being logged in.\nOutput:\n%s", combinedOutput)
+		}
+	}
+
+	// If we got here without UNAUTHORIZED errors, the authentication fix is working
+	t.Logf("Platform discovery completed without authentication errors")
+}