refactor: move container username from secret to input property

Co-authored-by: neilime <[email protected]>

Author: Copilot

.github/workflows/continuous-integration.md

@@ -207,7 +207,10 @@ container: |
     "env": {
       "NODE_ENV": "production"
     },
-    "options": "--cpus 2"
+    "options": "--cpus 2",
+    "credentials": {
+      "username": "myusername"
+    }
   }
 ```
 
@@ -216,22 +219,28 @@ container: |
 - `image` (string, required) - Container image name
 - `env` (object) - Environment variables
 - `options` (string) - Additional Docker options
+- `credentials` (object) - Registry credentials with `username` property
 
 **Note:** `ports` and `volumes` are not currently supported due to GitHub Actions workflow syntax limitations.
 
 #### Container Registry Credentials
 
-For private container images, use the `container-registry-username` and `container-registry-password` secrets:
+For private container images, specify the username in the container input's `credentials.username` property and pass the password via the `container-registry-password` secret:
 
 ```yaml
 jobs:
   continuous-integration:
     uses: hoverkraft-tech/ci-github-nodejs/.github/workflows/continuous-integration.yml@main
     secrets:
-      container-registry-username: ${{ secrets.REGISTRY_USERNAME }}
       container-registry-password: ${{ secrets.REGISTRY_PASSWORD }}
     with:
-      container: "ghcr.io/myorg/my-private-image:latest"
+      container: |
+        {
+          "image": "ghcr.io/myorg/my-private-image:latest",
+          "credentials": {
+            "username": "myusername"
+          }
+        }
 ```
 
 See [GitHub's container specification](https://docs.github.com/en/actions/how-tos/write-workflows/choose-where-workflows-run/run-jobs-in-a-container) for more details.
@@ -242,16 +251,14 @@ When specified, steps will execute inside this container instead of checking out
 
 ## Secrets
 
-| **Secret**                        | **Description**                                                                                                      | **Required** |
-| --------------------------------- | -------------------------------------------------------------------------------------------------------------------- | ------------ |
-| **`build-secrets`**               | Secrets to be used during the build step.                                                                            | **false**    |
-|                                   | Must be a multi-line env formatted string.                                                                           |              |
-|                                   | Example:                                                                                                             |              |
-|                                   | <!-- textlint-disable --><pre lang="txt">SECRET_EXAMPLE=$\{{ secrets.SECRET_EXAMPLE }}</pre><!-- textlint-enable --> |              |
-| **`container-registry-username`** | Username for authenticating to the container registry.                                                               | **false**    |
-|                                   | Required when using private container images.                                                                        |              |
-| **`container-registry-password`** | Password or token for authenticating to the container registry.                                                      | **false**    |
-|                                   | Required when using private container images.                                                                        |              |
+| **Secret**                        | **Description**                                                                                                                          | **Required** |
+| --------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------- | ------------ |
+| **`build-secrets`**               | Secrets to be used during the build step.                                                                                                | **false**    |
+|                                   | Must be a multi-line env formatted string.                                                                                               |              |
+|                                   | Example:                                                                                                                                 |              |
+|                                   | <!-- textlint-disable --><pre lang="txt">SECRET_EXAMPLE=$\{{ secrets.SECRET_EXAMPLE }}</pre><!-- textlint-enable -->                     |              |
+| **`container-registry-password`** | Password or token for authenticating to the container registry.                                                                          | **false**    |
+|                                   | Required when using private container images. The username should be specified in the container input's `credentials.username` property. |              |
 
 <!-- secrets:end -->
 
@@ -367,7 +374,7 @@ jobs:
 
 ### Continuous Integration with Advanced Container Options
 
-This example shows how to use advanced container options like environment variables and additional Docker options.
+This example shows how to use advanced container options like environment variables, credentials, and additional Docker options.
 
 ```yaml
 name: Continuous Integration - Advanced Container Options
@@ -383,14 +390,19 @@ jobs:
       id-token: write
       security-events: write
       contents: read
+    secrets:
+      container-registry-password: ${{ secrets.REGISTRY_PASSWORD }}
     with:
       container: |
         {
-          "image": "node:18-alpine",
+          "image": "ghcr.io/myorg/node-image:18-alpine",
           "env": {
             "NODE_ENV": "production",
             "CI": "true"
           },
+          "credentials": {
+            "username": "myusername"
+          },
           "options": "--cpus 2 --memory 4g"
         }
       # When using container mode, code-ql and dependency-review are typically disabled

.github/workflows/continuous-integration.yml

@@ -126,15 +126,11 @@ on:
           SECRET_EXAMPLE=$\{{ secrets.SECRET_EXAMPLE }}
           ```
         required: false
-      container-registry-username:
-        description: |
-          Username for authenticating to the container registry.
-          Required when using private container images.
-        required: false
       container-registry-password:
         description: |
           Password or token for authenticating to the container registry.
           Required when using private container images.
+          The username should be specified in the container input's credentials.username property.
         required: false
     outputs:
       build-artifact-id:
@@ -180,6 +176,13 @@ jobs:
                   config.env = container.env;
                 }
                 
+                // Add credentials username if provided
+                if (container.credentials && container.credentials.username) {
+                  config.credentials = {
+                    username: container.credentials.username
+                  };
+                }
+                
                 // Merge user options with default --user root:root
                 if (container.options) {
                   config.options = `${config.options} ${container.options}`;
@@ -226,7 +229,7 @@ jobs:
       env: ${{ inputs.container != '' && fromJSON(needs.parse-container.outputs.config).env || null }}
       options: ${{ inputs.container != '' && fromJSON(needs.parse-container.outputs.config).options || null }}
       credentials:
-        username: ${{ secrets.container-registry-username }}
+        username: ${{ inputs.container != '' && fromJSON(needs.parse-container.outputs.config).credentials.username || null }}
         password: ${{ secrets.container-registry-password }}
     needs: parse-container
     if: ${{ always() && !cancelled() && !failure() }}
@@ -350,7 +353,7 @@ jobs:
       env: ${{ inputs.container != '' && fromJSON(needs.parse-container.outputs.config).env || null }}
       options: ${{ inputs.container != '' && fromJSON(needs.parse-container.outputs.config).options || null }}
       credentials:
-        username: ${{ secrets.container-registry-username }}
+        username: ${{ inputs.container != '' && fromJSON(needs.parse-container.outputs.config).credentials.username || null }}
         password: ${{ secrets.container-registry-password }}
     needs:
       - parse-container
@@ -412,7 +415,7 @@ jobs:
       env: ${{ inputs.container != '' && fromJSON(needs.parse-container.outputs.config).env || null }}
       options: ${{ inputs.container != '' && fromJSON(needs.parse-container.outputs.config).options || null }}
       credentials:
-        username: ${{ secrets.container-registry-username }}
+        username: ${{ inputs.container != '' && fromJSON(needs.parse-container.outputs.config).credentials.username || null }}
         password: ${{ secrets.container-registry-password }}
     needs:
       - parse-container
@@ -464,7 +467,7 @@ jobs:
       env: ${{ inputs.container != '' && fromJSON(needs.parse-container.outputs.config).env || null }}
       options: ${{ inputs.container != '' && fromJSON(needs.parse-container.outputs.config).options || null }}
       credentials:
-        username: ${{ secrets.container-registry-username }}
+        username: ${{ inputs.container != '' && fromJSON(needs.parse-container.outputs.config).credentials.username || null }}
         password: ${{ secrets.container-registry-password }}
     needs:
       - parse-container