fix(registry): request pull,push scope upfront to fix push auth on quay.io

When pushing, ORAS performs an Exists check before uploading. Without
explicit scope hints, registries like quay.io issue a pull-only token
for that check and cache it. The subsequent push then fails with 401
because the cached token lacks push permission.

Fix by appending pull and push scopes to the context before calling
oras.ExtendedCopy, so the first auth request acquires a token that
covers the full push operation.

Fixes #32144

Signed-off-by: Dale Orders <daleorders7@gmail.com>
pull/32156/head
Dale Orders 2 months ago
parent 609e1ca72c
commit 096d05062b
No known key found for this signature in database
GPG Key ID: 7F93A702351A57CB

@ -717,6 +717,11 @@ func (c *Client) Push(data []byte, ref string, options ...PushOption) (*PushResu
repository.PlainHTTP = c.plainHTTP
repository.Client = c.authorizer
ctx = auth.AppendRepositoryScope(ctx, registry.Reference{
Registry: parsedRef.orasReference.Registry,
Repository: parsedRef.orasReference.Repository,
}, auth.ActionPull, auth.ActionPush)
manifestDescriptor, err = oras.ExtendedCopy(ctx, memoryStore, parsedRef.String(), repository, parsedRef.String(), oras.DefaultExtendedCopyOptions)
if err != nil {
return nil, err

Loading…
Cancel
Save