From 096d05062b71c082b916452064ea3f4c44b0a45c Mon Sep 17 00:00:00 2001 From: Dale Orders Date: Mon, 25 May 2026 15:58:44 +1000 Subject: [PATCH] fix(registry): request pull,push scope upfront to fix push auth on quay.io When pushing, ORAS performs an Exists check before uploading. Without explicit scope hints, registries like quay.io issue a pull-only token for that check and cache it. The subsequent push then fails with 401 because the cached token lacks push permission. Fix by appending pull and push scopes to the context before calling oras.ExtendedCopy, so the first auth request acquires a token that covers the full push operation. Fixes #32144 Signed-off-by: Dale Orders --- pkg/registry/client.go | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/pkg/registry/client.go b/pkg/registry/client.go index f2bfd13b4..f9de915cb 100644 --- a/pkg/registry/client.go +++ b/pkg/registry/client.go @@ -717,6 +717,11 @@ func (c *Client) Push(data []byte, ref string, options ...PushOption) (*PushResu repository.PlainHTTP = c.plainHTTP repository.Client = c.authorizer + ctx = auth.AppendRepositoryScope(ctx, registry.Reference{ + Registry: parsedRef.orasReference.Registry, + Repository: parsedRef.orasReference.Repository, + }, auth.ActionPull, auth.ActionPush) + manifestDescriptor, err = oras.ExtendedCopy(ctx, memoryStore, parsedRef.String(), repository, parsedRef.String(), oras.DefaultExtendedCopyOptions) if err != nil { return nil, err