Skip to content

feat(config,client): provide a per-registry envvar scheme to set autentication#237

Draft
mkatychev wants to merge 1 commit into
mainfrom
feat/per-registry-token-overrides
Draft

feat(config,client): provide a per-registry envvar scheme to set autentication#237
mkatychev wants to merge 1 commit into
mainfrom
feat/per-registry-token-overrides

Conversation

@mkatychev

Copy link
Copy Markdown
Member

This fills a gap where the only current ways of overriding configs through envvars are only through the wkg oci subcommands with WKG_OCI_USERNAME and WKG_OCI_PASSWORD:

pub struct Auth {
/// The username to use for authentication. If no credentials are provided, wkg will load them
/// from a local docker config and credential store and default to anonymous if none are found.
#[clap(
id = "username",
short = 'u',
env = "WKG_OCI_USERNAME",
requires = "password"
)]
pub username: Option<String>,
/// The password to use for authentication. This is required if username is set
#[clap(
id = "password",
short = 'p',
env = "WKG_OCI_PASSWORD",
requires = "username"
)]
pub password: Option<String>,
}

Many OCI registries do not expect a username/password scheme and instead want to be given a bearer token.

This attempts to fill the gap by exposing WKG_REGISTRIES_<name>_TOKEN as a means of providing credentials for a given registry.

This attempts to account for scenarios where multiple registries are authenticated with at once.

@mkatychev mkatychev requested a review from vados-cosmonic July 14, 2026 15:42
@mkatychev

mkatychev commented Jul 14, 2026

Copy link
Copy Markdown
Member Author

@vados-cosmonic @ryan-surname-p I know this is a bit "hacky" so I've included this PR as a draft/proposal functionality.

Ideally I'd like to see this land in 0.16 (with further tests & discussion of course) because there is a real gap in configuration currently where CI has to explicitly override config files with bearer tokens because there is no means for doing so from the environment

I usually end up having to overwrite/create files and merge them with existing configs that have password as a placeholder:

# wkg-config set-password --registry my-registry --password $env.OCI_BEARER_TOKEN config.toml
export def set-password [--registry: string --password: string path: path] {
    # override the config.toml path
    open $path 
    | merge deep -s overwrite {registry: {$registry: {oci: { auth: { password: $"($password)"}}}}}
    | save --force $path
}

def main [] { }

This change should not have regressions as we do not have an existing flow for bearer tokens

@ryan-surname-p

ryan-surname-p commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

@vados-cosmonic @ryan-surname-p I know this is a bit "hacky" so I've included this PR as a draft/proposal functionality.

Ideally I'd like to see this land in 0.16 (with further tests & discussion of course) because there is a real gap in configuration currently where CI has to explicitly override config files with bearer tokens because there is no means for doing so from the environment

I usually end up having to overwrite/create files and merge them with existing configs that have password as a placeholder:

# wkg-config set-password --registry my-registry --password $env.OCI_BEARER_TOKEN config.toml
export def set-password [--registry: string --password: string path: path] {
    # override the config.toml path
    open $path 
    | merge deep -s overwrite {registry: {$registry: {oci: { auth: { password: $"($password)"}}}}}
    | save --force $path
}

def main [] { }

This change should not have regressions as we do not have an existing flow for bearer tokens


This seems reasonable for mitigating the issue in the near term.

I'm partial to the overlay approach which it looks like you have in the plans already anyway baed on the todo.

@vados-cosmonic vados-cosmonic left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me -- happy to have this to make things slightly easier for actual use.

.chars()
.map(|c| if c.is_ascii_alphanumeric() { c } else { '_' })
.collect();
format!("WKG_REGISTRIES_{}_TOKEN", sanitized.to_ascii_uppercase())

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
format!("WKG_REGISTRIES_{}_TOKEN", sanitized.to_ascii_uppercase())
format!("WKG_REGISTRY_{}_AUTH_BEARER_TOKEN", sanitized.to_ascii_uppercase())

Comment thread crates/wasm-pkg-client/src/oci/mod.rs
if let Ok(token) = std::env::var(registry_token_env_var(&self.oci_registry))
&& !token.is_empty()
{
return Ok(RegistryAuth::Bearer(token));

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What do you think about leaving a log message (tracing::debug?) here to make it clear we took this shortcut/the ENV was honored?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants