fix: Fix docker login for oauth logins

.github/workflows/build-pr.yml

@@ -313,6 +313,77 @@ jobs:
           grep -q 'ARG IMAGE_REGISTRY=ghcr.io/blue-build' Containerfile || exit 1
           bluebuild build --retry-push -S sigstore --push -vv recipes/recipe.yml recipes/recipe-39.yml
 
+  docker-build-oauth-login:
+    timeout-minutes: 60
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+    needs:
+      - build
+    if: needs.build.outputs.push == 'true'
+
+    steps:
+      - name: Google Auth
+        id: auth
+        uses: "google-github-actions/auth@v2"
+        with:
+          token_format: "access_token"
+          service_account: ${{ secrets.SERVICE_ACCOUNT }}
+          project_id: bluebuild-oidc
+          create_credentials_file: false
+          workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY }}
+
+      - name: Maximize build space
+        uses: ublue-os/remove-unwanted-software@v6
+
+      - uses: sigstore/cosign-installer@v3.3.0
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          install: true
+
+      - uses: actions-rust-lang/setup-rust-toolchain@v1
+
+      - name: Docker Auth
+        id: docker-auth
+        uses: "docker/login-action@v3"
+        with:
+          username: "oauth2accesstoken"
+          password: "${{ steps.auth.outputs.access_token }}"
+          registry: us-east1-docker.pkg.dev
+
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          ref: ${{github.event.pull_request.head.ref}}
+          repository: ${{github.event.pull_request.head.repo.full_name}}
+
+      - name: Install bluebuild
+        run: |
+          cargo install --path . --debug --all-features
+
+      - name: Expose GitHub Runtime
+        uses: crazy-max/ghaction-github-runtime@v3
+
+      - name: Run Build
+        env:
+          GH_PR_EVENT_NUMBER: ${{ github.event.number }}
+          COSIGN_PRIVATE_KEY: ${{ secrets.TEST_SIGNING_SECRET }}
+          BB_BUILDKIT_CACHE_GHA: true
+        run: |
+          cd integration-tests/test-repo
+          bluebuild template -vv | tee Containerfile
+          bluebuild build \
+            --registry us-east1-docker.pkg.dev \
+            --registry-namespace bluebuild-oidc/bluebuild \
+            --retry-push \
+            --push \
+            -vv \
+            recipes/recipe.yml recipes/recipe-39.yml
+
   podman-build:
     timeout-minutes: 60
     runs-on: ubuntu-latest

.github/workflows/build.yml

@@ -311,6 +311,75 @@ jobs:
           grep -q 'ARG IMAGE_REGISTRY=ghcr.io/blue-build' Containerfile || exit 1
           bluebuild build --retry-push -S sigstore --push -vv recipes/recipe.yml recipes/recipe-39.yml
 
+  docker-build-oauth-login:
+    timeout-minutes: 60
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+    needs:
+      - build
+    if: github.repository == 'blue-build/cli'
+
+    steps:
+      - name: Google Auth
+        id: auth
+        uses: "google-github-actions/auth@v2"
+        with:
+          token_format: "access_token"
+          service_account: ${{ secrets.SERVICE_ACCOUNT }}
+          project_id: bluebuild-oidc
+          create_credentials_file: false
+          workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY }}
+
+      - name: Maximize build space
+        uses: ublue-os/remove-unwanted-software@v6
+
+      - uses: sigstore/cosign-installer@v3.3.0
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          install: true
+
+      - uses: actions-rust-lang/setup-rust-toolchain@v1
+
+      - name: Docker Auth
+        id: docker-auth
+        uses: "docker/login-action@v3"
+        with:
+          username: "oauth2accesstoken"
+          password: "${{ steps.auth.outputs.access_token }}"
+          registry: us-east1-docker.pkg.dev
+
+      - uses: actions/checkout@v4
+        with:
+          ref: main
+
+      - name: Install bluebuild
+        run: |
+          cargo install --path . --debug --all-features
+
+      - name: Expose GitHub Runtime
+        uses: crazy-max/ghaction-github-runtime@v3
+
+      - name: Run Build
+        env:
+          GH_PR_EVENT_NUMBER: ${{ github.event.number }}
+          COSIGN_PRIVATE_KEY: ${{ secrets.TEST_SIGNING_SECRET }}
+          BB_BUILDKIT_CACHE_GHA: true
+        run: |
+          cd integration-tests/test-repo
+          bluebuild template -vv | tee Containerfile
+          bluebuild build \
+            --registry us-east1-docker.pkg.dev \
+            --registry-namespace bluebuild-oidc/bluebuild \
+            --retry-push \
+            --push \
+            -vv \
+            recipes/recipe.yml recipes/recipe-39.yml
+
   podman-build:
     timeout-minutes: 60
     runs-on: ubuntu-latest

utils/src/credentials.rs

@@ -55,58 +55,34 @@ static ENV_CREDENTIALS: LazyLock<Option<Credentials>> = LazyLock::new(|| {
         env::var(CI_REGISTRY).ok(),
         env::var(GITHUB_ACTIONS).ok(),
     ) {
-        (Some(registry), _, _) if !registry.is_empty() => registry,
+        (Some(registry), _, _) | (_, Some(registry), _) if !registry.is_empty() => registry,
-        (None, Some(ci_registry), None) if !ci_registry.is_empty() => ci_registry,
+        (_, _, Some(_)) => string!("ghcr.io"),
-        (None, None, Some(_)) => string!("ghcr.io"),
         _ => return None,
     };
     trace!("Registry: {registry:?}");
 
-    let docker_creds = docker_credential::get_credential(&registry).ok();
+    let (username, password) = match (
-    let podman_creds = docker_credential::get_podman_credential(&registry).ok();
+        (username, password),
-
+        docker_credential::get_credential(&registry).ok(),
-    let username = match (
+        docker_credential::get_podman_credential(&registry).ok(),
-        username,
+        (
-        env::var(CI_REGISTRY_USER).ok(),
+            env::var(CI_REGISTRY_USER).ok(),
-        env::var(GITHUB_ACTOR).ok(),
+            env::var(CI_REGISTRY_PASSWORD).ok(),
-        &docker_creds,
+        ),
-        &podman_creds,
+        (env::var(GITHUB_ACTOR).ok(), env::var(GITHUB_TOKEN).ok()),
     ) {
-        (Some(username), _, _, _, _) if !username.is_empty() => username,
+        ((Some(username), Some(password)), _, _, _, _)
-        (_, _, _, Some(DockerCredential::UsernamePassword(username, _)), _)
+        | (_, Some(DockerCredential::UsernamePassword(username, password)), _, _, _)
-        | (_, _, _, _, Some(DockerCredential::UsernamePassword(username, _)))
+        | (_, _, Some(DockerCredential::UsernamePassword(username, password)), _, _)
-            if !username.is_empty() =>
+        | (_, _, _, (Some(username), Some(password)), _)
+        | (_, _, _, _, (Some(username), Some(password)))
+            if !username.is_empty() && !password.is_empty() =>
         {
-            username.clone()
+            (username, password)
         }
-        (None, Some(ci_registry_user), None, _, _) if !ci_registry_user.is_empty() => {
-            ci_registry_user
-        }
-        (None, None, Some(github_actor), _, _) if !github_actor.is_empty() => github_actor,
-        _ => return None,
-    };
-    trace!("Username: {username:?}");
-
-    let password = match (
-        password,
-        env::var(CI_REGISTRY_PASSWORD).ok(),
-        env::var(GITHUB_TOKEN).ok(),
-        &docker_creds,
-        &podman_creds,
-    ) {
-        (Some(password), _, _, _, _) if !password.is_empty() => password,
-        (_, _, _, Some(DockerCredential::UsernamePassword(_, password)), _)
-        | (_, _, _, _, Some(DockerCredential::UsernamePassword(_, password)))
-            if !password.is_empty() =>
-        {
-            password.clone()
-        }
-        (None, Some(ci_registry_password), None, _, _) if !ci_registry_password.is_empty() => {
-            ci_registry_password
-        }
-        (None, None, Some(registry_token), _, _) if !registry_token.is_empty() => registry_token,
         _ => return None,
     };
+    trace!("Username: {username}");
 
     Some(
         Credentials::builder()