DockerHub Description automated process is broken since 2 months (at least?)

Question

DockerHub Description automated process is broken since 2 months (at least?)

dduportal opened this issue 8 months ago · 8 comments

Each time there is a release, the automated process used to push the updated README to DockerHub is failing:

Acquiring token
Sending PATCH request
Error: Forbidden

It's been at least 2 months with this failure:

I'm not sure why, and how to fix it yet (haven't looked at it) but opening issue for awareness

cc @lemeurherve @MarkEWaite @NotMyFault @gounthar @timja

Answer 1 · 2024-05-05T10:44:07.000Z

I reached here to submit a issue to update the description and saw this,
I believe the dockerhub description is about ~7 months out of date... seeing as the description has mentions of bullseye and no mentions of bookworm.

Answer 2 · 2024-05-05T13:57:14.000Z

I don't have access to the jenkins docker hub account to check if the GitHub repository secrets are valid.

Looking at the code of the GHA used to update description and short description on hub.docker.com at https://github.com/peter-evans/dockerhub-description/blob/main/src/dockerhub-helper.ts, I'm wondering if we shouldn't do these 2 API calls ourselves in a pipeline library function (for example) where Docker hub username and password are already used.

That would avoid setting up and keep up to date GitHub secrets on this repository, and reuse this new function in other docker repositories in @jenkinsci & @jenkins-infra orgs.

WDYT?

Answer 3 · 2024-05-05T14:10:03.000Z

That would avoid setting up and keep up to date GitHub secrets on this repository, and reuse this new function in other docker repositories in @jenkinsci & @jenkins-infra orgs.

WDYT?

That seems very reasonable to me. If the credentials are already used in the Pipeline job and if there is a relatively easy API call that will do the work, then let's call the API directly from the Pipeline.

Answer 4 · 2024-05-06T05:33:34.000Z

The reason it was done like this is because the delete permission is required and delete wasn’t wanted on the main credential

Answer 5 · 2024-05-06T07:19:32.000Z

What @timja said. Separating these credentials is key to safety (and avoid mistakes)

Answer 6 · 2024-05-06T21:19:20.000Z

I've fixed this by setting the right permissions on the agent image for robots (admin).

inbound-agent already had the right permissions

Yes the permissions aren't ideal but we've gone through this at length previously and it's a docker hub limitation.

Answer 7 · 2024-05-06T21:21:01.000Z

I reached here to submit a issue to update the description and saw this, I believe the dockerhub description is about ~7 months out of date... seeing as the description has mentions of bullseye and no mentions of bookworm.

https://hub.docker.com/r/jenkins/agent now has bookworm references.

Answer 8 · 2024-05-06T21:32:35.000Z

Might be worth to update the description even more, there aren't any mentions of bookworm jdk21 (and maybe some reformatting in general)
I might open a PR for that, thumb up if sounds good.