From 21b68e18188f91935ac1055a78ee97a7f35a110d Mon Sep 17 00:00:00 2001 From: Teppei Fukuda Date: Wed, 4 Dec 2024 17:02:26 +0900 Subject: [PATCH] fix: respect GITHUB_TOKEN to download artifacts from GHCR (#7580) Signed-off-by: knqyf263 --- docs/docs/references/troubleshooting.md | 17 +++++++++++++---- magefiles/fixture.go | 13 ++++++++----- pkg/remote/remote.go | 3 ++- 3 files changed, 23 insertions(+), 10 deletions(-) diff --git a/docs/docs/references/troubleshooting.md b/docs/docs/references/troubleshooting.md index 5d51b0532200..41bb8acb1c93 100644 --- a/docs/docs/references/troubleshooting.md +++ b/docs/docs/references/troubleshooting.md @@ -79,21 +79,25 @@ $ TRIVY_INSECURE=true trivy image [YOUR_IMAGE] ``` ### GitHub Rate limiting +Trivy uses GitHub API for [VEX repositories](../supply-chain/vex/repo.md). !!! error ``` bash - $ trivy image ... + $ trivy image --vex repo ... ... API rate limit exceeded for xxx.xxx.xxx.xxx. ``` -Specify GITHUB_TOKEN for authentication -https://developer.github.com/v3/#rate-limiting +Specify GITHUB_TOKEN for [authentication](https://docs.github.com/en/rest/using-the-rest-api/rate-limits-for-the-rest-api?apiVersion=2022-11-28) ``` -$ GITHUB_TOKEN=XXXXXXXXXX trivy alpine:3.10 +$ GITHUB_TOKEN=XXXXXXXXXX trivy image --vex repo [YOUR_IMAGE] ``` +!!! note + `GITHUB_TOKEN` doesn't help with the rate limit for the vulnerability database and other assets. + See https://github.com/aquasecurity/trivy/discussions/8009 + ### Unable to open JAR files !!! error @@ -217,6 +221,11 @@ Please remove the token and try downloading the DB again. docker logout ghcr.io ``` +or + +```shell +unset GITHUB_TOKEN +``` ## Homebrew ### Scope error diff --git a/magefiles/fixture.go b/magefiles/fixture.go index e7a2c395157e..39e5bd0ddae2 100644 --- a/magefiles/fixture.go +++ b/magefiles/fixture.go @@ -7,6 +7,8 @@ import ( "path/filepath" "strings" + "github.com/google/go-containerregistry/pkg/authn" + "github.com/google/go-containerregistry/pkg/authn/github" "github.com/google/go-containerregistry/pkg/crane" v1 "github.com/google/go-containerregistry/pkg/v1" "github.com/magefile/mage/sh" @@ -16,13 +18,15 @@ import ( const dir = "integration/testdata/fixtures/images/" +var auth = crane.WithAuthFromKeychain(authn.NewMultiKeychain(authn.DefaultKeychain, github.Keychain)) + func fixtureContainerImages() error { var testImages = testutil.ImageName("", "", "") if err := os.MkdirAll(dir, 0750); err != nil { return err } - tags, err := crane.ListTags(testImages) + tags, err := crane.ListTags(testImages, auth) if err != nil { return err } @@ -53,7 +57,7 @@ func saveImage(subpath, tag string) error { } fmt.Printf("Downloading %s...\n", imgName) - img, err := crane.Pull(imgName) + img, err := crane.Pull(imgName, auth) if err != nil { return err } @@ -64,7 +68,6 @@ func saveImage(subpath, tag string) error { if err = sh.Run("gzip", tarPath); err != nil { return err } - return nil } @@ -77,12 +80,12 @@ func fixtureVMImages() error { if err := os.MkdirAll(dir, 0750); err != nil { return err } - tags, err := crane.ListTags(testVMImages) + tags, err := crane.ListTags(testVMImages, auth) if err != nil { return err } for _, tag := range tags { - img, err := crane.Pull(fmt.Sprintf("%s:%s", testVMImages, tag)) + img, err := crane.Pull(fmt.Sprintf("%s:%s", testVMImages, tag), auth) if err != nil { return err } diff --git a/pkg/remote/remote.go b/pkg/remote/remote.go index 9e49e2e4f24f..a8bca7aafe1f 100644 --- a/pkg/remote/remote.go +++ b/pkg/remote/remote.go @@ -9,6 +9,7 @@ import ( "time" "github.com/google/go-containerregistry/pkg/authn" + "github.com/google/go-containerregistry/pkg/authn/github" "github.com/google/go-containerregistry/pkg/name" v1 "github.com/google/go-containerregistry/pkg/v1" "github.com/google/go-containerregistry/pkg/v1/remote" @@ -166,7 +167,7 @@ func authOptions(ctx context.Context, ref name.Reference, option types.RegistryO return []remote.Option{remote.WithAuth(&bearer)} default: // Use the keychain anyway at the end - opts = append(opts, remote.WithAuthFromKeychain(authn.DefaultKeychain)) + opts = append(opts, remote.WithAuthFromKeychain(authn.NewMultiKeychain(authn.DefaultKeychain, github.Keychain))) return opts } }