Possible to run docker source without pull access?

[lacop11]

Tell us more.

I wonder if it would be possible to get the docker datasource working without the pull permissions?

Specifically I would like to run against private GCP artifact registry using a service account that only has list permissions:

permissions = [
  "artifactregistry.repositories.get",
  "artifactregistry.repositories.list",
  "artifactregistry.packages.list",
  "artifactregistry.versions.list",
  "artifactregistry.tags.list",
]

I think those should be sufficient to get the list of available image tags, at least via the artifact registry REST API / gcloud CLI tool. Basically to minimize risk I only want to give the renovate CI access to list of images and tags, but not access to actually pull the images.

However this fails with permission error due to missing artifactregistry.repositories.downloadArtifacts. I believe that is because renovate asks for the repository:...:pull scope.

This comes from GCP itself:

curl "https://us-central1-docker.pkg.dev/v2/xxx/tags/list?n=10000" -v --header 'content-type: application/json' 2>&1 | grep www-auth

< www-authenticate: Bearer realm="https://us-central1-docker.pkg.dev/v2/token",service="us-central1-docker.pkg.dev",scope="repository:xxx:pull"

I tried to find a definitive list of scopes that are available but got lost among the different specs... Maybe this is a limitation of the OCI / Docker registry API, and the lowest scope that will work is pull?

If this can be done with some other scope, how about allowing to override what is returned in the www-authenticate header via some config option?

And if there is no way to do it via docker, how about special-casing GCP artifact registry and using another API for listing the tags? I see there is already a special path for quay registry, so this would be similar.

(I might contribute PRs for either approach, but wanted to discuss the options and get agreement first)

[github-actions[bot]]

Hi there,

This issue or discussion is missing some logs, making it difficult or impossible to help you. Depending on which situation applies follow one, some or all of these instructions.

No logs at all

If you haven't posted any log yet, we need you to find and copy/paste the log into the issue template.

Finding logs on hosted app

Select me to read instructions

If you use the Mend Renovate app (GitHub):

1. Log in to the Mend Developer Portal
2. Navigate to the correct organization and repository
3. Locate the appropriate log (it may not always be the latest one)
4. Copy/paste the log contents
5. Follow the steps in the formatting your logs section

Finding logs when self-hosting

Select me to read instructions

Read the Renovate docs, troubleshooting, self-hosted to learn how to find the logs.

Insufficient logs

Select me to read instructions

If you already gave us a log, and the Renovate team said it's not enough, then follow the instructions from the No logs at all section.

Formatting your logs

Select me to read instructions

Please put your logs in a <details> and <summary> element like this:

<details><summary>Select me to see logs</summary>

```
Copy/paste your logs here, between the starting and ending backticks
```

</details>

If you feel the logs are too large to paste here, please use a service like GitHub Gist and paste the link here.

Good luck,

The Renovate team

[rarkins]

Renovate is not performing any docker pull - it accesses Docker APIs using HTTP.

We'd need to work out which HTTP GET or HTTP HEAD we do which requires pull permissions. Potentially you could patch Renovate locally to not request pull permissions and then see which HTTP request fails, for example.

[viceice]

pull is needed to get manifests, so currently no way around