Possible to run docker source without pull access? #32640
lacop11 started this conversation in Suggest an Idea
Replies: 0 comments
I wonder if it would be possible to get the docker datasource working without the pull permissions?

Specifically, I would like to run against a private GCP artifact registry using a service account that only has list permissions:

I think those should be sufficient to get the list of available image tags, at least via the artifact registry REST API / gcloud CLI tool. Basically, to minimize risk I only want to give the renovate CI access to the list of images and tags, but not access to actually pull the images.
However, this fails with a permission error due to missing `artifactregistry.repositories.downloadArtifacts`. I believe that is because renovate asks for the `repository:...:pull` scope. This comes from GCP itself:
I tried to find a definitive list of scopes that are available but got lost among the different specs... Maybe this is a limitation of the OCI / Docker registry API, and the lowest scope that will work is `pull`?

If this can be done with some other scope, how about allowing to override what is returned in the `www-authenticate` header via some config option?

And if there is no way to do it via docker, how about special-casing GCP artifact registry and using another API for listing the tags? I see there is already a special path for the quay registry, so this would be similar.
(I might contribute PRs for either approach, but wanted to discuss the options and get agreement first)
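The mechanism the post is describing is the Docker registry v2 token handshake: the registry answers an unauthenticated request with a `WWW-Authenticate: Bearer ...` challenge naming a realm, a service and a scope, and the client then asks the realm for a token carrying that scope. The snippet below is an added example, not Renovate's code: it parses such a challenge, builds the token request, and models the proposed config option as a `scopeOverride` parameter so a caller can see (and, if wanted, narrow) the actions that would be requested before any token is fetched. The sample challenge, the `registry.example` host and the `team/app` repository are constructed values.

```typescript
// Added example (not Renovate code): parse a Docker registry v2 Bearer challenge
// and build the token-endpoint request, with an optional scope override that
// stands in for the config option discussed above.

// Constructed sample, shaped like a registry's reply to GET /v2/<name>/tags/list
// without credentials. Host, realm and repository name are placeholders.
const SAMPLE_CHALLENGE =
  'Bearer realm="https://registry.example/v2/token",service="registry.example",scope="repository:team/app:pull"';

interface BearerChallenge {
  realm: string;
  service?: string;
  scope?: string;
}

// Parses key="value" pairs out of a Bearer challenge. Returns null for other
// schemes (e.g. Basic) or when no realm is present, since no token URL exists then.
function parseBearerChallenge(header: string): BearerChallenge | null {
  const m = /^Bearer\s+(.*)$/i.exec(header.trim());
  if (!m) return null;
  const params: Record<string, string> = {};
  // Values are quoted, so commas inside a value must not split pairs.
  const re = /(\w+)="([^"]*)"/g;
  let pair: RegExpExecArray | null;
  while ((pair = re.exec(m[1] ?? '')) !== null) {
    params[pair[1].toLowerCase()] = pair[2];
  }
  if (!params.realm) return null;
  return { realm: params.realm, service: params.service, scope: params.scope };
}

// Builds the token request URL from the challenge. When `scopeOverride` is set it
// replaces the scope the registry asked for; this is the behaviour an override
// config option would have. URLSearchParams percent-encodes ':' and '/'.
function buildTokenUrl(challenge: BearerChallenge, scopeOverride?: string): string {
  const url = new URL(challenge.realm);
  if (challenge.service) url.searchParams.set('service', challenge.service);
  const scope = scopeOverride ?? challenge.scope;
  if (scope) url.searchParams.set('scope', scope);
  return url.toString();
}

// Splits a "repository:<name>:<actions>" scope into its parts so the actions that
// would be requested (pull, push, ...) can be inspected before asking for a token.
function scopeActions(scope: string): { type: string; name: string; actions: string[] } | null {
  const first = scope.indexOf(':');
  const last = scope.lastIndexOf(':');
  if (first < 0 || last === first) return null;
  return {
    type: scope.slice(0, first),
    name: scope.slice(first + 1, last),
    actions: scope.slice(last + 1).split(','),
  };
}

// Stand-alone usage: show what the registry asked for and the resulting token URL.
const challenge = parseBearerChallenge(SAMPLE_CHALLENGE);
if (challenge) {
  console.log('requested actions:', scopeActions(challenge.scope ?? '')?.actions);
  console.log('token URL:', buildTokenUrl(challenge));
}
```

Whether a registry will honour a scope other than `pull` for the tags endpoint is exactly the open question in the post; the example only makes the requested scope visible and configurable, it does not assume any particular alternative action exists.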