github
diff --git a/‎__tests__/main.test.ts‎
Lines changed: 48 additions & 1 deletion b/‎__tests__/main.test.ts‎
Lines changed: 48 additions & 1 deletion
diff --git a/‎dist/main/index.js‎
Lines changed: 37 additions & 1 deletion b/‎dist/main/index.js‎
Lines changed: 37 additions & 1 deletion
diff --git a/‎dist/main/index.js.map‎
Lines changed: 1 addition & 1 deletion b/‎dist/main/index.js.map‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/api-client.ts‎
Lines changed: 4 additions & 0 deletions b/‎src/api-client.ts‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎src/main.ts‎
Lines changed: 40 additions & 2 deletions b/‎src/main.ts‎
Lines changed: 40 additions & 2 deletions
@@ -13,7 +13,7 @@ import {Updater} from '../src/updater'
 import {ImageService, MetricReporter} from '../src/image-service'
 import {updaterImageName} from '../src/docker-tags'
 import * as inputs from '../src/inputs'
-import {run} from '../src/main'
+import {run, credentialsFromEnv} from '../src/main'
 
 import {eventFixturePath} from './helpers'
 
@@ -787,3 +787,50 @@ describe('run', () => {
     })
   })
 })
+
+describe('credentialsFromEnv', () => {
+  const originalEnv = process.env.GITHUB_REGISTRIES_PROXY
+  afterEach(() => {
+    process.env.GITHUB_REGISTRIES_PROXY = originalEnv
+    jest.clearAllMocks()
+  })
+
+  it('returns an empty array if GITHUB_REGISTRIES_PROXY is not set', () => {
+    delete process.env.GITHUB_REGISTRIES_PROXY
+    expect(credentialsFromEnv()).toEqual([])
+  })
+
+  it('returns an empty array if GITHUB_REGISTRIES_PROXY is not valid base64', () => {
+    process.env.GITHUB_REGISTRIES_PROXY = 'not-base64!'
+    expect(credentialsFromEnv()).toEqual([])
+  })
+
+  it('returns an empty array if GITHUB_REGISTRIES_PROXY is not valid JSON', () => {
+    process.env.GITHUB_REGISTRIES_PROXY =
+      Buffer.from('not-json').toString('base64')
+    expect(credentialsFromEnv()).toEqual([])
+  })
+
+  it('returns parsed credentials and masks secrets', () => {
+    const creds = [
+      {
+        url: 'https://foo',
+        username: 'bar',
+        password: 'baz',
+        token: 'tok',
+        host: 'h',
+        'replaces-base': false
+      }
+    ]
+    process.env.GITHUB_REGISTRIES_PROXY = Buffer.from(
+      JSON.stringify(creds)
+    ).toString('base64')
+    const setSecretSpy = jest.spyOn(core, 'setSecret')
+    const result = credentialsFromEnv()
+    expect(result).toEqual(creds)
+    expect(setSecretSpy).toHaveBeenCalledWith('baz')
+    expect(setSecretSpy).toHaveBeenCalledWith('tok')
+    expect(setSecretSpy).not.toHaveBeenCalledWith('bar')
+    expect(setSecretSpy).not.toHaveBeenCalledWith('https://foo')
+  })
+})
@@ -37,6 +37,7 @@ export type Credential = {
   'env-key'?: string
   'replaces-base'?: boolean
   'public-key-fingerprint'?: string
+  'auth-key'?: string
 }
 
 export type Metric = {
@@ -138,6 +139,9 @@ export class ApiClient {
         if (credential.token) {
           core.setSecret(credential.token)
         }
+        if (credential['auth-key']) {
+          core.setSecret(credential['auth-key'])
+        }
       }
 
       return res.result.data.attributes.credentials
 
@@ -2,7 +2,7 @@ import * as core from '@actions/core'
 import * as github from '@actions/github'
 import * as httpClient from '@actions/http-client'
 import {Context} from '@actions/github/lib/context'
-import {ApiClient, CredentialFetchingError} from './api-client'
+import {ApiClient, Credential, CredentialFetchingError} from './api-client'
 import {getJobParameters} from './inputs'
 import {ImageService, MetricReporter} from './image-service'
 import {updaterImageName, PROXY_IMAGE_NAME} from './docker-tags'
@@ -89,7 +89,11 @@ export async function run(context: Context): Promise<void> {
     }
 
     try {
-      const credentials = await apiClient.getCredentials()
+      const credentials = (await apiClient.getCredentials()) || []
+      const registryCredentials = credentialsFromEnv()
+
+      credentials.push(...registryCredentials)
+
       const updater = new Updater(
         updaterImage,
         PROXY_IMAGE_NAME,
@@ -215,4 +219,38 @@ function dependabotJobUrl(id: number): string {
   return url_parts.filter(Boolean).join('/')
 }
 
+export function credentialsFromEnv(): Credential[] {
+  const registriesProxyStr = process.env.GITHUB_REGISTRIES_PROXY
+  let credentialsStr: string
+  if (registriesProxyStr !== undefined) {
+    credentialsStr = Buffer.from(registriesProxyStr, 'base64').toString()
+  } else {
+    return []
+  }
+
+  let parsed: Credential[]
+
+  try {
+    parsed = JSON.parse(credentialsStr) as Credential[]
+  } catch {
+    // Don't log the error as it may contain sensitive information
+    parsed = []
+    botSay('Failed to parse GITHUB_REGISTRIES_PROXY environment variable')
+  }
+
+  const nonSecrets = ['url', 'username', 'host', 'replaces-base']
+  for (const e of parsed) {
+    // Mask credentials to reduce chance of accidental leakage in logs.
+    for (const key of Object.keys(e)) {
+      if (!nonSecrets.includes(key)) {
+        core.setSecret((e as Record<string, unknown>)[key] as string)
+      }
+    }
+
+    // TODO: Filter down to only credentials relevant to this job.
+  }
+
+  return parsed
+}
+
 run(github.context)
Original file line number	Diff line number	Diff line change
`@@ -37,6 +37,7 @@ export type Credential = {`
`37`	`37`	`'env-key'?: string`
`38`	`38`	`'replaces-base'?: boolean`
`39`	`39`	`'public-key-fingerprint'?: string`
	`40`	`+ 'auth-key'?: string`
`40`	`41`	`}`
`41`	`42`
`42`	`43`	`export type Metric = {`
`@@ -138,6 +139,9 @@ export class ApiClient {`
`138`	`139`	`if (credential.token) {`
`139`	`140`	`core.setSecret(credential.token)`
`140`	`141`	`}`
	`142`	`+ if (credential['auth-key']) {`
	`143`	`+ core.setSecret(credential['auth-key'])`
	`144`	`+ }`
`141`	`145`	`}`
`142`	`146`
`143`	`147`	`return res.result.data.attributes.credentials`