-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: respect GITHUB_TOKEN to download artifacts from GHCR #7580
Conversation
Signed-off-by: knqyf263 <[email protected]>
Signed-off-by: knqyf263 <[email protected]>
Even GITHUB_TOKEN doesn't seem to help. I locally faced the same error with my token.
|
Does |
First of all, If you still want to try a token, you can just mount config.json as you said. If you use an OS-specific credential store, it will probably not work. e.g.
|
I tried to test it, but now I get
So maybe it's not the rate limit on the user but a repo-specific limit on the ghcr.io/aquasecurity/trivy repo? |
This PR is stale because it has been labeled with inactivity. |
Signed-off-by: knqyf263 <[email protected]>
GITHUB_TOKEN didn't help pull images from GHCR Signed-off-by: knqyf263 <[email protected]>
Signed-off-by: knqyf263 <[email protected]>
@DmitriyLewen We found that this fix does not help with rate limiting, but it does help with downloads from private repositories, so I modified it and made it ready for review. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Description
The troubleshooting documentation currently suggests setting the
GITHUB_TOKEN
to avoid rate limiting. However, this information was outdated, created when theimage
subcommand didn't even exist. We've identified that in the latest version of Trivy, theGITHUB_TOKEN
is not correctly utilized when downloading the vulnerability database, checks bundles and the Java database. The token helps pull these assets from private repositories. Note that it currently doesn't help with rate limiting.This PR addresses the issue by implementing the correct usage of
GITHUB_TOKEN
for GHCR.Notes
The
docker login ghcr.io
functionality is working as expected and remains unchanged.Checklist