Support updating the README at Docker Hub

[ximon18]

At Docker Hub our images have their own README files which were originally in sync with the README in the GitHub repository. However, the Docker Hub README has to be manually kept up-to-date and typically gets forgotten. It would be useful to be able to update it automatically as part of the Docker publication steps done by the reusable packaging workflow.

[ximon18]

Use https://github.com/peter-evans/dockerhub-description.

[ximon18]

I'm currently seeing Forbidden when the peter-evans/dockerhub-description GH Action when using a read/write PAT from Docker Hub.

There seem to have been a lot of issues authenticating the necessary repo PATCH HTTP API call over time with the Docker Hub team refactoring their system internally and breaking things.

This exact case is apparently working via the 'docker-pushrm` command and that is apparently available as a GH Action here, so I'll try that and see if it works.

[ximon18]

Hmm, I spoke to soon perhaps, the README for the GH Action that I thought might work says this:

Pushing READMEs to Dockerhub currently only works with username/password and not with personal access tokens. If you have 2FA auth (two-factor authentication) enabled for your Dockerhub account you're effectively using a personal access token. This is an unfortunate Dockerhub API limitation.

There are indications (in issues and forum posts) that a new API for Dockerhub might be coming up sooner or later that might fill this gap. Fingers crossed. crossed_fingers

[ximon18]

The latest version of the underlying docker-pushrm repo/image, v1.9.0, says:

login on Docker Hub with PATs (Personal Access Tokens) due to an docker/hub-feedback#2127 (comment). Remove all warnings.

And I see that the GH Action is using that via Docker Hub tag "1".

[ximon18]

No, still fails with Forbidden:

level=debug msg="root cmd init config"
level=debug msg="home dir: /github/home"
level=debug msg="subcommand \"pushrm\" called"
level=debug msg="Using target: docker.io/ximoneighteen/ximontest:latest"
level=debug msg="using README file: README.md"
level=debug msg="server: docker.io"
level=debug msg="namespace: ximoneighteen"
level=debug msg="repo: ximontest"
level=debug msg="tag: latest"
level=debug msg="repo provider: dockerhub"
level=debug msg="Dockerhub.GetAuthident called"
level=debug msg="using credentials for user *** from generic env var"
level=debug msg="Using Docker creds: *** ********"
level=debug msg="Dockerhub.Pushrm called"
level=debug msg="retrieve Dockerhub jwt token, status code: 200"
level=debug msg="push readme, response body: {\"message\":\"insufficient scope\",\"errinfo\":{}}\n"
level=debug msg="push README, status code: 403"
level=debug msg="error pushing README, bad status code for response: 403 Forbidden. Try \"docker logout\" and \"docker login\". If you use a PAT token make sure it has sufficient privileges (\"admin\" scope)."

There is no "admin" scope option in the Docker Hub UI, only read, write and delete. Googling seems to say that admin is only with a proper Docker Hub account login via username/password rather than Personal Access Token (PAT), e.g. https://docs.docker.com/docker-hub/access-tokens/ says:

When using an access token, you can’t perform any admin activity on the account, including changing the password. It protects your account if your computer is compromised.

However, I have 2FA enabled for the actual Docker Hub admin account so that won't work in an automation scenario.