From b371af7f37cb1f31980d97d9aef020c8058f7ee3 Mon Sep 17 00:00:00 2001
From: Donavan Fritz <dfritz@netflix.com>
Date: Sat, 30 May 2026 14:12:56 -0500
Subject: [PATCH] image-build: optional token input -> docker login to pull
 private base images

Org is 'limited' so buildx 401s pulling a private FROM base. Add an optional ci-bot token input; when set, docker/login-action authenticates before build (mirrors image-push). Public-base builds (base = FROM debian) omit it. Removes the need for a separate per-workflow login step.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 action.yaml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/action.yaml b/action.yaml
index 059b5a7..418fc46 100644
--- a/action.yaml
+++ b/action.yaml
@@ -26,6 +26,14 @@ inputs:
       Empty = no test.
     required: false
     default: ''
+  token:
+    description: |
+      ci-bot token (CI_BOT_TOKEN) for `docker login code.fritzlab.net`. Required
+      when the Dockerfile's FROM is a PRIVATE fritzlab image (e.g. FROM
+      code.fritzlab.net/fritzlab/base) — the org is `limited`, so buildx can't pull
+      it anonymously. Omit for public-base builds (e.g. base itself = FROM debian).
+    required: false
+    default: ''
 outputs:
   tag:
     description: Numeric tag assigned to the built image (= github.run_number)
@@ -33,6 +41,16 @@ outputs:
 runs:
   using: composite
   steps:
+    # Authenticate so buildx can pull PRIVATE fritzlab base images (org is
+    # `limited`). No-op when `token` is empty (public-base builds).
+    - name: Log in to code.fritzlab.net
+      if: ${{ inputs.token != '' }}
+      uses: docker/login-action@v3
+      with:
+        registry: code.fritzlab.net
+        username: ci-bot
+        password: ${{ inputs.token }}
+
     - name: Build (load to local docker)
       uses: docker/build-push-action@v6
       with: