Auto-login to MCR before image push using CLI token

mcp build and mcp deploy (auto-build path) now authenticate to the container registry using the CLI's stored MCIAS token before pushing. MCR accepts JWTs as passwords, so this works with both human and service account tokens. Falls back silently to existing podman auth. Eliminates the need for a separate interactive `podman login` step. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 15:13:35 -07:00
parent 41437e3730
commit dd167b8e0b
2 changed files with 50 additions and 0 deletions
--- a/internal/runtime/podman.go
+++ b/internal/runtime/podman.go
@@ -178,6 +178,18 @@ func (p *Podman) Inspect(ctx context.Context, name string) (ContainerInfo, error
 	return info, nil
 }

+// Login authenticates to a container registry using the given token as
+// the password. This enables non-interactive push with service account
+// tokens (MCR accepts MCIAS JWTs as passwords).
+func (p *Podman) Login(ctx context.Context, registry, username, token string) error {
+	cmd := exec.CommandContext(ctx, p.command(), "login", "--username", username, "--password-stdin", registry) //nolint:gosec // args built programmatically
+	cmd.Stdin = strings.NewReader(token)
+	if out, err := cmd.CombinedOutput(); err != nil {
+		return fmt.Errorf("podman login %q: %w: %s", registry, err, out)
+	}
+	return nil
+}
+
 // Build builds a container image from a Dockerfile.
 func (p *Podman) Build(ctx context.Context, image, contextDir, dockerfile string) error {
 	args := []string{"build", "-t", image, "-f", dockerfile, contextDir}