Fix cooldown breaking Docker updates when registry API calls fail (#14149)

* Initial plan

* Fix cooldown breaking Docker updates by handling registry errors gracefully

When cooldown is enabled for Docker dependencies, the update checker
makes additional API calls (digest + blob HEAD) to determine tag
publication dates. These calls can fail with 404, 401, or other errors
for certain images/registries.

Changes:
- Add error handling in get_tag_publication_details to catch registry
  errors (NotFound, auth, rate limiting) and return nil instead of
  crashing the entire update process
- Fix apply_cooldown to treat tags with unknown publication dates as
  "not in cooldown" instead of skipping them (which could block all
  updates when the registry doesn't support the required API calls)
- Remove incorrect T.cast in publication_detail that would fail when
  get_tag_publication_details returns nil

Co-authored-by: robaiken <6567647+robaiken@users.noreply.github.com>

* Address code review: clarify apply_cooldown comment

Co-authored-by: robaiken <6567647+robaiken@users.noreply.github.com>

* Merge main (includes #14691), rename test to reflect HEAD request context

Co-authored-by: robaiken <6567647+robaiken@users.noreply.github.com>

* Fix RSpec/ReceiveMessages lint offenses in cooldown tests

Co-authored-by: robaiken <6567647+robaiken@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: robaiken <6567647+robaiken@users.noreply.github.com>

Author: Copilot

docker/lib/dependabot/docker/update_checker.rb

@@ -374,7 +374,9 @@ def apply_cooldown(candidate_tags)
         candidate_tags.reverse_each do |tag|
           details = publication_detail(tag)
 
-          next if !details || !details.released_at
+          # If we can't determine publication details, skip cooldown for this tag and use it
+          # rather than blocking the update when the registry doesn't support the required API calls
+          return [tag] if !details || !details.released_at
 
           return [tag] unless cooldown_period?(T.must(details.released_at), tag)
 
@@ -389,7 +391,7 @@ def publication_detail(candidate_tag)
         return publication_details[candidate_tag.name] if publication_details.key?(candidate_tag.name)
 
         details = get_tag_publication_details(candidate_tag)
-        publication_details[candidate_tag.name] = T.cast(details, Dependabot::Package::PackageRelease)
+        publication_details[candidate_tag.name] = details
 
         details
       end
@@ -425,6 +427,15 @@ def get_tag_publication_details(tag)
           url: nil,
           package_type: "docker"
         )
+      rescue *transient_docker_errors,
+             DockerRegistry2::RegistryAuthenticationException,
+             RestClient::Forbidden,
+             RestClient::TooManyRequests => e
+        Dependabot.logger.warn(
+          "Failed to fetch publication details for #{docker_repo_name}:#{tag.name}, " \
+          "skipping cooldown: #{e.class} - #{e.message}"
+        )
+        nil
       end
 
       sig do

docker/spec/dependabot/docker/update_checker_spec.rb

@@ -1522,6 +1522,56 @@ def stub_tag_with_no_digest(tag)
       it { is_expected.to eq("17.10") }
     end
 
+    describe "with cooldown options when HEAD request returns 404" do
+      subject(:latest_version) { checker.latest_version }
+
+      let(:update_cooldown) do
+        Dependabot::Package::ReleaseCooldownOptions.new(default_days: 7)
+      end
+
+      before do
+        mock_client = instance_double(DockerRegistry2::Registry)
+        allow(checker).to receive(:docker_registry_client).and_return(mock_client)
+        allow(mock_client).to receive_messages(
+          tags: { "tags" => %w(17.04 17.10) },
+          digest: "sha256:abc123",
+          manifest_digest: "sha256:3ea1ca1aa8483a38081750953ad75046e6cc9f6b86ca97eba880ebf600d68608"
+        )
+        allow(mock_client).to receive(:dohead).and_raise(DockerRegistry2::NotFound)
+        allow(Dependabot.logger).to receive(:warn)
+        allow(Dependabot.logger).to receive(:info)
+      end
+
+      it "still returns the latest version instead of crashing" do
+        expect(latest_version).to eq("17.10")
+      end
+    end
+
+    describe "with cooldown options when digest request raises authentication error" do
+      subject(:latest_version) { checker.latest_version }
+
+      let(:update_cooldown) do
+        Dependabot::Package::ReleaseCooldownOptions.new(default_days: 7)
+      end
+
+      before do
+        mock_client = instance_double(DockerRegistry2::Registry)
+        allow(checker).to receive(:docker_registry_client).and_return(mock_client)
+        allow(mock_client).to receive_messages(
+          tags: { "tags" => %w(17.04 17.10) },
+          manifest_digest: "sha256:3ea1ca1aa8483a38081750953ad75046e6cc9f6b86ca97eba880ebf600d68608"
+        )
+        allow(mock_client).to receive(:digest)
+          .and_raise(DockerRegistry2::RegistryAuthenticationException)
+        allow(Dependabot.logger).to receive(:warn)
+        allow(Dependabot.logger).to receive(:info)
+      end
+
+      it "still returns the latest version instead of crashing" do
+        expect(latest_version).to eq("17.10")
+      end
+    end
+
     context "when the dependency has a compound suffix with alpine version" do
       let(:dependency_name) { "golang" }
       let(:version) { "1.26.0-alpine3.23" }
@@ -2944,6 +2994,78 @@ def stub_tag_with_no_digest(tag)
         expect(result.version.class).to eq(Dependabot::Docker::Version)
       end
     end
+
+    context "when client.digest raises DockerRegistry2::NotFound" do
+      before do
+        allow(mock_client).to receive(:digest).and_raise(DockerRegistry2::NotFound)
+        allow(Dependabot.logger).to receive(:warn)
+      end
+
+      it "returns nil and logs a warning" do
+        expect(get_tag_publication_details).to be_nil
+        expect(Dependabot.logger).to have_received(:warn).with(
+          /Failed to fetch publication details.*skipping cooldown.*NotFound/
+        )
+      end
+    end
+
+    context "when client.dohead raises DockerRegistry2::NotFound for blob" do
+      before do
+        allow(mock_client).to receive(:digest).and_return("sha256:abc123")
+        allow(mock_client).to receive(:dohead).and_raise(DockerRegistry2::NotFound)
+        allow(Dependabot.logger).to receive(:warn)
+      end
+
+      it "returns nil and logs a warning" do
+        expect(get_tag_publication_details).to be_nil
+        expect(Dependabot.logger).to have_received(:warn).with(
+          /Failed to fetch publication details.*skipping cooldown.*NotFound/
+        )
+      end
+    end
+
+    context "when client.digest raises RegistryAuthenticationException" do
+      before do
+        allow(mock_client).to receive(:digest)
+          .and_raise(DockerRegistry2::RegistryAuthenticationException)
+        allow(Dependabot.logger).to receive(:warn)
+      end
+
+      it "returns nil and logs a warning" do
+        expect(get_tag_publication_details).to be_nil
+        expect(Dependabot.logger).to have_received(:warn).with(
+          /Failed to fetch publication details.*skipping cooldown.*RegistryAuthenticationException/
+        )
+      end
+    end
+
+    context "when client.digest raises RestClient::Forbidden" do
+      before do
+        allow(mock_client).to receive(:digest).and_raise(RestClient::Forbidden)
+        allow(Dependabot.logger).to receive(:warn)
+      end
+
+      it "returns nil and logs a warning" do
+        expect(get_tag_publication_details).to be_nil
+        expect(Dependabot.logger).to have_received(:warn).with(
+          /Failed to fetch publication details.*skipping cooldown.*Forbidden/
+        )
+      end
+    end
+
+    context "when client.digest raises RestClient::TooManyRequests" do
+      before do
+        allow(mock_client).to receive(:digest).and_raise(RestClient::TooManyRequests)
+        allow(Dependabot.logger).to receive(:warn)
+      end
+
+      it "returns nil and logs a warning" do
+        expect(get_tag_publication_details).to be_nil
+        expect(Dependabot.logger).to have_received(:warn).with(
+          /Failed to fetch publication details.*skipping cooldown.*TooManyRequests/
+        )
+      end
+    end
   end
 
   describe "#digest_up_to_date?" do