Copy production image with direct Docker registry auth

justin808 · justin808 · commit ab4b524ed0fc · 2026-06-02T11:43:09.000-10:00
diff --git a/.github/workflows/cpflow-promote-staging-to-production.yml b/.github/workflows/cpflow-promote-staging-to-production.yml
@@ -340,6 +340,7 @@ jobs:
         env:
           # Pass the upstream token via env rather than `-t` so it doesn't appear in /proc/<pid>/cmdline.
           CPLN_TOKEN_STAGING: ${{ secrets.CPLN_TOKEN_STAGING }}
+          CPLN_TOKEN_PRODUCTION: ${{ secrets.CPLN_TOKEN_PRODUCTION }}
           PRODUCTION_APP_NAME: ${{ vars.PRODUCTION_APP_NAME }}
           CPLN_ORG_STAGING: ${{ vars.CPLN_ORG_STAGING }}
           CPLN_ORG_PRODUCTION: ${{ vars.CPLN_ORG_PRODUCTION }}
@@ -379,7 +380,10 @@ jobs:
                 '[.items[].name | select(startswith($prefix)) | (try capture("^[^:]+:(?<number>[0-9]+)") catch empty) | .number | tonumber] | max // 0'
           )"
           production_image="${PRODUCTION_APP_NAME}:$((latest_number + 1))_${staging_commit}"
+          staging_registry="${CPLN_ORG_STAGING}.registry.cpln.io"
+          production_registry="${CPLN_ORG_PRODUCTION}.registry.cpln.io"
           source_image_ref="${CPLN_ORG_STAGING}.registry.cpln.io/${STAGING_IMAGE}"
+          production_image_ref="${CPLN_ORG_PRODUCTION}.registry.cpln.io/${production_image}"
 
           docker_config_dir="$(mktemp -d)"
           cleanup_copy_credentials() {
@@ -391,14 +395,14 @@ jobs:
 
           copy_status=1
           for attempt in $(seq 1 "${copy_image_attempts}"); do
-            if CPLN_TOKEN="${CPLN_TOKEN_STAGING}" cpln image docker-login --org "${CPLN_ORG_STAGING}" >/dev/null &&
+            if printf '%s' "${CPLN_TOKEN_STAGING}" |
+              docker login "${staging_registry}" -u '<token>' --password-stdin >/dev/null &&
+              printf '%s' "${CPLN_TOKEN_PRODUCTION}" |
+              docker login "${production_registry}" -u '<token>' --password-stdin >/dev/null &&
               docker manifest inspect "${source_image_ref}" >/dev/null &&
-              CPLN_TOKEN="${CPLN_TOKEN_STAGING}" \
-              cpln image copy "${STAGING_IMAGE}" \
-              --org "${CPLN_ORG_STAGING}" \
-              --to-profile default \
-              --to-org "${CPLN_ORG_PRODUCTION}" \
-              --to-name "${production_image}"; then
+              docker pull "${source_image_ref}" &&
+              docker tag "${source_image_ref}" "${production_image_ref}" &&
+              docker push "${production_image_ref}"; then
               copy_status=0
               break
             else
