docs: clarify reviewed registry role format

Co-authored-by: neilime <314088+neilime@users.noreply.github.com>

Author: Copilot

.github/workflows/docker-build-images.md

@@ -77,14 +77,14 @@ jobs:
       # Accepts either a registry hostname string or a JSON object with
       # `pull`, `pull:<name>`, `push` and `cache` keys.
       # Example:
-      # `{"pull":"docker.io","pull:private":"ghcr.io","push":"ghcr.io","cache":"ghcr.io"}`
+      # `{"pull":"docker.io","pull:private":"ghcr.io","push":"ghcr.io"}`
       # Default: `ghcr.io`
       oci-registry: ghcr.io
 
       # Username configuration used to log against OCI registries.
       # Accepts either a single username string or a JSON object using the same keys as `oci-registry`.
       # Example:
-      # `{"pull:private":"${{ github.repository_owner }}","push":"${{ github.repository_owner }}","cache":"${{ github.repository_owner }}"}`
+      # `{"pull:private":"${{ github.repository_owner }}","push":"${{ github.repository_owner }}"}`
       # See https://github.com/docker/login-action#usage.
       #
       # Default: `${{ github.repository_owner }}`
@@ -231,16 +231,17 @@ To configure distinct pull, push and cache registries, pass JSON objects:
 ```yaml
 with:
   oci-registry: |
-    {"pull":"docker.io","pull:private":"ghcr.io","push":"ghcr.io","cache":"ghcr.io"}
+    {"pull":"docker.io","pull:private":"ghcr.io","push":"ghcr.io"}
   oci-registry-username: |
-    {"pull:private":"${{ github.repository_owner }}","push":"${{ github.repository_owner }}","cache":"${{ github.repository_owner }}"}
+    {"pull:private":"${{ github.repository_owner }}","push":"${{ github.repository_owner }}"}
 secrets:
   oci-registry-password: |
-    {"pull:private":"${{ github.token }}","push":"${{ github.token }}","cache":"${{ github.token }}"}
+    {"pull:private":"${{ github.token }}","push":"${{ github.token }}"}
 ```
 
 Registry credentials are resolved by role using the same keys as `oci-registry`.
 `pull` is the default pull registry, while `pull:<name>` can be repeated for additional pull registries.
+When no pull registry is provided, the push registry is also used for pulls.
 Optional pull registries without credentials are skipped, which is useful for public registries such as Docker Hub.
 
 ### Images entry parameters

.github/workflows/docker-build-images.yml

@@ -18,20 +18,21 @@ on: # yamllint disable-line rule:truthy
         description: |
           OCI registry configuration used to pull, push and cache images.
           Accepts either a registry hostname string (legacy format) or a JSON object.
-          JSON example: `{"pull":"docker.io","pull:private":"ghcr.io","push":"ghcr.io","cache":"ghcr.io"}`
+          JSON example: `{"pull":"docker.io","pull:private":"ghcr.io","push":"ghcr.io"}`
           JSON object keys:
           - `pull`: registry used to pull public or default base images
           - `pull:<name>`: additional pull registry
           - `push`: registry used for published images
           - `cache`: registry used when `cache-type` is `registry`
+          If no `pull` key is provided, the `push` registry is also used for pulls.
         type: string
         default: "ghcr.io"
         required: false
       oci-registry-username:
         description: |
           Username configuration used to log against OCI registries.
           Accepts either a single username string (legacy format) or a JSON object using the same keys as `oci-registry`.
-          JSON example: `{"pull:private":"my-user","push":"my-user","cache":"my-user"}`
+          JSON example: `{"pull:private":"my-user","push":"my-user"}`
           See https://github.com/docker/login-action#usage.
         type: string
         default: ${{ github.repository_owner }}
@@ -115,7 +116,7 @@ on: # yamllint disable-line rule:truthy
         description: |
           Password or GitHub token (`packages:read` and `packages:write` scopes) configuration used to log against OCI registries.
           Accepts either a single password/token string (legacy format) or a JSON object using the same keys as `oci-registry`.
-          JSON example: `{"pull:private":"my-token","push":"my-token","cache":"my-token"}`
+          JSON example: `{"pull:private":"my-token","push":"my-token"}`
           See https://github.com/docker/login-action#usage.
         required: true
       build-secrets:

actions/docker/build-image/README.md

@@ -52,15 +52,15 @@ permissions:
     # Accepts either a registry hostname string or a JSON object with
     # `pull`, `pull:<name>`, `push` and `cache` keys.
     # Example:
-    # `{"pull":"docker.io","pull:private":"ghcr.io","push":"ghcr.io","cache":"ghcr.io"}`
+    # `{"pull":"docker.io","pull:private":"ghcr.io","push":"ghcr.io"}`
     # This input is required.
     # Default: `ghcr.io`
     oci-registry: ghcr.io
 
     # Username configuration used to log against OCI registries.
     # Accepts either a single username string or a JSON object using the same keys as `oci-registry`.
     # Example:
-    # `{"pull:private":"${{ github.repository_owner }}","push":"${{ github.repository_owner }}","cache":"${{ github.repository_owner }}"}`
+    # `{"pull:private":"${{ github.repository_owner }}","push":"${{ github.repository_owner }}"}`
     # See https://github.com/docker/login-action#usage.
     #
     # This input is required.
@@ -70,7 +70,7 @@ permissions:
     # Password or personal access token configuration used to log against OCI registries.
     # Accepts either a single password/token string or a JSON object using the same keys as `oci-registry`.
     # Example:
-    # `{"pull:private":"${{ github.token }}","push":"${{ github.token }}","cache":"${{ github.token }}"}`
+    # `{"pull:private":"${{ github.token }}","push":"${{ github.token }}"}`
     # Can be passed in using `secrets.GITHUB_TOKEN`.
     # See https://github.com/docker/login-action#usage.
     #
@@ -218,15 +218,16 @@ To configure distinct pull, push and cache registries, pass JSON objects:
 
 ```yaml
 oci-registry: |
-  {"pull":"docker.io","pull:private":"ghcr.io","push":"ghcr.io","cache":"ghcr.io"}
+  {"pull":"docker.io","pull:private":"ghcr.io","push":"ghcr.io"}
 oci-registry-username: |
-  {"pull:private":"${{ github.repository_owner }}","push":"${{ github.repository_owner }}","cache":"${{ github.repository_owner }}"}
+  {"pull:private":"${{ github.repository_owner }}","push":"${{ github.repository_owner }}"}
 oci-registry-password: |
-  {"pull:private":"${{ github.token }}","push":"${{ github.token }}","cache":"${{ github.token }}"}
+  {"pull:private":"${{ github.token }}","push":"${{ github.token }}"}
 ```
 
 Registry credentials are resolved by role using the same keys as `oci-registry`.
 `pull` is the default pull registry, while `pull:<name>` can be repeated for additional pull registries.
+When no pull registry is provided, the push registry is also used for pulls.
 Optional pull registries without credentials are skipped, which is useful for public registries such as Docker Hub.
 
 <!-- examples:start -->

actions/docker/build-image/action.yml

@@ -15,27 +15,28 @@ inputs:
     description: |
       OCI registry configuration used to pull, push and cache images.
       Accepts either a registry hostname string (legacy format) or a JSON object.
-      JSON example: `{"pull":"docker.io","pull:private":"ghcr.io","push":"ghcr.io","cache":"ghcr.io"}`
+      JSON example: `{"pull":"docker.io","pull:private":"ghcr.io","push":"ghcr.io"}`
       JSON object keys:
       - `pull`: registry used to pull public or default base images
       - `pull:<name>`: additional pull registry
       - `push`: registry used for published images
       - `cache`: registry used when `cache-type` is `registry`
+      If no `pull` key is provided, the `push` registry is also used for pulls.
     default: "ghcr.io"
     required: true
   oci-registry-username:
     description: |
       Username configuration used to log against OCI registries.
       Accepts either a single username string (legacy format) or a JSON object using the same keys as `oci-registry`.
-      JSON example: `{"pull:private":"${{ github.repository_owner }}","push":"${{ github.repository_owner }}","cache":"${{ github.repository_owner }}"}`
+      JSON example: `{"pull:private":"${{ github.repository_owner }}","push":"${{ github.repository_owner }}"}`
       See https://github.com/docker/login-action#usage.
     default: ${{ github.repository_owner }}
     required: true
   oci-registry-password:
     description: |
       Password or personal access token configuration used to log against OCI registries.
       Accepts either a single password/token string (legacy format) or a JSON object using the same keys as `oci-registry`.
-      JSON example: `{"pull:private":"${{ github.token }}","push":"${{ github.token }}","cache":"${{ github.token }}"}`
+      JSON example: `{"pull:private":"${{ github.token }}","push":"${{ github.token }}"}`
       Can be passed in using `secrets.GITHUB_TOKEN`.
       See https://github.com/docker/login-action#usage.
     default: ${{ github.token }}
@@ -211,7 +212,7 @@ runs:
             }, {});
           }
 
-          function resolveCredential(credentialMap, role, registry, pushRegistry) {
+          function resolveCredentialByRole(credentialMap, role, registry, pushRegistry) {
             const legacyCredential = credentialMap.legacy ?? '';
 
             if (role === 'push') {
@@ -286,8 +287,8 @@ runs:
           const registryLoginsByRegistry = new Map();
           for (const registryEntry of registryEntries) {
             const { role, registry, required } = registryEntry;
-            const username = resolveCredential(usernameByRole, role, registry, pushRegistry);
-            const password = resolveCredential(passwordByRole, role, registry, pushRegistry);
+            const username = resolveCredentialByRole(usernameByRole, role, registry, pushRegistry);
+            const password = resolveCredentialByRole(passwordByRole, role, registry, pushRegistry);
 
             if ((username && !password) || (!username && password)) {
               throw new Error(`Credentials for "${role}" must define both username and password`);
@@ -301,8 +302,13 @@ runs:
                 throw new Error(`Conflicting credentials configured for registry "${registry}"`);
               }
 
-              existingRegistryLogin.username ||= username;
-              existingRegistryLogin.password ||= password;
+              if (!existingRegistryLogin.username && username) {
+                existingRegistryLogin.username = username;
+              }
+
+              if (!existingRegistryLogin.password && password) {
+                existingRegistryLogin.password = password;
+              }
               existingRegistryLogin.required ||= required;
               continue;
             }

actions/docker/create-images-manifests/README.md

@@ -51,15 +51,15 @@ permissions:
     # Accepts either a registry hostname string or a JSON object with
     # `pull`, `pull:<name>`, `push` and `cache` keys.
     # Example:
-    # `{"pull":"docker.io","pull:private":"ghcr.io","push":"ghcr.io","cache":"ghcr.io"}`
+    # `{"pull":"docker.io","pull:private":"ghcr.io","push":"ghcr.io"}`
     # This input is required.
     # Default: `ghcr.io`
     oci-registry: ghcr.io
 
     # Username configuration used to log against OCI registries.
     # Accepts either a single username string or a JSON object using the same keys as `oci-registry`.
     # Example:
-    # `{"pull:private":"${{ github.repository_owner }}","push":"${{ github.repository_owner }}","cache":"${{ github.repository_owner }}"}`
+    # `{"pull:private":"${{ github.repository_owner }}","push":"${{ github.repository_owner }}"}`
     # See https://github.com/docker/login-action#usage.
     # This input is required.
     # Default: `${{ github.repository_owner }}`
@@ -68,7 +68,7 @@ permissions:
     # Password or personal access token configuration used to log against OCI registries.
     # Accepts either a single password/token string or a JSON object using the same keys as `oci-registry`.
     # Example:
-    # `{"pull:private":"${{ github.token }}","push":"${{ github.token }}","cache":"${{ github.token }}"}`
+    # `{"pull:private":"${{ github.token }}","push":"${{ github.token }}"}`
     # Can be passed in using `secrets.GITHUB_TOKEN`.
     # See https://github.com/docker/login-action#usage.
     #
@@ -154,11 +154,11 @@ To configure distinct pull, push and cache registries, pass JSON objects:
 
 ```yaml
 oci-registry: |
-  {"pull":"docker.io","pull:private":"ghcr.io","push":"ghcr.io","cache":"ghcr.io"}
+  {"pull":"docker.io","pull:private":"ghcr.io","push":"ghcr.io"}
 oci-registry-username: |
-  {"pull:private":"${{ github.repository_owner }}","push":"${{ github.repository_owner }}","cache":"${{ github.repository_owner }}"}
+  {"pull:private":"${{ github.repository_owner }}","push":"${{ github.repository_owner }}"}
 oci-registry-password: |
-  {"pull:private":"${{ github.token }}","push":"${{ github.token }}","cache":"${{ github.token }}"}
+  {"pull:private":"${{ github.token }}","push":"${{ github.token }}"}
 ```
 
 Registry credentials are resolved by role using the same keys as `oci-registry`.

actions/docker/create-images-manifests/action.yml

@@ -15,7 +15,7 @@ inputs:
     description: |
       OCI registry configuration used to pull, push and cache images.
       Accepts either a registry hostname string (legacy format) or a JSON object.
-      JSON example: `{"pull":"docker.io","pull:private":"ghcr.io","push":"ghcr.io","cache":"ghcr.io"}`
+      JSON example: `{"pull":"docker.io","pull:private":"ghcr.io","push":"ghcr.io"}`
       JSON object keys:
       - `pull`: registry used to pull public or default base images
       - `pull:<name>`: additional pull registry
@@ -27,15 +27,15 @@ inputs:
     description: |
       Username configuration used to log against OCI registries.
       Accepts either a single username string (legacy format) or a JSON object using the same keys as `oci-registry`.
-      JSON example: `{"pull:private":"${{ github.repository_owner }}","push":"${{ github.repository_owner }}","cache":"${{ github.repository_owner }}"}`
+      JSON example: `{"pull:private":"${{ github.repository_owner }}","push":"${{ github.repository_owner }}"}`
       See https://github.com/docker/login-action#usage.
     default: ${{ github.repository_owner }}
     required: true
   oci-registry-password:
     description: |
       Password or personal access token configuration used to log against OCI registries.
       Accepts either a single password/token string (legacy format) or a JSON object using the same keys as `oci-registry`.
-      JSON example: `{"pull:private":"${{ github.token }}","push":"${{ github.token }}","cache":"${{ github.token }}"}`
+      JSON example: `{"pull:private":"${{ github.token }}","push":"${{ github.token }}"}`
       Can be passed in using `secrets.GITHUB_TOKEN`.
       See https://github.com/docker/login-action#usage.
     default: ${{ github.token }}
@@ -210,8 +210,8 @@ runs:
             if (registryInput.legacy) {
               registries.push(registryInput.legacy);
             } else {
-              const pullRegistryEntry = Object.entries(registryInput).find(([key]) => isPullRole(key));
-              const pushRegistry = registryInput.push ?? registryInput.cache ?? pullRegistryEntry?.[1] ?? '';
+              const [, firstPullRegistryValue] = Object.entries(registryInput).find(([key]) => isPullRole(key)) ?? [];
+              const pushRegistry = registryInput.push ?? registryInput.cache ?? firstPullRegistryValue ?? '';
               if (!pushRegistry.length) {
                 throw new Error('Unable to resolve any OCI registry to authenticate against');
               }