blumeops/docs/how-to/zot/wire-ci-registry-auth.md

---
title: Wire CI Registry Auth
modified: 2026-02-21
status: active
tags:
  - how-to
  - zot
  - ci
  - forgejo
---

# Wire CI Registry Auth

Ensure both CI push paths authenticate to zot after auth is enabled.

## Context

There are two push paths to update:

1. **Dagger path** (`.forgejo/workflows/build-container.yaml` → `.dagger/src/blumeops_ci/main.py`): Add `with_registry_auth()` to the Dagger `publish()` call, sourcing the API key from env var `ZOT_CI_API_KEY`.

2. **Nix/skopeo path** (`.forgejo/workflows/build-container-nix.yaml`): Add `--dest-creds` to `skopeo copy`, sourcing the API key from the same env var.

> **Note:** The API key must be generated manually after OIDC login is working — log in to zot UI via browser, generate an API key, and store it in 1Password. This is a manual step between [[register-zot-oidc-client]] and this card, but not modeled as a formal `requires` dependency.

CI authenticates as a service account in the `artifact-workloads` group (created in [[register-zot-oidc-client]]). This group grants `["read", "create"]` — CI can push new tags but cannot overwrite or delete existing ones, enforcing tag immutability server-side.

## Secret Flow

### Indri runner (minikube)

1Password item (new: `zot-ci-apikey`) → ExternalSecret in `forgejo-runner` namespace → env var `ZOT_CI_API_KEY` in runner pod

### Ringtail runner (k3s)

1Password → `/etc/forgejo-runner/zot-api-key.env` (or similar) deployed by NixOS config

## Key Files

| File | Purpose |
|------|---------|
| `.dagger/src/blumeops_ci/main.py` | Add `with_registry_auth()` to publish |
| `.forgejo/workflows/build-container.yaml` | Pass `ZOT_CI_API_KEY` to Dagger |
| `.forgejo/workflows/build-container-nix.yaml` | Add `--dest-creds` to skopeo |
| `argocd/manifests/forgejo-runner/deployment.yaml` | Mount secret as env var |
| `argocd/manifests/forgejo-runner/external-secret.yaml` | Pull API key from 1Password |
| `nixos/ringtail/configuration.nix` | Ringtail runner secret provisioning |

## Verification

- [ ] Dagger push succeeds with registry auth
- [ ] Nix/skopeo push succeeds with registry auth
- [ ] Push without credentials fails (401)

## Related

- [[harden-zot-registry]] — Parent goal
- [[register-zot-oidc-client]] — OIDC client registration (do first)
Create C2 Mikado cards for harden-zot-registry (#229) ## Summary - Replace the old pre-Mikado plan doc (`docs/how-to/plans/harden-zot-registry.md`) with a proper C2 Mikado chain in `docs/how-to/zot/` - Root goal: `harden-zot-registry` — enable OIDC + API key auth on zot with anonymous pull preserved - Three leaf prereqs: `register-zot-oidc-client`, `wire-ci-registry-auth`, `enforce-tag-immutability` - Add Zot section to `how-to.md` index, remove plan entry from plans index - All doc checks pass (`docs-check-links`, `docs-check-index`, `docs-mikado`) ## Changes - New: `docs/how-to/zot/harden-zot-registry.md` — C2 Mikado root goal - New: `docs/how-to/zot/register-zot-oidc-client.md` — Register OIDC client in Authentik - New: `docs/how-to/zot/wire-ci-registry-auth.md` — Wire CI push paths with registry auth - New: `docs/how-to/zot/enforce-tag-immutability.md` — Prevent version tag overwrites - Deleted: `docs/how-to/plans/harden-zot-registry.md` — Old plan doc (content absorbed into Mikado cards) - Updated: `docs/how-to/how-to.md` — Add Zot section, remove plan entry - Updated: `docs/how-to/plans/plans.md` — Remove plan entry 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/229 2026-02-20 17:56:25 -08:00			`---`
			`title: Wire CI Registry Auth`
Fold enforce-tag-immutability into harden-zot-registry (#235) ## Summary - Removed `status: active` from `enforce-tag-immutability` card — its requirements are folded into the parent `harden-zot-registry` goal's `accessControl` configuration - Updated `harden-zot-registry` with three-tier access control spec (anonymous read, artifact-workloads read+create, admins full) - Added `artifact-workloads` group creation step to `register-zot-oidc-client` - Added service account context to `wire-ci-registry-auth` ## Rationale Tag immutability requires authentication to be meaningful. Without auth, everyone is anonymous and gets the same policy. Rather than client-side push checks, the registry enforces immutability server-side: CI gets `["read", "create"]` (no update/delete), so pushing an existing tag is rejected by zot itself. ## Test plan - [ ] `mise run docs-check-links` passes - [ ] `mise run docs-mikado` shows enforce-tag-immutability as resolved Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/235 2026-02-21 08:05:16 -08:00			`modified: 2026-02-21`
Create C2 Mikado cards for harden-zot-registry (#229) ## Summary - Replace the old pre-Mikado plan doc (`docs/how-to/plans/harden-zot-registry.md`) with a proper C2 Mikado chain in `docs/how-to/zot/` - Root goal: `harden-zot-registry` — enable OIDC + API key auth on zot with anonymous pull preserved - Three leaf prereqs: `register-zot-oidc-client`, `wire-ci-registry-auth`, `enforce-tag-immutability` - Add Zot section to `how-to.md` index, remove plan entry from plans index - All doc checks pass (`docs-check-links`, `docs-check-index`, `docs-mikado`) ## Changes - New: `docs/how-to/zot/harden-zot-registry.md` — C2 Mikado root goal - New: `docs/how-to/zot/register-zot-oidc-client.md` — Register OIDC client in Authentik - New: `docs/how-to/zot/wire-ci-registry-auth.md` — Wire CI push paths with registry auth - New: `docs/how-to/zot/enforce-tag-immutability.md` — Prevent version tag overwrites - Deleted: `docs/how-to/plans/harden-zot-registry.md` — Old plan doc (content absorbed into Mikado cards) - Updated: `docs/how-to/how-to.md` — Add Zot section, remove plan entry - Updated: `docs/how-to/plans/plans.md` — Remove plan entry 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/229 2026-02-20 17:56:25 -08:00			`status: active`
			`tags:`
			`- how-to`
			`- zot`
			`- ci`
			`- forgejo`
			`---`

			`# Wire CI Registry Auth`

			`Ensure both CI push paths authenticate to zot after auth is enabled.`

			`## Context`

			`There are two push paths to update:`

			1. Dagger path (`.forgejo/workflows/build-container.yaml` → `.dagger/src/blumeops_ci/main.py`): Add `with_registry_auth()` to the Dagger `publish()` call, sourcing the API key from env var `ZOT_CI_API_KEY`.

			2. Nix/skopeo path (`.forgejo/workflows/build-container-nix.yaml`): Add `--dest-creds` to `skopeo copy`, sourcing the API key from the same env var.

			> Note: The API key must be generated manually after OIDC login is working — log in to zot UI via browser, generate an API key, and store it in 1Password. This is a manual step between [[register-zot-oidc-client]] and this card, but not modeled as a formal `requires` dependency.

Fold enforce-tag-immutability into harden-zot-registry (#235) ## Summary - Removed `status: active` from `enforce-tag-immutability` card — its requirements are folded into the parent `harden-zot-registry` goal's `accessControl` configuration - Updated `harden-zot-registry` with three-tier access control spec (anonymous read, artifact-workloads read+create, admins full) - Added `artifact-workloads` group creation step to `register-zot-oidc-client` - Added service account context to `wire-ci-registry-auth` ## Rationale Tag immutability requires authentication to be meaningful. Without auth, everyone is anonymous and gets the same policy. Rather than client-side push checks, the registry enforces immutability server-side: CI gets `["read", "create"]` (no update/delete), so pushing an existing tag is rejected by zot itself. ## Test plan - [ ] `mise run docs-check-links` passes - [ ] `mise run docs-mikado` shows enforce-tag-immutability as resolved Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/235 2026-02-21 08:05:16 -08:00			CI authenticates as a service account in the `artifact-workloads` group (created in [[register-zot-oidc-client]]). This group grants `["read", "create"]` — CI can push new tags but cannot overwrite or delete existing ones, enforcing tag immutability server-side.

Create C2 Mikado cards for harden-zot-registry (#229) ## Summary - Replace the old pre-Mikado plan doc (`docs/how-to/plans/harden-zot-registry.md`) with a proper C2 Mikado chain in `docs/how-to/zot/` - Root goal: `harden-zot-registry` — enable OIDC + API key auth on zot with anonymous pull preserved - Three leaf prereqs: `register-zot-oidc-client`, `wire-ci-registry-auth`, `enforce-tag-immutability` - Add Zot section to `how-to.md` index, remove plan entry from plans index - All doc checks pass (`docs-check-links`, `docs-check-index`, `docs-mikado`) ## Changes - New: `docs/how-to/zot/harden-zot-registry.md` — C2 Mikado root goal - New: `docs/how-to/zot/register-zot-oidc-client.md` — Register OIDC client in Authentik - New: `docs/how-to/zot/wire-ci-registry-auth.md` — Wire CI push paths with registry auth - New: `docs/how-to/zot/enforce-tag-immutability.md` — Prevent version tag overwrites - Deleted: `docs/how-to/plans/harden-zot-registry.md` — Old plan doc (content absorbed into Mikado cards) - Updated: `docs/how-to/how-to.md` — Add Zot section, remove plan entry - Updated: `docs/how-to/plans/plans.md` — Remove plan entry 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/229 2026-02-20 17:56:25 -08:00			`## Secret Flow`

			`### Indri runner (minikube)`

			1Password item (new: `zot-ci-apikey`) → ExternalSecret in `forgejo-runner` namespace → env var `ZOT_CI_API_KEY` in runner pod

			`### Ringtail runner (k3s)`

			1Password → `/etc/forgejo-runner/zot-api-key.env` (or similar) deployed by NixOS config

			`## Key Files`

			`\| File \| Purpose \|`
			`\|------\|---------\|`
			\| `.dagger/src/blumeops_ci/main.py` \| Add `with_registry_auth()` to publish \|
			\| `.forgejo/workflows/build-container.yaml` \| Pass `ZOT_CI_API_KEY` to Dagger \|
			\| `.forgejo/workflows/build-container-nix.yaml` \| Add `--dest-creds` to skopeo \|
			\| `argocd/manifests/forgejo-runner/deployment.yaml` \| Mount secret as env var \|
			\| `argocd/manifests/forgejo-runner/external-secret.yaml` \| Pull API key from 1Password \|
			\| `nixos/ringtail/configuration.nix` \| Ringtail runner secret provisioning \|

			`## Verification`

			`- [ ] Dagger push succeeds with registry auth`
			`- [ ] Nix/skopeo push succeeds with registry auth`
			`- [ ] Push without credentials fails (401)`

			`## Related`

			`- [[harden-zot-registry]] — Parent goal`
			`- [[register-zot-oidc-client]] — OIDC client registration (do first)`