
Draft: Allow different push credentials for auto-build


Currently the $CI_JOB_TOKEN only allows read access to other projects' container registries.

Docker build + any FROM statements work just fine with this. woo!

The issue comes when trying to push a container to another project using the job token. bad times all round.

Why not use a deploy token or PAT?

If the namespace/group of the projects we need to pull images from is not the same as where we need to push, then I either need a PAT (not ideal) or a deploy token, which doesn't work.

e.g.

/groupA/project_i_pull_from_A

/groupA/project_i_pull_from_B

/groupA/project_i_pull_from_C

/groupB/central_container_registry_project_i_need_to_push_to

This issue stems from the way GitLab handles auth to the registry:

https://gitlab.com/gitlab-org/gitlab/-/blob/master/app/services/auth/container_registry_authentication_service.rb

pull:

    def build_can_pull?(requested_project)
      # Build can:
      # 1. pull from its own project (for ex. a build)
      # 2. read images from dependent projects if creator of build is a team member
      has_authentication_ability?(:build_read_container_image) &&
        (requested_project == project || can_user?(:build_read_container_image, requested_project))
    end

push:

    def build_can_push?(requested_project)
      # Build can push only to the project from which it originates
      has_authentication_ability?(:build_create_container_image) &&
        requested_project == project
    end

This change means I can use a CI_JOB_TOKEN for pulling container images and use the "Allow Token" feature inside GitLab to grant access across projects, but also input a deploy token to then push my container somewhere else :)

Happy for thoughts, updates, discussion around this :)

Edited by Shane Davidson
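The two-credential workflow the description proposes, written out as a CI job (an added example, not part of this MR or of GitLab's own code). It assumes two masked, protected CI variables, PUSH_REGISTRY_USER and PUSH_REGISTRY_TOKEN, holding a deploy token from the groupB project that was created with only the write_registry scope; the groupA projects are assumed to list this project under "Allow token access".

```yaml
# Added example (not part of this MR): pull with the job token, push with a
# separate deploy token, mirroring build_can_pull? / build_can_push? above.
# Assumed CI variables (masked, protected): PUSH_REGISTRY_USER and
# PUSH_REGISTRY_TOKEN, a groupB deploy token limited to write_registry.
build-and-push:
  stage: build
  image: docker:24
  services:
    - docker:24-dind
  variables:
    # Assumed target path inside groupB's central registry project.
    PUSH_IMAGE: "$CI_REGISTRY/groupB/central_container_registry_project_i_need_to_push_to/app:$CI_COMMIT_SHORT_SHA"
  script:
    # 1. Pull credentials: build_can_pull? lets the job token read images
    #    from groupA projects that have allowed this project's token.
    - echo "$CI_JOB_TOKEN" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    # FROM lines in the Dockerfile are resolved with the job-token login.
    - docker build --pull -t "$PUSH_IMAGE" .
    # Docker stores one credential per registry host, so drop the job-token
    # login before switching to the push credential.
    - docker logout "$CI_REGISTRY"
    # 2. Push credentials: build_can_push? rejects the job token for any
    #    project other than the pipeline's own, so use the groupB deploy token.
    - echo "$PUSH_REGISTRY_TOKEN" | docker login -u "$PUSH_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker push "$PUSH_IMAGE"
    - docker logout "$CI_REGISTRY"
```

Keeping the deploy token scoped to write_registry only means a leaked token cannot read source or other registries, and logging out after the push keeps it out of the runner's Docker config.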
