## Summary When GitLab Runner is configured with `DOCKER_AUTH_CONFIG` that references credential helpers (like `docker-credential-gcloud`), and the binary is not available on the runner, the runner silently falls back to using Job Payload credentials (CI_JOB_TOKEN) without providing any error or warning message. This causes authentication failures for users without sufficient permissions and makes troubleshooting harder. ## Steps to reproduce 1. Configure `DOCKER_AUTH_CONFIG` variable at the top-level group with credential helpers: ```json {"auths":{"gitlab.com:443":{"auth":"<base64>"}},"credHelpers":{"us-east1-docker.pkg.dev":"gcloud"},"credsStore":"gcloud"} ``` 2. Ensure the `docker-credential-gcloud` binary is NOT available on the runner 3. Create a pipeline using the dependency proxy 4. Run the pipeline with a user that has Developer or Minimal Access role ## Actual behavior - Runner silently falls back to Job Payload credentials without using `DOCKER_AUTH_CONFIG` - Job log shows: `Authenticating with credentials from job payload (GitLab Registry)` - Jobs fail with HTML 404 responses for users without sufficient permissions (e.g., Developer, Minimal Access) - Jobs succeed for users with Owner permissions (masking the underlying issue) - No error or warning message explains that: - That the credential helper binary is missing - Why `DOCKER_AUTH_CONFIG` was ignored - Issue appears inconsistent because it depends on user permissions ## Expected behavior When the runner cannot use `DOCKER_AUTH_CONFIG` due to missing credential helper binaries, it should: 1. Log a clear ERROR or WARNING message stating: - The specific credential helper binary that is missing (e.g., `docker-credential-gcloud`) - The expected location or PATH where it was searched - That it's falling back to Job Payload credentials as a result 2. Example expected message: ``` WARNING: Cannot use DOCKER_AUTH_CONFIG: credential helper 'docker-credential-gcloud' not found in PATH Falling back to Job Payload credentials (GitLab Registry) ``` 3. This would allow users to: - Quickly identify the root cause - Install the missing binary - Avoid authentication failures for users with insufficient permissions ## Relevant logs Current behavior (no warning about missing binary): ``` Running with gitlab-runner [VERSION] Authenticating with credentials from job payload (GitLab Registry) Pulling docker image gitlab.com:443/<PATH>/dependency_proxy/containers/<IMAGE>:<TAG> ... WARNING: Failed to pull image with policy "if-not-present": Error response from daemon: unknown: <!DOCTYPE html> <html> <head> <title>The page you're looking for could not be found (404)</title> ... ERROR: Job failed: failed to pull image ``` After installing the binary, authentication works correctly: ``` Authenticating with credentials from $DOCKER_AUTH_CONFIG ``` ## Environment description - GitLab Instance: GitLab.com (SaaS) - Runner Type: On-premise runners (Docker executor) ### Used GitLab Runner version 18.7.1