Add masked CI_REGISTRY_HASH variable to ci variables.
### Problem to solve
I'm missing a masked variable called `CI_REGISTRY_HASH`.
It would've been defined like this:
```bash
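# printf with a quoted argument avoids word splitting; tr strips the line
# breaks that GNU base64 inserts into long output.
export CI_REGISTRY_HASH="$(printf '%s' "${CI_REGISTRY_USER}:${CI_REGISTRY_PASSWORD}" | base64 | tr -d '\n')"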
```
### Intended users
* [Sasha (Software Developer)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sasha-software-developer)
* [Devon (DevOps Engineer)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#devon-devops-engineer)
### Further details
I'm using the Docker executor and I'm writing `gitlab-ci.yml`.
I want to have two stages there.
The first builds the registry image and uploads it, and the second runs tests on the built image from the registry.
```yaml
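stages:
  - build
  - test

build:
  stage: build
  services:
    - docker:dind
  script:
    # Pass the password on stdin so it does not appear in the process arguments
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    # Tag the image at build time so the push below has something to upload
    - docker build -t "$CI_REGISTRY_IMAGE:latest" .
    - docker push "$CI_REGISTRY_IMAGE:latest"

test:
  stage: test
  image: $CI_REGISTRY_IMAGE:latest
  script:
    - sh run_tests.sh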
```
The problem is how to pass credentials to the runner so that it can download `$CI_REGISTRY_IMAGE:latest` in the test stage.
Note that I don't want runners to have permanent credentials to download images.
### Proposal
My ideal solution would be to override the `DOCKER_AUTH_CONFIG` env variable.
But to do this I need to have `CI_REGISTRY_HASH` defined, so I could do:
```yaml
variables:
  DOCKER_AUTH_CONFIG: "{\"auths\":{\"${CI_REGISTRY}\":{\"auth\":\"${CI_REGISTRY_HASH}\"}}}"
```
This would allow the runner to access images from this repository. And because, according to the docs (https://docs.gitlab.com/ee/user/packages/container_registry/#authenticating-to-the-container-registry-with-gitlab-cicd), `CI_REGISTRY_USER` and `CI_REGISTRY_PASSWORD` are temporary, the `CI_REGISTRY_HASH` would also be temporary. So after the job finishes the runner loses the credentials.
### What is the type of buyer?
Core
### Links / references
issue
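
The encoding step behind the proposed `CI_REGISTRY_HASH` and the `DOCKER_AUTH_CONFIG` value built from it, as an added example that is not part of the original issue or of GitLab's code. The function names, `registry.example.com` and the credentials are constructed for illustration. `decode_auth` shows why the value has to be masked: Base64 is a reversible encoding, not a hash, so anyone who can read it recovers the password.

```bash
# Constructed sample values stand in for the CI-provided variables.

# Encode "user:password" for the "auth" field of a Docker config.
# printf avoids echo's option handling; tr removes the line breaks that
# GNU base64 inserts every 76 output characters, which long tokens trigger.
registry_auth() {
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Build the DOCKER_AUTH_CONFIG JSON for one registry host.
# Base64 output and registry host[:port] strings need no JSON escaping.
docker_auth_config() {
  printf '{"auths":{"%s":{"auth":"%s"}}}' "$1" "$(registry_auth "$2" "$3")"
}

# Recover "user:password" from an auth value: the encoding is reversible,
# so the value is equivalent to the credentials themselves.
decode_auth() {
  printf '%s' "$1" | base64 -d
}

# Usage with constructed values (in a job these come from CI_REGISTRY,
# CI_REGISTRY_USER and CI_REGISTRY_PASSWORD).
SAMPLE_REGISTRY="registry.example.com"
SAMPLE_USER="gitlab-ci-token"
SAMPLE_PASSWORD="constructed-sample-token-not-a-real-secret-0123456789abcdef"

DOCKER_AUTH_CONFIG=$(docker_auth_config "$SAMPLE_REGISTRY" "$SAMPLE_USER" "$SAMPLE_PASSWORD")
export DOCKER_AUTH_CONFIG
```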