Skip to content

Separate Registry Endpoints from Authentication in PublishConfig #1945

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
lbussell wants to merge 9 commits into
base: main
Choose a base branch
from
Draft

Separate Registry Endpoints from Authentication in PublishConfig #1945

lbussell wants to merge 9 commits into from

Conversation

@lbussell
Copy link
Member

@lbussell lbussell commented Jan 22, 2026
edited
Loading

Fixes #1914.
In draft mode because I haven't ran it through a pipeline to validate yet.

Problem

The current PublishConfiguration tightly couples registry endpoints with authentication details. Each RegistryConfiguration embeds its own ServiceConnection, ResourceGroup, and Subscription, making it difficult to:

  • Share authentication credentials across multiple registries
  • Clearly separate "which registry to use" from "how to authenticate"
  • Support non-ACR registries cleanly

Changes

Refactored PublishConfiguration to separate concerns:

New types:

  • RegistryEndpoint - Holds only the registry server address
  • RegistryAuthentication - Holds ServiceConnection + ACR metadata (ResourceGroup, Subscription)

New schema:

{
  "PublishConfiguration": {
    "BuildRegistry": { "Server": "mybuildregistry.azurecr.io" },
    "PublishRegistry": { "Server": "mypublishregistry.azurecr.io" },
    "RegistryAuthentication": {
      "mybuildregistry.azurecr.io": {
        "ServiceConnection": { "Name": "...", "Id": "...", "TenantId": "...", "ClientId": "..." },
        "ResourceGroup": "<guid>",
        "Subscription": "<guid>"
      }
    }
  }
}

Multiple registries can now share authentication by referencing the same key in RegistryAuthentication.

Files changed:

  • Added RegistryEndpoint.cs, RegistryAuthentication.cs
  • Deleted RegistryConfiguration.cs
  • Updated all consumers to use new lookup via FindRegistryAuthentication()
  • Added PublishConfigurationBindingTests.cs to validate config binding from json.

Breaking change: JSON configuration schema has changed.

@lbussell lbussell self-assigned this Jan 26, 2026
@lbussell
Refactor PublishConfiguration to allow multiple registries to share s…
e5b89f6 
…ame service connection
@lbussell
Add PublishConfiguration tests
21d0ca9
@lbussell
Use array of objects instead of dictionary in publishConfig
ac5d64e
@lbussell
Look up service connections in publishConfig
6ebb5e6
@lbussell
Move subscription and resource group lookup into CopyImageService
674342a
@lbussell
Remove unused publishConfig options references
0cbb3e8
@lbussell
Fix missing Source.ResourceId in ACR image import
2ce09a7 
CopyAcrImagesCommand was passing srcResourceId to the wrapper method,
but CopyImagesCommand.ImportImageAsync ignored it and passed null for
srcRegistryName to the service. This caused CopyImageService to set
ResourceId to null, resulting in Azure API 400 errors.

Fix by passing srcRegistryName instead, allowing CopyImageService to
look up the ResourceId from the registry name as designed.
@lbussell
Fix duplicate import source in ACR image import
2ca4696 
Azure ACR import only accepts one source identifier. Set ResourceId for
ACR-to-ACR imports, or RegistryAddress for external registries, not both.
@lbussell
Remove unused Subscription and ResourceGroup from BuildOptions
b6850cb 
These CLI options (--acr-subscription, --acr-resource-group) were defined
but never used by BuildCommand. Registry subscription/resource group info
is now provided per-registry via PublishConfiguration.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@lbussell lbussell

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

ACR authentication can fail when using two different service connections for the same ACR

1 participant

@lbussell