From 206fb8b3ab4dc96bb55788bc111abd54939ea040 Mon Sep 17 00:00:00 2001 From: chainchad <96362174+chainchad@users.noreply.github.com> Date: Thu, 2 Nov 2023 13:36:28 -0400 Subject: [PATCH] Avoid rate limiting when pulling public docker hub images (#11153) --- .../build-sign-publish-chainlink/action.yml | 22 +++++++++++++++++++ .github/workflows/build-publish-develop.yml | 2 ++ .github/workflows/build-publish.yml | 12 +++++----- .github/workflows/build.yml | 5 +++-- 4 files changed, 34 insertions(+), 7 deletions(-) diff --git a/.github/actions/build-sign-publish-chainlink/action.yml b/.github/actions/build-sign-publish-chainlink/action.yml index 55c682bc8d9..fe4ef858f58 100644 --- a/.github/actions/build-sign-publish-chainlink/action.yml +++ b/.github/actions/build-sign-publish-chainlink/action.yml @@ -13,6 +13,12 @@ inputs: description: Path to the Dockerfile (relative to the repo root) default: core/chainlink.Dockerfile required: false + dockerhub_username: + description: Username for Docker Hub to avoid rate limits when pulling public images + required: false + dockerhub_password: + description: Password for Docker Hub to avoid rate limits when pulling public images + required: false ecr-hostname: description: The ECR registry scope default: public.ecr.aws @@ -126,6 +132,14 @@ runs: type=semver,pattern={{version}},suffix=${{ inputs.ecr-tag-suffix }}-root type=sha,format=short,suffix=${{ inputs.ecr-tag-suffix }}-root + # To avoid rate limiting from Docker Hub, we login with a paid user account. + - name: Login to Docker Hub + if: inputs.dockerhub_username && inputs.dockerhub_password + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + with: + username: ${{ inputs.dockerhub_username }} + password: ${{ inputs.dockerhub_password }} + - name: Build and push root docker image id: buildpush-root uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0 
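Review bot: The `dockerhub_password` input added in the `inputs` hunk is documented as a password, which invites callers to store the account password in the secret. The workflows in this patch pass `secrets.DOCKERHUB_READONLY_PASSWORD`, so a read-only credential appears to be intended, and the description should say so, e.g. `description: Docker Hub read-only access token (not the account password), used only to authenticate pulls of public images`. The two new inputs are also snake_case while neighbouring inputs such as `ecr-hostname` are kebab-case; `dockerhub-username` and `dockerhub-token` would match the rest of the action's interface.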
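Review bot: The guard `if: inputs.dockerhub_username && inputs.dockerhub_password` on the new "Login to Docker Hub" step skips the login with no signal when either value is empty. A missing or mis-named secret in a publishing workflow would then fall back to anonymous pulls, and the rate-limit failure this commit targets would return unexplained. A companion step with the negated condition would make that visible in the job log: `if: ${{ !(inputs.dockerhub_username && inputs.dockerhub_password) }}`, `shell: bash`, `run: echo "::warning::Docker Hub credentials not set; pulling anonymously"`. The identical login step is added again in the `@@ -159,6 +173,14 @@` hunk before the non-root build; if nothing in between logs out of Docker Hub the second login is probably redundant, and a comment saying why it is repeated would help. The `runs` block starts and ends outside both hunks.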
@@ -159,6 +173,14 @@ runs: images: ${{ env.shared-images }} tags: ${{ env.shared-tag-list }} + # To avoid rate limiting from Docker Hub, we login with a paid user account. + - name: Login to Docker Hub + if: inputs.dockerhub_username && inputs.dockerhub_password + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + with: + username: ${{ inputs.dockerhub_username }} + password: ${{ inputs.dockerhub_password }} + - name: Build and push non-root docker image id: buildpush-nonroot uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0 diff --git a/.github/workflows/build-publish-develop.yml b/.github/workflows/build-publish-develop.yml index 076fdf817df..b8859722378 100644 --- a/.github/workflows/build-publish-develop.yml +++ b/.github/workflows/build-publish-develop.yml @@ -52,6 +52,8 @@ jobs: ecr-image-name: chainlink ecr-tag-suffix: ${{ matrix.image.tag-suffix }} dockerfile: ${{ matrix.image.dockerfile }} + dockerhub_username: ${{ secrets.DOCKERHUB_READONLY_USERNAME }} + dockerhub_password: ${{ secrets.DOCKERHUB_READONLY_PASSWORD }} git-commit-sha: ${{ steps.git-ref.outputs.checked-out || github.sha }} - name: Collect Metrics if: always() diff --git a/.github/workflows/build-publish.yml b/.github/workflows/build-publish.yml index 4d5a42a369f..1bda6957a2a 100644 --- a/.github/workflows/build-publish.yml +++ b/.github/workflows/build-publish.yml @@ -1,17 +1,17 @@ -name: 'Build Chainlink and Publish' +name: "Build Chainlink and Publish" on: # Mimics old circleci behaviour push: tags: - - 'v*' + - "v*" branches: - master - - 'release/**' + - "release/**" jobs: checks: - name: 'Checks' + name: "Checks" runs-on: ubuntu-20.04 steps: - name: Checkout repository 
@@ -42,10 +42,12 @@ jobs: aws-role-duration-seconds: ${{ secrets.AWS_ROLE_DURATION_SECONDS }} aws-region: ${{ secrets.AWS_REGION }} sign-images: true - sign-method: 'keypair' + sign-method: "keypair" cosign-private-key: ${{ secrets.COSIGN_PRIVATE_KEY }} cosign-public-key: ${{ secrets.COSIGN_PUBLIC_KEY }} cosign-password: ${{ secrets.COSIGN_PASSWORD }} + dockerhub_username: ${{ secrets.DOCKERHUB_READONLY_USERNAME }} + dockerhub_password: ${{ secrets.DOCKERHUB_READONLY_PASSWORD }} verify-signature: true - name: Collect Metrics if: always() diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 0f9a8ea8b35..6282e2168d8 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -1,4 +1,4 @@ -name: 'Build Chainlink' +name: "Build Chainlink" on: pull_request: @@ -7,7 +7,6 @@ on: - master jobs: - build-chainlink: runs-on: ubuntu-20.04 steps: @@ -17,6 +16,8 @@ jobs: - name: Build chainlink image uses: ./.github/actions/build-sign-publish-chainlink with: + dockerhub_username: ${{ secrets.DOCKERHUB_READONLY_USERNAME }} + dockerhub_password: ${{ secrets.DOCKERHUB_READONLY_PASSWORD }} publish: false sign-images: false - name: Collect Metrics
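Review bot: Nothing in the `with:` block of build.yml records that the two new secrets are empty on fork pull requests. The workflow triggers on `pull_request`, where GitHub does not expose repository secrets to forks, so the action's login step is skipped and those builds still pull anonymously. A comment above the two added lines would document it, e.g. `# Empty on fork PRs (secrets are not exposed there); the action then skips the Docker Hub login.` For same-repository PRs the build runs the PR's Dockerfile on a runner that holds the Docker Hub login, so the credential behind these secrets should stay read-only. The `READONLY` naming suggests that is the case; confirm the token scope.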