ci: optional Docker Hub login to raise pull rate limits #160

Merged · vadimpiven merged 8 commits into main from ci/dockerhub-login · May 24, 2026

@vadimpiven
Owner

Summary

  • Adds a Docker Hub docker/login-action step in .github/actions/setup-docker/action.yaml, right after the existing GHCR login.
  • The step is gated on dockerhub-username / dockerhub-token inputs being non-empty, so it cleanly skips on forks (where the ci environment isn't accessible and secrets are scrubbed).
  • Plumbs the two new optional inputs through .github/actions/setup/action.yaml.
  • In .github/workflows/regular.yaml's build-and-test job, binds environment: "ci" and passes vars.DOCKERHUB_USERNAME / secrets.DOCKERHUB_TOKEN into setup.

Why

Anonymous docker.io pulls are aggressively rate-limited on shared CI IPs. Authenticating raises the ceiling and reduces transient build failures when pulling base images.

Notes

  • The ci environment must have no required-reviewer protection rule, otherwise build-and-test will stall waiting for approval on every run.
  • Only regular.yaml is wired up here; release.yaml also calls setup but is left unchanged. If Docker Hub auth is wanted there too, the same two-line addition to its build-addon / build-packages jobs would extend coverage.

Test plan

  • On the upstream repo: confirm the step logs "Login Succeeded" against docker.io.
  • On a fork PR (no ci env access): confirm the step is skipped with no failure.

🤖 Generated with Claude Code

@semanticdiff-com

semanticdiff-com Bot commented May 24, 2026

Review changes with SemanticDiff

Changed Files
File Status
  .github/actions/setup-docker/action.yaml  0% smaller
  .github/actions/setup/action.yaml  0% smaller
  .github/workflows/regular.yaml  0% smaller
  .github/workflows/release.yaml  0% smaller

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request adds optional Docker Hub authentication to the setup-docker and setup composite actions to help avoid rate limits. Reviewers noted that the workflow files needed to actually provide these credentials are missing from the PR, and suggested extending the implementation to the release workflow for consistency.

Comment thread .github/actions/setup/action.yaml
Comment thread .github/actions/setup/action.yaml
@greptile-apps

greptile-apps Bot commented May 24, 2026

Greptile Summary

This PR adds optional Docker Hub authentication to CI to raise the anonymous pull rate limit for docker.io base images, gated on two new optional inputs so it safely no-ops on forks or repos without the ci environment configured.

  • Adds a docker/login-action step (pinned to SHA) in setup-docker/action.yaml, skipped when either credential is empty; threads dockerhub-username / dockerhub-token through setup/action.yaml.
  • Wires environment: "ci" and the two credential inputs into the build-and-test job in regular.yaml; release.yaml is intentionally left unchanged per the PR description.

Confidence Score: 4/5

Safe to merge once the ci environment's protection rules are confirmed to have no deployment-branch restrictions or wait timers.

The credential-passing chain is straightforward and the conditional guard correctly skips the login step when either input is absent. The one area to double-check is the ci environment configuration: the PR notes the required-reviewer rule, but deployment-branch restrictions or a wait timer would equally stall every PR run. Everything else — pinned action SHA, default docker.io registry, optional inputs — looks correct.

regular.yaml — the new environment: "ci" declaration deserves a quick review of the environment's protection settings before merging.

Important Files Changed

Filename: Overview

  • .github/actions/setup-docker/action.yaml: Adds optional Docker Hub login step with pinned SHA and correct conditional guard; no registry: key means it defaults to docker.io as intended.
  • .github/actions/setup/action.yaml: Correctly threads two new optional inputs through to setup-docker with no logic of its own.
  • .github/workflows/regular.yaml: Adds environment: "ci" and plumbs DOCKERHUB_USERNAME/DOCKERHUB_TOKEN into setup; the new environment declaration could stall or block runs if the environment has deployment-branch or wait-timer protection rules.

Prompt To Fix All With AI
Fix the following 1 code review issue. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 1
.github/workflows/regular.yaml:45
**`environment: "ci"` may block runs on non-main branches or fork PRs**

The PR description calls out the required-reviewer protection rule, but GitHub environments also support two other protection types that could silently break CI: *deployment branch/tag rules* (if configured to allow only `main`, every PR branch would be blocked) and *wait timers* (all runs pause for the configured duration). Since `regular.yaml` is the primary PR-validation workflow and `build-and-test` now always requires the `ci` environment, any of those protection types would stall or block every PR run — including those from external forks where access to the environment is already restricted. Worth documenting or verifying that the `ci` environment has no branch/tag rules and no wait timer, not just no required reviewers.

Reviews (1): Last reviewed commit: "ci: gate environment: ci on upstream rep..." | Re-trigger Greptile
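
The environment check raised in the comment above, as an added example that is not part of this PR or of any bot's output: it reads the JSON that GitHub's REST endpoint `GET /repos/{owner}/{repo}/environments/{name}` returns and lists the protection settings that would pause or reject a job bound to that environment. The sample response is constructed and the function name `blocking_rules` is hypothetical.

```python
import json

# Constructed sample of the response body for the "ci" environment
# (ids, reviewer login and timer value are illustrative, not from the PR).
SAMPLE_ENV = json.loads("""
{
  "name": "ci",
  "protection_rules": [
    {"id": 1, "type": "wait_timer", "wait_timer": 15},
    {"id": 2, "type": "required_reviewers",
     "reviewers": [{"type": "User", "reviewer": {"login": "example-user"}}]},
    {"id": 3, "type": "branch_policy"}
  ],
  "deployment_branch_policy": {
    "protected_branches": true,
    "custom_branch_policies": false
  }
}
""")


def blocking_rules(env: dict) -> list[str]:
    """Return one finding per setting that would stall or block a PR job."""
    findings = []
    for rule in env.get("protection_rules") or []:
        kind = rule.get("type")
        if kind == "required_reviewers":
            count = len(rule.get("reviewers") or [])
            findings.append(f"required_reviewers: {count} reviewer(s) must approve each run")
        elif kind == "wait_timer" and (rule.get("wait_timer") or 0) > 0:
            findings.append(f"wait_timer: every run pauses {rule['wait_timer']} min")
        # "branch_policy" entries carry no detail; the policy object below does.
    policy = env.get("deployment_branch_policy")
    if policy:  # null means any branch or tag may use the environment
        if policy.get("protected_branches"):
            findings.append("branch_policy: only protected branches may use the environment")
        elif policy.get("custom_branch_policies"):
            findings.append("branch_policy: only branches matching custom patterns may use it")
    return findings


if __name__ == "__main__":
    for finding in blocking_rules(SAMPLE_ENV):
        print("BLOCKING", finding)
```

An empty result means a job that declares `environment: "ci"` starts without waiting on any of these three settings.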

Comment thread .github/workflows/regular.yaml Outdated
@codspeed-hq

codspeed-hq Bot commented May 24, 2026

Merging this PR will not alter performance

✅ 15 untouched benchmarks


Comparing ci/dockerhub-login (eafe7dc) with main (79e89e3)

@codecov

codecov Bot commented May 24, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

vadimpiven and others added 7 commits May 24, 2026 10:52

Adds a docker/login-action step in setup-docker for Docker Hub,
gated on `dockerhub-username`/`dockerhub-token` inputs being
non-empty so it no-ops on forks (where the `ci` environment
isn't accessible and secrets are scrubbed).

Threads the credentials through the `setup` composite action and
wires them in `regular.yaml`'s build-and-test job from
`vars.DOCKERHUB_USERNAME` / `secrets.DOCKERHUB_TOKEN` via the
`ci` environment.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Switches the build-and-test job's environment binding to a
conditional expression — `ci` on the upstream repo, empty string
(no environment) elsewhere. Prevents forks from auto-materializing
a stray empty `ci` environment in their settings.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Mirrors the regular.yaml wiring on release.yaml's build-addon
and build-packages jobs. Same fork-friendly environment guard.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Forks auto-create the empty environment on first run and the
conditional step in setup-docker still skips; the repo-name guard
was cosmetic only and brittle to renames.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Makes the docker.io pull (currently mitmproxy) visible as its own
step so failures surface clearly instead of being buried in
compose up output. Uses --ignore-buildable so the locally built
dev image is skipped.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

@vadimpiven vadimpiven merged commit 1c94669 into main May 24, 2026
22 checks passed
@vadimpiven vadimpiven deleted the ci/dockerhub-login branch May 24, 2026 09:08