From ee340f5608df74abfda1bfaa8ddd89dd20c80a86 Mon Sep 17 00:00:00 2001 From: Jeff Widman Date: Wed, 4 Mar 2026 00:23:00 +0000 Subject: [PATCH] Fix inverted error check in NewRegistryClient getRegistryAuthHeader() returns (user, pass, nil) on success and ("", "", error) on failure. The error check was inverted: the err != nil branch set auth with empty credentials, while the err == nil branch discarded valid credentials. This caused all registry freshness queries (DigestExists, GetLatestDigest) to go out unauthenticated, which could hit stale CDN caches and incorrectly conclude images are up to date. Fixes #583 --- internal/infra/registry_client.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/infra/registry_client.go b/internal/infra/registry_client.go index 74a4c326..bd37901a 100644 --- a/internal/infra/registry_client.go +++ b/internal/infra/registry_client.go @@ -27,7 +27,7 @@ func NewRegistryClient(image string) *RegistryClient { var remoteOptions []remote.Option user, pass, err := getRegistryAuthHeader(domain) - if err != nil { + if err == nil { remoteOptions = []remote.Option{ remote.WithAuth(&authn.Basic{Username: user, Password: pass}), }