ci(e2e): authenticate Docker Hub pulls in nightly

[cv]

Summary

Adds Docker Hub authentication to the nightly E2E workflow before install/onboard/sandbox-build steps can pull Docker Hub base images. This supersedes #3668 on top of the current reusable E2E workflow structure and keeps credentials out of workflow_dispatch runs that test an explicit target_ref.

Related Issue

Fixes #3629

Changes

• Adds optional DOCKERHUB_USERNAME and DOCKERHUB_TOKEN secrets to .github/workflows/e2e-script.yaml and logs in before reusable E2E scripts run.
• Passes Docker Hub credentials to all reusable nightly E2E jobs only when the run is schedule/manual-main, not target_ref validation.
• Adds guarded Docker Hub login steps to direct nightly E2E jobs such as docs-validation-e2e, double-onboard-e2e, GPU jobs, and other non-reusable jobs that can install or build sandboxes.
• Extends workflow contract tests to require Docker Hub auth wiring and target_ref credential guards.

Type of Change

• Code change (feature, bug fix, or refactor)
• Code change with doc updates
• Doc only (prose changes, no code sample modifications)
• Doc only (includes code sample changes)

Verification

• npx prek run --all-files passes
• npm test passes
• Tests added or updated for new or changed behavior
• No secrets, API keys, or credentials committed
• Docs updated for user-facing behavior changes
• npm run docs builds without warnings (doc changes only)
• Doc pages follow the style guide (doc changes only)
• New doc pages include SPDX header and frontmatter (new pages only)

---

Signed-off-by: Carlos Villela cvillela@nvidia.com

Summary by CodeRabbit

• Chores

  • CI workflows now support optional Docker Hub authentication across nightly and delegated E2E runs; auth is injected only when appropriate and otherwise skipped with a notice so jobs continue with anonymous pulls.
  • Multiple E2E jobs standardized to use the new guarded checkout/auth behavior for more consistent runs.

• Tests

  • E2E workflow tests updated to verify the conditional Docker Hub auth step and related job settings.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 0d49c716-464b-43de-a840-5b7f8740898c

📥 Commits

Reviewing files that changed from the base of the PR and between 2546a56 and 359e182.

📒 Files selected for processing (1)

• .github/workflows/nightly-e2e.yaml

---

📝 Walkthrough

Walkthrough

Adds optional Docker Hub credentials to the reusable E2E workflow, inserts a conditional "Authenticate to Docker Hub" login step, propagates credentials into nightly E2E jobs (blanking for untrusted dispatches), updates checkout settings, and extends tests and types for the new fields.

Changes

Docker Hub authentication for nightly E2E

Layer / File(s)	Summary
Workflow contract type definitions test/helpers/e2e-workflow-contract.ts	WorkflowJob and WorkflowStep type definitions extended to support optional steps arrays, with inputs, and step-level if conditions.
Reusable e2e-script workflow Docker Hub setup .github/workflows/e2e-script.yaml	Declares optional DOCKERHUB_USERNAME and DOCKERHUB_TOKEN secrets in the workflow_call interface, and adds an "Authenticate to Docker Hub" step that conditionally performs docker login with token-stdin or logs a notice and continues with anonymous pulls when credentials are not provided.
Nightly E2E jobs Docker Hub credential wiring .github/workflows/nightly-e2e.yaml	Defines &nightly-e2e-default-secrets to conditionally inject Docker Hub credentials, replaces many per-job secrets blocks with secrets: *nightly-e2e-default-secrets, and adds anchored checkout/auth steps (persist-credentials: false and guarded Docker Hub login) for jobs that run explicit host steps.
Test validation of Docker Hub authentication test/e2e-script-workflow.test.ts	Updates the reusable nightly jobs secrets mapping to include conditional Docker Hub credentials and adds tests verifying the auth step if condition, secret env interpolation, docker login usage, and checkout persist-credentials settings across direct nightly E2E jobs.

Sequence Diagram(s)

sequenceDiagram
  participant NightlyWorkflow
  participant E2EReusableWorkflow
  participant DockerHub
  NightlyWorkflow->>E2EReusableWorkflow: call e2e-script with conditional DOCKERHUB_USERNAME/DOCKERHUB_TOKEN
  E2EReusableWorkflow->>DockerHub: docker login docker.io (token-stdin) [if credentials present]
  E2EReusableWorkflow-->>NightlyWorkflow: continue (anonymous pulls) [if credentials missing]

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Suggested labels

nightly-e2e

Poem

🐰 I hop in CI with a tiny shrug,
Credentials snug beneath my rug,
I whisper to Docker, "please let us through,"
Sandbox builds fetch without a queue,
Nightly runs hum—no rate-limit tug.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly summarizes the main change: adding Docker Hub authentication to the nightly E2E workflows for authenticated image pulls.
Linked Issues check	✅ Passed	All coding objectives from #3629 are met: Docker Hub secrets added to e2e-script.yaml [#3629], reusable nightly jobs conditionally pass credentials [#3629], guarded auth steps added to all sandbox-heavy E2E jobs [#3629], and workflow contract tests extended [#3629].
Out of Scope Changes check	✅ Passed	All changes directly support Docker Hub authentication: workflow secrets configuration, conditional credential passing, authentication steps with proper guards, and corresponding test coverage.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ci/dockerhub-auth-nightly-e2e-v2

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

E2E Advisor Recommendation

Required E2E: None
Optional E2E: None

Workflow run

Full advisor summary

E2E Recommendation Advisor

Failed: Could not parse JSON from advisor output; see /home/runner/work/NemoClaw/NemoClaw/artifacts/e2e-advisor/e2e-advisor-raw-output.txt

[github-actions]

E2E Scenario Advisor Recommendation

Required scenario E2E: None
Optional scenario E2E: None

Workflow run

Full scenario advisor summary

E2E Scenario Advisor

Failed: Could not parse JSON from advisor output; see /home/runner/work/NemoClaw/NemoClaw/artifacts/e2e-advisor/e2e-scenario-advisor-raw-output.txt

[github-actions]

PR Review Advisor

Findings: 0 needs attention, 2 worth checking, 0 nice ideas
Since last review: 1 prior item resolved, 0 still apply, 2 new items found

Review findings

🛠️ Needs attention

• None.

🔎 Worth checking

• Reusable Docker Hub auth relies on caller event shape (.github/workflows/e2e-script.yaml:167): The current nightly caller withholds Docker Hub secrets for workflow_dispatch runs with a non-empty target_ref, so the known PR-head auto-dispatch path is protected. However, the reusable workflow itself decides whether to run docker login by reading github.event.inputs.target_ref, which is a nightly workflow_dispatch convention rather than an explicit workflow_call trust contract. A future or different caller could pass Docker Hub secrets and an arbitrary ref without that event input, causing the reusable runner to authenticate before executing checked-out code.
  • Recommendation: Make the reusable workflow boundary self-contained: add an explicit workflow_call input such as dockerhub_auth_allowed/trusted_ref and require callers to set it, or rely only on blank/non-blank passed secrets from the caller while documenting that callers must not pass these secrets for untrusted refs.
  • Evidence: e2e-script.yaml runs `Authenticate to Docker Hub` when `${{ github.event_name != 'workflow_dispatch' || github.event.inputs.target_ref == '' }}`; nightly-e2e.yaml currently blanks DOCKERHUB_* for `${{ github.event_name == 'workflow_dispatch' && inputs.target_ref != '' }}`, but that protection lives in the caller.
• Workflow auth change needs runtime validation evidence (.github/workflows/nightly-e2e.yaml:256): The added tests are useful structural workflow-contract checks, but this change depends on GitHub Actions expression evaluation, reusable-workflow secret propagation, Docker CLI login behavior, and the position of login before sandbox image builds. Those paths cannot be fully proven by string assertions alone.
  • Recommendation: Add or record targeted runtime validation for the changed behavior, for example a selective nightly dispatch that exercises docs-validation-e2e and at least one sandbox-build-heavy job with configured Docker Hub credentials, plus a target_ref dispatch confirming credentials are withheld.
  • Evidence: test/e2e-script-workflow.test.ts asserts workflow YAML strings and job lists; issue ci: authenticate Docker Hub pulls in nightly E2E #3629 proposed approach explicitly asks to validate with a targeted nightly dispatch including docs-validation-e2e and another sandbox-build-heavy job.

🌱 Nice ideas

• None.

Since last review details

Current findings:

• Reusable Docker Hub auth relies on caller event shape (.github/workflows/e2e-script.yaml:167): The current nightly caller withholds Docker Hub secrets for workflow_dispatch runs with a non-empty target_ref, so the known PR-head auto-dispatch path is protected. However, the reusable workflow itself decides whether to run docker login by reading github.event.inputs.target_ref, which is a nightly workflow_dispatch convention rather than an explicit workflow_call trust contract. A future or different caller could pass Docker Hub secrets and an arbitrary ref without that event input, causing the reusable runner to authenticate before executing checked-out code.
  • Recommendation: Make the reusable workflow boundary self-contained: add an explicit workflow_call input such as dockerhub_auth_allowed/trusted_ref and require callers to set it, or rely only on blank/non-blank passed secrets from the caller while documenting that callers must not pass these secrets for untrusted refs.
  • Evidence: e2e-script.yaml runs `Authenticate to Docker Hub` when `${{ github.event_name != 'workflow_dispatch' || github.event.inputs.target_ref == '' }}`; nightly-e2e.yaml currently blanks DOCKERHUB_* for `${{ github.event_name == 'workflow_dispatch' && inputs.target_ref != '' }}`, but that protection lives in the caller.
• Workflow auth change needs runtime validation evidence (.github/workflows/nightly-e2e.yaml:256): The added tests are useful structural workflow-contract checks, but this change depends on GitHub Actions expression evaluation, reusable-workflow secret propagation, Docker CLI login behavior, and the position of login before sandbox image builds. Those paths cannot be fully proven by string assertions alone.
  • Recommendation: Add or record targeted runtime validation for the changed behavior, for example a selective nightly dispatch that exercises docs-validation-e2e and at least one sandbox-build-heavy job with configured Docker Hub credentials, plus a target_ref dispatch confirming credentials are withheld.
  • Evidence: test/e2e-script-workflow.test.ts asserts workflow YAML strings and job lists; issue ci: authenticate Docker Hub pulls in nightly E2E #3629 proposed approach explicitly asks to validate with a targeted nightly dispatch including docs-validation-e2e and another sandbox-build-heavy job.

Workflow run details

This is an automated advisory review. A human maintainer must make the final merge decision.

[github-actions]

Selective E2E Results — ✅ All requested jobs passed

Run: 26858264433
Target ref: ci/dockerhub-auth-nightly-e2e-v2
Requested jobs: docs-validation-e2e
Summary: 1 passed, 0 failed, 0 skipped

Job	Result
docs-validation-e2e	✅ success

[cv]

Validation update: targeted nightly dispatch for docs-validation-e2e on this branch passed, including the new Authenticate to Docker Hub step: https://github.com/NVIDIA/NemoClaw/actions/runs/26858264433

[github-actions]

Selective E2E Results — ✅ All requested jobs passed

Run: 26858306848
Target ref: f148f1a7d4467a276ca8466f217731345265bac6
Workflow ref: main
Requested jobs: cloud-onboard-e2e,launchable-smoke-e2e
Summary: 2 passed, 0 failed, 0 skipped

Job	Result
cloud-onboard-e2e	✅ success
launchable-smoke-e2e	✅ success

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

test/e2e-script-workflow.test.ts (1)

101-117: ⚡ Quick win

Tighten this auth-step contract so it catches malformed run blocks.

This loop still passes when an unrelated YAML key gets absorbed into the shell script, which happened in several nightly jobs here. A small negative assertion would turn that regression into an immediate test failure.

Suggested fix

       expect(authStep?.env?.DOCKERHUB_TOKEN, name).toBe(
         "${{ (github.event_name != 'workflow_dispatch' || inputs.target_ref == '') && secrets.DOCKERHUB_TOKEN || '' }}",
       );
       expect(authStep?.run, name).toContain("docker login docker.io");
+      expect(authStep?.run, name).not.toContain("persist-credentials:");

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e-script-workflow.test.ts` around lines 101 - 117, The loop's
assertion is too weak because a YAML key can be accidentally embedded into the
step's run script; update the check for the "Authenticate to Docker Hub" step
(found via nightlyWorkflow.jobs[name].steps?.find(...) into authStep for each
name in directE2eJobs) to include a negative assertion that authStep.run does
not contain stray YAML keys (e.g., ensure authStep.run does NOT include
substrings like "uses:" or "with:" or "env:"), so malformed runs that swallowed
nearby YAML will fail the test.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/nightly-e2e.yaml:
- Around line 1706-1723: In the "Authenticate to Docker Hub" step (and the four
additional similar steps), remove the stray "persist-credentials: false" lines
that are currently inside the run: | bash block so they are not executed as
shell commands; instead, either delete those lines entirely or move
"persist-credentials: false" out of the run block to be a top-level step key
(i.e., directly under the step alongside name/if/env/shell/run) so it is treated
as a workflow step option rather than a bash command.

---

Nitpick comments:
In `@test/e2e-script-workflow.test.ts`:
- Around line 101-117: The loop's assertion is too weak because a YAML key can
be accidentally embedded into the step's run script; update the check for the
"Authenticate to Docker Hub" step (found via
nightlyWorkflow.jobs[name].steps?.find(...) into authStep for each name in
directE2eJobs) to include a negative assertion that authStep.run does not
contain stray YAML keys (e.g., ensure authStep.run does NOT include substrings
like "uses:" or "with:" or "env:"), so malformed runs that swallowed nearby YAML
will fail the test.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 732e0bcb-9b0f-4814-bc6a-6eaeb0205b35

📥 Commits

Reviewing files that changed from the base of the PR and between ac5b144 and f148f1a.

📒 Files selected for processing (4)

• .github/workflows/e2e-script.yaml
• .github/workflows/nightly-e2e.yaml
• test/e2e-script-workflow.test.ts
• test/helpers/e2e-workflow-contract.ts

[github-actions]

Selective E2E Results — ✅ All requested jobs passed

Run: 26864149265
Target ref: ci/dockerhub-auth-nightly-e2e-v2
Requested jobs: docs-validation-e2e
Summary: 1 passed, 0 failed, 0 skipped

Job	Result
docs-validation-e2e	✅ success

[cv]

Addressed review feedback in 2546a56:

• Moved persist-credentials: false under every direct target-ref actions/checkout step.
• Removed the stray persist-credentials: false shell commands from Docker Hub login scripts.
• Extended workflow contract tests to assert direct target-ref checkouts are credentialless and auth run blocks do not swallow YAML keys.

Validation after the fix:

• npx vitest run --project cli test/e2e-script-workflow.test.ts test/e2e-advisor-dispatch.test.ts ✅
• npx prek run --all-files ✅
• npm test ✅ (first commit attempt hit a transient unrelated test/onboard-selection.test.ts failure; targeted rerun passed, then full npm test passed)
• Targeted docs-validation-e2e dispatch passed with the Docker Hub auth step: https://github.com/NVIDIA/NemoClaw/actions/runs/26864149265

[github-actions]

Selective E2E Results — ✅ All requested jobs passed

Run: 26864234883
Target ref: 2546a569cd0d5afdbc5b368eb2587e4d41234555
Workflow ref: main
Requested jobs: cloud-onboard-e2e,issue-3600-gpu-proof-optional-e2e
Summary: 2 passed, 0 failed, 0 skipped

Job	Result
cloud-onboard-e2e	✅ success
issue-3600-gpu-proof-optional-e2e	✅ success

[github-actions]

Selective E2E Results — ✅ All requested jobs passed

Run: 26865738263
Target ref: ci/dockerhub-auth-nightly-e2e-v2
Requested jobs: docs-validation-e2e
Summary: 1 passed, 0 failed, 0 skipped

Job	Result
docs-validation-e2e	✅ success

[cv]

DRYed up the large nightly workflow diff in 359e182 by using YAML anchors/aliases:

• &nightly-e2e-default-secrets / *nightly-e2e-default-secrets for the common reusable-job secret wiring.
• &target-ref-checkout / *target-ref-checkout for direct target-ref checkout steps.
• &dockerhub-auth-step / *dockerhub-auth-step for the direct Docker Hub login step.

Net PR diff is now much smaller: .github/workflows/nightly-e2e.yaml is ~305 changed lines instead of ~900+ from the expanded version.

Validation after DRY-up:

• YAML parse ✅
• npx vitest run --project cli test/e2e-script-workflow.test.ts test/e2e-advisor-dispatch.test.ts ✅
• npx prek run --files .github/workflows/nightly-e2e.yaml test/e2e-script-workflow.test.ts ✅
• npm test ✅
• Targeted docs-validation-e2e dispatch passed on the anchored workflow, confirming GitHub Actions accepts and expands the anchors: https://github.com/NVIDIA/NemoClaw/actions/runs/26865738263