registry: warn of DOCKER_AUTH_CONFIG usage in login and logout

[Benehiko]

• relates to DOCKER_AUTH_CONFIG takes precedence over docker login #6156

- What I did
Add a warning when DOCKER_AUTH_CONFIG is used when running docker login and docker logout.

- How I did it

- How to verify it

- Human readable description for the release notes

Warn when `DOCKER_AUTH_CONFIG` is set during `docker login` and `docker logout`

- A picture of a cute animal (not mandatory but encouraged)

[codecov-commenter]

Codecov Report

Attention: Patch coverage is 13.79310% with 25 lines in your changes missing coverage. Please review.

Project coverage is 54.78%. Comparing base (8403869) to head (ccd5bd8).
Report is 4 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #6163      +/-   ##
==========================================
- Coverage   54.82%   54.78%   -0.04%     
==========================================
  Files         364      365       +1     
  Lines       30467    30491      +24     
==========================================
+ Hits        16703    16706       +3     
- Misses      12789    12809      +20     
- Partials      975      976       +1     

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[Copilot]

Pull Request Overview

Adds a warning if the DOCKER_AUTH_CONFIG environment variable is set when running docker login or docker logout.

• Refactors PrintNote into a more flexible printNoteWithOptions and adds a new PrintWarning method.
• Renames the dockerEnvConfig constant to DockerEnvConfigKey and updates its references.
• Introduces maybePrintEnvAuthWarning in the registry commands to surface the warning.

Reviewed Changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
internal/tui/note.go	Extracts printNoteWithOptions, adds withHeader/withMessageColor options, and defines PrintWarning.
cli/config/configfile/file.go	Renames dockerEnvConfig to DockerEnvConfigKey and updates environment lookup.
cli/command/registry/warning.go	Adds maybePrintEnvAuthWarning to emit the warning when DOCKER_AUTH_CONFIG is set.
cli/command/registry/login.go	Calls maybePrintEnvAuthWarning before running login.
cli/command/registry/logout.go	Calls maybePrintEnvAuthWarning before running logout.

Comments suppressed due to low confidence (2)

cli/command/registry/warning.go:13

• There are no unit tests covering maybePrintEnvAuthWarning. Please add tests to verify the warning only appears when DOCKER_AUTH_CONFIG is set and is written to stderr.

func maybePrintEnvAuthWarning(out command.Streams) {

cli/command/registry/warning.go:1

• [nitpick] The file warning.go is very generic. Consider renaming it to env_auth_warning.go or similar to better reflect that it handles DOCKER_AUTH_CONFIG warnings.

package registry

[Copilot]

The call to maybePrintEnvAuthWarning is passing a command.Cli instead of command.Streams. Either extract and pass the streams (dockerCLI.Streams()) or adjust the helper to accept the CLI interface.

Suggested change

	maybePrintEnvAuthWarning(dockerCLI)
	maybePrintEnvAuthWarning(dockerCLI.Streams())

[thaJeztah]

FWIW this comment could make sense to be explicit about what we pass.

We could even consider making it accept a stream.Out, but that's a concrete type (I don't think we have an interface for those)

cli/cli/streams/out.go

Lines 11 to 14 in 28f19a9

	// Out is an output stream to write normal program output. It implements
	// an [io.Writer], with additional utilities for detecting whether a terminal
	// is connected, getting the TTY size, and putting the terminal in raw mode.
	type Out struct {

[thaJeztah]

I should probably outline my motivation; we have various places where (out of convenience) we just pass DockerCLI around; there's many places where we don't need a full CLI, but because we do, it's not always clear "what's used". Changing the maybePrintEnvAuthWarning to accept a shallower interface already helps, but explicitly passing only what's needed helps as well to discover places where we only need a subset of the CLI's functionality (and can help reduce the "ripple effect" of some of those.

[thaJeztah]

LGTM

we should (separately) continue the discussion on the expected behavior; to some extent having DOCKER_AUTH_CONFIG set resulting in docker login to proceed without any input is a bit surprising. That's related to changes from the past to consider "credentials stored on disk / in credentials helper" to be re-used (I THINK the motivation there may have been to allow the credentials-helper to be responsible for asking for input, but I'd have to dig in history if that was indeed the reason).

To some extend it could make sense to make docker login ignore the env-var, and assume "I want to store new credentials", but that will make more sense once we implemented the "multiple options to try" by changing privilege-funcs that I was considering; see

• moby/moby#50341

[thaJeztah]

LGTM, thanks!