Check both registry and schemeful URL for Docker creds

itowlson · itowlson · commit 46acd2d719e5 · 2025-10-22T12:43:23.000+13:00
Signed-off-by: itowlson &lt;ivan.towlson@fermyon.com&gt;
diff --git a/crates/wasm-pkg-client/src/oci/mod.rs b/crates/wasm-pkg-client/src/oci/mod.rs
@@ -112,31 +112,17 @@ impl OciBackend {
             ));
         }
 
-        match docker_credential::get_credential(&self.oci_registry) {
-            Ok(DockerCredential::UsernamePassword(username, password)) => {
-                return Ok(RegistryAuth::Basic(username, password));
-            }
-            Ok(DockerCredential::IdentityToken(_)) => {
-                return Err(Error::CredentialError(anyhow::anyhow!(
-                    "identity tokens not supported"
-                )));
-            }
-            Err(err) => {
-                if matches!(
-                    err,
-                    CredentialRetrievalError::ConfigNotFound
-                        | CredentialRetrievalError::ConfigReadError
-                        | CredentialRetrievalError::NoCredentialConfigured
-                        | CredentialRetrievalError::HelperFailure { .. }
-                ) {
-                    tracing::debug!("Failed to look up OCI credentials: {err}");
-                } else {
-                    tracing::warn!("Failed to look up OCI credentials: {err}");
-                };
+        match get_docker_credential(&self.oci_registry)? {
+            Some(c) => Ok(c),
+            None => {
+                tracing::debug!("Failed to look up OCI credentials by registry, trying server URL");
+                let server_url = format!("https://{}", self.oci_registry);
+                match get_docker_credential(&server_url)? {
+                    Some(c) => Ok(c),
+                    None => Ok(RegistryAuth::Anonymous),
+                }
             }
         }
-
-        Ok(RegistryAuth::Anonymous)
     }
 
     pub(crate) fn make_reference(
@@ -164,3 +150,31 @@ pub(crate) fn oci_registry_error(err: OciDistributionError) -> Error {
         _ => Error::RegistryError(err.into()),
     }
 }
+
+fn get_docker_credential(registry: &str) -> Result<Option<RegistryAuth>, Error> {
+    match docker_credential::get_credential(registry) {
+        Ok(DockerCredential::UsernamePassword(username, password)) => {
+            return Ok(Some(RegistryAuth::Basic(username, password)));
+        }
+        Ok(DockerCredential::IdentityToken(_)) => {
+            return Err(Error::CredentialError(anyhow::anyhow!(
+                "identity tokens not supported"
+            )));
+        }
+        Err(err) => {
+            if matches!(
+                err,
+                CredentialRetrievalError::ConfigNotFound
+                    | CredentialRetrievalError::ConfigReadError
+                    | CredentialRetrievalError::NoCredentialConfigured
+                    | CredentialRetrievalError::HelperFailure { .. }
+            ) {
+                tracing::debug!("Failed to look up OCI credentials: {err}");
+            } else {
+                tracing::warn!("Failed to look up OCI credentials: {err}");
+            };
+        }
+    }
+
+    Ok(None)
+}
