Summary
When the release-notes source repo is resolved from an untrusted source (an operator-set dd.source.repo container label, a persisted container.sourceRepo fallback, or a live Docker Hub metadata lookup), the GitHub auth token is unconditionally suppressed — including the dedicated DD_RELEASE_NOTES_GITHUB_TOKEN, not just the GHCR fallback. There is no configuration or env override to opt back in.
This makes authenticated release-notes lookups impossible for the common case of a third-party Docker Hub image that lacks OCI source labels, where the operator can only supply the repo via a container label. The operator is permanently capped at the unauthenticated GitHub API limit (60 req/h, public repos only), even when they have deliberately created a narrowly-scoped, read-only-public token whose leakage would be harmless.
Current behavior (v1.5.0)
The trusted flag is purely structural — decided by where the repo string came from — and short-circuits at the container label:
app/release-notes/index.ts:223-228 — a container-level dd.source.repo returns { trusted: false } immediately, with no comparison against the image's OCI labels.
app/release-notes/index.ts:352-354 — trusted is passed straight through as allowToken:
const releaseNotes = await provider.fetchByTag(sourceRepo, tag, getGithubToken(), {
allowToken: trusted,
});
app/release-notes/providers/GithubProvider.ts:186-190 — when allowToken === false, both the explicit DD_RELEASE_NOTES_GITHUB_TOKEN and the GHCR fallback are dropped:
const allowToken = options?.allowToken !== false;
const effectiveToken = allowToken ? (token ?? getGhcrTokenFallback()) : undefined;
The behavior is documented as intentional in content/docs/current/configuration/watchers/index.mdx:757.
Why this is a problem
The threat model — a malicious container spoofing dd.source.repo to exfiltrate a high-scope token to an attacker-controlled repo — is legitimate for the GHCR fallback token, which the operator provisioned for a different purpose and may be broadly scoped. But it should not force the same restriction onto a token the operator created specifically for release notes. An operator who scopes that token to read-only public access has explicitly accepted the (negligible) risk, and there is currently no way to express that intent.
Proposed change
Treat the presence of a dedicated DD_RELEASE_NOTES_GITHUB_TOKEN as an explicit operator opt-in to use that token regardless of source trust:
- When
DD_RELEASE_NOTES_GITHUB_TOKEN is set, send it even for untrusted (container-label / Docker Hub / persisted) sources.
- Keep the GHCR fallback (
getGhcrTokenFallback()) gated by trusted as it is today — only the explicitly-configured release-notes token gets the override. This preserves the original protection for the broadly-scoped GHCR credential while honoring deliberate operator intent.
(Alternatively, a separate explicit flag such as DD_RELEASE_NOTES_TRUST_CONTAINER_LABELS=true would also solve it, but overloading the dedicated token is cleaner — configuring it is already the explicit signal.)
Docs request
Please document this feature explicitly in the release-notes / GHCR configuration docs, including precise instructions to narrowly scope the token so operators can opt in safely. Concretely:
- A classic PAT scoped to
public_repo only (no other scopes), or
- A fine-grained PAT with read-only Contents access limited to public repositories and no account/repo write permissions.
Make clear that this token — unlike the GHCR fallback — is sent even for operator-supplied dd.source.repo container-label sources, and that it should therefore be created exclusively for read-only public release-notes access.
Secondary issue (related, worth a doc note regardless)
Because the container-label check short-circuits before the OCI labels (index.ts:223-228), adding a dd.source.repo container label to an image that already carries a trusted org.opencontainers.image.source label silently downgrades the resolution from trusted to untrusted and drops the token. This is surprising and currently undocumented — at minimum it deserves a warning in the dd.source.repo docs ("don't set this as a container label if the image already exposes a trusted OCI source label").
Environment
Summary
When the release-notes source repo is resolved from an untrusted source (an operator-set
dd.source.repocontainer label, a persistedcontainer.sourceRepofallback, or a live Docker Hub metadata lookup), the GitHub auth token is unconditionally suppressed — including the dedicatedDD_RELEASE_NOTES_GITHUB_TOKEN, not just the GHCR fallback. There is no configuration or env override to opt back in.This makes authenticated release-notes lookups impossible for the common case of a third-party Docker Hub image that lacks OCI source labels, where the operator can only supply the repo via a container label. The operator is permanently capped at the unauthenticated GitHub API limit (60 req/h, public repos only), even when they have deliberately created a narrowly-scoped, read-only-public token whose leakage would be harmless.
Current behavior (v1.5.0)
The
trustedflag is purely structural — decided by where the repo string came from — and short-circuits at the container label:app/release-notes/index.ts:223-228— a container-leveldd.source.reporeturns{ trusted: false }immediately, with no comparison against the image's OCI labels.app/release-notes/index.ts:352-354—trustedis passed straight through asallowToken:app/release-notes/providers/GithubProvider.ts:186-190— whenallowToken === false, both the explicitDD_RELEASE_NOTES_GITHUB_TOKENand the GHCR fallback are dropped:The behavior is documented as intentional in
content/docs/current/configuration/watchers/index.mdx:757.Why this is a problem
The threat model — a malicious container spoofing
dd.source.repoto exfiltrate a high-scope token to an attacker-controlled repo — is legitimate for the GHCR fallback token, which the operator provisioned for a different purpose and may be broadly scoped. But it should not force the same restriction onto a token the operator created specifically for release notes. An operator who scopes that token to read-only public access has explicitly accepted the (negligible) risk, and there is currently no way to express that intent.Proposed change
Treat the presence of a dedicated
DD_RELEASE_NOTES_GITHUB_TOKENas an explicit operator opt-in to use that token regardless of source trust:DD_RELEASE_NOTES_GITHUB_TOKENis set, send it even for untrusted (container-label / Docker Hub / persisted) sources.getGhcrTokenFallback()) gated bytrustedas it is today — only the explicitly-configured release-notes token gets the override. This preserves the original protection for the broadly-scoped GHCR credential while honoring deliberate operator intent.(Alternatively, a separate explicit flag such as
DD_RELEASE_NOTES_TRUST_CONTAINER_LABELS=truewould also solve it, but overloading the dedicated token is cleaner — configuring it is already the explicit signal.)Docs request
Please document this feature explicitly in the release-notes / GHCR configuration docs, including precise instructions to narrowly scope the token so operators can opt in safely. Concretely:
public_repoonly (no other scopes), orMake clear that this token — unlike the GHCR fallback — is sent even for operator-supplied
dd.source.repocontainer-label sources, and that it should therefore be created exclusively for read-only public release-notes access.Secondary issue (related, worth a doc note regardless)
Because the container-label check short-circuits before the OCI labels (
index.ts:223-228), adding add.source.repocontainer label to an image that already carries a trustedorg.opencontainers.image.sourcelabel silently downgrades the resolution from trusted to untrusted and drops the token. This is surprising and currently undocumented — at minimum it deserves a warning in thedd.source.repodocs ("don't set this as a container label if the image already exposes a trusted OCI source label").Environment