Build and push remotely

I think it would be very beneficial to self-hosted users to enable a Trigger server to manage the build and push instead of the user from their local client. The new v3 model of building the Docker image locally and pushing it to a registry requires that the user has an account on the Trigger instance and access to a Docker registry as well, and the server must also have access to the same registry. The additional complexity of having two systems with access control seems difficult to manage correctly. I.e. if a user has access to a registry location containing another user’s task images, they could pull, overwrite or delete them, unbeknownst to the real owner. If the server did the build and push to a registry that users could not access, then the authentication would be unified under the Trigger API which is already perfectly sufficient.

I think ideally, the user would not need any access to a registry, and Trigger could use a single credential to a remote registry or just a local registry. As long as nobody else has access to push to it, the Trigger server could safely assume that the images are not tampered with.

Perhaps alternatively, the Trigger system could provide a registry proxy such that the Trigger CLI forces a push to occur through the registry proxy, which validates the user’s auth and uses the server’s auth to push to the real registry.

Context - I’d like to be able to add users to a self-hosted Trigger service but not have to deal with managing registry authentication and not worry about potential sabotage or privacy between users. (Even though there is no motivation for it, in principle, it must not be possible.) Without this separation, it seems self-hosted is only usable for a single organization where all users have the same access level which is extremely limiting.

Perhaps the intent is that self-hosted is this limited in functionality. If that’s the case, it would be more transparent to make this clear from the outset as it’s not very obvious until you get to the final step of setting up the registry.
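The registry-proxy idea above, as an added example (not Trigger's code): the policy core such a proxy would need. It assumes a hypothetical table mapping Trigger-issued bearer tokens to users, one image namespace per user (`<org>/<user>/...`), standard Docker Registry HTTP API v2 paths, and a single registry credential held only by the proxy.

```javascript
// Constructed sample of the Trigger-side token table (hypothetical; a real
// deployment would look up hashed tokens in its database).
const USERS = new Map([
  ["tok_alice_9f1", { user: "alice", namespace: "acme/alice" }],
  ["tok_bob_3c7",   { user: "bob",   namespace: "acme/bob" }],
]);

// The one registry credential; known to the proxy/server, never to clients.
// Constructed placeholder value.
const REGISTRY_AUTH =
  "Basic " + Buffer.from("trigger-server:REPLACE_ME").toString("base64");

// Extract the repository name from a Registry v2 route such as
// /v2/<name>/manifests/<ref> or /v2/<name>/blobs/uploads/. Null if not a repo route.
function repoFromPath(pathname) {
  const m = /^\/v2\/(.+?)\/(manifests|blobs|tags)\//.exec(pathname);
  return m ? m[1] : null;
}

// Decide whether a client request may be forwarded upstream. The client proves
// identity with its Trigger token only; the proxy checks the repo lies inside the
// caller's namespace and, on success, substitutes the server's registry credential.
function authorize(method, pathname, authHeader) {
  const token = (authHeader || "").replace(/^Bearer\s+/i, "");
  const user = USERS.get(token);
  if (!user) return { ok: false, status: 401, reason: "unknown Trigger token" };
  // /v2/ is the API version check every client performs first.
  if (pathname === "/v2/") {
    return { ok: true, user: user.user, headers: { authorization: REGISTRY_AUTH } };
  }
  const repo = repoFromPath(pathname);
  if (!repo) return { ok: false, status: 404, reason: "not a repository route" };
  // Exact boundary check: "acme/alice" must not authorize "acme/alicex/...".
  const inside = repo === user.namespace || repo.startsWith(user.namespace + "/");
  if (!inside) {
    return { ok: false, status: 403, reason: `${repo} is outside ${user.namespace}` };
  }
  // Users push and pull their own images; deletion stays a server-side operation.
  if (method === "DELETE") {
    return { ok: false, status: 405, reason: "deletes are server-side only" };
  }
  return { ok: true, user: user.user, repo, headers: { authorization: REGISTRY_AUTH } };
}
```

The HTTP forwarding itself is omitted; a thin reverse proxy would call `authorize` per request and either return the status above or forward with the returned headers.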

Status: In Review

Board: 💡 Feature Request

Date: About 1 year ago

Author: Colin Mollenhour
