Harden version check helper when registry auth missing

scripts/check-versions.sh

@@ -13,11 +13,35 @@ ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
 # shellcheck source=/dev/null
 source "$ROOT_DIR/deploy/env.sh"
 
-# Load secrets (for REGISTRY_USERNAME/PASSWORD) if present.
+: "${SOPS_AGE_KEY_FILE:=$ROOT_DIR/creds/age-key.txt}"
-if [[ -f "$ROOT_DIR/scripts/load-secrets.sh" ]]; then
+: "${ENCRYPTED_FILE:=$ROOT_DIR/creds/secrets.enc.env}"
-  # shellcheck source=/dev/null
+: "${SECRETS_FILE:=$ROOT_DIR/creds/secrets.env}"
-  source "$ROOT_DIR/scripts/load-secrets.sh" >/dev/null 2>&1 || true
+
-fi
+load_registry_creds() {
+  # Try repo helper if present (may decrypt creds).
+  if [[ -f "$ROOT_DIR/scripts/load-secrets.sh" ]]; then
+    # shellcheck source=/dev/null
+    source "$ROOT_DIR/scripts/load-secrets.sh" >/dev/null 2>&1 || true
+  fi
+
+  # Fallback: if secrets file is empty but encrypted exists, decrypt to temp.
+  if [[ ! -s "$SECRETS_FILE" && -f "$ENCRYPTED_FILE" && -f "$SOPS_AGE_KEY_FILE" && -x "$(command -v sops || true)" ]]; then
+    tmpfile=$(mktemp)
+    SOPS_AGE_KEY_FILE="$SOPS_AGE_KEY_FILE" sops -d "$ENCRYPTED_FILE" >"$tmpfile" 2>/dev/null || true
+    if [[ -s "$tmpfile" ]]; then
+      # shellcheck source=/dev/null
+      source "$tmpfile" || true
+    fi
+    rm -f "$tmpfile"
+  elif [[ -s "$SECRETS_FILE" ]]; then
+    # shellcheck source=/dev/null
+    source "$SECRETS_FILE" >/dev/null 2>&1 || true
+  fi
+}
+
+load_registry_creds
+
+REGISTRY_AUTH_STATE="missing"
 
 # Prefer repo kubeconfig if none set.
 if [[ -z "${KUBECONFIG:-}" && -f "$ROOT_DIR/creds/kubeconfig.yaml" ]]; then
@@ -25,13 +49,27 @@ if [[ -z "${KUBECONFIG:-}" && -f "$ROOT_DIR/creds/kubeconfig.yaml" ]]; then
 fi
 
 login_registry() {
+  if ! command -v docker >/dev/null 2>&1; then
+    REGISTRY_AUTH_STATE="no-docker"
+    return
+  fi
   if [[ -n "${REGISTRY_USERNAME:-}" && -n "${REGISTRY_PASSWORD:-}" ]]; then
-    docker login "$REGISTRY" -u "$REGISTRY_USERNAME" -p "$REGISTRY_PASSWORD" >/dev/null 2>&1 || true
+    if docker login "$REGISTRY" -u "$REGISTRY_USERNAME" -p "$REGISTRY_PASSWORD" >/dev/null 2>&1; then
+      REGISTRY_AUTH_STATE="logged-in"
+    else
+      REGISTRY_AUTH_STATE="login-failed"
+    fi
+  else
+    REGISTRY_AUTH_STATE="no-creds"
   fi
 }
 
 manifest_digest() {
   local image="$1"
+  if ! command -v docker >/dev/null 2>&1; then
+    echo ""
+    return
+  fi
   local out
   out="$(
     { docker manifest inspect "$image" 2>/dev/null | python3 - <<'PY'
@@ -70,11 +108,20 @@ LATEST_IMAGE="${REGISTRY}/${REGISTRY_REPO}:latest"
 LATEST_DIGEST="$(manifest_digest "$LATEST_IMAGE")"
 
 echo "Registry latest: $LATEST_IMAGE"
-echo "  digest: ${LATEST_DIGEST:-n/a (docker unavailable or unauthorized)}"
+if [[ -z "$LATEST_DIGEST" ]]; then
+  echo "  digest: unavailable (docker missing or unauthorized)"
+else
+  echo "  digest: $LATEST_DIGEST"
+fi
 if [[ -f "$ROOT_DIR/deploy/.last-image" ]]; then
   echo "Local last built: $(cat "$ROOT_DIR/deploy/.last-image")"
 fi
 echo
+if [[ "$REGISTRY_AUTH_STATE" != "logged-in" && "$REGISTRY_AUTH_STATE" != "missing" ]]; then
+  echo "Note: registry auth not established (state: $REGISTRY_AUTH_STATE); digest comparison may be unavailable."
+  echo "      Export REGISTRY_USERNAME/REGISTRY_PASSWORD (via sops load) or run: docker login $REGISTRY"
+  echo
+fi
 
 for row in "testing:$TEST_NAMESPACE" "staging:$STAGING_NAMESPACE" "prod:$PROD_NAMESPACE"; do
   env_name="${row%%:*}"
@@ -91,6 +138,10 @@ for row in "testing:$TEST_NAMESPACE" "staging:$STAGING_NAMESPACE" "prod:$PROD_NA
   fi
   echo "Env $env_name ($ns):"
   echo "  image:  $img"
-  echo "  digest: ${digest:-n/a}"
+  if [[ -z "$digest" ]]; then
+    echo "  digest: unavailable (docker missing or unauthorized)"
+  else
+    echo "  digest: $digest"
+  fi
   echo "  matches latest: $match"
 done