From c886eee6bd49f4418d005aa79820329e8a119620 Mon Sep 17 00:00:00 2001
From: Simon Huesken
Date: Tue, 27 Jan 2026 14:17:59 +0100
Subject: [PATCH 1/7] feat: add optional base image registry
---
 .github/workflows/build-image.yaml | 45 ++++++++++++++++++++++++++++++
 .github/workflows/kubernetes.yaml | 14 ++++++++--
 2 files changed, 56 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/build-image.yaml b/.github/workflows/build-image.yaml
index 2edb895..59184ab 100644
--- a/.github/workflows/build-image.yaml
+++ b/.github/workflows/build-image.yaml
@@ -32,9 +32,26 @@ on:
 description: Runner type
 default: ubuntu-latest
 type: string
+ baseImageRegistry:
+ required: false
+ description: The registry to pull base images from
+ type: string
 version:
 required: true
 type: string
+ secrets:
+ npmGithubReadToken:
+ required: true
+ description: The Github token with permissions to read NPM private packages
+ AWS_ROLE_TO_ASSUME:
+ required: true
+ description: AWS OIDC role for GitHub to assume
+ baseImageRegistryUsername:
+ required: false
+ description: The username for the base image registry
+ baseImageRegistryPassword:
+ required: false
+ description: The password for the base image registry
 env:
 IMAGE_SCAN_SEVERITY: LOW
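Review bot: The new `baseImageRegistry` input and the two `baseImageRegistry*` secrets are all declared `required: false`, but none of their descriptions says that the secrets become mandatory as soon as the input is set, which is exactly what the validation step later in this patch enforces at runtime. Suggest `description: Optional extra registry to log into before the build; leave empty to skip the additional login` for the input, and `description: Username for the base image registry (required when baseImageRegistry is set)` with matching wording for the password secret. The same input in kubernetes.yaml (`@@ -97,6 +97,10 @@`) carries a different description ("Additional registry to log into for pulling base images"); keeping the caller and the reusable workflow word-for-word identical avoids drift. `AWS_ROLE_TO_ASSUME` is the only SCREAMING_CASE name among camelCase secrets — presumably it mirrors an organisation-level secret name, and if so a comment such as `# name must match the organisation secret` would explain the exception.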
@@ -66,6 +83,20 @@ jobs:
 with:
 name: ${{ inputs.artifactName }}
 path: ${{ inputs.artifactPath }}
+ - name: Validate base image registry secrets
+ if: ${{ inputs.baseImageRegistry }}
+ run: |
+ if [ -z "${{ secrets.baseImageRegistryUsername }}" ] || [ -z "${{ secrets.baseImageRegistryPassword }}" ]; then
+ echo "baseImageRegistry is set but baseImageRegistryUsername or baseImageRegistryPassword secrets are missing."
+ exit 1
+ fi
+ - name: Login to base image registry
+ if: ${{ inputs.baseImageRegistry }}
+ uses: docker/login-action@v3
+ with:
+ registry: ${{ inputs.baseImageRegistry }}
+ username: ${{ secrets.baseImageRegistryUsername }}
+ password: ${{ secrets.baseImageRegistryPassword }}
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v2
 - name: Configure AWS credentials
@@ -153,6 +184,20 @@ jobs:
 with:
 name: ${{ inputs.artifactName }}
 path: ${{ inputs.artifactPath }}
+ - name: Validate base image registry secrets
+ if: ${{ inputs.baseImageRegistry }}
+ run: |
+ if [ -z "${{ secrets.baseImageRegistryUsername }}" ] || [ -z "${{ secrets.baseImageRegistryPassword }}" ]; then
+ echo "baseImageRegistry is set but baseImageRegistryUsername or baseImageRegistryPassword secrets are missing."
+ exit 1
+ fi
+ - name: Login to base image registry
+ if: ${{ inputs.baseImageRegistry }}
+ uses: docker/login-action@v3
+ with:
+ registry: ${{ inputs.baseImageRegistry }}
+ username: ${{ secrets.baseImageRegistryUsername }}
+ password: ${{ secrets.baseImageRegistryPassword }}
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v2
 - name: Configure AWS credentials
diff --git a/.github/workflows/kubernetes.yaml b/.github/workflows/kubernetes.yaml
index 6aa6cae..cb238eb 100644
--- a/.github/workflows/kubernetes.yaml
+++ b/.github/workflows/kubernetes.yaml
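Review bot: The validation step at the top of this hunk expands `${{ secrets.baseImageRegistryUsername }}` and `${{ secrets.baseImageRegistryPassword }}` straight into the `run:` script text, so a credential containing `"`, `$`, a backtick or a newline changes the shell command instead of being tested as data, and the step then fails (or misbehaves) for a reason that has nothing to do with the secret being missing. GitHub's documented pattern is to map expressions into `env:` and reference them as shell variables, which is the rewrite below; `docker/login-action` already receives the values via `with:`, so only the shell step needs it. The identical block is repeated in `@@ -153,6 +184,20 @@` and needs the same change, and since both jobs carry the two steps byte-for-byte, a composite action would remove the duplication. The `-z` checks themselves are worth keeping: under `secrets: inherit` an undefined secret arrives as an empty string, and this step is what turns that into a clear failure rather than an opaque login error.
```yaml
      - name: Validate base image registry secrets
        if: ${{ inputs.baseImageRegistry }}
        env:
          BASE_IMAGE_REGISTRY_USERNAME: ${{ secrets.baseImageRegistryUsername }}
          BASE_IMAGE_REGISTRY_PASSWORD: ${{ secrets.baseImageRegistryPassword }}
        run: |
          if [ -z "$BASE_IMAGE_REGISTRY_USERNAME" ] || [ -z "$BASE_IMAGE_REGISTRY_PASSWORD" ]; then
            echo "baseImageRegistry is set but baseImageRegistryUsername or baseImageRegistryPassword secrets are missing."
            exit 1
          fi
      # … unchanged: Login to base image registry step (docker/login-action@v3) …
```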
@@ -97,6 +97,10 @@ on:
 description: The relative file path to the folder that holds the application Kubernetes values
 default: values.yaml
 type: string
+ baseImageRegistry:
+ required: false
+ description: Additional registry to log into for pulling base images
+ type: string
 secrets:
 npmGithubReadToken:
 required: true
@@ -110,9 +114,12 @@ on:
 sentryAuthToken:
 required: false
 description: Authentication token for Sentry
- AWS_ROLE_TO_ASSUME:
- required: true
- description: AWS OIDC role for GitHub to assume
+ baseImageRegistryUsername:
+ required: false
+ description: The username for the base image registry
+ baseImageRegistryPassword:
+ required: false
+ description: The password for the base image registry
 jobs:
 initialize:
@@ -171,6 +178,7 @@ jobs:
 registryUsername: ${{ inputs.registryUsername }}
 enableContainerScan: ${{ inputs.enableContainerScan }}
 runner: ${{ inputs.runner }}
+ baseImageRegistry: ${{ inputs.baseImageRegistry }}
 version: ${{ needs.initialize.outputs.version }}
 secrets: inherit
From f4b1ce88c95dd83e17c6cd16be74dc351b1996f1 Mon Sep 17 00:00:00 2001
From: Simon Huesken
Date: Tue, 27 Jan 2026 14:21:32 +0100
Subject: [PATCH 2/7] chore: remove superfluous secret declaration
---
 .github/workflows/build-image.yaml | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/.github/workflows/build-image.yaml b/.github/workflows/build-image.yaml
index 59184ab..39de302 100644
--- a/.github/workflows/build-image.yaml
+++ b/.github/workflows/build-image.yaml
@@ -43,9 +43,6 @@ on:
 npmGithubReadToken:
 required: true
 description: The Github token with permissions to read NPM private packages
- AWS_ROLE_TO_ASSUME:
- required: true
- description: AWS OIDC role for GitHub to assume
 baseImageRegistryUsername:
 required: false
 description: The username for the base image registry
From 603922926792d12b10aa5975c0b5e4e8721c7d9b Mon Sep 17 00:00:00 2001
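Review bot: The hunk `@@ -110,9 +114,12 @@` silently drops the `AWS_ROLE_TO_ASSUME` secret declaration (`required: true`) from kubernetes.yaml, which has nothing to do with the commit's stated purpose and is not mentioned in its message; callers lose the up-front check that a missing role would otherwise trigger. The `build` job forwards everything with `secrets: inherit` (visible in `@@ -171,6 +178,7 @@`), so this declaration is the only place kubernetes.yaml tells callers that the role is needed. Patch 7 (`@@ -120,6 +120,9 @@`) re-adds it as `required: false`, and build-image.yaml has the same three lines removed and restored twice (patches 2, 3, 6 and 7 cycle between blobs 59184ab and 39de302), so squashing the series and leaving the original declaration untouched would make the net change reviewable as one intentional edit. If the removal is deliberate, the commit message should say why.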
From: Simon Huesken
Date: Tue, 27 Jan 2026 14:22:53 +0100
Subject: [PATCH 3/7] chore: include secret
---
 .github/workflows/build-image.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/build-image.yaml b/.github/workflows/build-image.yaml
index 39de302..59184ab 100644
--- a/.github/workflows/build-image.yaml
+++ b/.github/workflows/build-image.yaml
@@ -43,6 +43,9 @@ on:
 npmGithubReadToken:
 required: true
 description: The Github token with permissions to read NPM private packages
+ AWS_ROLE_TO_ASSUME:
+ required: true
+ description: AWS OIDC role for GitHub to assume
 baseImageRegistryUsername:
 required: false
 description: The username for the base image registry
From ef96c56715edc84abf0d040aa5d56a31aa50ba5f Mon Sep 17 00:00:00 2001
From: Simon Huesken
Date: Wed, 28 Jan 2026 18:53:17 +0100
Subject: [PATCH 4/7] chore: update referenced workflow
---
 .github/workflows/kubernetes.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/kubernetes.yaml b/.github/workflows/kubernetes.yaml
index cb238eb..9358b0e 100644
--- a/.github/workflows/kubernetes.yaml
+++ b/.github/workflows/kubernetes.yaml
@@ -169,7 +169,7 @@ jobs:
 build:
 needs: [initialize]
- uses: parcelLab/ci/.github/workflows/build-image.yaml@v8.2.5
+ uses: parcelLab/ci/.github/workflows/build-image.yaml@chore--allow-additional-base-image-registry-for-dh.io
 with:
 artifactName: ${{ inputs.artifactName }}
 artifactPath: ${{ inputs.artifactPath }}
From 0f8af1ac11c09e9065f57e24d03e40aaa59d359a Mon Sep 17 00:00:00 2001
From: Simon Huesken
Date: Wed, 28 Jan 2026 18:56:11 +0100
Subject: [PATCH 5/7] chore: removed unused input
---
 .github/workflows/kubernetes.yaml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/kubernetes.yaml b/.github/workflows/kubernetes.yaml
index 9358b0e..d85ccc1 100644
--- a/.github/workflows/kubernetes.yaml
+++ b/.github/workflows/kubernetes.yaml
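Review bot: The `build` job in patch 4 (`@@ -169,7 +169,7 @@`) now references the reusable workflow by a branch name, `@chore--allow-additional-base-image-registry-for-dh.io`, in place of the tag pin `@v8.2.5`. A branch ref is mutable, so every run of kubernetes.yaml executes whatever that branch contains at the moment it runs, including anything pushed after this review, and the OIDC role and registry credentials forwarded through `secrets: inherit` go with it; that is acceptable while testing the feature branch but must not ship. Before merge, restore an immutable pin — the next release tag, or preferably a full commit SHA with the tag noted alongside, e.g. `uses: parcelLab/ci/.github/workflows/build-image.yaml@<commit-sha>  # <release-tag>`. The enclosing `build` job continues outside the hunk.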
@@ -175,7 +175,6 @@ jobs:
 artifactPath: ${{ inputs.artifactPath }}
 imageTargets: ${{ inputs.imageTargets }}
 preScript: ${{ inputs.preScript }}
- registryUsername: ${{ inputs.registryUsername }}
 enableContainerScan: ${{ inputs.enableContainerScan }}
 runner: ${{ inputs.runner }}
 baseImageRegistry: ${{ inputs.baseImageRegistry }}
From 77b04f83a812687535acb2fcfe54a994b45293b1 Mon Sep 17 00:00:00 2001
From: Simon Huesken
Date: Wed, 28 Jan 2026 18:58:11 +0100
Subject: [PATCH 6/7] chore: remove org secret
---
 .github/workflows/build-image.yaml | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/.github/workflows/build-image.yaml b/.github/workflows/build-image.yaml
index 59184ab..39de302 100644
--- a/.github/workflows/build-image.yaml
+++ b/.github/workflows/build-image.yaml
@@ -43,9 +43,6 @@ on:
 npmGithubReadToken:
 required: true
 description: The Github token with permissions to read NPM private packages
- AWS_ROLE_TO_ASSUME:
- required: true
- description: AWS OIDC role for GitHub to assume
 baseImageRegistryUsername:
 required: false
 description: The username for the base image registry
From 8d9af82aa268bacfa4d7805efa2c1d5cc7ee8caf Mon Sep 17 00:00:00 2001
From: Simon Huesken
Date: Wed, 28 Jan 2026 19:06:31 +0100
Subject: [PATCH 7/7] chore: read aws role secret
---
 .github/workflows/build-image.yaml | 3 +++
 .github/workflows/kubernetes.yaml | 3 +++
 2 files changed, 6 insertions(+)
diff --git a/.github/workflows/build-image.yaml b/.github/workflows/build-image.yaml
index 39de302..59184ab 100644
--- a/.github/workflows/build-image.yaml
+++ b/.github/workflows/build-image.yaml
@@ -43,6 +43,9 @@ on:
 npmGithubReadToken:
 required: true
 description: The Github token with permissions to read NPM private packages
+ AWS_ROLE_TO_ASSUME:
+ required: true
+ description: AWS OIDC role for GitHub to assume
 baseImageRegistryUsername:
 required: false
 description: The username for the base image registry
diff --git a/.github/workflows/kubernetes.yaml b/.github/workflows/kubernetes.yaml
index d85ccc1..82b4cff 100644
--- a/.github/workflows/kubernetes.yaml
+++ b/.github/workflows/kubernetes.yaml
@@ -120,6 +120,9 @@ on:
 baseImageRegistryPassword:
 required: false
 description: The password for the base image registry
+ AWS_ROLE_TO_ASSUME:
+ required: false
+ description: AWS OIDC role for GitHub to assume
 jobs:
 initialize:
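Review bot: `AWS_ROLE_TO_ASSUME` is declared `required: false` here while the same secret in build-image.yaml (patch 7's first hunk, `@@ -43,6 +43,9 @@`) is `required: true`, so the two workflows now disagree about whether a caller must supply it, and the kubernetes.yaml declaration no longer tells callers that the nested workflow cannot run without it. The subject of patch 6, `chore: remove org secret`, suggests the value is expected to arrive as an organisation-level secret through `secrets: inherit`; if that is the intent, say so in the description, e.g. `description: AWS OIDC role for GitHub to assume; normally provided as an organisation secret and forwarded to build-image.yaml, which requires it`, otherwise keep `required: true` to match. The block is also appended after the base-registry secrets rather than restored to its original position after `sentryAuthToken`, which is avoidable diff noise once the series is squashed.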