fix(cli-integ): proxy test is being throttled by ecr (#80)

We are seeing sporadic throttling errors:

```console
 💻 docker run --net=bridge --rm -v /tmp:/tmp -v /home/runner:/home/runner -v /tmp/cdk-integ-0ffcgkzpab:/tmp/cdk-integ-0ffcgkzpab -e HOME -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY -e AWS_SESSION_TOKEN -w /tmp/cdk-integ-0ffcgkzpab --cap-add=NET_ADMIN public.ecr.aws/ubuntu/ubuntu:24.04_stable /tmp/cdk-integ-0ffcgkzpab/script.sh
  Unable to find image 'public.ecr.aws/ubuntu/ubuntu:24.04_stable' locally
  24.04_stable: Pulling from ubuntu/ubuntu
  docker: toomanyrequests: Rate exceeded.
  See 'docker run --help'.
  'docker run --net=bridge --rm -v /tmp:/tmp -v /home/runner:/home/runner -v /tmp/cdk-integ-0ffcgkzpab:/tmp/cdk-integ-0ffcgkzpab -e HOME -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY -e AWS_SESSION_TOKEN -w /tmp/cdk-integ-0ffcgkzpab --cap-add=NET_ADMIN public.ecr.aws/ubuntu/ubuntu:24.04_stable /tmp/cdk-integ-0ffcgkzpab/script.sh' exited with error code 125.Error: 'docker run --net=bridge --rm -v /tmp:/tmp -v /home/runner:/home/runner -v /tmp/cdk-integ-0ffcgkzpab:/tmp/cdk-integ-0ffcgkzpab -e HOME -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY -e AWS_SESSION_TOKEN -w /tmp/cdk-integ-0ffcgkzpab --cap-add=NET_ADMIN public.ecr.aws/ubuntu/ubuntu:24.04_stable /tmp/cdk-integ-0ffcgkzpab/script.sh' exited with error code 125.
      at ChildProcess.<anonymous> (/home/runner/work/aws-cdk-cli/aws-cdk-cli/lib/shell.ts:109:22)
      at ChildProcess.emit (node:events:524:28)
      at maybeClose (node:internal/child_process:1104:16)
      at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)
  ::endgroup::
```

Login to ECR to increase our throttling limits.

Author: iliapolo

.projenrc.ts

@@ -172,6 +172,7 @@ const cliInteg = configureProject(
       '@aws-sdk/client-codeartifact@^3',
       '@aws-sdk/client-cloudformation@^3',
       '@aws-sdk/client-ecr@^3',
+      '@aws-sdk/client-ecr-public@^3',
       '@aws-sdk/client-ecs@^3',
       '@aws-sdk/client-iam@^3',
       '@aws-sdk/client-lambda@^3',

packages/@aws-cdk-testing/cli-integ/.projen/deps.json

@@ -6,6 +6,7 @@ import {
   type Stack,
 } from '@aws-sdk/client-cloudformation';
 import { DeleteRepositoryCommand, ECRClient } from '@aws-sdk/client-ecr';
+import { ECRPUBLICClient } from '@aws-sdk/client-ecr-public';
 import { ECSClient } from '@aws-sdk/client-ecs';
 import { IAMClient } from '@aws-sdk/client-iam';
 import { LambdaClient } from '@aws-sdk/client-lambda';
@@ -42,6 +43,7 @@ export class AwsClients {
   public readonly cloudFormation: CloudFormationClient;
   public readonly s3: S3Client;
   public readonly ecr: ECRClient;
+  public readonly ecrPublic: ECRPUBLICClient;
   public readonly ecs: ECSClient;
   public readonly sso: SSOClient;
   public readonly sns: SNSClient;
@@ -61,6 +63,7 @@ export class AwsClients {
     this.cloudFormation = new CloudFormationClient(this.config);
     this.s3 = new S3Client(this.config);
     this.ecr = new ECRClient(this.config);
+    this.ecrPublic = new ECRPUBLICClient({ ...this.config, region: 'us-east-1' /* public gallery is only available in us-east-1 */ });
     this.ecs = new ECSClient(this.config);
     this.sso = new SSOClient(this.config);
     this.sns = new SNSClient(this.config);

packages/@aws-cdk-testing/cli-integ/lib/aws.ts

@@ -4,6 +4,7 @@ import * as fs from 'fs';
 import * as os from 'os';
 import * as path from 'path';
 import { DescribeStacksCommand, Stack } from '@aws-sdk/client-cloudformation';
+import { GetAuthorizationTokenCommand } from '@aws-sdk/client-ecr-public';
 import { outputFromStack, AwsClients, sleep } from './aws';
 import { TestContext } from './integ-test';
 import { findYarnPackages } from './package-sources/repo-source';
@@ -345,6 +346,36 @@ export class TestFixture extends ShellHelper {
     this.output.write(`${s}\n`);
   }
 
+  /**
+   * Login to the public ECR gallery using the current AWS credentials.
+   * Use this if your test needs to directly pull images outside of a `cdk` or `cdk-assets` command.
+   */
+  public async ecrPublicLogin() {
+
+    const tokenResponse = await this.aws.ecrPublic.send(new GetAuthorizationTokenCommand({}));
+    const authData = tokenResponse.authorizationData?.authorizationToken;
+
+    const docker = process.env.CDK_DOCKER ?? 'docker';
+
+    if (!authData) {
+      throw new Error("Could not retrieve ECR public auth token.");
+    }
+
+    const decoded = Buffer.from(authData, "base64").toString("utf-8");
+    const [username, password] = decoded.split(":");
+
+    await this.shell([docker, 'login',
+      '--username', username,
+      '--password', "${ECR_PASSWORD}",
+      'public.ecr.aws'], {
+      shell: true,
+      modEnv: {
+        ECR_PASSWORD: password,
+      },
+    });
+
+  }
+
   public async cdkDeploy(stackNames: string | string[], options: CdkCliOptions = {}, skipStackRename?: boolean) {
     return this.cdk(this.cdkDeployCommandLine(stackNames, options, skipStackRename), options);
   }

packages/@aws-cdk-testing/cli-integ/lib/with-cdk-app.ts

@@ -55,6 +55,8 @@ async function runInIsolatedContainer(fixture: TestFixture, pathsToMount: string
 
     await fs.chmod(scriptName, 0o755);
 
+    await fixture.ecrPublicLogin();
+
     // Run commands in a Docker shell
     await fixture.shell([
       docker, 'run', '--net=bridge', '--rm',