Add aws/ecr-public integration for ECR Public authentication #2231

Open: osterman wants to merge 4 commits into main from osterman/ecr-public-auth

@osterman osterman commented Mar 18, 2026

what

Add aws/ecr-public integration kind to Atmos for authenticated access to AWS ECR Public (public.ecr.aws). Solves Docker rate limiting on public ECR images by enabling authenticated pulls with significantly higher or no rate limits.

Key changes:

  • Cloud layer (pkg/auth/cloud/aws/ecr_public.go): GetPublicAuthorizationToken() function that calls ecrpublic:GetAuthorizationToken API, always using us-east-1 region
  • Integration layer (pkg/auth/integrations/aws/ecr_public.go): ECRPublicIntegration factory that registers the new aws/ecr-public kind, validates regions at config time
  • Region validation: Rejects unsupported regions (only us-east-1 and us-west-2 have service endpoints; auth is us-east-1 only)
  • Tests: Comprehensive unit tests for cloud layer (token retrieval, region validation, registry detection) and integration layer (factory, execution, error handling)
  • Documentation: Updated ecr-login command reference, ECR authentication tutorial, added ECR Public configuration section with examples
  • Blog post: Announced feature explaining problem, solution, and usage patterns
  • Roadmap: Added shipped milestone linking to changelog entry

why

Docker pulls from public.ecr.aws hit rate limits when unauthenticated. This blocks CI workflows, especially those using cloudposse/github-action-docker-build-push which pulls BuildKit/binfmt images on every run. Authenticated pulls have significantly higher (or no) rate limits.

ECR Public differs fundamentally from private ECR: uses ecrpublic SDK service, bearer token instead of SigV4, hardcoded us-east-1 auth region, fixed public.ecr.aws registry URL. Requires ecr-public:GetAuthorizationToken and sts:GetServiceBearerToken IAM permissions.

references

Summary by CodeRabbit

  • New Features

    • Added authenticated pull support for public.ecr.aws registry via new aws/ecr-public integration
    • Automatic token retrieval and Docker credential management for ECR Public
  • Documentation

    • Added comprehensive guides and tutorials for ECR Public authentication setup
    • Updated CLI command documentation to include public registry support
    • Added blog post describing ECR Public integration usage and benefits
  • Chores

    • Added AWS SDK dependency for ECR Public service support
    • Updated roadmap with ECR Public authentication milestone
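
The token handling and region check described in this pull request, as an added Go example that is not code from the PR or from Atmos: it decodes a base64 `username:password` authorization token, rejects malformed responses without echoing secret material in the error, validates regions against an unexported set, and renders the Docker `auths` entry for public.ecr.aws. Every identifier, the sample token and the sample expiry are constructed for illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
	"strings"
	"time"
)

// All names here are hypothetical stand-ins, not the PR's identifiers.
const (
	authRegion     = "us-east-1"      // token requests always go to this region
	publicRegistry = "public.ecr.aws" // fixed registry host for ECR Public
)

var (
	errInvalidRegion = errors.New("ecr-public: unsupported region")
	errAuthFailed    = errors.New("ecr-public: authentication failed")
)

// Unexported so no caller can change validation globally.
var supportedRegions = map[string]struct{}{"us-east-1": {}, "us-west-2": {}}

// SupportedRegions returns a sorted copy; mutating it has no effect on validation.
func SupportedRegions() []string {
	out := make([]string, 0, len(supportedRegions))
	for r := range supportedRegions {
		out = append(out, r)
	}
	sort.Strings(out)
	return out
}

// ValidateRegion rejects regions that have no ECR Public service endpoint.
func ValidateRegion(region string) error {
	if _, ok := supportedRegions[region]; !ok {
		return fmt.Errorf("%w: %q (supported: %s)", errInvalidRegion, region,
			strings.Join(SupportedRegions(), ", "))
	}
	return nil
}

// Credentials is what a Docker login needs from the token response.
type Credentials struct {
	Username, Password string
	ExpiresAt          time.Time
}

// DecodeToken turns the base64 "username:password" token into credentials.
// Error messages name the failure only; they never include token bytes.
func DecodeToken(token string, expiresAt *time.Time) (Credentials, error) {
	if token == "" || expiresAt == nil {
		return Credentials{}, fmt.Errorf("%w: response is missing the token or its expiry", errAuthFailed)
	}
	raw, err := base64.StdEncoding.DecodeString(token)
	if err != nil {
		return Credentials{}, fmt.Errorf("%w: token is not valid base64", errAuthFailed)
	}
	// Split at the first colon only, so a password containing ':' survives.
	user, pass, ok := strings.Cut(string(raw), ":")
	if !ok || user == "" || pass == "" {
		return Credentials{}, fmt.Errorf("%w: decoded token is not username:password", errAuthFailed)
	}
	return Credentials{Username: user, Password: pass, ExpiresAt: *expiresAt}, nil
}

// encodeAuth builds the base64 "user:pass" value Docker stores under "auth".
func encodeAuth(user, pass string) string {
	return base64.StdEncoding.EncodeToString([]byte(user + ":" + pass))
}

// DockerConfig renders a config.json fragment with one entry for the public registry.
func DockerConfig(c Credentials) ([]byte, error) {
	return json.Marshal(map[string]map[string]map[string]string{
		"auths": {publicRegistry: {"auth": encodeAuth(c.Username, c.Password)}},
	})
}

// Constructed sample inputs (not real credentials).
var sampleExpiry = time.Date(2026, 3, 19, 8, 0, 0, 0, time.UTC)

const sampleNoColon = "bm9jb2xvbg==" // base64 of "nocolon"

func main() {
	fmt.Println(ValidateRegion("eu-west-1"))
	creds, err := DecodeToken(encodeAuth("AWS", "constructed-password"), &sampleExpiry)
	if err != nil {
		fmt.Println(err)
		return
	}
	cfg, _ := DockerConfig(creds)
	// Print sizes and times only, never the credential itself.
	fmt.Printf("auth region %s, %d-byte docker config, expires %s\n",
		authRegion, len(cfg), creds.ExpiresAt.Format(time.RFC3339))
	_, err = DecodeToken(sampleNoColon, &sampleExpiry)
	fmt.Println(err)
}
```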

…c registry access

- Add ECR Public support via new aws/ecr-public integration kind
- Implement region validation (us-east-1 and us-west-2 supported)
- Add cloud layer with GetPublicAuthorizationToken and region validation
- Add integration layer with factory and execution
- Update documentation for ecr-login command and tutorial
- Add blog post announcing feature
- Update roadmap with shipped milestone

Closes #2079 (as part of Native CI/CD integration feature)
@osterman osterman requested a review from a team as a code owner March 18, 2026 20:15
@github-actions github-actions bot added the size/l Large size PR label Mar 18, 2026

github-actions bot commented Mar 18, 2026

Dependency Review

✅ No vulnerabilities or license issues found.

Scanned Files

  • go.mod


mergify bot commented Mar 18, 2026

Important

Cloud Posse Engineering Team Review Required

This pull request modifies files that require Cloud Posse's review. Please be patient, and a core maintainer will review your changes.

To expedite this process, reach out to us on Slack in the #pr-reviews channel.

@mergify mergify bot added the needs-cloudposse Needs Cloud Posse assistance label Mar 18, 2026
@osterman osterman added the minor New features that do not break anything label Mar 18, 2026

coderabbitai bot commented Mar 18, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 74a86b32-ac27-438b-969b-e7bc3d53bdff

📥 Commits

Reviewing files that changed from the base of the PR and between c05b722 and 0f03dee.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (2)
  • NOTICE
  • go.mod

Walkthrough

Adds AWS ECR Public authentication support to Atmos via new cloud authentication module, integration layer, error sentinels, and AWS SDK dependency. Introduces token retrieval pinned to us-east-1, Docker credential management, and comprehensive documentation covering implementation details and user guidance.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Dependencies & Error Sentinels: go.mod, LICENSES.txt, errors/errors.go | Added AWS ECR Public SDK v1.38.12 dependency and two new error sentinels (ErrECRPublicAuthFailed, ErrECRPublicInvalidRegion) for public ECR authentication failures. |
| Cloud Authentication Module: pkg/auth/cloud/aws/ecr_public.go, pkg/auth/cloud/aws/ecr_public_test.go, pkg/auth/cloud/aws/mock_ecr_public_client_test.go | Implements GetPublicAuthorizationToken to retrieve base64-encoded credentials from AWS ECR Public, region validation (us-east-1/us-west-2), and Docker credential decoding. Includes ECRPublicClient interface for testability and GoMock-generated test utilities. |
| Integration Module: pkg/auth/integrations/aws/ecr_public.go, pkg/auth/integrations/aws/ecr_public_test.go | Registers ECRPublicIntegration type that orchestrates token retrieval and Docker config writes. Implements Kind() returning "aws/ecr-public", region validation, and Execute() for credential provisioning with error mapping. |
| Integration Types: pkg/auth/integrations/types.go | Added KindAWSECRPublic constant ("aws/ecr-public") alongside existing ECR/EKS integration kinds. |
| Product & Design Documentation: docs/prd/ecr-public-authentication.md | Comprehensive PRD covering problem statement, technical specification, regional constraints (us-east-1 auth only), configuration schema, security considerations, implementation checklist, and file layout. |
| CLI & User Documentation: website/docs/cli/commands/auth/ecr-login.mdx, website/docs/tutorials/ecr-authentication.mdx, website/blog/2026-03-18-ecr-public-authentication.mdx | Expanded ECR login documentation distinguishing private vs. public ECR workflows, added usage examples, IAM permission guidance, and blog post covering benefits of authenticated ECR Public pulls. |
| Roadmap: website/src/data/roadmap.js | Updated project roadmap with "ECR Public registry authentication" milestone (shipped, Q1 2026). |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

Suggested reviewers

  • aknysh
🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 24.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main change: adding a new aws/ecr-public integration for ECR Public authentication, which is the primary objective of this PR. |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 5

🧹 Nitpick comments (3)
pkg/auth/cloud/aws/ecr_public.go (1)

26-32: Don't export a mutable region set.

ECRPublicSupportedRegions behaves like constant data, but exposing it as a writable map lets any caller change validation globally and makes concurrent access fragile. Keep the set private and expose a helper or copy if other packages need the list.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/auth/cloud/aws/ecr_public.go` around lines 26 - 32,
ECRPublicSupportedRegions is exported as a mutable map which lets callers modify
global state; make it unexported (rename to ecrPublicSupportedRegions) and stop
exposing the map directly, then add a safe accessor: either a function
IsECRPublicSupportedRegion(region string) bool for validation or a
GetECRPublicSupportedRegions() []string that returns a new slice copy of keys;
update callers to use the new accessor and remove direct map usage to prevent
concurrent mutation and preserve immutability.
pkg/auth/integrations/aws/ecr_public_test.go (1)

31-35: Test the interface contract, not the struct internals.

These assertions downcast to *ECRPublicIntegration and inspect private fields, so harmless implementation refactors will break the suite. Prefer asserting Kind() and GetIdentity() on the returned interface instead.

Based on learnings "Test behavior, not implementation; never test stub functions; avoid tautological tests; make code testable via DI; no coverage theater; remove always-skipped tests; use errors.Is() for error checking."

Also applies to: 50-52, 86-88

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/auth/integrations/aws/ecr_public_test.go` around lines 31 - 35, The test
currently downcasts to *ECRPublicIntegration and asserts private fields
(ecrPublicIntegration.name / identity); change it to test the interface contract
instead by using the returned integration variable's methods: assert
integration.Kind() equals the expected kind (e.g., "ecr-public") and assert
integration.GetIdentity() equals "dev-admin"; remove the downcast to
ECRPublicIntegration and the direct field assertions and apply the same
replacement for the other occurrences that inspect private fields (the blocks
referencing ECRPublicIntegration around the other failing assertions).
pkg/auth/integrations/aws/ecr_public.go (1)

36-52: Validate via.identity during construction for clearer failures.

identity is optional in this constructor today, so a bad config can fail later in execution with less actionable errors. Fail fast here when via.identity is empty.

Suggested validation
  identity := ""
  if config.Config.Via != nil {
    identity = config.Config.Via.Identity
  }
+ if identity == "" {
+   return nil, fmt.Errorf("%w: integration '%s': missing required via.identity", errUtils.ErrIntegrationFailed, config.Name)
+ }

  // Validate region if user specified one in spec.registry.
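
Review bot: the added `if identity == ""` guard matches only the exact empty string, so a whitespace-only via.identity still passes construction, which is the late failure this check is meant to prevent. Consider testing `strings.TrimSpace(identity) == ""` instead, and format the integration name with `%q` rather than `'%s'` so an empty or unusual config.Name is unambiguous in the message.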

As per coding guidelines: "Provide clear error messages to users, include troubleshooting hints when appropriate, and log detailed errors for debugging."

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/auth/integrations/aws/ecr_public.go` around lines 36 - 52, The
constructor currently allows an empty via.identity and returns an
ECRPublicIntegration with identity == "" which defers failure; update the
initialization logic (where identity is derived from config.Config.Via and the
ECRPublicIntegration is returned) to validate that config.Config.Via != nil and
config.Config.Via.Identity is non-empty and, if not, return a clear error (wrap
with errUtils.ErrIntegrationFailed and include config.Name and a helpful message
about missing via.identity) before creating the ECRPublicIntegration instance;
keep the existing region validation for config.Config.Spec.Registry as-is.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/auth/cloud/aws/ecr_public_test.go`:
- Around line 11-140: Add unit tests for GetPublicAuthorizationToken that cover
all error and success branches: build a test suite in ecr_public_test.go that
injects a mocked ECR Public client (or a test double) into
GetPublicAuthorizationToken to simulate (1) AWS config build failure, (2) API
call returning an error, (3) API response with missing Auth token/ExpiresAt, (4)
API response with invalid base64 Auth token, (5) API response with decoded token
missing the "username:password" format, and (6) a successful response that
returns expected username/password; use table-driven tests and assert returned
error values or parsed credentials accordingly, referencing the
GetPublicAuthorizationToken function and the client method it calls
(GetAuthorizationToken) so tests remain resilient to line changes.

In `@pkg/auth/integrations/aws/ecr_public_test.go`:
- Around line 182-193: The test TestECRPublicIntegration_Execute_NilCredentials
only asserts an error for nil creds; add unit tests that exercise
ECRPublicIntegration.Execute's happy path and the failure branches (auth token
retrieval failure, docker-config write/login failure) by injecting mocks for any
external calls (e.g., credential provider, token fetcher, docker-config writer
or registry client) so you can simulate success and each error case; create
table-driven tests that call Execute with mocked credentials and assert expected
outcomes and side-effects (token used, docker config written, errors wrapped),
targeting >80% coverage for the pkg/auth/integrations/aws package and
referencing ECRPublicIntegration.Execute and any helper interfaces used for
token retrieval and docker-config operations.

In `@website/docs/cli/configuration/settings/pro.mdx`:
- Around line 185-191: The example YAML for the pro settings omits the required
workspace_id; update the snippet that defines settings.pro to include both token
(settings.pro.token) and workspace_id (settings.pro.workspace_id) so users can
copy/paste a complete bearer-token configuration, e.g., add the workspace_id key
alongside the token key under the pro section.

In `@website/docs/cli/configuration/version/use.mdx`:
- Around line 89-97: The precedence table and explanatory note disagree: update
the table so `--use-version` and the `ATMOS_VERSION_USE` env var appear at the
same priority level (i.e., both as Priority 1) and adjust the remaining
priorities accordingly, or alternatively change the note to state that the
`--use-version` flag sets `ATMOS_VERSION_USE` internally so the flag and the env
var share the same priority; ensure the table rows reference the exact symbols
`--use-version`, `ATMOS_VERSION_USE`, `ATMOS_VERSION`, and `version.use` so they
match the explanatory sentence.

In `@website/src/data/roadmap.js`:
- Line 175: The roadmap entry object with label 'ECR Public registry
authentication' is missing its pr reference; add a pr property to that object
(matching the style used elsewhere in roadmap.js, e.g. pr: '#1234' or pr:
'https://github.com/owner/repo/pull/1234') so the shipped milestone includes the
PR link, and ensure the new property follows the same quoting/comma formatting
as other entries.

📥 Commits

Reviewing files that changed from the base of the PR and between 7f1f92b and ad31d13.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (18)
  • NOTICE
  • docs/prd/ecr-public-authentication.md
  • errors/errors.go
  • go.mod
  • pkg/auth/cloud/aws/ecr_public.go
  • pkg/auth/cloud/aws/ecr_public_test.go
  • pkg/auth/integrations/aws/ecr_public.go
  • pkg/auth/integrations/aws/ecr_public_test.go
  • pkg/auth/integrations/types.go
  • website/blog/2026-03-18-ecr-public-authentication.mdx
  • website/docs/cli/commands/auth/ecr-login.mdx
  • website/docs/cli/configuration/configuration.mdx
  • website/docs/cli/configuration/settings/pro.mdx
  • website/docs/cli/configuration/version/use.mdx
  • website/docs/cli/configuration/version/version.mdx
  • website/docs/cli/environment-variables.mdx
  • website/docs/tutorials/ecr-authentication.mdx
  • website/src/data/roadmap.js


codecov bot commented Mar 18, 2026

Codecov Report

❌ Patch coverage is 96.47059% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 76.90%. Comparing base (bdd2758) to head (0f03dee).
⚠️ Report is 7 commits behind head on main.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| pkg/auth/integrations/aws/ecr_public.go | 95.23% | 1 Missing and 1 partial ⚠️ |
| pkg/auth/cloud/aws/ecr_public.go | 97.67% | 1 Missing ⚠️ |
Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2231      +/-   ##
==========================================
+ Coverage   76.85%   76.90%   +0.05%     
==========================================
  Files        1001     1003       +2     
  Lines       95392    95477      +85     
==========================================
+ Hits        73316    73430     +114     
+ Misses      17811    17784      -27     
+ Partials     4265     4263       -2     
| Flag | Coverage Δ |
|---|---|
| unittests | 76.90% <96.47%> (+0.05%) ⬆️ |

| Files with missing lines | Coverage Δ |
|---|---|
| errors/errors.go | 100.00% <ø> (ø) |
| pkg/auth/cloud/aws/ecr_public.go | 97.67% <97.67%> (ø) |
| pkg/auth/integrations/aws/ecr_public.go | 95.23% <95.23%> (ø) |

... and 4 files with indirect coverage changes


- Add unit tests for GetPublicAuthorizationToken covering all error/success branches
- Add unit tests for ECRPublicIntegration.Execute happy path and failure branches
- Introduce ECRPublicClient interface with options pattern for testability
- Add injectable dependencies to ECRPublicIntegration for mock-based testing
- Fix missing workspace_id in pro.mdx bearer-token example
- Fix precedence table contradiction in version/use.mdx
- Add pr: 2231 to ECR Public roadmap milestone

Coverage: cloud/aws 81.5%, integrations/aws 87.0% (both above 80% threshold)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

mergify bot commented Mar 18, 2026

💥 This pull request now has conflicts. Could you fix it @osterman? 🙏

@mergify mergify bot added the conflict This PR has conflicts label Mar 18, 2026
Resolve conflicts in pro.mdx and version/use.mdx docs, accepting
main's simplified bearer-token example and expanded version precedence table.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (3)
pkg/auth/cloud/aws/ecr_public.go (2)

56-61: Add tracing to the exported option helper.

WithECRPublicClient is public, but it skips the perf.Track hook used by the other public functions in this file. Keeping that contract consistent avoids holes in tracing.

♻️ Proposed fix
 func WithECRPublicClient(client ECRPublicClient) ECRPublicAuthOption {
+	defer perf.Track(nil, "aws.WithECRPublicClient")()
+
 	return func(c *ecrPublicAuthConfig) {
 		c.client = client
 	}
 }
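
Review bot: the `defer perf.Track(nil, "aws.WithECRPublicClient")()` at the top of WithECRPublicClient fires when the option is constructed, not when the returned closure runs `c.client = client`, so the recorded span covers only building the closure and says nothing about where the option is applied. If the hook is wanted purely for guideline consistency, note that in a comment. Separately, the closure stores `client` unchecked, so passing nil overwrites whatever client the config already held; a nil guard inside the closure would keep the default in place.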

As per coding guidelines: "Add defer perf.Track(atmosConfig, "pkg.FuncName")() + blank line to all public functions, use nil if no atmosConfig param".

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/auth/cloud/aws/ecr_public.go` around lines 56 - 61, The exported helper
WithECRPublicClient is missing the perf.Track tracing hook used by other public
functions; update WithECRPublicClient (the function that returns
ECRPublicAuthOption and mutates ecrPublicAuthConfig) to call defer
perf.Track(nil, "pkg.WithECRPublicClient")() as the first statement in the
function body and add a blank line after that defer to match the file's
convention so tracing is consistent for all public helpers.

34-39: Pin the mock generator version.

Using go run ...mockgen@latest makes the generated file depend on whatever version is current when go generate runs. Please lock this to a fixed version, ideally the one already declared in go.mod, so mock output stays reproducible.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/auth/cloud/aws/ecr_public.go` around lines 34 - 39, Replace the
go:generate directive that currently uses "go run
go.uber.org/mock/mockgen@latest" with a pinned module version: run "go list -m
-json go.uber.org/mock/mockgen" or inspect go.mod to find the exact version
used, then change the directive to "go run go.uber.org/mock/mockgen@<version>"
(keeping the same -source=ecr_public.go and
-destination=mock_ecr_public_client_test.go flags). This ensures the mock for
ECRPublicClient is reproducible; update the go:generate line in the same file
where ECRPublicClient is declared.
pkg/auth/integrations/aws/ecr_public_test.go (1)

204-219: Generate the Docker writer mock instead of hand-rolling it.

This double only captures arguments; it can't express expectations like "must not be called", so the token-error path still can't prove WriteAuth was skipped. Please switch dockerAuthWriter to a mockgen-generated mock like the ECRPublicClient one in this PR.

As per coding guidelines: "Use go.uber.org/mock/mockgen with //go:generate directives for mock generation - never create manual mocks".

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/auth/integrations/aws/ecr_public_test.go` around lines 204 - 219, The
test uses a hand-rolled mock type mockDockerWriter and its WriteAuth method
which only captures args and cannot express expectations (e.g. "must not be
called"); replace it with a mockgen-generated mock for the dockerAuthWriter
interface (similar to the ECRPublicClient mock used elsewhere). Add a
//go:generate directive for go.uber.org/mock/mockgen, run mockgen to produce the
concrete mock type, update tests to import and use that generated mock (set
EXPECT() expectations like NotToBeCalled or Return) and remove the manual
mockDockerWriter type and its WriteAuth implementation so tests can assert
call/non-call behavior.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@website/src/data/roadmap.js`:
- Line 175: Find the initiatives array and update the auth initiative's progress
field (the object with label: 'auth') to account for the newly shipped milestone
— change progress from 80 to 81 so the roadmap bar reflects the added shipped
item; ensure the new milestone already includes pr: 2231 and changelog:
'ecr-public-authentication' as shown.

📥 Commits

Reviewing files that changed from the base of the PR and between ad31d13 and c05b722.

📒 Files selected for processing (8)
  • pkg/auth/cloud/aws/ecr_public.go
  • pkg/auth/cloud/aws/ecr_public_test.go
  • pkg/auth/cloud/aws/mock_ecr_public_client_test.go
  • pkg/auth/integrations/aws/ecr_public.go
  • pkg/auth/integrations/aws/ecr_public_test.go
  • website/docs/cli/configuration/settings/pro.mdx
  • website/docs/cli/configuration/version/use.mdx
  • website/src/data/roadmap.js
🚧 Files skipped from review as they are similar to previous changes (3)
  • website/docs/cli/configuration/version/use.mdx
  • pkg/auth/cloud/aws/ecr_public_test.go
  • pkg/auth/integrations/aws/ecr_public.go

{ label: 'Automatic EKS kubeconfig tied to identities', status: 'in-progress', quarter: 'q4-2025', pr: 1903, changelog: 'helmfile-eks-modernization', description: 'Automatic kubeconfig generation for EKS clusters using Atmos-managed AWS credentials with flexible cluster name configuration.', benefits: 'No aws eks update-kubeconfig commands. Kubectl works immediately after Atmos auth.' },
{ label: 'Flexible EKS cluster name configuration', status: 'in-progress', quarter: 'q4-2025', pr: 1903, changelog: 'helmfile-eks-modernization', description: 'Four-level precedence for EKS cluster names: --cluster-name flag, cluster_name config, cluster_name_template (Go templates), or legacy cluster_name_pattern. EKS integration is now opt-in with use_eks setting.', benefits: 'Use Go templates for dynamic cluster names. Non-EKS Kubernetes clusters work without EKS configuration.' },
{ label: 'Automatic ECR authentication tied to identities', status: 'shipped', quarter: 'q4-2025', pr: 1859, docs: '/tutorials/ecr-authentication', changelog: 'ecr-authentication-integration', description: 'Native ECR login for container image operations without external tooling.', benefits: 'Docker push/pull to ECR works without aws ecr get-login-password or external credential helpers.', category: 'featured', priority: 'high' },
{ label: 'ECR Public registry authentication', status: 'shipped', quarter: 'q1-2026', pr: 2231, changelog: 'ecr-public-authentication', description: 'Authenticated pulls from public.ecr.aws to eliminate rate limits on public ECR images.', benefits: 'CI builds pulling BuildKit, binfmt, or other public ECR images no longer hit unauthenticated rate limits.' },

⚠️ Potential issue | 🟡 Minor

Bump the auth initiative progress too.

This adds another shipped auth milestone, but the auth initiative's progress value above stays at 80. Please update that percentage in the same change so the roadmap bar reflects the new milestone state.

Based on learnings: Applies to website/src/data/roadmap.js : PRs labeled minor/major must update website/src/data/roadmap.js with shipped milestones, changelog links, PR references, and progress percentages.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@website/src/data/roadmap.js` at line 175, Find the initiatives array and
update the auth initiative's progress field (the object with label: 'auth') to
account for the newly shipped milestone — change progress from 80 to 81 so the
roadmap bar reflects the added shipped item; ensure the new milestone already
includes pr: 2231 and changelog: 'ecr-public-authentication' as shown.

@mergify mergify bot removed the conflict This PR has conflicts label Mar 18, 2026
@osterman osterman added this to the 1.211.0 milestone Mar 19, 2026

mergify bot commented Mar 21, 2026

💥 This pull request now has conflicts. Could you fix it @osterman? 🙏

@mergify mergify bot added the conflict This PR has conflicts label Mar 21, 2026