Fix: when running restore, provide creds for run image if there are r…

internal/build/lifecycle_execution.go

@@ -469,13 +469,17 @@ func (l *LifecycleExecution) Restore(ctx context.Context, buildCache Cache, kani
 	// for kaniko
 	kanikoCacheBindOp := NullOp()
 	if (l.platformAPI.AtLeast("0.10") && l.hasExtensionsForBuild()) ||
-		(l.platformAPI.AtLeast("0.12") && (l.hasExtensionsForBuild() || l.hasExtensionsForRun())) {
+		l.platformAPI.AtLeast("0.12") {
 		if l.hasExtensionsForBuild() {
 			flags = append(flags, "-build-image", l.opts.BuilderImage)
 			registryImages = append(registryImages, l.opts.BuilderImage)
 		}
-
-		kanikoCacheBindOp = WithBinds(fmt.Sprintf("%s:%s", kanikoCache.Name(), l.mountPaths.kanikoCacheDir()))
+		if l.runImageChanged() || l.hasExtensionsForRun() {
+			registryImages = append(registryImages, l.runImageAfterExtensions())
+		}
+		if l.hasExtensionsForBuild() || l.hasExtensionsForRun() {
+			kanikoCacheBindOp = WithBinds(fmt.Sprintf("%s:%s", kanikoCache.Name(), l.mountPaths.kanikoCacheDir()))
+		}
 	}
 
 	// for auths
@@ -851,9 +855,12 @@ type runImage struct {
 func (l *LifecycleExecution) hasExtensionsForRun() bool {
 	var amd analyzedMD
 	if _, err := toml.DecodeFile(filepath.Join(l.tmpDir, "analyzed.toml"), &amd); err != nil {
+		l.logger.Warnf("failed to parse analyzed.toml file, assuming no run image extensions: %s", err)
 		return false
 	}
 	if amd.RunImage == nil {
+		// this shouldn't be reachable
+		l.logger.Warnf("found no run image in analyzed.toml file, assuming no run image extensions...")
 		return false
 	}
 	return amd.RunImage.Extend
@@ -862,15 +869,22 @@ func (l *LifecycleExecution) hasExtensionsForRun() bool {
 func (l *LifecycleExecution) runImageAfterExtensions() string {
 	var amd analyzedMD
 	if _, err := toml.DecodeFile(filepath.Join(l.tmpDir, "analyzed.toml"), &amd); err != nil {
+		l.logger.Warnf("failed to parse analyzed.toml file, assuming run image did not change: %s", err)
 		return l.opts.RunImage
 	}
 	if amd.RunImage == nil {
 		// this shouldn't be reachable
+		l.logger.Warnf("found no run image in analyzed.toml file, assuming run image did not change...")
 		return l.opts.RunImage
 	}
 	return amd.RunImage.Image
 }
 
+func (l *LifecycleExecution) runImageChanged() bool {
+	currentRunImage := l.runImageAfterExtensions()
+	return currentRunImage != "" && currentRunImage != l.opts.RunImage
+}
+
 func (l *LifecycleExecution) appendLayoutOperations(opts []PhaseConfigProviderOperation) ([]PhaseConfigProviderOperation, error) {
 	layoutDir := filepath.Join(paths.RootDir, "layout-repo")
 	opts = append(opts, WithEnv("CNB_USE_LAYOUT=true", "CNB_LAYOUT_DIR="+layoutDir, "CNB_EXPERIMENTAL_MODE=warn"))

internal/build/lifecycle_execution_test.go

@@ -1709,6 +1709,26 @@ func testLifecycleExecution(t *testing.T, when spec.G, it spec.S) {
 			h.AssertSliceContains(t, configProvider.HostConfig().Binds, expectedBind)
 		})
 
+		when("there are extensions", func() {
+			platformAPI = api.MustParse("0.12")
+
+			when("for build", func() {
+				extensionsForBuild = true
+
+				it("configures the phase with registry access", func() {
+					h.AssertSliceContains(t, configProvider.ContainerConfig().Env, "CNB_REGISTRY_AUTH={}")
+				})
+			})
+
+			when("for run", func() {
+				extensionsForRun = true
+
+				it("configures the phase with registry access", func() {
+					h.AssertSliceContains(t, configProvider.ContainerConfig().Env, "CNB_REGISTRY_AUTH={}")
+				})
+			})
+		})
+
 		when("using cache image", func() {
 			fakeBuildCache = newFakeImageCache()
 
@@ -1999,7 +2019,7 @@ func testLifecycleExecution(t *testing.T, when spec.G, it spec.S) {
 				h.AssertSliceNotContains(t, configProvider.ContainerConfig().Cmd, "-stack")
 			})
 
-			when("extensions", func() {
+			when("there are extensions", func() {
 				when("for run", func() {
 					extensionsForRun = true