fix(v1/remote): return an error if both auth and keychain are set

pkg/v1/remote/options.go

@@ -102,7 +102,6 @@ var DefaultTransport = &http.Transport{
 
 func makeOptions(target authn.Resource, opts ...Option) (*options, error) {
 	o := &options{
-		auth:           authn.Anonymous,
 		transport:      DefaultTransport,
 		platform:       defaultPlatform,
 		context:        context.Background(),
@@ -118,12 +117,19 @@ func makeOptions(target authn.Resource, opts ...Option) (*options, error) {
 		}
 	}
 
-	if o.keychain != nil {
+	switch {
+	case o.auth != nil && o.keychain != nil:
+		// It is a better experience to explicitly tell a caller their auth is misconfigured
+		// than potentially fail silently when the correct auth is overridden by option misuse.
+		return nil, errors.New("provide an option for either authn.Authenticator or authn.Keychain, not both")
+	case o.keychain != nil:
 		auth, err := o.keychain.Resolve(target)
 		if err != nil {
 			return nil, err
 		}
 		o.auth = auth
+	case o.auth == nil:
+		o.auth = authn.Anonymous
 	}
 
 	// transport.Wrapper is a signal that consumers are opt-ing into providing their own transport without any additional wrapping.
@@ -163,6 +169,7 @@ func WithTransport(t http.RoundTripper) Option {
 
 // WithAuth is a functional option for overriding the default authenticator
 // for remote operations.
+// It is an error to use both WithAuth and WithAuthFromKeychain in the same Option set.
 //
 // The default authenticator is authn.Anonymous.
 func WithAuth(auth authn.Authenticator) Option {
@@ -175,6 +182,7 @@ func WithAuth(auth authn.Authenticator) Option {
 // WithAuthFromKeychain is a functional option for overriding the default
 // authenticator for remote operations, using an authn.Keychain to find
 // credentials.
+// It is an error to use both WithAuth and WithAuthFromKeychain in the same Option set.
 //
 // The default authenticator is authn.Anonymous.
 func WithAuthFromKeychain(keys authn.Keychain) Option {