Encourage registry password from ENV

README.md

@@ -14,7 +14,8 @@ servers:
   - 192.168.0.2
 registry:
   username: registry-user-name
-  password: <%= ENV.fetch("MRSK_REGISTRY_PASSWORD") %>
+  password:
+    - MRSK_REGISTRY_PASSWORD
 env:
   secret:
     - RAILS_MASTER_KEY

lib/mrsk/cli/templates/deploy.yml

@@ -13,7 +13,8 @@ registry:
   # Specify the registry server, if you're not using Docker Hub
   # server: registry.digitalocean.com / ghcr.io / ...
   username: my-user
-  password: my-password-should-go-somewhere-safe
+  password:
+    - MRSK_REGISTRY_PASSWORD
 
 # Inject ENV variables into containers (secrets come from .env).
 # env:

lib/mrsk/commands/registry.rb

@@ -2,10 +2,19 @@ class Mrsk::Commands::Registry < Mrsk::Commands::Base
   delegate :registry, to: :config
 
   def login
-    docker :login, registry["server"], "-u", redact(registry["username"]), "-p", redact(registry["password"])
+    docker :login, registry["server"], "-u", redact(registry["username"]), "-p", redact(lookup_password)
   end
 
   def logout
     docker :logout, registry["server"]
   end
+
+  private
+    def lookup_password
+      if registry["password"].is_a?(Array)
+        ENV.fetch(registry["password"].first).dup
+      else
+        registry["password"]
+      end
+    end
 end

test/commands/registry_test.rb

@@ -19,6 +19,17 @@ class CommandsRegistryTest < ActiveSupport::TestCase
       @registry.login.join(" ")
   end
 
+  test "registry login with ENV password" do
+    ENV["MRSK_REGISTRY_PASSWORD"] = "more-secret"
+    @config[:registry]["password"] = [ "MRSK_REGISTRY_PASSWORD" ]
+
+    assert_equal \
+      "docker login hub.docker.com -u dhh -p more-secret",
+      @registry.login.join(" ")
+  ensure
+    ENV.delete("MRSK_REGISTRY_PASSWORD")
+  end
+
   test "registry logout" do
     assert_equal \
       "docker logout hub.docker.com",