From 027a23350570b8809632ea3a0d7f3ea95bc54726 Mon Sep 17 00:00:00 2001
From: Jacob Tomlinson
Date: Wed, 19 Nov 2025 16:59:22 +0000
Subject: [PATCH 1/3] Allow setting a DockerHub Personal Access Token
---
 ci/update-kubernetes.py | 27 ++++++++++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)
diff --git a/ci/update-kubernetes.py b/ci/update-kubernetes.py
index d57b71f..c10ca17 100755
--- a/ci/update-kubernetes.py
+++ b/ci/update-kubernetes.py
@@ -140,12 +140,37 @@ def extend_versions(versions, extended_versions, provider):
 return versions
 
 
+def dockerhub_auth():
+ if not os.environ.get("DOCKERHUB_USERNAME") or not os.environ.get(
+ "DOCKERHUB_TOKEN"
+ ):
+ return None
+ data = json.dumps(
+ {
+ "identifier": os.environ.get("DOCKERHUB_USERNAME"),
+ "secret": os.environ.get("DOCKERHUB_TOKEN"),
+ }
+ ).encode()
+ req = urllib.request.Request(
+ "https://hub.docker.com/v2/auth/token",
+ data=data,
+ headers={"Content-Type": "application/json"},
+ )
+ with urllib.request.urlopen(req) as resp:
+ return json.load(resp)["access_token"]
+
+
 def get_kind_versions():
 print("Loading Kubernetes tags from https://hub.docker.com/r/kindest/node/tags...")
 container_tags = []
+ headers = {}
+ jwt_token = dockerhub_auth()
+ if jwt_token:
+ headers = {"Authorization": f"Bearer {jwt_token}"}
 next_url = "https://hub.docker.com/v2/repositories/kindest/node/tags"
 while next_url:
- with urllib.request.urlopen(next_url) as url:
+ req = urllib.request.Request(next_url, headers=headers)
+ with urllib.request.urlopen(req) as url:
 results = json.load(url)
 container_tags += results["results"]
 if "next" in results and results["next"]:
From 2ef41929276ccdfc4ffb972e091ac38b1891abc1 Mon Sep 17 00:00:00 2001
From: Jacob Tomlinson
Date: Wed, 19 Nov 2025 16:59:36 +0000
Subject: [PATCH 2/3] Only run update Kubernetes scripts on upstream repo
---
 .github/workflows/update-kubernetes.yaml | 1 +
 1 file changed, 1 insertion(+)
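Review bot: The `Authorization: Bearer` header built in `get_kind_versions` is attached to every request in the pagination loop, and the URL for those requests comes from the `next` field of the previous response, so the token is sent to whatever host that field names (urllib also carries request headers across an HTTP redirect). A check at the top of the loop keeps the credential on Docker Hub: `if urllib.parse.urlsplit(next_url).hostname != "hub.docker.com": raise RuntimeError(f"unexpected pagination host: {next_url}")`, with `import urllib.parse` added if the file does not already have it. Both new `urlopen` calls also run without a timeout, so a stalled connection holds the CI job until the runner limit; `urllib.request.urlopen(req, timeout=30)` bounds it. The assignment of `next_url` from `results["next"]` presumably follows the last context line and is outside this hunk.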
diff --git a/.github/workflows/update-kubernetes.yaml b/.github/workflows/update-kubernetes.yaml
index 539aca7..65cae96 100644
--- a/.github/workflows/update-kubernetes.yaml
+++ b/.github/workflows/update-kubernetes.yaml
@@ -10,6 +10,7 @@ on:
 
 jobs:
 update-kubernetes:
+ if: github.repository == 'kr8s-org/kr8s'
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
From 02fc0e124f408c7f290fbe607b176cad00328775 Mon Sep 17 00:00:00 2001
From: Jacob Tomlinson
Date: Wed, 19 Nov 2025 17:00:28 +0000
Subject: [PATCH 3/3] Set credentials in GitHub Action
---
 .github/workflows/update-kubernetes.yaml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/.github/workflows/update-kubernetes.yaml b/.github/workflows/update-kubernetes.yaml
index 65cae96..3d94693 100644
--- a/.github/workflows/update-kubernetes.yaml
+++ b/.github/workflows/update-kubernetes.yaml
@@ -18,6 +18,12 @@ jobs:
 - name: Install uv
 uses: astral-sh/setup-uv@v5
 - name: Update Kubernetes
+ env:
+ # Set optional secrets for Docker Hub authentication
+ # If not set, the script will not attempt to authenticate with Docker Hub
+ # but may run into rate limiting errors from Docker Hub.
+ DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME || '' }}
+ DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN || '' }}
 run: uv run ./ci/update-kubernetes.py
 - name: Show diff
 id: diff
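Review bot: The step that now receives `DOCKERHUB_TOKEN` runs the `uv` binary installed two lines earlier by `astral-sh/setup-uv@v5`, and that action is referenced by a mutable tag, so whatever the tag resolves to at run time executes with the token in its environment. Pinning the action to a full commit SHA, `uses: astral-sh/setup-uv@<full-commit-sha>  # v5`, removes that dependency on the tag. The new comment block is also the place to record the scope the token needs; the script only lists tags of a public repository, so a line such as `# Use a Docker Hub access token limited to read-only access on public repositories.` would document least privilege. The `|| ''` fallbacks are redundant, since an unset secret already expands to an empty string.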