CI: Docker Hub rate limit failures on ARM runners due to unauthenticated pull of tonistiigi/binfmt

[CharlieTLe]

Problem

The integration (ubuntu-24.04-arm, arm64, ...) CI jobs intermittently fail at the "Install Docker Client" step with:

docker: toomanyrequests: You have reached your unauthenticated pull rate limit.
https://www.docker.com/increase-rate-limit

This happens because install-docker.sh runs docker run --privileged --rm tonistiigi/binfmt --install all without authenticating to Docker Hub. GitHub Actions runners share IP pools, so the anonymous rate limit (100 pulls/6h per IP) is easily exhausted.

Example failure: https://github.com/cortexproject/cortex/actions/runs/24256703215/job/70830753787?pr=7384

Full build log from failed step

Run sudo ./.github/workflows/scripts/install-docker.sh
  sudo ./.github/workflows/scripts/install-docker.sh
  shell: /usr/bin/bash -e {0}
  env:
    GOTOOLCHAIN: local
+ VER=29.2.1
++ uname -m
+ ARCH=aarch64
+ case $ARCH in
+ DOCKER_ARCH=aarch64
+ BUILDX_ARCH=arm64
+ echo 'Installing Docker 29.2.1 for architecture: aarch64 (docker: aarch64, buildx: arm64)'
+ curl -L -o /tmp/docker-29.2.1.tgz https://download.docker.com/linux/static/stable/aarch64/docker-29.2.1.tgz
Installing Docker 29.2.1 for architecture: aarch64 (docker: aarch64, buildx: arm64)
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100 72.6M  100 72.6M    0     0   283M      0 --:--:-- --:--:-- --:--:--  283M
+ tar -xz -C /tmp -f /tmp/docker-29.2.1.tgz
+ mkdir -vp /root/.docker/cli-plugins/
mkdir: created directory '/root/.docker'
mkdir: created directory '/root/.docker/cli-plugins/'
+ curl --silent -L https://github.com/docker/buildx/releases/download/v0.31.1/buildx-v0.31.1.linux-arm64
+ chmod a+x /root/.docker/cli-plugins/docker-buildx
+ mv /tmp/docker/containerd /tmp/docker/containerd-shim-runc-v2 /tmp/docker/ctr /tmp/docker/docker /tmp/docker/docker-init /tmp/docker/docker-proxy /tmp/docker/dockerd /tmp/docker/runc /usr/bin
+ docker run --privileged --rm tonistiigi/binfmt --install all
Unable to find image 'tonistiigi/binfmt:latest' locally
latest: Pulling from tonistiigi/binfmt
docker: toomanyrequests: You have reached your unauthenticated pull rate limit. https://www.docker.com/increase-rate-limit

Run 'docker run --help' for more information
Error: Process completed with exit code 125.

Possible Solutions

1. Skip binfmt on ARM runners — The tonistiigi/binfmt --install all step installs QEMU for cross-arch emulation. If ARM integration tests only run ARM-native containers, this step is unnecessary on ARM runners.
2. Mirror the image to GHCR — Push tonistiigi/binfmt to ghcr.io/cortexproject/binfmt and pull from there. GHCR has no rate limits for public images within GitHub Actions.
3. Authenticate with Docker Hub — Add docker login using a stored access token before the pull.
4. Pin and cache the image — Pin to a specific tag/digest and cache it as an artifact to avoid repeated pulls.

Affected Files

• .github/workflows/scripts/install-docker.sh
• .github/workflows/test-build-deploy.yml