feat: add Docker Hub integration

[rakesh0x]

Summary

This PR adds a new Docker Hub integration for SuperPlane as described in #2243.

Changes

Base Integration

• Docker Hub integration with username/access token authentication
• Validates credentials on sync by testing Docker Hub API access
• Uses Docker Hub v2 API with JWT token authentication

Trigger: On Image Pushed

• Receives Docker Hub webhook events when images are pushed
• Supports optional tag filtering with wildcard patterns
• Emits dockerhub.imagePushed event with push details

Action: List Tags

• Lists tags for a specified Docker Hub repository
• Supports optional pageSize and nameFilter parameters
• Emits dockerhub.tags event with tag information

Frontend

• Added UI mappers for trigger and action components
• Displays repository, tag, and pusher information

Screen.Recording.2026-02-04.at.12.02.00.AM.mp4

Testing

• Added comprehensive unit tests (27 test cases)
• All tests passing

Closes #2243

[AleksandarCole]

@rakesh0x thank you for your submission. Please attach the video recording as specified in the Bounty Details in the issue.

[rakesh0x]

@rakesh0x thank you for your submission. Please attach the video recording as specified in the Bounty Details in the issue.

Attached a video @AleksandarCole, check it out

[AleksandarCole]

@rakesh0x the video shows Unit tests passing - which is great. However, we need the video of in-app usage of the integration and components. I tried running this in dev environment and I do not see either DockerHub integration appearing in UI or the components.

[rakesh0x]

@rakesh0x the video shows Unit tests passing - which is great. However, we need the video of in-app usage of the integration and components. I tried running this in dev environment and I do not see either DockerHub integration appearing in UI or the components.

oh yeah, i haven't imported the dockerhub package anywhere , so the package haven't loaded
fixed this issue, should work now @AleksandarCole :)

[lucaspin]

@rakesh0x how is the webhook setup working? Looks like DockerHub webhooks are per repository

[rakesh0x]

@rakesh0x how is the webhook setup working? Looks like DockerHub webhooks are per repository

Docker Hub doesn't provide an API to programmatically create webhooks, they must be manually configured by users in the Docker Hub UI per repository.

[rakesh0x]

yup, now the integration appears in the list @AleksandarCole

[rakesh0x]

@lucaspin The 4 failing E2E tests are unrelated to docker hub integration , these appear to be pre existing flaky tests, could you please confirm , if these tests are known to be flaky

[lucaspin]

Docker Hub doesn't provide an API to programmatically create webhooks, they must be manually configured by users in the Docker Hub UI per repository.

@rakesh0x and how are users doing this? Which SuperPlane URL are you using to do that?

[rakesh0x]

Docker Hub doesn't provide an API to programmatically create webhooks, they must be manually configured by users in the Docker Hub UI per repository.

@rakesh0x and how are users doing this? Which SuperPlane URL are you using to do that?

When users set up the "On Image Pushed" trigger in SuperPlane, the system generates a unique webhook URL (like https://your-superplane.com/webhooks/abc123).

Users then copy this URL and paste it into their Docker Hub repo settings under Webhooks. It's a manual step since Docker Hub doesn't have an API for creating webhooks programmatically.

The URL is shown in the trigger configuration UI after setup.

[rakesh0x]

hey @lucaspin , can you please review and merge if everything is good

[lucaspin]

@rakesh0x I checked out your changes, but I can't even open the application:

---

Also, CI is failing.

[rakesh0x]

@rakesh0x I checked out your changes, but I can't even open the application:

Also, [CI is failing](https://superplanehq.semaphoreci.com/workflows/c211a1db-49c7-45f1-92ad-7a4839036f53?pipeline_id=dc878c44-a4b7-4dce-b936-20f86e02d0ba).

i had to keep merging the branch again and again, so it created a merge conflicts
fixed the issue , should work now

[rakesh0x]

@lucaspin fixed the ci as well

[lucaspin]

@rakesh0x tested and reviewed your PR. It's not there yet, but it has potential. Here's a list of things we need to address before being able to merge it.

Missing icon on integrations page and on component sidebar

Do not authenticate every time

We are calling authenticate() every time, which is not efficient. The JWT we get back from DockerHub has an expiration time. We should store it as an integration secret, reuse for operations, and use ctx.Integration.ScheduleActionCall to schedule a refresh operation before it expires.

listTags component

We have been discussing list operations in this thread. I don't really see a concrete use case for that one, so I'd just remove it for now.

I think a better alternative component here would be a describeImageTag instead. The use case for that would be: since the webhook payload from DockerHub does not include all the information about the image being pushed, you can grab the additional information through describeImageTag.

onImagePushed component

A couple of notes for this one:

• Rename it to onImagePush. Check this comment for the reason why.
• The repository configuration field should be an IntegrationResource field type, so user can select from a list. We can use this API endpoint to fetch repositories. We will need to include a namespace configuration for this to work properly too, and use this idea to properly list repositories in the correct namespace.
• Rename the tagFilter configuration field to just tags, and use AnyPredicateList as the type. That is a common and established pattern for filtering things already in the system already. Check github.onPush for example.
• On Setup(), verify that repository exists in Docker Hub. Once verified, use an object to store information the repository in the trigger metadata. That makes it easier to extend the trigger with more information in the future, if needed, and also allows us to store more information about the repository, like the URL. Check the semaphore.onPipelineDone for example.
• There is no way for the user to know which URL to use to create the trigger in DockerHub. Use ctx.Webhook.Setup() instead of ctx.Integration.RequestWebhook(), since the webhook won't be provisioned through the integration, and store the URL returned by it in the metadata. Also, to show that to the user, you will need a CustomFieldRenderer in your mapper. You can check how the webhook trigger does it. If we store the repository URL in the metadata, we can even have the link pointing the user to the proper page in DockerHub to create the webhook.

[cursor]

Case-sensitive repository comparison may silently drop webhooks

Medium Severity

The webhook handler compares payload.Repository.RepoName against expectedRepo using case-sensitive string comparison. Docker Hub normalizes repository names to lowercase in webhook payloads, but the expectedRepo is constructed from config.Namespace and config.Repository which come from user input without normalization. If a user configures "MyOrg/MyApp" but Docker Hub sends "myorg/myapp" in the webhook, the comparison fails and events are silently ignored.

 

[cursor]

Unused function splitRepository is dead code

Low Severity

The splitRepository function is defined but never called anywhere in the codebase. This helper function should be removed or used.

 

[cursor]

Unused legacy types in new integration

Low Severity

OnImagePushedMetadata and OnImagePushedConfiguration are labeled as "Legacy types for backwards compatibility" but this is a brand new integration. These types are never used anywhere in the codebase.

 

[cursor]

Unused ListTagsResponse TypeScript interface

Low Severity

The ListTagsResponse interface is defined but never imported or used anywhere in the frontend codebase.

 

[cursor]

Cursor Bugbot has reviewed your changes and found 5 potential issues.

^{Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.}

[cursor]

Empty configuration field in OnEmailEvent Configuration

High Severity

The Configuration() method includes a trailing empty configuration.Field{} in the returned slice. This zero-value struct has no name, label, or type, and will likely render as a broken or blank field in the UI form for the "On Email Event" trigger configuration.

 

[cursor]

Duplicate sidebar order for Semaphore and SendGrid

Low Severity

Both Semaphore.mdx and SendGrid.mdx have order: 15 in their sidebar frontmatter. SendGrid appears after Semaphore alphabetically, so it needs order: 16, and Slack.mdx would need order: 17 to maintain proper ordering.

Additional Locations (1)

• docs/components/Semaphore.mdx#L3-L4

 

[cursor]

Private key material leaked in error message

Medium Severity

The getSigner method includes up to 50 characters of the raw private key bytes in its error message via keyPreview. This sensitive credential material could end up in logs, UI error displays, or monitoring systems. The error message already includes the key length, which is sufficient for debugging without exposing actual key content.

 

[cursor]

Working directory not shell-quoted in SSH command

Medium Severity

The WorkingDirectory value is interpolated directly into the shell command without quoting. Paths containing spaces, shell metacharacters, or special characters will cause the cd to fail or behave unexpectedly. The directory path needs to be shell-quoted in the fmt.Sprintf call.

 

[cursor]

Missing error check on passphrase secret lookup

Medium Severity

When the user configures a passphrase secret reference and IsSet() returns true, the error from ctx.Secrets.GetKey is silently discarded with _. If the referenced secret or key doesn't exist, passphrase will be nil, and the SSH client will attempt to parse the encrypted key without a passphrase. This produces a misleading "failed to parse private key" error instead of a clear message about the missing passphrase credential — unlike the private key path directly above, which properly checks and wraps the error.