tsic, gh: keep unstable on Docker Hub

ghcr.io/tailscale/tailscale:unstable is stale (last updated 2022,
points to v1.35.25). Only tailscale/tailscale on Docker Hub publishes
current unstable builds, so tsic.go reverts the unstable case and
build-tailscale-released pulls unstable from Docker Hub while keeping
release tags on ghcr.io.

Release tags on ghcr.io match Docker Hub by digest (verified v1.96),
so the rate-limit avoidance for the bulk of pulls is preserved.

Add the conditional docker/login-action step to the new job so the
main repo gets authenticated pulls; fork PRs fall through to anonymous
DH for the single unstable pull per CI run, well under the 100/6h
anonymous limit.

.github/workflows/test-integration.yaml

@@ -170,30 +170,44 @@ jobs:
           echo '{"storage-driver":"overlay2"}' | sudo tee /etc/docker/daemon.json
           sudo systemctl restart docker
           docker version
+      - name: Login to Docker Hub
+        env:
+          DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_CI_USERNAME }}
+          DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_CI_TOKEN }}
+        if: env.DOCKERHUB_USERNAME != ''
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          username: ${{ env.DOCKERHUB_USERNAME }}
+          password: ${{ env.DOCKERHUB_TOKEN }}
       - name: List Tailscale versions to pre-pull
         id: versions
         run: |
           versions=$(nix develop --command go run ./cmd/hi list-versions --set=must --exclude=head)
           echo "versions=${versions}" >> "$GITHUB_OUTPUT"
           echo "Pre-pulling: ${versions}"
-      - name: Pull released Tailscale images
+      - name: Pull Tailscale images
         run: |
-          # ghcr.io public reads are anonymous and unmetered, so no docker
-          # login is needed even on fork PRs without DOCKERHUB_USERNAME.
-          # Pull in parallel; xargs -P 0 fans out one process per tag and
-          # returns non-zero if any pull fails.
-          echo "${{ steps.versions.outputs.versions }}" \
-            | tr ' ' '\n' \
-            | xargs -P 0 -I{} docker pull "ghcr.io/tailscale/tailscale:{}"
+          # Releases come from ghcr.io (anonymous, unmetered). The
+          # "unstable" floating tag on ghcr.io has been stale since 2022,
+          # so it still needs to come from Docker Hub. xargs -P 0 fans
+          # out one process per tag and returns non-zero if any pull
+          # fails.
+          refs=""
+          for v in ${{ steps.versions.outputs.versions }}; do
+            if [ "${v}" = "unstable" ]; then
+              refs="${refs} tailscale/tailscale:${v}"
+            else
+              refs="${refs} ghcr.io/tailscale/tailscale:${v}"
+            fi
+          done
+          echo "${refs}" | tr ' ' '\n' | grep -v '^$' \
+            | xargs -P 0 -I{} docker pull "{}"
+          echo "REFS=${refs}" >> "$GITHUB_ENV"
       - name: Save Tailscale images to tarball
         run: |
           # Single docker save with all refs: one consistent snapshot, no
           # parallel-daemon race.
-          refs=""
-          for v in ${{ steps.versions.outputs.versions }}; do
-            refs="${refs} ghcr.io/tailscale/tailscale:${v}"
-          done
-          docker save ${refs} | gzip > tailscale-released-images.tar.gz
+          docker save ${REFS} | gzip > tailscale-released-images.tar.gz
           ls -lh tailscale-released-images.tar.gz
       - name: Upload Tailscale released images
         uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0

integration/tsic/tsic.go

@@ -522,7 +522,10 @@ func New(
 			}
 		}
 	case "unstable":
-		tailscaleOptions.Repository = "ghcr.io/tailscale/tailscale"
+		// ghcr.io/tailscale/tailscale:unstable is stale (last updated
+		// 2022); only tailscale/tailscale on Docker Hub publishes
+		// current unstable builds.
+		tailscaleOptions.Repository = "tailscale/tailscale"
 		tailscaleOptions.Tag = version
 
 		err = dockertestutil.PullWithAuth(pool, tailscaleOptions.Repository+":"+tailscaleOptions.Tag)