Fix CopyBaseImages failure for external source registries (#1975)

Fix the `check-base-image-updates-official` pipeline
caused by `CopyImageService.ImportImageAsync` throwing
`InvalidOperationException` when the source registry is an external
registry like `docker.io`. PR #1945 moved subscription and resource
group lookups into `CopyImageService`, but the new code unconditionally calls `GetRegistryResource()` for the source registry, which throws when the registry isn't in the publish configuration. External registries like `docker.io` use username/password credentials for ACR import (via `RegistryAddress` + `Credentials`), not Azure resource IDs — they are intentionally not in the `RegistryAuthentication` list.

- Check `FindRegistryAuthentication()` before calling
`GetRegistryResource()` in `CopyImageService.ImportImageAsync`, so
external source registries correctly get a null `ResourceId` and use the
`RegistryAddress` code path
- Add test
`ImportImageAsync_ExternalSourceRegistry_DoesNotRequireSourceRegistryInPublishConfig`
to cover the non-dry-run external registry scenario (existing test only
covered the dry-run path)

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: lbussell

src/ImageBuilder.Tests/CopyImageServiceTests.cs

@@ -1,7 +1,9 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
+using System;
 using System.Threading.Tasks;
+using Azure.Core;
 using Microsoft.DotNet.ImageBuilder.Configuration;
 using Microsoft.DotNet.ImageBuilder.Tests.Helpers;
 using Microsoft.Extensions.Logging;
@@ -35,4 +37,64 @@ await Should.NotThrowAsync(() =>
                 srcRegistryName: "docker.io",
                 isDryRun: true));
     }
+
+    /// <summary>
+    /// When the source registry is external (e.g., docker.io) and not in the publish configuration,
+    /// ImportImageAsync should proceed past the registry lookup without throwing. External registries
+    /// use RegistryAddress + Credentials for ACR import, not ResourceId.
+    /// </summary>
+    [Fact]
+    public async Task ImportImageAsync_ExternalSourceRegistry_DoesNotRequireSourceRegistryInPublishConfig()
+    {
+        var publishConfig = new PublishConfiguration
+        {
+            RegistryAuthentication =
+            [
+                new RegistryAuthentication
+                {
+                    Server = "myacr.azurecr.io",
+                    ResourceGroup = "my-rg",
+                    Subscription = Guid.NewGuid().ToString(),
+                    ServiceConnection = new ServiceConnection
+                    {
+                        Name = "test",
+                        Id = Guid.NewGuid().ToString(),
+                        TenantId = Guid.NewGuid().ToString(),
+                        ClientId = Guid.NewGuid().ToString()
+                    }
+                }
+            ]
+        };
+
+        var mockCredProvider = new Mock<IAzureTokenCredentialProvider>();
+        mockCredProvider
+            .Setup(x => x.GetCredential(It.IsAny<ServiceConnection>()))
+            .Returns(Mock.Of<TokenCredential>());
+
+        var service = new CopyImageService(
+            Mock.Of<ILogger<CopyImageService>>(),
+            mockCredProvider.Object,
+            ConfigurationHelper.CreateOptionsMock(publishConfig));
+
+        try
+        {
+            await service.ImportImageAsync(
+                destTagNames: ["mirror/repo:tag"],
+                destAcrName: "myacr.azurecr.io",
+                srcTagName: "repo:tag",
+                srcRegistryName: "docker.io",
+                isDryRun: false);
+        }
+        catch (InvalidOperationException ex) when (ex.Message.Contains("No authentication details found"))
+        {
+            Assert.Fail($"External source registries should not require publish configuration: {ex.Message}");
+        }
+        catch
+        {
+            // ARM SDK failures are expected with mocked credentials
+        }
+
+        // Verify execution reached the ARM client (past the registry lookup)
+        mockCredProvider.Verify(x => x.GetCredential(It.IsAny<ServiceConnection>()), Times.Once);
+    }
 }

src/ImageBuilder/Configuration/ConfigurationExtensions.cs

@@ -47,7 +47,7 @@ auth.Server is not null
                 && Acr.Parse(auth.Server) == targetAcr);
     }
 
-    public static ResourceIdentifier GetRegistryResource(this PublishConfiguration publishConfig, string registry)
+    public static ResourceIdentifier GetAcrResource(this PublishConfiguration publishConfig, string registry)
     {
         var registryAuthentication = publishConfig.FindRegistryAuthentication(registry)
             ?? throw new InvalidOperationException(

src/ImageBuilder/CopyImageService.cs

@@ -70,10 +70,16 @@ public async Task ImportImageAsync(
             return;
         }
 
-        var destResourceId = _publishConfig.GetRegistryResource(destAcrName);
-        var srcResourceId = srcRegistryName is not null
-            ? _publishConfig.GetRegistryResource(srcRegistryName)
-            : null;
+        var destResourceId = _publishConfig.GetAcrResource(destAcrName);
+
+        // Only look up the source resource ID for registries in the publish config (i.e. ACRs).
+        // External registries like docker.io use RegistryAddress + Credentials instead.
+        ResourceIdentifier? srcResourceId =
+            // TODO: In the future, ACR credentials (user/pw) could be passed via PublishConfiguration
+            // as well, and resolved here.
+            srcRegistryName is not null && _publishConfig.FindRegistryAuthentication(srcRegistryName) is not null
+                ? _publishConfig.GetAcrResource(srcRegistryName)
+                : null;
 
         // Azure ACR import only supports one source identifier. Use ResourceId for ACR-to-ACR
         // imports (same tenant), or RegistryAddress for external registries.