Verified Solution: [docker/cli] `DOCKER_AUTH_CONFIG` takes precedence over `docker login`
### ROOT CAUSE
The issue arises because the `DOCKER_AUTH_CONFIG` environment variable, introduced in PR #6008, takes precedence over the `~/.docker/config.json` file used by `docker login`. This environment variable is designed to override the configuration, but in this case, it causes the credentials from the initial read-only login to persist and block the write operation. Specifically, the environment variable remains set even after `docker login` updates the config file, leading to authentication issues during the push.
### CODE FIX
The fix involves unsetting the `DOCKER_AUTH_CONFIG` environment variable after the initial image pull and before the `docker login` command. This ensures that subsequent Docker commands use the updated credentials from `~/.docker/config.json` instead of the stale environment variable.
**Example GitLab CI Job Fix:**
```yaml
job:
  image: docker:18
  services:
    - docker:dind
  variables:
    # Auth config for the read-only account: Docker config JSON whose
    # "auth" value is base64("user:password")
    READ_ONLY_AUTH_CONFIG: '{"auths": {"my.registry.com": {"auth": "..."}}}'
  script:
    # Pull the image using the read-only credentials (via environment variable)
    - export DOCKER_AUTH_CONFIG=$READ_ONLY_AUTH_CONFIG
    - docker pull my.registry.com/my-image
    # Unset DOCKER_AUTH_CONFIG so it no longer overrides ~/.docker/config.json
    - unset DOCKER_AUTH_CONFIG
    # Log in with the write account and push. WRITE_USER and WRITE_PASSWORD are
    # assumed CI/CD variables; --password-stdin keeps the password out of argv.
    - echo "$WRITE_PASSWORD" | docker login my.registry.com -u "$WRITE_USER" --password-stdin
    - docker push my.registry.com/my-image
```
**Explanation:**
1. **Initial Setup:** The `DOCKER_AUTH_CONFIG` is set with read-only credentials for pulling the base image.
2. **Unset Variable:** After pulling the image, unset `DOCKER_AUTH_CONFIG` to prevent it from overriding the updated config file.
3. **Login & Push:** The `docker login` command updates `~/.docker/config.json` with write credentials, which are then used for the push.
This change ensures the environment variable does not interfere with subsequent Docker operations.
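
A pre-push check for the failure described above, as an added example (not code from docker/cli or from the original page): it reports which source supplies credentials for a registry and which `config.json` identity the variable hides, without printing any password. `effective_login` and `username_for` are hypothetical names; the code assumes the variable holds the same JSON `auths` layout as `config.json` and that `config.json` applies when the variable has no entry for the registry.

```python
import base64
import json
import os
import sys
from pathlib import Path


def username_for(auths, registry):
    """Return the user name stored for `registry`, never the password."""
    entry = auths.get(registry)
    if entry is None:
        return None
    if "auth" in entry:  # "auth" is base64("user:password")
        return base64.b64decode(entry["auth"]).decode().split(":", 1)[0]
    return entry.get("username", "")  # helper-backed entries hold no inline secret


def effective_login(registry, environ=None, config_path=None):
    """Return (source, user, shadowed_user) for `registry`.

    shadowed_user is the config.json identity hidden by DOCKER_AUTH_CONFIG,
    or None when nothing different is hidden.
    """
    environ = os.environ if environ is None else environ
    config_path = Path(config_path or Path.home() / ".docker" / "config.json")
    file_auths = {}
    if config_path.is_file():
        file_auths = json.loads(config_path.read_text()).get("auths", {})
    file_user = username_for(file_auths, registry)

    raw = environ.get("DOCKER_AUTH_CONFIG", "")
    env_user = username_for(json.loads(raw).get("auths", {}), registry) if raw else None
    if env_user is not None:
        shadowed = file_user if file_user not in (None, env_user) else None
        return ("DOCKER_AUTH_CONFIG", env_user, shadowed)
    # Assumption: with no matching entry in the variable, config.json applies.
    if file_user is not None:
        return ("config.json", file_user, None)
    return ("none", None, None)


if __name__ == "__main__" and len(sys.argv) > 1:
    source, user, shadowed = effective_login(sys.argv[1])
    print(f"{sys.argv[1]}: credentials from {source} (user={user!r})")
    if shadowed is not None:
        # Exit non-zero so a CI job stops before pushing as the wrong account.
        sys.exit(f"DOCKER_AUTH_CONFIG hides config.json login for {shadowed!r}")
```

Run with the registry host as the only argument just before `docker push`; a non-zero exit means the variable is still set and would override the `docker login` result.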