There are several categories of commands that work with Docker registry, thus need to authorize in Docker registry:

These commands do not perform authorization and use prepared docker config to work with Docker registry. Docker config is a directory which contains authorization info for registries and other settings. By default, werf uses the same docker config as Docker utility does: ~/.docker. Docker config directory can be redefined by --docker-config option, $DOCKER_CONFIG or $WERF_DOCKER_CONFIG environment variables. The option and variable value is the same as docker --config standard option value.

To prepare docker config you can use standart Docker client command login or, if you are using CI system, ci-env command in werf (more info about plugging werf into CI systems).

Using docker login in parallel CI jobs can lead to failed jobs because of a race condition and temporary credentials. One job affects another job overriding temporary credentials in Docker config. Thus user should provide independent Docker configs between jobs, docker --config, or use ci-env command