Add-on build fails to pull base images from private registries

[agners]

The problem

When building add-ons that use a base image from a private registry, the build fails because credentials are not passed to the build process.

Current behavior

1. User configures registry credentials via the Supervisor API (/docker/registries)
2. Credentials are stored in Supervisor's own config file (docker.json), NOT in ~/.docker/config.json
3. When building an add-on with a private base image:
   • Build runs docker buildx build --pull inside a Docker-in-Docker container
   • The Docker socket is mounted, using the host's Docker daemon
   • BuildKit attempts to pull the base image but has no access to credentials
   • Build fails with authentication error

Root cause

In supervisor/addons/build.py, the get_docker_args() method constructs the build command but doesn't pass any credentials:

return {
    "command": build_cmd,
    "volumes": {
        SOCKET_DOCKER: {"bind": "/var/run/docker.sock", "mode": "rw"},
        addon_extern_path: {"bind": "/addon", "mode": "ro"},
    },
    "working_dir": "/addon",
}

Possible solutions

1. Use BuildKit secrets: Pass credentials via --secret flag to docker buildx build
2. Mount docker config: Generate a temporary config.json with credentials and mount it
3. Use docker login before build: Run docker login inside the build container before building

Related

This is related to #6345 which fixed the install/update path for private registries. The build path has the same underlying issue but requires a different solution.

Environment

• Supervisor version: all versions with build support
• This is a pre-existing issue, not a regression