As part of https://gerrit.wikimedia.org/r/664683 there is now a dedicated "ci-build" user that CI should use when pushing to docker-registry.wikimedia.org instead of the legacy generic "uploader" one.
I see it used in profile::ci::shipyard and will update that, but are the credentials anywhere else outside of puppet like in Jenkins?