495b903b08
Introduce codeql.yml to enable SAST scanning |
||
---|---|---|
.github | ||
__tests__ | ||
dist | ||
src | ||
.dockerignore | ||
.editorconfig | ||
.eslintignore | ||
.eslintrc.json | ||
.gitattributes | ||
.gitignore | ||
.prettierrc.json | ||
LICENSE | ||
README.md | ||
action.yml | ||
codecov.yml | ||
dev.Dockerfile | ||
docker-bake.hcl | ||
jest.config.ts | ||
package.json | ||
tsconfig.json | ||
yarn.lock |
README.md
About
GitHub Action to login against a Docker registry.
Usage
Docker Hub
When authenticating to Docker Hub with GitHub Actions, use a personal access token. Don't use your account password.
name: ci
on:
push:
branches: main
jobs:
login:
runs-on: ubuntu-latest
steps:
-
name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
GitHub Container Registry
To authenticate to the GitHub Container Registry,
use the GITHUB_TOKEN
secret.
name: ci
on:
push:
branches: main
jobs:
login:
runs-on: ubuntu-latest
steps:
-
name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
You may need to manage write and read access of GitHub Actions for repositories in the container settings.
You can also use a personal access token (PAT) with the appropriate scopes.
GitLab
name: ci
on:
push:
branches: main
jobs:
login:
runs-on: ubuntu-latest
steps:
-
name: Login to GitLab
uses: docker/login-action@v3
with:
registry: registry.gitlab.com
username: ${{ secrets.GITLAB_USERNAME }}
password: ${{ secrets.GITLAB_PASSWORD }}
If you have Two-Factor Authentication enabled, use a Personal Access Token instead of a password.
Azure Container Registry (ACR)
Create a service principal with access to your container registry through the Azure CLI and take note of the generated service principal's ID (also called client ID) and password (also called client secret).
name: ci
on:
push:
branches: main
jobs:
login:
runs-on: ubuntu-latest
steps:
-
name: Login to ACR
uses: docker/login-action@v3
with:
registry: <registry-name>.azurecr.io
username: ${{ secrets.AZURE_CLIENT_ID }}
password: ${{ secrets.AZURE_CLIENT_SECRET }}
Replace
<registry-name>
with the name of your registry.
Google Container Registry (GCR)
Google Artifact Registry is the evolution of Google Container Registry. As a fully-managed service with support for both container images and non-container artifacts. If you currently use Google Container Registry, use the information on this page to learn about transitioning to Google Artifact Registry.
You can authenticate with workload identity federation or a service account.
Workload identity federation
Configure the workload identity federation for GitHub Actions in Google Cloud,
see here.
Your service account must have permission to push to GCR. Use the
google-github-actions/auth
action to authenticate using workload identity as
shown in the following example:
name: ci
on:
push:
branches: main
jobs:
login:
runs-on: ubuntu-latest
steps:
-
name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@v1
with:
token_format: access_token
workload_identity_provider: <workload_identity_provider>
service_account: <service_account>
-
name: Login to GCR
uses: docker/login-action@v3
with:
registry: gcr.io
username: oauth2accesstoken
password: ${{ steps.auth.outputs.access_token }}
Replace
<workload_identity_provider>
with configured workload identity provider. For steps to configure, see here.
Replace
<service_account>
with configured service account in workload identity provider which has access to push to GCR
Service account based authentication
Use a service account with permission to push to GCR and configure access control.
Download the key for the service account as a JSON file. Save the contents of
the file as a secret
named GCR_JSON_KEY
in your GitHub repository. Set the username to _json_key
,
or _json_key_base64
if you use a base64-encoded key.
name: ci
on:
push:
branches: main
jobs:
login:
runs-on: ubuntu-latest
steps:
-
name: Login to GCR
uses: docker/login-action@v3
with:
registry: gcr.io
username: _json_key
password: ${{ secrets.GCR_JSON_KEY }}
Google Artifact Registry (GAR)
You can authenticate with workload identity federation or a service account.
Workload identity federation
Download the key for the service account as a JSON file. Save the contents of
the file as a secret
named GCR_JSON_KEY
in your GitHub repository. Set the username to _json_key
,
or _json_key_base64
if you use a base64-encoded key.
name: ci
on:
push:
branches: main
jobs:
login:
runs-on: ubuntu-latest
steps:
-
name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@v1
with:
token_format: access_token
workload_identity_provider: <workload_identity_provider>
service_account: <service_account>
-
name: Login to GAR
uses: docker/login-action@v3
with:
registry: <location>-docker.pkg.dev
username: oauth2accesstoken
password: ${{ steps.auth.outputs.access_token }}
Replace
<workload_identity_provider>
with configured workload identity provider
Replace
<service_account>
with configured service account in workload identity provider which has access to push to GCR
Replace
<location>
with the regional or multi-regional location of the repository where the image is stored.
Service account based authentication
Use a service account with permission to push to GAR and configure access control.
Download the key for the service account as a JSON file. Save the contents of
the file as a secret
named GCR_JSON_KEY
in your GitHub repository. Set the username to _json_key
,
or _json_key_base64
if you use a base64-encoded key.
name: ci
on:
push:
branches: main
jobs:
login:
runs-on: ubuntu-latest
steps:
-
name: Login to GAR
uses: docker/login-action@v3
with:
registry: <location>-docker.pkg.dev
username: _json_key
password: ${{ secrets.GAR_JSON_KEY }}
Replace
<location>
with the regional or multi-regional location of the repository where the image is stored.
AWS Elastic Container Registry (ECR)
Use an IAM user with the ability to push to ECR with AmazonEC2ContainerRegistryPowerUser
managed policy for example.
Download the access keys and save them as AWS_ACCESS_KEY_ID
and AWS_SECRET_ACCESS_KEY
as secrets
in your GitHub repo.
name: ci
on:
push:
branches: main
jobs:
login:
runs-on: ubuntu-latest
steps:
-
name: Login to ECR
uses: docker/login-action@v3
with:
registry: <aws-account-number>.dkr.ecr.<region>.amazonaws.com
username: ${{ secrets.AWS_ACCESS_KEY_ID }}
password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
If you need to log in to Amazon ECR registries associated with other accounts,
you can use the AWS_ACCOUNT_IDS
environment variable:
name: ci
on:
push:
branches: main
jobs:
login:
runs-on: ubuntu-latest
steps:
-
name: Login to ECR
uses: docker/login-action@v3
with:
registry: <aws-account-number>.dkr.ecr.<region>.amazonaws.com
username: ${{ secrets.AWS_ACCESS_KEY_ID }}
password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
env:
AWS_ACCOUNT_IDS: 012345678910,023456789012
Only available with AWS CLI version 1
You can also use the Configure AWS Credentials action in combination with this action:
name: ci
on:
push:
branches: main
jobs:
login:
runs-on: ubuntu-latest
steps:
-
name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: <region>
-
name: Login to ECR
uses: docker/login-action@v3
with:
registry: <aws-account-number>.dkr.ecr.<region>.amazonaws.com
Replace
<aws-account-number>
and<region>
with their respective values.
AWS Public Elastic Container Registry (ECR)
Use an IAM user with permission to push to ECR Public, for example using managed policies.
Download the access keys and save them as AWS_ACCESS_KEY_ID
and
AWS_SECRET_ACCESS_KEY
secrets
in your GitHub repository.
name: ci
on:
push:
branches: main
jobs:
login:
runs-on: ubuntu-latest
steps:
-
name: Login to Public ECR
uses: docker/login-action@v3
with:
registry: public.ecr.aws
username: ${{ secrets.AWS_ACCESS_KEY_ID }}
password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
env:
AWS_REGION: <region>
Replace
<region>
with its respective value (defaultus-east-1
).
OCI Oracle Cloud Infrastructure Registry (OCIR)
To push into OCIR in specific tenancy the username
must be placed in format <tenancy>/<username>
(in case of federated tenancy use the format
<tenancy-namespace>/oracleidentitycloudservice/<username>
).
For password create an auth token. Save username and token as a secrets in your GitHub repo.
name: ci
on:
push:
branches: main
jobs:
login:
runs-on: ubuntu-latest
steps:
-
name: Login to OCIR
uses: docker/login-action@v3
with:
registry: <region>.ocir.io
username: ${{ secrets.OCI_USERNAME }}
password: ${{ secrets.OCI_TOKEN }}
Replace
<region>
with their respective values from availability regions
Quay.io
Use a Robot account with permission to push to a Quay.io repository.
name: ci
on:
push:
branches: main
jobs:
login:
runs-on: ubuntu-latest
steps:
-
name: Login to Quay.io
uses: docker/login-action@v3
with:
registry: quay.io
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_ROBOT_TOKEN }}
Customizing
inputs
The following inputs can be used as step.with
keys:
Name | Type | Default | Description |
---|---|---|---|
registry |
String | Server address of Docker registry. If not set then will default to Docker Hub | |
username |
String | Username for authenticating to the Docker registry | |
password |
String | Password or personal access token for authenticating the Docker registry | |
ecr |
String | auto |
Specifies whether the given registry is ECR (auto , true or false ) |
logout |
Bool | true |
Log out from the Docker registry at the end of a job |
Keep up-to-date with GitHub Dependabot
Since Dependabot
has native GitHub Actions support,
to enable it on your GitHub repo all you need to do is add the .github/dependabot.yml
file:
version: 2
updates:
# Maintain dependencies for GitHub Actions
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "daily"