Create Github Action that uses a private Docker image #26399
-
Hi all, I would like to create a Github action and to sell it on the marketplace. My action should be based on a Docker image that is stored on a private Docker registry and for licensing/security issues nobody could have direct access to it. Is there a way, also using Github secrets inside the action repository, to perform the access to such repository for example inside the action.yml file? My idea is to base the action on this Docker image and then to use a Python to script to perform the required operations calling a Python library installed into the container (all the business logic is inside the Docker image). Thanks in advance! |
Beta Was this translation helpful? Give feedback.
Replies: 5 comments 1 reply
-
About action, there are few points you need to understand:
this action will be checked out to the path ‘/home/runner/work/_actions/my-actions/my-docker-action/master’.
No, we have no any way to do that. When using an action in a workflow, it is not directly executed in the action repository. The action is a step in the workflow, and every step in the workflow can only use the secrets in the repository where the workflow is running. |
Beta Was this translation helpful? Give feedback.
-
Hi @brightran thank you for your reply! I don’t know if I got it wrong, but my problem is related to accessing a private Docker repository and not keeping the action repository private. The latter can be public. What I’m interested in is access to use a Docker image stored in a private registry, without giving anyone who uses the action access to this registry. From your description, however, I understand that this is not possible, right? |
Beta Was this translation helpful? Give feedback.
-
Yes. Generally the base image used in a Dockerfile should be public.
If you use a private image as the base image for the Docker container action, when pulling the base image, GitHub need to login the Docker registry at first authenticating with the user and password that can access the private Docker registry. When you use this Docker container action in the workflow, you can try to add a step before the action step to execute the docker login command to login to the private Docker registry with the the user and password. Then execute the action to see if the authentication can work when pulling the base image. There is a similar case as reference: https://stackoverflow.com/questions/57903470/how-build-a-dockerfile-using-base-image-from-private-registry If you want other users can use this Docker container action, you need to share the authentication information (user and password) with the users, so that then can set the docker login step before the action step in their workflows. |
Beta Was this translation helpful? Give feedback.
-
Thank you very much! |
Beta Was this translation helpful? Give feedback.
-
@brightran You spoke to the case where a Dockerfile is supplied in the github action. What I need to know is how it is done when you just want to use a docker image from a private registry and run shell commands inside it to do the work of the action. The example looks like this in the yaml file where you define the action:
Note that this became more important as of 2 Nov 2020 when Dockerhub placed pull limits on all nonauthenticated image pulls. In effect, everybody has to pay for an account and treat Dockerhub as a private registry when loading images to use in an action (as with every other case). |
Beta Was this translation helpful? Give feedback.
@carminedamico,
Yes. Generally the base image used in a Dockerfile should be public.
When using a Docker container action in the workflow, GitHub will do the following things during the workflow run:
If you use a private image as the base image for the Docker container action, when pulling the base image, GitHub need to login the Docker registry at first authenticating with the user and password that can access the private Docker registry.
When you use this Docker container…