Hi all, I would like to create a GitHub action and to sell it on the marketplace. My action should be based on a Docker image that is stored on a private Docker registry, and for licensing/security issues nobody could have direct access to it. Is there a way, also using GitHub secrets inside the action repository, to perform the access to such a repository, for example inside the action.yml file? My idea is to base the action on this Docker image and then to use a Python script to perform the required operations, calling a Python library installed into the container (all the business logic is inside the Docker image). Thanks in advance!
About actions, there are a few points you need to understand:
- When using an action in the workflow, typically the following operations are included:
  - Check out the source code of the action to a special folder (_actions) under the runner’s working directory. This operation is done in the “Set up job” step. For example, when you run an action on the Linux runner,

    ```yaml
    - name: run action
      uses: my-actions/my-docker-action@master
      with:
        . . .
    ```

    this action will be checked out to the path ‘/home/runner/work/_actions/my-actions/my-docker-action/master’.
  - After checking out the source code, build the action if needed. Generally this applies to building the container for a Docker action, and the workflow run will generate a build step for each Docker action.
  - Execute the action with the inputs you set.
If you store an action in a private repository, generally only this repository can use this action. If you want to use this private action in the workflows of other repositories, you need to use the checkout action with a personal access token (PAT) to check out the source code of the action. The PAT should have the permissions (‘read’ at least) to access the private repository of the action.
Is there a way, also using Github secrets inside the action repository, to perform the access to such repository for example inside the action.yml file?
No, we have no way to do that. When using an action in a workflow, it is not directly executed in the action repository. The action is a step in the workflow, and every step in the workflow can only use the secrets of the repository where the workflow is running.
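As an added example (not part of brightran's reply, and not GitHub's own documentation), this is what the PAT-based checkout of a private action looks like in the consuming repository's workflow. The repository `my-org/my-private-action`, the branch `main`, the secret name `ACTION_REPO_PAT` and the input name `example-input` are assumptions; the `repository`, `ref`, `token`, `path` and `persist-credentials` inputs are real inputs of `actions/checkout`.

```yaml
# Added example (not from the thread): running a private action from another repository.
# Assumptions: the action lives in my-org/my-private-action on branch main, and
# ACTION_REPO_PAT is a secret of the repository that runs this workflow, holding a
# fine-grained PAT with only "Contents: read" on that one repository.
name: use-private-action
on: [push]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Step 1: fetch the private action's source into the workspace. Only the secrets
      # of the calling repository are visible here, as brightran notes above.
      - name: Check out private action
        uses: actions/checkout@v4
        with:
          repository: my-org/my-private-action      # assumed repository
          ref: main                                 # assumed branch
          token: ${{ secrets.ACTION_REPO_PAT }}     # assumed secret name
          path: .github/actions/my-private-action
          persist-credentials: false                # do not leave the PAT in .git/config

      # Step 2: run the action from the local path. No further access to the private
      # repository is needed, so the PAT is not exposed to the action itself.
      - name: Run private action
        uses: ./.github/actions/my-private-action
        with:
          example-input: value                      # assumed input name
```

Scoping the PAT to read-only access on the single action repository and disabling `persist-credentials` keeps the token from being reusable by later steps or by the action's own code.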
Hi @brightran thank you for your reply! I don’t know if I got it wrong, but my problem is related to accessing a private Docker repository and not keeping the action repository private. The latter can be public.
What I’m interested in is access to use a Docker image stored in a private registry, without giving anyone who uses the action access to this registry. From your description, however, I understand that this is not possible, right?
Yes. Generally the base image used in a Dockerfile should be public.
When using a Docker container action in the workflow, GitHub will do the following things during the workflow run:
- Pull the base image from the Docker registry.
- Based on the base image, build the new image according to the other steps and configurations set in the Dockerfile.
- Start up the container and execute the Docker container action.
If you use a private image as the base image for the Docker container action, then when pulling the base image GitHub needs to log in to the Docker registry first, authenticating with a user and password that can access the private Docker registry.
When you use this Docker container action in the workflow, you can try to add a step before the action step to execute the docker login command to log in to the private Docker registry with the user and password. Then execute the action to see if the authentication works when pulling the base image.
There is a similar case as reference: https://stackoverflow.com/questions/57903470/how-build-a-dockerfile-using-base-image-from-private-registry
If you want other users to be able to use this Docker container action, you need to share the authentication information (user and password) with them, so that they can set the docker login step before the action step in their workflows.
But this generally brings an obvious risk: a user who has obtained the authentication may share it with other users that you did not grant access to. The private image will no longer be “private”, and keeping it private no longer makes sense.
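Added example, not from the thread or from any project: the registry login step brightran describes, written so that the secret is piped on stdin instead of being passed as a `-p` argument, followed by a `run` step that pulls the private image and invokes the Python entry point the original question mentions. The registry host `registry.example.com`, the image name, the script path and the secret names `REGISTRY_USER` / `REGISTRY_TOKEN` are assumptions. One caveat on placement: on GitHub-hosted runners the image of a `docker://` action, or the build of a Dockerfile-based action, is pulled or built while the job is being set up, before the workflow's own steps run, so a login step can only be relied on for pulls that happen inside a later `run` step, which is the form the linked Stack Overflow reference uses and the form shown here.

```yaml
# Added example (not from the thread): authenticating to a private registry inside a
# workflow and then running the private image directly.
# Assumptions: registry.example.com hosts my-org/business-logic:1.2.0, the image carries
# /app/run.py, and REGISTRY_USER / REGISTRY_TOKEN are secrets of the calling repository
# holding a read-only (pull-only) registry token.
name: run-private-image
on: [push]

jobs:
  run:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # The token is read from an environment variable and piped to --password-stdin, so
      # it never appears on the command line or in the runner's process list.
      - name: Log in to private registry
        env:
          REGISTRY_USER: ${{ secrets.REGISTRY_USER }}      # assumed secret name
          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}    # assumed secret name
        run: |
          printf '%s' "$REGISTRY_TOKEN" \
            | docker login registry.example.com -u "$REGISTRY_USER" --password-stdin

      # Pull the private image and run the business logic against the checked-out
      # repository, mounted read-only so the container cannot alter the workspace.
      - name: Run business logic from private image
        run: |
          docker run --rm \
            -v "$GITHUB_WORKSPACE:/work:ro" -w /work \
            registry.example.com/my-org/business-logic:1.2.0 \
            python /app/run.py --input ./data              # assumed script and argument

      # Drop the stored credential even if the previous step failed, so it does not
      # linger in ~/.docker/config.json on a reused or self-hosted runner.
      - name: Log out of private registry
        if: always()
        run: docker logout registry.example.com
```

The sharing problem brightran raises is unchanged by this: every repository that runs the workflow must hold the registry credential. Issuing a pull-only token per customer, rather than the account password, at least bounds what a leaked credential can do and lets a single customer's token be revoked without rotating everyone's.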
Thank you very much!
@brightran You spoke to the case where a Dockerfile is supplied in the GitHub action. What I need to know is how it is done when you just want to use a docker image from a private registry and run shell commands inside it to do the work of the action. The example looks like this in the yaml file where you define the action:

```yaml
runs:
  using: 'docker'
  image: 'docker://myprivaterepo/someimage:notlatest'
```
Note that this became more important as of 2 Nov 2020, when Docker Hub placed pull limits on all unauthenticated image pulls. In effect, everybody has to pay for an account and treat Docker Hub as a private registry when loading images to use in an action (as with every other case).