Github Actions (new) Pulling from private docker repositories

Hi All,

I have been playing around with GitHub Actions for around a day now and was wondering how to deal with pulling from private Docker repositories, for example Google Cloud Container Registry.

I am trying to pull from a repo like so

- name: Download Cache
  uses: docker://gcr.io/[Project ID]/cache

I have authenticated in a step above using a service account; however, in the GitHub Actions workflow it prefers to try and pull all of the docker images before running any of the steps.

Any plans to support this or know of a way to support this now?

Any discussion will be helpful

26 Likes

GitHub Actions currently only supports public Docker images. I can’t give an ETA or even promise if using Docker images from private repositories will become available, but I’ll pass along your feedback to the developer team.

Thanks for reaching out and giving us your feedback!

11 Likes

This is something available on Azure Pipelines as a service connection. 

https://docs.microsoft.com/en-us/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml#sep-docreg

I too would be interested. It would make migrating or even hopping back between Azure Pipelines and GitHub actions much easier. 

@lee-dohm might you be able to comment on whether this is under consideration at all? This is a show stopper for us, as we need to use images in our private AWS ECR repos. 

thanks!

Adding the ability to use private docker registries for Job, Service and Step containers is something we do plan to do. However, I don’t have an exact timeline right now.

30 Likes

I solved this by having a step in my workflow that authenticates and pulls the docker image and then using an internal repo action (which doesn’t pull the image on startup) for using the private image. Not ideal but works until GitHub adds support:

.github/workflow/main.yml:

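# Decode the base64-encoded service account key from the GCS secret into token.json
- name: Setup service account
  run: echo -n ${{ secrets.GCS }} | base64 -d > token.json
# Authenticate with the key, configure docker for gcr.io, then pull the private image
- name: gql
  uses: actions/gcloud/cli@master
  with:
    entrypoint: /bin/sh
    args: "-c \"gcloud auth activate-service-account --key-file token.json && gcloud auth configure-docker && docker pull gcr.io/ **** /test\""
  env:
    GOOGLE_APPLICATION_CREDENTIALS: token.json
# Local action in this repository; its image is not pulled at workflow startup
- name: test action
  uses: ./action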

action/action.yml

name: test action
runs:
  using: 'docker'
  image: 'docker://gcr.io/ **** /test'

18 Likes
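
A hardened variant of the workaround above, added here as an example and not part of the original post. It assumes the `GCS` secret holds the base64-encoded service account key (as in the post), that the runner has the docker CLI, and it uses `PROJECT_ID` as a placeholder for the masked project name.

```yaml
# Added example, not from the thread. PROJECT_ID is a placeholder.
name: private-image-workaround
on: push

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      # A local action (uses: ./action) needs the repository checked out.
      - uses: actions/checkout@v4

      - name: Log in to gcr.io and pull the private image
        env:
          # Pass the secret through the environment instead of expanding
          # ${{ secrets.GCS }} into the script text.
          GCS_KEY_B64: ${{ secrets.GCS }}
        run: |
          set -euo pipefail
          # The decoded key goes straight to docker login on stdin, so no
          # token.json is left in the workspace for later steps or artifacts.
          printf '%s' "$GCS_KEY_B64" | base64 -d |
            docker login -u _json_key --password-stdin https://gcr.io
          docker pull gcr.io/PROJECT_ID/test

      # The runner is now logged in and the image named in action/action.yml
      # is in the local cache before this step needs it.
      - name: test action
        uses: ./action

      # Runs even if an earlier step failed, so the registry credentials
      # do not stay in the runner's docker config.
      - name: Remove registry credentials from the runner
        if: always()
        run: docker logout https://gcr.io
```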

It looks like the actions/gcloud repo was archived - what should be used to replace that now?

I also need this for private repos on both AWS ECR and Docker Hub.

@chrispat is there an issue we can follow and up-vote on GitHub?

4 Likes

The strange issue here is, the docker:// images will be pulled right after initiating the runner, without executing the previous steps. Hence, we can’t login to the private repository. Even if we mark the login as a separate job, the order of jobs is not respected.

2 Likes

Hi,

Is there any news about the ability to pull images from a private repository hosted in DockerHub in the services section of the workflow.yml file?

3 Likes

This is particularly annoying because even “public” Github Packages repos require auth.  So effectively we can’t use Github on Github.

1 Like

Does the same apply for GitHub registry hosted docker images under a private repository?
I’d imagine it could inherit the permissions from the repository it’s running the workflow in? — I believe that’s how it currently works on GitLab.

My main concern is that the Visual Studio build tools EULA requires me to make the docker image with my configuration private. I am willing to make it public but I’m not allowed to do that. So either Visual Studio build tools should allow being hosted on public dockers or GitHub should allow private containers for this use case. I find that Visual Studio is rarely configured correctly for my use case (cutting edge C++), as usually only .NET things are taken into account.