Github Actions (new) Pulling from private docker repositories

Hi All,

I have been playing around with GitHub Actions for around a day now and was wondering how to deal with pulling from private Docker repositories, for example Google Cloud Container Registry.

I am trying to pull from a repo like so

- name: Download Cache
  uses: docker://gcr.io/[Project ID]/cache

I have authenticated in a step above using a service account however in the github actions workflow it prefers to try and pull all of the docker images before running any of the steps.

Any plans to support this or know of a way to support this now?

Any discussion will be helpful

28 Likes

GitHub Actions currently only supports public Docker images. I can’t give an ETA or even promise if using Docker images from private repositories will become available, but I’ll pass along your feedback to the developer team.

Thanks for reaching out and giving us your feedback!

11 Likes

This is something available on Azure Pipelines as a service connection. 

https://docs.microsoft.com/en-us/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml#sep-docreg

I too would be interested. It would make migrating or even hopping back between Azure Pipelines and GitHub actions much easier. 

@lee-dohm might you be able to comment on whether this is under consideration at all? This is a show stopper for us, as we need to use images in our private AWS ECR repos. 

thanks!

Adding the ability to use private Docker registries for Job, Service and Step containers is something we do plan to do. However, I don’t have an exact timeline right now.

31 Likes

I solved this by having a step in my workflow that authenticates and pulls the Docker image, and then using an internal repo action (which doesn’t pull the image on startup) for using the private image. Not ideal, but it works until GitHub adds support:

.github/workflow/main.yml:

- name: Setup service account
  run: echo -n ${{ secrets.GCS }} | base64 -d > token.json
- name: gql
  uses: actions/gcloud/cli@master
  with:
    entrypoint: /bin/sh
    args: "-c \"gcloud auth activate-service-account --key-file token.json && gcloud auth configure-docker && docker pull gcr.io/ **** /test\""
  env:
    GOOGLE_APPLICATION_CREDENTIALS: token.json
- name: test action
  uses: ./action

action/action.yml

name: test action
runs:
  using: 'docker'
  image: 'docker://gcr.io/ **** /test'

19 Likes

It looks like the actions/gcloud repo was archived - what should be used to replace that now?

I also need this for private repos on both AWS ECR and Docker Hub.

@chrispat is there an issue we can follow and up-vote on GitHub?

4 Likes

The strange issue here is that the docker:// images will be pulled right after initiating the runner, without executing the previous steps. Hence, we can’t log in to the private repository. Even if we mark the login as a separate job, the order of jobs is not respected.

3 Likes

Hi,

Is there any news about the ability to pull images from a private repository hosted in DockerHub in the services section of the workflow.yml file?

4 Likes

This is particularly annoying because even “public” Github Packages repos require auth.  So effectively we can’t use Github on Github.

1 Like

Does the same apply for GitHub registry hosted docker images under a private repository?
I’d imagine it could inherit the permissions from the repository it’s running the workflow in? — I believe that’s how it currently works on GitLab.

My main concern is that the Visual Studio build tools EULA requires me to make the docker image with my configuration private. I am willing to make it public but I’m not allowed to do that. So either Visual Studio build tools should allow being hosted on public dockers or GitHub should allow private containers for this use case. I find that Visual Studio is rarely configured correctly for my use case (cutting edge C++), as usually only .NET things are taken into account.

If you’re using AWS ECR and have a self-hosted GitHub runner, you can consider docker-credential-ecr-login (aka the Docker credentials plugin).

You can install it on your self-hosted runner and use the following config (you can modify the config for a specific ECR repo rather than general):

{
    "credsStore": "ecr-login"
}

In this way, the runner will auto-login to AWS ECR and pull images from your private ECR repo. It works for both GitHub Actions service containers and Docker container steps.
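
The post above notes that the config can be narrowed to a specific ECR registry instead of applying to everything. As an added example (not part of the original post and not any project's own code), this Python script audits a Docker client config and moves a global `credsStore` into a per-registry `credHelpers` entry; the registry hostname and the Docker Hub credential are constructed sample values.

```python
import base64
import copy

# Constructed sample values (assumptions, not taken from the thread).
ECR_REGISTRY = "123456789012.dkr.ecr.us-east-1.amazonaws.com"
BROAD_CONFIG = {
    "credsStore": "ecr-login",  # helper is asked about every registry
    "auths": {
        "https://index.docker.io/v1/": {
            "auth": base64.b64encode(b"demo:not-a-real-password").decode()
        }
    },
}


def audit(config):
    """Return findings for a Docker client config (e.g. ~/.docker/config.json)."""
    findings = []
    if config.get("credsStore"):
        findings.append(f"credsStore={config['credsStore']}: applies to all registries")
    for registry, entry in config.get("auths", {}).items():
        raw = entry.get("auth")
        if not raw:
            continue  # empty entry: the secret lives in a helper, not in the file
        try:
            user = base64.b64decode(raw).decode().split(":", 1)[0]
        except ValueError:  # covers bad base64 and bad UTF-8
            user = "?"
        findings.append(f"auths[{registry}]: inline credential for user {user!r}")
    return findings


def scope_helper(config, registry, helper="ecr-login"):
    """Return a copy in which `helper` serves only `registry` via credHelpers."""
    scoped = copy.deepcopy(config)
    if scoped.get("credsStore") == helper:
        del scoped["credsStore"]  # stop routing every registry to the helper
    scoped.setdefault("credHelpers", {})[registry] = helper
    return scoped


if __name__ == "__main__":
    import json
    scoped = scope_helper(BROAD_CONFIG, ECR_REGISTRY)
    print(json.dumps(scoped, indent=2))
    print("\n".join(audit(scoped)))
```

The inline `auths` credential is still reported after scoping; the script leaves it in place so that removing it stays an explicit decision.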

Anyone know the status of this?

It seems like a fundamental flaw not being able to docker login (to any registry, whether github packages or docker hub or ecr).

Our co would love to adopt actions, but the inability to pull private images is a deal breaker.

Also writing here to manifest that I consider this an essential feature, and I’d like to know what’s the status with this request. Can we expect this to be supported anytime soon?

If not any private registry at least GitHub’s own docker registry, as right now it’s funny to not be able to use GitHub images from public repos in GitHub itself.

The last semi-official update from @chrispat was a little over a year ago. Are any updates available?

Shipped today for job and service containers.

1 Like

such timing! great job, and thanks to all who made it happen @chrispat (including you).

Is this only for pulling from GH registry? If I need to pull from GCR, it doesn’t look like that’s supported yet, unless I’m missing something.