Github Actions (new) Pulling from private docker repositories

Does the same apply for GitHub registry hosted docker images under a private repository?
I’d imagine it could inherit the permissions from the repository it’s running the workflow in? — I believe that’s how it currently works on GitLab.

My main concern is that the Visual Studio Build Tools EULA requires me to make the Docker image with my configuration private. I am willing to make it public but I’m not allowed to do that. So either Visual Studio Build Tools should allow being hosted on public Docker registries or GitHub should allow private containers for this use case. I find that Visual Studio is rarely configured correctly for my use case (cutting-edge C++), as usually only .NET things are taken into account.

If you’re using AWS ECR and have a self-hosted GitHub runner, you can consider docker-credential-ecr-login (aka the Docker credentials plugin).

You can install it on your self-hosted runner and use the following config (you can modify the config for a specific ECR repo rather than general):

{
    "credsStore": "ecr-login"
}

In this way, the runner will auto-login to AWS ECR and pull images from your private ECR repo. It works for both GitHub Actions service containers and the Docker container step.

Anyone know the status of this?

It seems like a fundamental flaw not being able to docker login (to any registry, whether github packages or docker hub or ecr).

Our co would love to adopt actions, but the inability to pull private images is a deal breaker.

Also writing here to manifest that I consider this an essential feature, and I’d like to know what’s the status with this request. Can we expect this to be supported anytime soon?

If not any private registry at least GitHub’s own docker registry, as right now it’s funny to not be able to use GitHub images from public repos in GitHub itself.

The last semi-official update from @chrispat was a little over a year ago. Are any updates available?

Shipped today for job and service containers.


such timing! great job, and thanks to all who made it happen @chrispat (including you).

Is this only for pulling from the GH registry? If I need to pull from GCR, it doesn’t look like that’s supported yet, unless I’m missing something.

Potentially great timing here.

Similar question: Is there any more documentation available? Our use case is with AWS ECR.

Any registry is supported as long as it supports username and password auth. You simply need to specify the fully qualified image.
For GHCR it would look something like image: ghcr.io/octocat/testdb:latest

For ECR it would be something like image: aws_account_id.dkr.ecr.region.amazonaws.com/my-web-app

Thanks. As I understand it, I need to programmatically run a step such as aws ecr get-login-password, as ECR basic auth creds are granted on a temporary basis. Is it possible to run steps prior in such a way as to provide this information to a service container?

No that is not currently possible. We only support fixed passwords at this point.

This is great news.
How about any plans to get rid of the credential need for GHCR if you’re using actions in a private repo?
Keeping an additional PAT around, just for this seems excessive. Can’t the GITHUB_TOKEN be used for accessing private repos as a default?

We are working on that and expect to ship it in the next couple of months. With GHCR being an org level experience we are having to make some fairly significant changes to enable Actions to read and write to it while also maintaining good security.


@paulfairless This is fairly trivial to solve. Here is what we’ve done:

  1. Add a scheduled workflow that basically runs aws ecr get-login-password every 6 hours or so (the tokens are valid for 12 hours)
  2. Write this value to a repository or organization secret
  3. Use this secret in your workflow to authenticate with ECR:

jobs:
  build:
    runs-on: ubuntu-latest   # the job still needs a runner host; the container below runs on it
    container:
      image: aws_account_id.dkr.ecr.region.amazonaws.com/your-image:version
      credentials:
        username: AWS        # ECR always uses the literal username AWS with a get-login-password token
        password: ${{ secrets.THE_PASSWORD }}
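Here is the rotation side of the three steps above written out as one complete scheduled workflow. This is an added example, not code from any post in this thread. It assumes: a personal access token stored as the secret GH_API_ACCESS_TOKEN with the repo scope (as noted later in this thread, the default GITHUB_TOKEN cannot write repository secrets); long-lived AWS keys stored as AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY for an IAM user allowed only ecr:GetAuthorizationToken; the region us-east-1; and the target secret name ECR_PASSWORD. All of those names are assumptions.

```yaml
# .github/workflows/rotate-ecr-password.yml  (added example, not from the thread)
name: Rotate ECR pull password

on:
  schedule:
    - cron: "0 */6 * * *"   # every 6 hours; an ECR authorization token is valid for 12
  workflow_dispatch:        # lets you seed the secret by hand the first time

jobs:
  rotate:
    runs-on: ubuntu-latest
    steps:
      # Assumed: static keys for an IAM user whose only permission is
      # ecr:GetAuthorizationToken, which is all get-login-password calls.
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-1

      # gh reads the token from GH_TOKEN, fetches the repo's public key and
      # does the libsodium sealed-box encryption the secrets API requires,
      # so no custom API client is needed. The password never hits the log:
      # it goes straight from the aws CLI's stdout into gh's stdin.
      - name: Store a fresh ECR password in the ECR_PASSWORD secret
        env:
          GH_TOKEN: ${{ secrets.GH_API_ACCESS_TOKEN }}   # assumed PAT name
        run: |
          aws ecr get-login-password --region us-east-1 \
            | gh secret set ECR_PASSWORD --repo "$GITHUB_REPOSITORY"
```

The build workflow then uses username AWS and password ${{ secrets.ECR_PASSWORD }} under container.credentials exactly as in the snippet above (the same works for services:). Two things to keep in mind: anyone who can push a change to this workflow file can repoint GH_API_ACCESS_TOKEN at other secrets, so give that PAT no more than it needs and keep the IAM key limited to GetAuthorizationToken; and because the PAT belongs to a user account, the rotation stops the day that user loses access to the org, which is the objection raised further down this thread.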

I am able to pull a private image from Docker Hub. But it seems like it is not working.

I wanted to run a Python test case. I installed the requirements, but when I ran the command for the test it threw an error that the package was not found.

jobs:
  test:
    runs-on: ubuntu-latest   # required: the container runs on this host
    container:
      image: abcd
      credentials:
        username: "test"     # placeholder; real registry credentials belong in ${{ secrets.* }}
        password: "test"

    steps:
      - uses: actions/checkout@v2
      - name: Install requirements
        run: |
          pip install -r requirements/dev.txt
      - name: Run python manage.py test
        run: |
          python3 manage.py test

Anyone run test cases inside a container?

@bendavies, can you elaborate or point to documentation on how you “wrote this value to a repository or organization secret”? Was this within a GitHub workflow?

Thank you


Is there any intention to work on this issue?

To further elaborate, someone wrote up a nice blog post about this workaround, but it is a hack and has security risks I’d rather GitHub appropriately address. The concept of my secrets being updated by a PAT has many issues. I know that the upcoming PAT restrictions will help, but only if those are also passed on so that we can create shared PAT tokens for repos or teams. The crux of the issue is this excerpt:

 Then I generated a personal access token (the “provided by default” GITHUB_TOKEN does not have sufficient rights), let’s call it GH_API_ACCESS_TOKEN

Even if we restrict the PAT, this entire deploy stack is dependent on my continued access to this GitHub org. If I were to leave, for any reason, issues would immediately begin. This is not an issue elsewhere because we ensure that nothing is dependent on our user accounts. I need a way at an organization level to create a PAT for a repo specifically, or a team which is allowed to pass it. Like how secrets work, kind of.

Implementing a ‘before-job’ in the service definition that accepted runner steps could solve this generically,

preferably one that passes the environments from uses:

  test:
    container:
      image: abcd
      before:
        environment: ECR
        runs-on: ubuntu-latest
        steps:
          - name: Login to Amazon ECR
            id: login-ecr
            uses: aws-actions/amazon-ecr-login@v1

but I can see how that could cause issues:

  test:
    container:
      image: abcd
      credentials:
        username: ${{ before.login-ecr.user }}
        password: ${{ before.login-ecr.password }}
      before:
        environment: ECR
        runs-on: ubuntu-latest
        steps:
          - name: Login to Amazon ECR
            id: login-ecr
            uses: theoretical-amazon-ecr-login-that-outputs-user-and-password-outputs