GitHub Actions (new) Pulling from private Docker repositories

Potentially great timing here.

Similar question: Is there any more documentation available? Our use case is with AWS ECR.

Any registry is supported as long as it supports username and password auth. You simply need to specify the fully qualified image.
For GHCR it would look something like image: ghcr.io/octocat/testdb:latest

For ECR it would be something like image: aws_account_id.dkr.ecr.region.amazonaws.com/my-web-app

Thanks, as I understand it I need to programmatically run a step such as aws ecr get-login-password, as ECR basic auth creds are granted on a temporary basis. Is it possible to run steps prior in such a way to provide this information to a service container?

No that is not currently possible. We only support fixed passwords at this point.

This is great news.
How about any plans to get rid of the credential need for GHCR if you’re using actions in a private repo?
Keeping an additional PAT around, just for this seems excessive. Can’t the GITHUB_TOKEN be used for accessing private repos as a default?

We are working on that and expect to ship it in the next couple of months. With GHCR being an org level experience we are having to make some fairly significant changes to enable Actions to read and write to it while also maintaining good security.

@paulfairless this is fairly trivial to solve. Here is what we’ve done:

  1. Add a scheduled workflow that basically runs aws ecr get-login-password every 6 hours or so (the tokens are valid for 12 hours)
  2. Write this value to a repository or organization secret
  3. Use this secret in your workflow to authenticate with ECR:
jobs:
  build:
    container:
      image: aws_account_id.dkr.ecr.region.amazonaws.com/your-image:version
      credentials:
        username: AWS
        password: ${{ secrets.THE_PASSWORD }}
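
Steps 1 and 2 of the post above could be scripted as follows. This is an added example, not part of the original thread or the poster's own setup; the function name and its three arguments are hypothetical, and it assumes the `aws` and `gh` CLIs are installed with AWS credentials configured and `GH_TOKEN` set to a token that may write secrets on the target repository.

```shell
# Added example, not code from the thread. Assumes the aws and gh CLIs are on
# PATH, AWS credentials are already configured, and GH_TOKEN holds a token that
# is allowed to write secrets on the target repository.
# Intended caller: a workflow on "schedule: - cron: '0 */6 * * *'"
# (the post above states the tokens are valid for 12 hours).

rotate_ecr_secret() {
    region=${1:-} repo=${2:-} secret_name=${3:-}
    if [ -z "$region" ] || [ -z "$repo" ] || [ -z "$secret_name" ]; then
        echo "usage: rotate_ecr_secret REGION OWNER/REPO SECRET_NAME" >&2
        return 2
    fi

    # Fetch first and check the result, so a failed AWS call never replaces
    # the stored (possibly still valid) password with an empty value.
    token=$(aws ecr get-login-password --region "$region") || {
        echo "aws ecr get-login-password failed; secret left unchanged" >&2
        return 1
    }
    if [ -z "$token" ]; then
        echo "empty token returned; secret left unchanged" >&2
        return 1
    fi

    # Inside Actions, register the value for log masking before it is used.
    if [ "${GITHUB_ACTIONS:-}" = "true" ]; then
        echo "::add-mask::$token"
    fi

    # Send the token on stdin rather than --body so it never appears in the
    # process argument list.
    printf '%s' "$token" | gh secret set "$secret_name" --repo "$repo" || {
        echo "gh secret set failed for $secret_name" >&2
        return 1
    }
    unset token
}
```

For an organization secret, `gh secret set` takes `--org` in place of `--repo`.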

I am able to pull a private image from Docker Hub. But it seems like it is not working.

I wanted to run a Python test case. I installed the requirements, but when I ran the command for the test it threw an error that a package was not found.

jobs:
  test:
    container:
      image: abcd
      credentials:
        username: "test"
        password: "test"
    steps:
      - uses: actions/checkout@v2
      - name: Display Python version
        run: |
          pip install -r requirements/dev.txt
      - name: run python manage test
        run: |
          python3 manage.py test

Has anyone run test cases inside a container?

@bendavies, can you elaborate or point to documentation on how you “wrote this value to a repository or organization secret”? Was this within a GitHub workflow?

Thank you