How to use private Docker registry?

I found multiple issues about this topic but they’re old and kinda not exploring the point that I want.

It’s easy to work around the limitation of the login of a private Docker registry inside a job. But how to run the actual job inside the Docker? That’s the question.

I want to use jobs.<job_id>.container and jobs.<job_id>.services with private Docker images.

Is there any way to make it work? Or maybe any kind of workaround? If not, is there any roadmap or indication that this feature is going to be developed?

On GitLab CI this is solved using before_script:

before_script:
  - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY

This would be an amazing feature for GitHub Actions.


When using the syntaxes jobs.<job_id>.container.image or jobs.<job_id>.services.image to set a Docker image as a container (or service container) for a job, the Docker image can be the Docker base image name or a public Docker Hub or registry. You can’t use the image from a private Docker registry.

If you really need this feature, I recommend you directly share your suggestions here. That will allow you to directly interact with the appropriate engineering team, and make it more convenient for the engineering team to collect and categorize your suggestions.


FWIW, I’ve had success with the workaround to use an internal repo action, as mentioned in https://github.community/t5/GitHub-Actions/Github-Actions-new-Pulling-from-private-docker-repositories/m-p/32024/highlight/true#M986, where I first login to AWS ECR, pull the private image, then use the local action to effectively “docker run” with the private image.

Can you please elaborate on what a “local action” is referring to? I do not wish to use the docker run command explicitly. Basically what I am asking is how to run steps inside the docker container?

I don’t think that’s supported.

I too run all the explicit docker commands in bash right now for lack of this feature.

@karrtikr this is what I use, which might not help you since I use cake build at the tail end:

.github/workflows/build.yml:

name: Build
on:
  push:
    branches:
      - "**"
      - "!dependabot/**"
  pull_request:
    branches:
      - master
  repository_dispatch:

env:
  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
  AWS_REGION: us-east-1
  NUGET_USERNAME: pharos
  NUGET_PASSWORD: ${{ secrets.PACKAGES_PAT }}
  NUGET_SOURCE: https://nuget.pkg.github.com/pharos/index.json
  NUGET_PACKAGES: ${{ github.workspace }}/.nuget/packages

jobs:
  Docker:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout source
        uses: actions/checkout@v2
        with:
          fetch-depth: 0

      - name: Cache packages
        uses: actions/cache@v2
        with:
          path: ${{ env.NUGET_PACKAGES }}
          key: ${{ runner.os }}-nuget-${{ hashFiles('.config/dotnet-tools.json', '**/packages.lock.json') }}
          restore-keys: ${{ runner.os }}-nuget-

      - name: Patch config
        shell: pwsh
        run: ./NuGet.ps1 NuGet.config github pharos ${{ secrets.PACKAGES_PAT }}

      - name: ECR login
        uses: aws-actions/amazon-ecr-login@v1

      - name: Docker pull
        run: docker pull <id>.dkr.ecr.us-east-1.amazonaws.com/pharos/build/cake-docker:latest

      - name: Cake build
        uses: ./.github/actions/cake-build

.github/actions/cake-build/action.yml:

name: Cake build
runs:
  using: docker
  image: docker://<id>.dkr.ecr.us-east-1.amazonaws.com/pharos/build/cake-docker:latest
  args: [ "bash", "-c", "dotnet tool restore && dotnet cake --bootstrap --verbosity=verbose && dotnet cake --verbosity=verbose --target=build --publish=true" ]

In summary:

  • Log in to AWS ECR private repo (using AWS env vars)
  • Pull Docker image from AWS ECR private repo (note: redacted id)
  • Run “local action” using git repo relative reference (./.github/actions/cake-build)
  • Bash command is subsequently run inside a container using the previously pulled Docker image
  • … In this case the remaining steps are handled by cake build

Here is my solution for a self-hosted runner for pulling private images from AWS ECR: Github Actions (new) Pulling from private docker repositories

This works for me:

name: build

on:
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]

jobs:
  tests:
    name: "Build and test"
    runs-on: ubuntu-latest
   
    steps:
       
    - name: Login to DockerHub
      uses: docker/login-action@v1
      with:
        username: ${{ secrets.DOCKERHUB_USERNAME }}
        password: ${{ secrets.DOCKERHUB_PASSWORD }}

    - name: Pull image from DockerHub
      run: docker pull company/repo:version

    - name: Run image in container
      run: docker run --detach company/repo:version
...
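The login, pull and run steps from the workflows above, collected into one script as an added example (not code from any poster in the thread): it passes the registry password on stdin instead of `-p`, runs each step with `docker exec` inside a container started from the private image, and removes the container and the stored credentials afterwards. The function names, the `REGISTRY_PASSWORD` variable, the `/work` mount point and the image providing `bash` and `sleep` are assumptions.

```shell
# Added example. Assumptions: REGISTRY_PASSWORD is exported by the CI secret
# store; the image provides `bash` and `sleep`; /work is an arbitrary mount point.

# Log in with the secret on stdin, not `-p`, so it never appears in the
# process list or in a traced command line.
registry_login() {
  local registry="$1" user="$2"
  printf '%s' "$REGISTRY_PASSWORD" |
    docker login --username "$user" --password-stdin "$registry"
}

# Pull the private image, keep one container alive, and run every step inside
# it with `docker exec`. Stops at the first failing step and returns its status.
run_steps_in_image() {
  local registry="$1" image="$2" cid="" rc=0 step
  shift 2
  if docker pull "$image" &&
     cid=$(docker run --detach --rm --volume "$PWD:/work" --workdir /work \
             "$image" sleep infinity)
  then
    for step in "$@"; do
      docker exec "$cid" bash -c "$step" || { rc=$?; break; }
    done
    docker stop "$cid" >/dev/null      # --rm deletes the container once stopped
  else
    rc=1
  fi
  docker logout "$registry" >/dev/null # drop the credentials docker login stored
  return "$rc"
}

# Usage (constructed names):
#   registry_login registry.example.com ci-user &&
#   run_steps_in_image registry.example.com registry.example.com/team/build:1 \
#     'dotnet tool restore' 'dotnet cake --target=build'
```

In a workflow, both functions would be called from a single `run:` step, with the password mapped from a repository secret through `env:`.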