I think I'm missing something and I cannot seem to find the appropriate docs for this. What I'm trying to do is pull and use a private docker image from ghcr as a Workflow Step.

First, I have a workflow like this that is building the docker image and successfully pushing it to the private repository:

name: Build and Push Docker Image
on:
  workflow_dispatch:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Metadata
        id: metadata
        run: |
          # convert repository name to lowercase
          repo=$(echo ${{ github.repository }} | tr '[:upper:]' '[:lower:]')
          tag="ghcr.io/${repo}/test-action:latest"
          echo "TAG=$tag" >> $GITHUB_OUTPUT
      - name: Log in to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build and push Docker image
        uses: docker/build-push-action@v6
        with:
          context: ./test-action
          file: ./test-action/Dockerfile
          push: true
          tags: ${{ steps.metadata.outputs.TAG }}
          target: production

This seems to work as expected. ✅

But then, within the same repository I cannot pull this image using the

name: Run docker image from ghcr
on:
  workflow_dispatch:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Test
        uses: docker://ghcr.io/myorg/myrepo/test-action:latest

When the workflow run tries to pull the image before running the steps I get an

I also tried modifying the Workflow permissions but got the same error:

name: Run docker image from ghcr
on:
  workflow_dispatch:
jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      packages: write
      contents: read
      id-token: write
    steps:
      - name: Test
        uses: docker://ghcr.io/myorg/myrepo/test-action:latest

The following did work as expected, but the syntax feels much worse in the workflow. I'd like to avoid using a shell step and the

name: Run docker image from ghcr
on:
  workflow_dispatch:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Log in to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Test
        run: |
          docker pull ghcr.io/myorg/myrepo/test-action:latest
          docker run ghcr.io/myorg/myrepo/test-action:latest

My question is how can I properly authenticate with ghcr while using the

Also this is within an Enterprise Organization if that makes any difference. I want to ensure everything is centralized on the org and/or repo and not use user-level access tokens.

Thanks for your assistance and would appreciate any docs links I'm missing 🙏🏻
Replies: 1 comment 1 reply
I've actually run into this exact problem in our enterprise org too! The uses: docker:// syntax is frustrating because it runs before any of your auth steps.

For private GHCR images, I found two approaches that work reliably:

The job container approach worked best for me:

If you need more flexibility with multiple steps, you can create a Docker action in your repo (just a Dockerfile + action.yml) that references your ghcr image, then use:

The second approach lets you keep using the cleaner action syntax while avoiding the auth issues completely since it's pulling from your local repo after checkout.
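
The job container approach named in the reply above, written out as an added example; it is not the reply author's workflow or anything posted in the thread. It assumes the image name from the question, that the package lets this repository's GITHUB_TOKEN read it, and a placeholder step command.

```yaml
# Added example, not from the original thread.
name: Run docker image from ghcr
on:
  workflow_dispatch:
jobs:
  test:
    runs-on: ubuntu-latest
    # Read-only scopes are enough to pull the image; this job neither
    # pushes packages nor requests an OIDC token.
    permissions:
      contents: read
      packages: read
    container:
      # Image name taken from the question.
      image: ghcr.io/myorg/myrepo/test-action:latest
      # The runner uses these credentials when it pulls the job container,
      # which happens before any step executes.
      credentials:
        username: ${{ github.actor }}
        password: ${{ secrets.GITHUB_TOKEN }}
    steps:
      # Steps run inside the container. The command is a placeholder
      # (assumption); replace it with what the image is meant to run.
      - name: Test
        run: cat /etc/os-release
```

With a job container the steps run inside the image rather than invoking its entrypoint, so whatever `docker run` would have started has to be called explicitly in a step.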