login-action

About

GitHub Action to login against a Docker registry.


Usage

Docker Hub

To authenticate against Docker Hub it’s strongly recommended to create a
personal access token as an alternative to your password.

name: ci

on:
  push:
    branches: main

jobs:
  login:
    runs-on: ubuntu-latest
    steps:
      -
        name: Login to Docker Hub
        uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

GitHub Container Registry

To authenticate against the GitHub Container Registry,
use the GITHUB_TOKEN for the best
security and experience.

name: ci

on:
  push:
    branches: main

jobs:
  login:
    runs-on: ubuntu-latest
    steps:
      -
        name: Login to GitHub Container Registry
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

You may need to manage write and read access of GitHub Actions
for repositories in the container settings.

You can also use a personal access token (PAT)
with the appropriate scopes.

GitLab

name: ci

on:
  push:
    branches: main

jobs:
  login:
    runs-on: ubuntu-latest
    steps:
      -
        name: Login to GitLab
        uses: docker/login-action@v2
        with:
          registry: registry.gitlab.com
          username: ${{ secrets.GITLAB_USERNAME }}
          password: ${{ secrets.GITLAB_PASSWORD }}

Azure Container Registry (ACR)

Create a service principal
with access to your container registry through the Azure CLI
and take note of the generated service principal’s ID (also called client ID) and password (also called client secret).

name: ci

on:
  push:
    branches: main

jobs:
  login:
    runs-on: ubuntu-latest
    steps:
      -
        name: Login to ACR
        uses: docker/login-action@v2
        with:
          registry: <registry-name>.azurecr.io
          username: ${{ secrets.AZURE_CLIENT_ID }}
          password: ${{ secrets.AZURE_CLIENT_SECRET }}

Replace <registry-name> with the name of your registry.

Google Container Registry (GCR)

Google Artifact Registry is the evolution of Google Container Registry, a
fully-managed service with support for both container images and non-container artifacts. If you currently use
Google Container Registry, use the information on this page
to learn about transitioning to Google Artifact Registry.

You can use either workload identity federation based keyless authentication or service account based authentication.

Workload identity federation based authentication

Configure workload identity federation for GitHub Actions in gcloud (for steps, refer here). In the steps, your service account should have the ability to push to GCR. Then use the google-github-actions/auth action to authenticate using workload identity, as shown below:

name: ci

on:
  push:
    branches: main

jobs:
  login:
    runs-on: ubuntu-latest
    steps:
      - id: 'auth'
        name: 'Authenticate to Google Cloud'
        uses: 'google-github-actions/auth@v0'
        with:
          token_format: 'access_token'
          workload_identity_provider: '<workload_identity_provider>'
          service_account: '<service_account>'

      - name: Login to GCR
        uses: docker/login-action@v2
        with:
          registry: gcr.io
          username: oauth2accesstoken
          password: ${{ steps.auth.outputs.access_token }}

Replace <workload_identity_provider> with the configured workload identity provider. For steps to configure, refer here.

Replace <service_account> with the service account configured in the workload identity provider, which has access to push to GCR.

Service account based authentication

Use a service account with the ability to push to GCR and configure access control.
Then create and download the JSON key for this service account and save the content of the .json file
as a secret
called GCR_JSON_KEY in your GitHub repo. Ensure you set the username to _json_key,
or _json_key_base64 if you use a base64-encoded key.

name: ci

on:
  push:
    branches: main

jobs:
  login:
    runs-on: ubuntu-latest
    steps:
      -
        name: Login to GCR
        uses: docker/login-action@v2
        with:
          registry: gcr.io
          username: _json_key
          password: ${{ secrets.GCR_JSON_KEY }}

Google Artifact Registry (GAR)

You can use either workload identity federation based keyless authentication or service account based authentication.

Workload identity federation based authentication

Configure workload identity federation for GitHub Actions in gcloud (for steps, refer here). In the steps, your service account should have the ability to push to GAR. Then use the google-github-actions/auth action to authenticate using workload identity, as shown below:

name: ci

on:
  push:
    branches: main

jobs:
  login:
    runs-on: ubuntu-latest
    steps:
      - id: 'auth'
        name: 'Authenticate to Google Cloud'
        uses: 'google-github-actions/auth@v0'
        with:
          token_format: 'access_token'
          workload_identity_provider: '<workload_identity_provider>'
          service_account: '<service_account>'

      - name: Login to GAR
        uses: docker/login-action@v2
        with:
          registry: <location>-docker.pkg.dev
          username: oauth2accesstoken
          password: ${{ steps.auth.outputs.access_token }}

Replace <workload_identity_provider> with the configured workload identity provider.

Replace <service_account> with the service account configured in the workload identity provider, which has access to push to GAR.

Replace <location> with the regional or multi-regional location
of the repository where the image is stored.

Service account based authentication

Use a service account with the ability to push to GAR and configure access control.
Then create and download the JSON key for this service account and save the content of the .json file
as a secret
called GAR_JSON_KEY in your GitHub repo. Ensure you set the username to _json_key,
or _json_key_base64 if you use a base64-encoded key.

name: ci

on:
  push:
    branches: main

jobs:
  login:
    runs-on: ubuntu-latest
    steps:
      -
        name: Login to GAR
        uses: docker/login-action@v2
        with:
          registry: <location>-docker.pkg.dev
          username: _json_key
          password: ${{ secrets.GAR_JSON_KEY }}

Replace <location> with the regional or multi-regional location
of the repository where the image is stored.

AWS Elastic Container Registry (ECR)

Use an IAM user with the ability to push to ECR, for example with the AmazonEC2ContainerRegistryPowerUser managed policy.
Then create and download access keys and save AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY as secrets
in your GitHub repo.

name: ci

on:
  push:
    branches: main

jobs:
  login:
    runs-on: ubuntu-latest
    steps:
      -
        name: Login to ECR
        uses: docker/login-action@v2
        with:
          registry: <aws-account-number>.dkr.ecr.<region>.amazonaws.com
          username: ${{ secrets.AWS_ACCESS_KEY_ID }}
          password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

If you need to log in to Amazon ECR registries associated with other accounts, you can use the AWS_ACCOUNT_IDS
environment variable:

name: ci

on:
  push:
    branches: main

jobs:
  login:
    runs-on: ubuntu-latest
    steps:
      -
        name: Login to ECR
        uses: docker/login-action@v2
        with:
          registry: <aws-account-number>.dkr.ecr.<region>.amazonaws.com
          username: ${{ secrets.AWS_ACCESS_KEY_ID }}
          password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        env:
          AWS_ACCOUNT_IDS: 012345678910,023456789012

Only available with AWS CLI version 1

You can also use the Configure AWS Credentials action in
combination with this action:

name: ci

on:
  push:
    branches: main

jobs:
  login:
    runs-on: ubuntu-latest
    steps:
      -
        name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: <region>
      -
        name: Login to ECR
        uses: docker/login-action@v2
        with:
          registry: <aws-account-number>.dkr.ecr.<region>.amazonaws.com

Replace <aws-account-number> and <region> with their respective values.

AWS Public Elastic Container Registry (ECR)

Use an IAM user with the ability to push to ECR Public, for example with the AmazonElasticContainerRegistryPublicPowerUser managed policy.
Then create and download access keys and save AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY as secrets
in your GitHub repo.

name: ci

on:
  push:
    branches: main

jobs:
  login:
    runs-on: ubuntu-latest
    steps:
      -
        name: Login to Public ECR
        uses: docker/login-action@v2
        with:
          registry: public.ecr.aws
          username: ${{ secrets.AWS_ACCESS_KEY_ID }}
          password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        env:
          AWS_REGION: <region>

Replace <region> with its respective value (default us-east-1).

OCI Oracle Cloud Infrastructure Registry (OCIR)

To push into OCIR in a specific tenancy, the username
must be in the format <tenancy>/<username> (in case of a federated tenancy, use the format
<tenancy-namespace>/oracleidentitycloudservice/<username>).

For the password, create an auth token.
Save the username and token as secrets
in your GitHub repo.

name: ci

on:
  push:
    branches: main

jobs:
  login:
    runs-on: ubuntu-latest
    steps:
      -
        name: Login to OCIR
        uses: docker/login-action@v2
        with:
          registry: <region>.ocir.io
          username: ${{ secrets.OCI_USERNAME }}
          password: ${{ secrets.OCI_TOKEN }}

Replace <region> with its respective value from availability regions.

Quay.io

Use a Robot account with the ability to push to a public/private Quay.io repository.

name: ci

on:
  push:
    branches: main

jobs:
  login:
    runs-on: ubuntu-latest
    steps:
      -
        name: Login to Quay.io
        uses: docker/login-action@v2
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_USERNAME }}
          password: ${{ secrets.QUAY_ROBOT_TOKEN }}

Customizing

inputs

The following inputs can be used as step.with keys:

| Name     | Type   | Default | Description |
|----------|--------|---------|-------------|
| registry | String |         | Server address of Docker registry. If not set then will default to Docker Hub |
| username | String |         | Username used to log against the Docker registry |
| password | String |         | Password or personal access token used to log against the Docker registry |
| ecr      | String | auto    | Specifies whether the given registry is ECR (auto, true or false) |
| logout   | Bool   | true    | Log out from the Docker registry at the end of a job |
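
An added example, not part of the login-action project: a small lint over the password and logout inputs listed above. It flags docker/login-action steps whose password is not a secrets or step-output expression (the two forms used in this page's workflows) and steps that set logout to false. It scans the text line by line rather than with a YAML parser; the function name and the sample workflow are constructed for illustration.

```python
import re

# Credential forms used by this page's examples: a repository secret or the
# output of an earlier auth step.
SAFE_EXPR = re.compile(r"^\$\{\{\s*(secrets\.\w+|steps\.[\w-]+\.outputs\.\w+)\s*\}\}$")
STEP_SPLIT = re.compile(r"(?m)^[ \t]*-(?=\s|$)")   # "-" alone or "- key: value"
KEY_VALUE = re.compile(r"(?m)^[ \t]*([\w-]+):[ \t]*(.*?)[ \t]*$")

def audit_login_steps(text):
    """Return (step name, finding) pairs for docker/login-action steps."""
    findings = []
    for chunk in STEP_SPLIT.split(text):           # one chunk per list item
        fields = {k: v.strip("'\"") for k, v in KEY_VALUE.findall(chunk)}
        if not fields.get("uses", "").startswith("docker/login-action@"):
            continue
        name = fields.get("name", "<unnamed>")
        password = fields.get("password")          # absent when an earlier step authenticates
        if password is not None and not SAFE_EXPR.match(password):
            findings.append((name, "password is not a secrets or step-output expression"))
        if fields.get("logout", "true").lower() == "false":
            findings.append((name, "logout is disabled"))
    return findings

# Constructed sample workflow: the first step follows this page, the second is
# deliberately misconfigured (placeholder values, not real credentials).
SAMPLE = """\
jobs:
  login:
    runs-on: ubuntu-latest
    steps:
      -
        name: Login to Docker Hub
        uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Login to Quay.io
        uses: docker/login-action@v2
        with:
          registry: quay.io
          username: example-robot
          password: constructed-literal-token
          logout: false
"""

if __name__ == "__main__":
    for step, finding in audit_login_steps(SAMPLE):
        print(f"{step}: {finding}")
```
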

Keep up-to-date with GitHub Dependabot

Since Dependabot
has native GitHub Actions support,
to enable it on your GitHub repo all you need to do is add the .github/dependabot.yml file:

version: 2
updates:
  # Maintain dependencies for GitHub Actions
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "daily"