Compare commits

..

No commits in common. "ba38666a08b622da774c4a0970ab11e419b5c018" and "343f7c4344506bcbf9b4de18042ae17996df046d" have entirely different histories.

173
README.md
View File

@ -31,9 +31,8 @@ ___
### Docker Hub ### Docker Hub
When authenticating to [Docker Hub](https://hub.docker.com) with GitHub Actions, To authenticate against [Docker Hub](https://hub.docker.com) it's strongly recommended to create a
use a [personal access token](https://docs.docker.com/docker-hub/access-tokens/). [personal access token](https://docs.docker.com/docker-hub/access-tokens/) as an alternative to your password.
Don't use your account password.
```yaml ```yaml
name: ci name: ci
@ -48,7 +47,7 @@ jobs:
steps: steps:
- -
name: Login to Docker Hub name: Login to Docker Hub
uses: docker/login-action@v3 uses: docker/login-action@v2
with: with:
username: ${{ secrets.DOCKERHUB_USERNAME }} username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }} password: ${{ secrets.DOCKERHUB_TOKEN }}
@ -56,9 +55,9 @@ jobs:
### GitHub Container Registry ### GitHub Container Registry
To authenticate to the [GitHub Container Registry](https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry), To authenticate against the [GitHub Container Registry](https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry),
use the [`GITHUB_TOKEN`](https://docs.github.com/en/actions/reference/authentication-in-a-workflow) use the [`GITHUB_TOKEN`](https://docs.github.com/en/actions/reference/authentication-in-a-workflow) for the best
secret. security and experience.
```yaml ```yaml
name: ci name: ci
@ -73,7 +72,7 @@ jobs:
steps: steps:
- -
name: Login to GitHub Container Registry name: Login to GitHub Container Registry
uses: docker/login-action@v3 uses: docker/login-action@v2
with: with:
registry: ghcr.io registry: ghcr.io
username: ${{ github.actor }} username: ${{ github.actor }}
@ -101,23 +100,20 @@ jobs:
steps: steps:
- -
name: Login to GitLab name: Login to GitLab
uses: docker/login-action@v3 uses: docker/login-action@v2
with: with:
registry: registry.gitlab.com registry: registry.gitlab.com
username: ${{ secrets.GITLAB_USERNAME }} username: ${{ secrets.GITLAB_USERNAME }}
password: ${{ secrets.GITLAB_PASSWORD }} password: ${{ secrets.GITLAB_PASSWORD }}
``` ```
If you have [Two-Factor Authentication](https://gitlab.com/help/user/profile/account/two_factor_authentication) If you have [Two-Factor Authentication](https://gitlab.com/help/user/profile/account/two_factor_authentication) enabled, use a [Personal Access Token](https://gitlab.com/help/user/profile/personal_access_tokens) instead of a password.
enabled, use a [Personal Access Token](https://gitlab.com/help/user/profile/personal_access_tokens)
instead of a password.
### Azure Container Registry (ACR) ### Azure Container Registry (ACR)
[Create a service principal](https://docs.microsoft.com/en-us/azure/container-registry/container-registry-auth-service-principal#create-a-service-principal) [Create a service principal](https://docs.microsoft.com/en-us/azure/container-registry/container-registry-auth-service-principal#create-a-service-principal)
with access to your container registry through the [Azure CLI](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli) with access to your container registry through the [Azure CLI](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli)
and take note of the generated service principal's ID (also called _client ID_) and take note of the generated service principal's ID (also called _client ID_) and password (also called _client secret_).
and password (also called _client secret_).
```yaml ```yaml
name: ci name: ci
@ -132,7 +128,7 @@ jobs:
steps: steps:
- -
name: Login to ACR name: Login to ACR
uses: docker/login-action@v3 uses: docker/login-action@v2
with: with:
registry: <registry-name>.azurecr.io registry: <registry-name>.azurecr.io
username: ${{ secrets.AZURE_CLIENT_ID }} username: ${{ secrets.AZURE_CLIENT_ID }}
@ -143,21 +139,16 @@ jobs:
### Google Container Registry (GCR) ### Google Container Registry (GCR)
> [Google Artifact Registry](#google-artifact-registry-gar) is the evolution of > [Google Artifact Registry](#google-artifact-registry-gar) is the evolution of Google Container Registry. As a
> Google Container Registry. As a fully-managed service with support for both > fully-managed service with support for both container images and non-container artifacts. If you currently use
> container images and non-container artifacts. If you currently use Google > Google Container Registry, use the information [on this page](https://cloud.google.com/artifact-registry/docs/transition/transition-from-gcr)
> Container Registry, use the information [on this page](https://cloud.google.com/artifact-registry/docs/transition/transition-from-gcr)
> to learn about transitioning to Google Artifact Registry. > to learn about transitioning to Google Artifact Registry.
You can authenticate with workload identity federation or a service account. You can use either workload identity federation based keyless authentication or service account based authentication.
#### Workload identity federation #### Workload identity federation based authentication
Configure the workload identity federation for GitHub Actions in Google Cloud, Configure the workload identity federation for github actions in gcloud (for steps, [refer here](https://github.com/google-github-actions/auth#setting-up-workload-identity-federation)). In the steps, your service account should the ability to push to GCR. Then use google-github-actions/auth action for authentication using workload identity like below:
[see here](https://github.com/google-github-actions/auth#setting-up-workload-identity-federation).
Your service account must have permission to push to GCR. Use the
`google-github-actions/auth` action to authenticate using workload identity as
shown in the following example:
```yaml ```yaml
name: ci name: ci
@ -170,35 +161,32 @@ jobs:
login: login:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- - id: 'auth'
name: Authenticate to Google Cloud name: 'Authenticate to Google Cloud'
id: auth uses: 'google-github-actions/auth@v0'
uses: google-github-actions/auth@v1
with: with:
token_format: access_token token_format: 'access_token'
workload_identity_provider: <workload_identity_provider> workload_identity_provider: '<workload_identity_provider>'
service_account: <service_account> service_account: '<service_account>'
-
name: Login to GCR - name: Login to GCR
uses: docker/login-action@v3 uses: docker/login-action@v2
with: with:
registry: gcr.io registry: gcr.io
username: oauth2accesstoken username: oauth2accesstoken
password: ${{ steps.auth.outputs.access_token }} password: ${{ steps.auth.outputs.access_token }}
``` ```
> Replace `<workload_identity_provider>` with configured workload identity > Replace `<workload_identity_provider>` with configured workload identity provider. For steps to configure, [refer here](https://github.com/google-github-actions/auth#setting-up-workload-identity-federation).
> provider. For steps to configure, [see here](https://github.com/google-github-actions/auth#setting-up-workload-identity-federation).
> Replace `<service_account>` with configured service account in workload > Replace `<service_account>` with configured service account in workload identity provider which has access to push to GCR
> identity provider which has access to push to GCR
#### Service account based authentication #### Service account based authentication
Use a service account with permission to push to GCR and [configure access control](https://cloud.google.com/container-registry/docs/access-control). Use a service account with the ability to push to GCR and [configure access control](https://cloud.google.com/container-registry/docs/access-control).
Download the key for the service account as a JSON file. Save the contents of Then create and download the JSON key for this service account and save content of `.json` file
the file [as a secret](https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets#creating-encrypted-secrets-for-a-repository) [as a secret](https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets#creating-encrypted-secrets-for-a-repository)
named `GCR_JSON_KEY` in your GitHub repository. Set the username to `_json_key`, called `GCR_JSON_KEY` in your GitHub repo. Ensure you set the username to `_json_key`,
or `_json_key_base64` if you use a base64-encoded key. or `_json_key_base64` if you use a base64-encoded key.
```yaml ```yaml
@ -214,7 +202,7 @@ jobs:
steps: steps:
- -
name: Login to GCR name: Login to GCR
uses: docker/login-action@v3 uses: docker/login-action@v2
with: with:
registry: gcr.io registry: gcr.io
username: _json_key username: _json_key
@ -223,14 +211,11 @@ jobs:
### Google Artifact Registry (GAR) ### Google Artifact Registry (GAR)
You can authenticate with workload identity federation or a service account. You can use either workload identity federation based keyless authentication or service account based authentication.
#### Workload identity federation #### Workload identity federation based authentication
Download the key for the service account as a JSON file. Save the contents of Configure the workload identity federation for github actions in gcloud (for steps, [refer here](https://github.com/google-github-actions/auth#setting-up-workload-identity-federation)). In the steps, your service account should the ability to push to GAR. Then use google-github-actions/auth action for authentication using workload identity like below:
the file [as a secret](https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets#creating-encrypted-secrets-for-a-repository)
named `GCR_JSON_KEY` in your GitHub repository. Set the username to `_json_key`,
or `_json_key_base64` if you use a base64-encoded key.
```yaml ```yaml
name: ci name: ci
@ -243,38 +228,34 @@ jobs:
login: login:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- - id: 'auth'
name: Authenticate to Google Cloud name: 'Authenticate to Google Cloud'
id: auth uses: 'google-github-actions/auth@v0'
uses: google-github-actions/auth@v1
with: with:
token_format: access_token token_format: 'access_token'
workload_identity_provider: <workload_identity_provider> workload_identity_provider: '<workload_identity_provider>'
service_account: <service_account> service_account: '<service_account>'
-
name: Login to GAR - name: Login to GAR
uses: docker/login-action@v3 uses: docker/login-action@v2
with: with:
registry: <location>-docker.pkg.dev registry: <location>-docker.pkg.dev
username: oauth2accesstoken username: oauth2accesstoken
password: ${{ steps.auth.outputs.access_token }} password: ${{ steps.auth.outputs.access_token }}
``` ```
> Replace `<workload_identity_provider>` with configured workload identity provider
> Replace `<workload_identity_provider>` with configured workload identity > Replace `<service_account>` with configured service account in workload identity provider which has access to push to GCR
> provider
> Replace `<service_account>` with configured service account in workload
> identity provider which has access to push to GCR
> Replace `<location>` with the regional or multi-regional [location](https://cloud.google.com/artifact-registry/docs/repo-organize#locations) > Replace `<location>` with the regional or multi-regional [location](https://cloud.google.com/artifact-registry/docs/repo-organize#locations)
> of the repository where the image is stored. > of the repository where the image is stored.
#### Service account based authentication #### Service account based authentication
Use a service account with permission to push to GAR and [configure access control](https://cloud.google.com/artifact-registry/docs/access-control). Use a service account with the ability to push to GAR and [configure access control](https://cloud.google.com/artifact-registry/docs/access-control).
Download the key for the service account as a JSON file. Save the contents of Then create and download the JSON key for this service account and save content of `.json` file
the file [as a secret](https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets#creating-encrypted-secrets-for-a-repository) [as a secret](https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets#creating-encrypted-secrets-for-a-repository)
named `GCR_JSON_KEY` in your GitHub repository. Set the username to `_json_key`, called `GAR_JSON_KEY` in your GitHub repo. Ensure you set the username to `_json_key`,
or `_json_key_base64` if you use a base64-encoded key. or `_json_key_base64` if you use a base64-encoded key.
```yaml ```yaml
@ -290,7 +271,7 @@ jobs:
steps: steps:
- -
name: Login to GAR name: Login to GAR
uses: docker/login-action@v3 uses: docker/login-action@v2
with: with:
registry: <location>-docker.pkg.dev registry: <location>-docker.pkg.dev
username: _json_key username: _json_key
@ -303,7 +284,7 @@ jobs:
### AWS Elastic Container Registry (ECR) ### AWS Elastic Container Registry (ECR)
Use an IAM user with the ability to [push to ECR with `AmazonEC2ContainerRegistryPowerUser` managed policy for example](https://docs.aws.amazon.com/AmazonECR/latest/userguide/ecr_managed_policies.html#AmazonEC2ContainerRegistryPowerUser). Use an IAM user with the ability to [push to ECR with `AmazonEC2ContainerRegistryPowerUser` managed policy for example](https://docs.aws.amazon.com/AmazonECR/latest/userguide/ecr_managed_policies.html#AmazonEC2ContainerRegistryPowerUser).
Download the access keys and save them as `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` [as secrets](https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets#creating-encrypted-secrets-for-a-repository) Then create and download access keys and save `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` [as secrets](https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets#creating-encrypted-secrets-for-a-repository)
in your GitHub repo. in your GitHub repo.
```yaml ```yaml
@ -319,15 +300,15 @@ jobs:
steps: steps:
- -
name: Login to ECR name: Login to ECR
uses: docker/login-action@v3 uses: docker/login-action@v2
with: with:
registry: <aws-account-number>.dkr.ecr.<region>.amazonaws.com registry: <aws-account-number>.dkr.ecr.<region>.amazonaws.com
username: ${{ secrets.AWS_ACCESS_KEY_ID }} username: ${{ secrets.AWS_ACCESS_KEY_ID }}
password: ${{ secrets.AWS_SECRET_ACCESS_KEY }} password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
``` ```
If you need to log in to Amazon ECR registries associated with other accounts, If you need to log in to Amazon ECR registries associated with other accounts, you can use the `AWS_ACCOUNT_IDS`
you can use the `AWS_ACCOUNT_IDS` environment variable: environment variable:
```yaml ```yaml
name: ci name: ci
@ -342,7 +323,7 @@ jobs:
steps: steps:
- -
name: Login to ECR name: Login to ECR
uses: docker/login-action@v3 uses: docker/login-action@v2
with: with:
registry: <aws-account-number>.dkr.ecr.<region>.amazonaws.com registry: <aws-account-number>.dkr.ecr.<region>.amazonaws.com
username: ${{ secrets.AWS_ACCESS_KEY_ID }} username: ${{ secrets.AWS_ACCESS_KEY_ID }}
@ -353,8 +334,8 @@ jobs:
> Only available with [AWS CLI version 1](https://docs.aws.amazon.com/cli/latest/reference/ecr/get-login.html) > Only available with [AWS CLI version 1](https://docs.aws.amazon.com/cli/latest/reference/ecr/get-login.html)
You can also use the [Configure AWS Credentials](https://github.com/aws-actions/configure-aws-credentials) You can also use the [Configure AWS Credentials](https://github.com/aws-actions/configure-aws-credentials) action in
action in combination with this action: combination with this action:
```yaml ```yaml
name: ci name: ci
@ -369,14 +350,14 @@ jobs:
steps: steps:
- -
name: Configure AWS Credentials name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v4 uses: aws-actions/configure-aws-credentials@v1
with: with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: <region> aws-region: <region>
- -
name: Login to ECR name: Login to ECR
uses: docker/login-action@v3 uses: docker/login-action@v2
with: with:
registry: <aws-account-number>.dkr.ecr.<region>.amazonaws.com registry: <aws-account-number>.dkr.ecr.<region>.amazonaws.com
``` ```
@ -385,10 +366,9 @@ jobs:
### AWS Public Elastic Container Registry (ECR) ### AWS Public Elastic Container Registry (ECR)
Use an IAM user with permission to push to ECR Public, for example using [managed policies](https://docs.aws.amazon.com/AmazonECR/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-AmazonEC2ContainerRegistryPowerUser). Use an IAM user with the ability to [push to ECR Public with `AmazonElasticContainerRegistryPublicPowerUser` managed policy for example](https://docs.aws.amazon.com/AmazonECR/latest/public/public-ecr-managed-policies.html#AmazonElasticContainerRegistryPublicPowerUser).
Download the access keys and save them as `AWS_ACCESS_KEY_ID` and Then create and download access keys and save `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` [as secrets](https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets#creating-encrypted-secrets-for-a-repository)
`AWS_SECRET_ACCESS_KEY` [secrets](https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets#creating-encrypted-secrets-for-a-repository) in your GitHub repo.
in your GitHub repository.
```yaml ```yaml
name: ci name: ci
@ -403,7 +383,7 @@ jobs:
steps: steps:
- -
name: Login to Public ECR name: Login to Public ECR
uses: docker/login-action@v3 uses: docker/login-action@v2
with: with:
registry: public.ecr.aws registry: public.ecr.aws
username: ${{ secrets.AWS_ACCESS_KEY_ID }} username: ${{ secrets.AWS_ACCESS_KEY_ID }}
@ -437,7 +417,7 @@ jobs:
steps: steps:
- -
name: Login to OCIR name: Login to OCIR
uses: docker/login-action@v3 uses: docker/login-action@v2
with: with:
registry: <region>.ocir.io registry: <region>.ocir.io
username: ${{ secrets.OCI_USERNAME }} username: ${{ secrets.OCI_USERNAME }}
@ -448,8 +428,7 @@ jobs:
### Quay.io ### Quay.io
Use a [Robot account](https://docs.quay.io/glossary/robot-accounts.html) with Use a [Robot account](https://docs.quay.io/glossary/robot-accounts.html) with the ability to push to a public/private Quay.io repository.
permission to push to a Quay.io repository.
```yaml ```yaml
name: ci name: ci
@ -464,7 +443,7 @@ jobs:
steps: steps:
- -
name: Login to Quay.io name: Login to Quay.io
uses: docker/login-action@v3 uses: docker/login-action@v2
with: with:
registry: quay.io registry: quay.io
username: ${{ secrets.QUAY_USERNAME }} username: ${{ secrets.QUAY_USERNAME }}
@ -475,15 +454,15 @@ jobs:
### inputs ### inputs
The following inputs can be used as `step.with` keys: Following inputs can be used as `step.with` keys
| Name | Type | Default | Description | | Name | Type | Default | Description |
|------------|--------|---------|-------------------------------------------------------------------------------| |------------------|---------|-----------------------------|------------------------------------|
| `registry` | String | | Server address of Docker registry. If not set then will default to Docker Hub | | `registry` | String | | Server address of Docker registry. If not set then will default to Docker Hub |
| `username` | String | | Username for authenticating to the Docker registry | | `username` | String | | Username used to log against the Docker registry |
| `password` | String | | Password or personal access token for authenticating the Docker registry | | `password` | String | | Password or personal access token used to log against the Docker registry |
| `ecr` | String | `auto` | Specifies whether the given registry is ECR (`auto`, `true` or `false`) | | `ecr` | String | `auto` | Specifies whether the given registry is ECR (`auto`, `true` or `false`) |
| `logout` | Bool | `true` | Log out from the Docker registry at the end of a job | | `logout` | Bool | `true` | Log out from the Docker registry at the end of a job |
## Keep up-to-date with GitHub Dependabot ## Keep up-to-date with GitHub Dependabot