Compare commits

6 Commits

Author SHA1 Message Date
David Montoya
5ef05762b9
Merge 8852fa90d2 into bdf14dc173 2025-09-09 01:04:27 +00:00
CrazyMax
bdf14dc173
Merge pull request #884 from docker/dependabot/github_actions/actions/checkout-5
build(deps): bump actions/checkout from 4 to 5
2025-09-08 16:20:39 +02:00
CrazyMax
21ddfdf39a
Merge pull request #886 from docker/dependabot/github_actions/aws-actions/configure-aws-credentials-5
build(deps): bump aws-actions/configure-aws-credentials from 4 to 5
2025-09-08 16:20:21 +02:00
dependabot[bot]
d5f9e03fca
build(deps): bump aws-actions/configure-aws-credentials from 4 to 5
Bumps [aws-actions/configure-aws-credentials](https://github.com/aws-actions/configure-aws-credentials) from 4 to 5.
- [Release notes](https://github.com/aws-actions/configure-aws-credentials/releases)
- [Changelog](https://github.com/aws-actions/configure-aws-credentials/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws-actions/configure-aws-credentials/compare/v4...v5)

---
updated-dependencies:
- dependency-name: aws-actions/configure-aws-credentials
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-09-04 11:17:32 +00:00
dependabot[bot]
9b3389107c
build(deps): bump actions/checkout from 4 to 5
Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 5.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v4...v5)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-08-12 14:16:25 +00:00
David Montoya
8852fa90d2
update docs for workload identity federation with GAR
this is a last mile doc improvement for
https://github.com/docker/login-action/issues/640.

it clarifies how to use direct identity federation in GAR without a
service account using `google-github-actions/auth@v2`.

Signed-off-by: David Montoya <davidmontoyago@gmail.com>
2025-07-09 13:20:30 -05:00
6 changed files with 36 additions and 35 deletions

@ -19,7 +19,7 @@ jobs:
steps:
-
name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@v5
-
name: Stop docker
run: |
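Review bot: `uses: actions/checkout@v5` here, and in every other hunk of this file, follows a mutable major tag, and the commit message marks the bump as `version-update:semver-major`. Pin the action to the full commit SHA of the v5 release, keeping the tag as a trailing comment, and check the linked release notes for breaking changes against the runners these jobs use before merging.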
@ -43,7 +43,7 @@ jobs:
steps:
-
name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@v5
-
name: Login to GitHub Container Registry
uses: ./
@ -60,7 +60,7 @@ jobs:
steps:
-
name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@v5
-
name: Login to GitHub Container Registry
uses: ./
@ -85,7 +85,7 @@ jobs:
steps:
-
name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@v5
-
name: Login to ACR
uses: ./
@ -105,7 +105,7 @@ jobs:
steps:
-
name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@v5
-
name: Login to Docker Hub
uses: ./
@ -124,7 +124,7 @@ jobs:
steps:
-
name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@v5
-
name: Login to ECR
uses: ./
@ -144,10 +144,10 @@ jobs:
steps:
-
name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@v5
-
name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v4
uses: aws-actions/configure-aws-credentials@v5
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
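Review bot: `aws-actions/configure-aws-credentials@v5` is handed `secrets.AWS_ACCESS_KEY_ID` and `secrets.AWS_SECRET_ACCESS_KEY` in the `with:` block right below it, so a floating major tag on this step means whatever that tag points to later receives the keys. Pin this step to a full commit SHA; the same applies to the identical step in the hunk at line 192. Because this is a major bump of a credential-handling action, read the linked changelog for changes to input handling before merging. As a follow-up outside this change, these jobs could move from static keys to OIDC role assumption.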
@ -169,7 +169,7 @@ jobs:
steps:
-
name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@v5
-
name: Login to Public ECR
continue-on-error: ${{ matrix.os == 'windows-latest' }}
@ -192,10 +192,10 @@ jobs:
steps:
-
name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@v5
-
name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v4
uses: aws-actions/configure-aws-credentials@v5
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
@ -218,7 +218,7 @@ jobs:
steps:
-
name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@v5
-
name: Login to GitHub Container Registry
uses: ./
@ -238,7 +238,7 @@ jobs:
steps:
-
name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@v5
-
name: Login to GitLab
uses: ./
@ -258,7 +258,7 @@ jobs:
steps:
-
name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@v5
-
name: Login to Google Artifact Registry
uses: ./
@ -278,7 +278,7 @@ jobs:
steps:
-
name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@v5
-
name: Login to Google Container Registry
uses: ./

@ -31,7 +31,7 @@ jobs:
steps:
-
name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@v5
-
name: Initialize CodeQL
uses: github/codeql-action/init@v3

@ -15,7 +15,7 @@ jobs:
steps:
-
name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@v5
-
name: Publish
uses: actions/publish-immutable-action@v0.0.4
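Review bot: in this publish job, `actions/publish-immutable-action@v0.0.4` is referenced by an exact version while `actions/checkout@v5` two lines above floats on a major tag. The checkout step runs directly before the Publish step, so its reference should be at least as strict as the publisher's; use a full commit SHA here.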

@ -17,7 +17,7 @@ jobs:
steps:
-
name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@v5
-
name: Test
uses: docker/bake-action@v6

@ -19,7 +19,7 @@ jobs:
steps:
-
name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@v5
-
name: List targets
id: generate

@ -227,8 +227,9 @@ You can authenticate with workload identity federation or a service account.
#### Workload identity federation
Your service account must have permission to push to GAR. Use the
`google-github-actions/auth` action to authenticate using workload identity as
Configure [Direct Workload Identity Federation](https://github.com/google-github-actions/auth/blob/v2.1.10/README.md#preferred-direct-workload-identity-federation) for GitHub Actions in Google Cloud and avoid long-lived GCP credentials.
Make sure to grant the [principal identity](https://cloud.google.com/iam/docs/workload-identity-federation#principal-types) enough permissions to the GAR repository (E.g.: `roles/artifactregistry.writer`).
Use the `google-github-actions/auth@v2` action to authenticate using workload identity as
shown in the following example:
```yaml
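Review bot: the added "Direct Workload Identity Federation" link targets the `v2.1.10` README while the sentence after it tells readers to use `google-github-actions/auth@v2`, so the linked instructions can fall behind the version people actually run; link to the `v2` ref or say why a patch release is pinned. In the same paragraph, `(E.g.: ...)` should read `(e.g. ...)`, and the sentence would be clearer if it said outright that `roles/artifactregistry.writer` is granted on the specific repository rather than project-wide.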
@ -238,6 +239,11 @@ on:
push:
branches: main
env:
GCP_PROJECT: ${{ secrets.GCP_PROJECT }}
WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
REGISTRY_URL: ${{ secrets.REGISTRY_URL }}
jobs:
login:
runs-on: ubuntu-latest
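Review bot: the `login:` job in the context lines shows no `permissions:` block, and the workflow depends on the GitHub OIDC token for workload identity federation; if the full example does not already grant `id-token: write`, add it to the job so the snippet works when copied. Separately, the three values added under `env:` are read from `secrets.*`, but a project id, a provider resource name and a registry host are identifiers rather than credentials; consider `vars.*`, or add a sentence explaining why they are stored as secrets.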
@ -245,28 +251,23 @@ jobs:
-
name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@v1
uses: google-github-actions/auth@v2
with:
token_format: access_token
workload_identity_provider: <workload_identity_provider>
service_account: <service_account>
project_id: ${{ env.GCP_PROJECT }}
workload_identity_provider: ${{ env.WORKLOAD_IDENTITY_PROVIDER }}
-
name: Login to GAR
name: Login to Google Artifact Registry
uses: docker/login-action@v3
with:
registry: <location>-docker.pkg.dev
registry: ${{ env.REGISTRY_URL}}
username: oauth2accesstoken
password: ${{ steps.auth.outputs.access_token }}
password: ${{ steps.auth.outputs.auth_token }}
```
> Replace `<workload_identity_provider>` with configured workload identity
> provider
> Set `WORKLOAD_IDENTITY_PROVIDER` to the configured workload identity provider. For steps to configure, [see here](https://github.com/google-github-actions/auth/blob/v2.1.10/README.md#inputs).
> Replace `<service_account>` with configured service account in workload
> identity provider which has access to push to GCR
> Replace `<location>` with the regional or multi-regional [location](https://cloud.google.com/artifact-registry/docs/repo-organize#locations)
> of the repository where the image is stored.
> Set `REGISTRY_URL` to the regional or multi-regional [repository URL](https://cloud.google.com/artifact-registry/docs/repo-organize#locations).
#### Service account based authentication
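Review bot: `registry: ${{ env.REGISTRY_URL}}` replaces `<location>-docker.pkg.dev`, and the new note calls the value a "repository URL", which invites readers to paste a value with a scheme or repository path where the removed line showed a bare registry host. State the expected form in the note, for example by keeping `<location>-docker.pkg.dev` as the sample value, and add the missing space before `}}` to match the other expressions. The switch from `steps.auth.outputs.access_token` to `steps.auth.outputs.auth_token`, together with the removal of `token_format` and `service_account`, also deserves one sentence in the notes saying which token is now passed as the password, since that is the behavioural change readers upgrading from the old example will hit.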