About

GitHub Action to login against a Docker registry.

---

• Usage
  • Docker Hub
  • GitHub Container Registry
  • GitLab
  • Azure Container Registry (ACR)
  • Google Container Registry (GCR)
  • Google Artifact Registry (GAR)
  • AWS Elastic Container Registry (ECR)
  • AWS Public Elastic Container Registry (ECR)
  • OCI Oracle Cloud Infrastructure Registry (OCIR)
  • Quay.io
  • DigitalOcean
• Customizing
  • inputs
• Keep up-to-date with GitHub Dependabot

Usage

Docker Hub

When authenticating to Docker Hub with GitHub Actions, use a personal access token. Don't use your account password.

name: ci

on:
  push:
    branches: main

jobs:
  login:
    runs-on: ubuntu-latest
    steps:
      -
        name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

GitHub Container Registry

To authenticate to the GitHub Container Registry, use the GITHUB_TOKEN secret.

name: ci

on:
  push:
    branches: main

jobs:
  login:
    runs-on: ubuntu-latest
    steps:
      -
        name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

You may need to manage write and read access of GitHub Actions for repositories in the container settings.

You can also use a personal access token (PAT) with the appropriate scopes.

GitLab

name: ci

on:
  push:
    branches: main

jobs:
  login:
    runs-on: ubuntu-latest
    steps:
      -
        name: Login to GitLab
        uses: docker/login-action@v3
        with:
          registry: registry.gitlab.com
          username: ${{ secrets.GITLAB_USERNAME }}
          password: ${{ secrets.GITLAB_PASSWORD }}

If you have Two-Factor Authentication enabled, use a Personal Access Token instead of a password.

Azure Container Registry (ACR)

Create a service principal with access to your container registry through the Azure CLI and take note of the generated service principal's ID (also called client ID) and password (also called client secret).

name: ci

on:
  push:
    branches: main

jobs:
  login:
    runs-on: ubuntu-latest
    steps:
      -
        name: Login to ACR
        uses: docker/login-action@v3
        with:
          registry: <registry-name>.azurecr.io
          username: ${{ secrets.AZURE_CLIENT_ID }}
          password: ${{ secrets.AZURE_CLIENT_SECRET }}

Replace <registry-name> with the name of your registry.

Google Container Registry (GCR)

Google Artifact Registry is the evolution of Google Container Registry. As a fully-managed service with support for both container images and non-container artifacts. If you currently use Google Container Registry, use the information on this page to learn about transitioning to Google Artifact Registry.

You can authenticate with workload identity federation or a service account.

Workload identity federation

Configure the workload identity federation for GitHub Actions in Google Cloud, see here. Your service account must have permission to push to GCR. Use the google-github-actions/auth action to authenticate using workload identity as shown in the following example:

name: ci

on:
  push:
    branches: main

jobs:
  login:
    runs-on: ubuntu-latest
    steps:
    -
      name: Authenticate to Google Cloud
      id: auth
      uses: google-github-actions/auth@v1
      with:
        token_format: access_token
        workload_identity_provider: <workload_identity_provider>
        service_account: <service_account>
    -
      name: Login to GCR
      uses: docker/login-action@v3
      with:
        registry: gcr.io
        username: oauth2accesstoken
        password: ${{ steps.auth.outputs.access_token }}

Replace <workload_identity_provider> with configured workload identity provider. For steps to configure, see here.

Replace <service_account> with configured service account in workload identity provider which has access to push to GCR

Service account based authentication

Use a service account with permission to push to GCR and configure access control. Download the key for the service account as a JSON file. Save the contents of the file as a secret named GCR_JSON_KEY in your GitHub repository. Set the username to _json_key, or _json_key_base64 if you use a base64-encoded key.

name: ci

on:
  push:
    branches: main

jobs:
  login:
    runs-on: ubuntu-latest
    steps:
      -
        name: Login to GCR
        uses: docker/login-action@v3
        with:
          registry: gcr.io
          username: _json_key
          password: ${{ secrets.GCR_JSON_KEY }}

Google Artifact Registry (GAR)

You can authenticate with workload identity federation or a service account.

Workload identity federation

Download the key for the service account as a JSON file. Save the contents of the file as a secret named GCR_JSON_KEY in your GitHub repository. Set the username to _json_key, or _json_key_base64 if you use a base64-encoded key.

name: ci

on:
  push:
    branches: main

jobs:
  login:
    runs-on: ubuntu-latest
    steps:
      -
        name: Authenticate to Google Cloud
        id: auth
        uses: google-github-actions/auth@v1
        with:
          token_format: access_token
          workload_identity_provider: <workload_identity_provider>
          service_account: <service_account>
      -
        name: Login to GAR
        uses: docker/login-action@v3
        with:
          registry: <location>-docker.pkg.dev
          username: oauth2accesstoken
          password: ${{ steps.auth.outputs.access_token }}

Replace <workload_identity_provider> with configured workload identity provider

Replace <service_account> with configured service account in workload identity provider which has access to push to GCR

Replace <location> with the regional or multi-regional location of the repository where the image is stored.

Service account based authentication

Use a service account with permission to push to GAR and configure access control. Download the key for the service account as a JSON file. Save the contents of the file as a secret named GCR_JSON_KEY in your GitHub repository. Set the username to _json_key, or _json_key_base64 if you use a base64-encoded key.

name: ci

on:
  push:
    branches: main

jobs:
  login:
    runs-on: ubuntu-latest
    steps:
      -
        name: Login to GAR
        uses: docker/login-action@v3
        with:
          registry: <location>-docker.pkg.dev
          username: _json_key
          password: ${{ secrets.GAR_JSON_KEY }}

Replace <location> with the regional or multi-regional location of the repository where the image is stored.

AWS Elastic Container Registry (ECR)

Use an IAM user with the ability to push to ECR with AmazonEC2ContainerRegistryPowerUser managed policy for example. Download the access keys and save them as AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY as secrets in your GitHub repo.

name: ci

on:
  push:
    branches: main

jobs:
  login:
    runs-on: ubuntu-latest
    steps:
      -
        name: Login to ECR
        uses: docker/login-action@v3
        with:
          registry: <aws-account-number>.dkr.ecr.<region>.amazonaws.com
          username: ${{ secrets.AWS_ACCESS_KEY_ID }}
          password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

If you need to log in to Amazon ECR registries associated with other accounts, you can use the AWS_ACCOUNT_IDS environment variable:

name: ci

on:
  push:
    branches: main

jobs:
  login:
    runs-on: ubuntu-latest
    steps:
      -
        name: Login to ECR
        uses: docker/login-action@v3
        with:
          registry: <aws-account-number>.dkr.ecr.<region>.amazonaws.com
          username: ${{ secrets.AWS_ACCESS_KEY_ID }}
          password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        env:
          AWS_ACCOUNT_IDS: 012345678910,023456789012

Only available with AWS CLI version 1

You can also use the Configure AWS Credentials action in combination with this action:

name: ci

on:
  push:
    branches: main

jobs:
  login:
    runs-on: ubuntu-latest
    steps:
      -
        name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: <region>
      -
        name: Login to ECR
        uses: docker/login-action@v3
        with:
          registry: <aws-account-number>.dkr.ecr.<region>.amazonaws.com

Replace <aws-account-number> and <region> with their respective values.

AWS Public Elastic Container Registry (ECR)

Use an IAM user with permission to push to ECR Public, for example using managed policies. Download the access keys and save them as AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY secrets in your GitHub repository.

name: ci

on:
  push:
    branches: main

jobs:
  login:
    runs-on: ubuntu-latest
    steps:
      -
        name: Login to Public ECR
        uses: docker/login-action@v3
        with:
          registry: public.ecr.aws
          username: ${{ secrets.AWS_ACCESS_KEY_ID }}
          password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        env:
          AWS_REGION: <region>

Replace <region> with its respective value (default us-east-1).

OCI Oracle Cloud Infrastructure Registry (OCIR)

To push into OCIR in specific tenancy the username must be placed in format <tenancy>/<username> (in case of federated tenancy use the format <tenancy-namespace>/oracleidentitycloudservice/<username>).

For password create an auth token. Save username and token as a secrets in your GitHub repo.

name: ci

on:
  push:
    branches: main

jobs:
  login:
    runs-on: ubuntu-latest
    steps:
      -
        name: Login to OCIR
        uses: docker/login-action@v3
        with:
          registry: <region>.ocir.io
          username: ${{ secrets.OCI_USERNAME }}
          password: ${{ secrets.OCI_TOKEN }}

Replace <region> with their respective values from availability regions

Quay.io

Use a Robot account with permission to push to a Quay.io repository.

name: ci

on:
  push:
    branches: main

jobs:
  login:
    runs-on: ubuntu-latest
    steps:
      -
        name: Login to Quay.io
        uses: docker/login-action@v3
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_USERNAME }}
          password: ${{ secrets.QUAY_ROBOT_TOKEN }}

DigitalOcean Container Registry

Use your DigitalOcean registered email address and an API access token to authenticate.

name: ci

on:
  push:
    branches: main

jobs:
  login:
    runs-on: ubuntu-latest
    steps:
      -
        name: Login to DigitalOcean Container Registry
        uses: docker/login-action@v3
        with:
          registry: registry.digitalocean.com
          username: ${{ secrets.DIGITALOCEAN_USERNAME }}
          password: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}

Customizing

inputs

The following inputs can be used as step.with keys:

Name	Type	Default	Description
registry	String		Server address of Docker registry. If not set then will default to Docker Hub
username	String		Username for authenticating to the Docker registry
password	String		Password or personal access token for authenticating the Docker registry
ecr	String	auto	Specifies whether the given registry is ECR (auto, true or false)
logout	Bool	true	Log out from the Docker registry at the end of a job

Keep up-to-date with GitHub Dependabot

Since Dependabot has native GitHub Actions support, to enable it on your GitHub repo all you need to do is add the .github/dependabot.yml file:

version: 2
updates:
  # Maintain dependencies for GitHub Actions
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "daily"