@yokawasa
Last active March 28, 2024 14:32
ghcr (GitHub Container Registry)

ghcr (GitHub Container Registry) quickstart

CLI

To push container images to ghcr, you need a personal access token (PAT); see how to create a PAT.

  1. Get PAT (personal access token)

     Personal Settings > Developer settings > Personal access tokens

  2. ghcr login test

     # echo "$PAT" | docker login ghcr.io -u <GitHub username> --password-stdin
     echo "$PAT" | docker login ghcr.io -u yokawasa --password-stdin

     Login Succeeded

  3. push

     docker tag mycontainer ghcr.io/yokawasa/myrepo/mycontainer:0.0.1
     docker push ghcr.io/yokawasa/myrepo/mycontainer:0.0.1

  4. inspect

     docker inspect ghcr.io/yokawasa/myrepo/mycontainer:0.0.1
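
Before the login step, it is worth confirming that the PAT carries only what a push needs and that it expires. The script below is an added example, not part of the original gist: it reads the response headers GitHub's REST API returns for a classic PAT (`X-OAuth-Scopes` and `GitHub-Authentication-Token-Expiration`) and reports missing or excess scopes and a missing expiry. The allow-list, the function names, the finding labels and the sample headers are assumptions made for the example.

```sh
#!/bin/sh
# Preflight check for a classic PAT before `docker login ghcr.io`.
# Feed it GitHub API response headers on stdin, for example:
#   curl -sS -D - -o /dev/null -H "Authorization: Bearer $PAT" https://api.github.com/user
# Prints one finding per line; the exit status is the number of findings.

# Assumption: a push-only token needs nothing beyond these scopes.
ALLOWED_SCOPES="write:packages read:packages"

# header_value <lowercase-name>: first matching header value from stdin.
header_value() (
  tr -d '\r' | awk -v n="$1" '{
    i = index($0, ":")
    if (i && tolower(substr($0, 1, i - 1)) == n) {
      v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v; exit
    }
  }'
)

check_pat_headers() (
  headers=$(cat)
  scopes=$(printf '%s\n' "$headers" | header_value x-oauth-scopes)
  expiry=$(printf '%s\n' "$headers" | header_value github-authentication-token-expiration)
  findings=0
  case ", $scopes," in
    *", write:packages,"*) ;;
    *) echo "MISSING write:packages"; findings=$((findings + 1)) ;;
  esac
  for scope in $(printf '%s' "$scopes" | tr ',' ' '); do
    case " $ALLOWED_SCOPES " in
      *" $scope "*) ;;
      *) echo "EXCESS $scope"; findings=$((findings + 1)) ;;
    esac
  done
  if [ -z "$expiry" ]; then
    echo "NO-EXPIRY"; findings=$((findings + 1))
  fi
  exit "$findings"
)

# Constructed sample: headers for an over-scoped token with no expiration.
SAMPLE_BAD='HTTP/2 200
x-oauth-scopes: repo, write:packages, delete:packages'
printf '%s\n' "$SAMPLE_BAD" | check_pat_headers || echo "findings: $?"
```
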

GitHub Actions

You can access containers seamlessly from Actions workflows via the GITHUB_TOKEN.

The Container registry supports the GITHUB_TOKEN for easy and secure authentication in your workflows. If your workflow is using a personal access token (PAT) to authenticate to ghcr.io, then we highly recommend you update your workflow to use the GITHUB_TOKEN.

      - name: Log in to registry
        # This is where you will update the PAT to GITHUB_TOKEN
        run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin

See Upgrading a workflow that accesses ghcr.io for more detail

Associate a certain package to a repository


@yokawasa
Author

memo:
There are a couple of other public registries. For instance, trivy uses dockerhub, public.ecr.aws as well as ghcr.io

docker pull aquasec/trivy:0.19.2
docker pull ghcr.io/aquasecurity/trivy:0.19.2
docker pull public.ecr.aws/aquasecurity/trivy:0.19.2
docker pull aquasec/trivy:latest
docker pull ghcr.io/aquasecurity/trivy:latest
docker pull public.ecr.aws/aquasecurity/trivy:latest

https://github.com/aquasecurity/trivy/releases

@timothyclarke

What permissions do you need in the PAT? Ticking ALL for a never expire token is bad practice

@yokawasa
Author

What permissions do you need in the PAT? Ticking ALL for a never expire token is bad practice

@timothyclarke write:packages permission is needed in the PAT. Regarding the expiration, I agree with you. Expiration should be set for the token.
