@yokawasa
Last active October 14, 2024 13:38
ghcr (GitHub Container Registry)

ghcr (GitHub Container Registry) quickstart

CLI

To push container images to ghcr, you need a personal access token (PAT); see how to create a PAT.

  1. Get PAT (personal access token)

Personal Settings > Developer settings > Personal access tokens

  2. ghcr login test
# echo "$PAT" | docker login ghcr.io -u <GitHub username> --password-stdin
echo "$PAT" | docker login ghcr.io -u yokawasa --password-stdin

Login Succeeded

  3. push
docker tag mycontainer ghcr.io/yokawasa/myrepo/mycontainer:0.0.1
docker push ghcr.io/yokawasa/myrepo/mycontainer:0.0.1

  4. inspect
docker inspect ghcr.io/yokawasa/myrepo/mycontainer:0.0.1
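
Before the login step, it helps to confirm that the PAT carries write:packages and nothing broader. The script below is an added example, not part of the original gist: it parses the X-OAuth-Scopes header that the GitHub REST API returns for a classic PAT and reports any scope outside the allowed set. The function names, the ALLOWED_SCOPES list and the sample headers are assumptions constructed for this example.

```shell
#!/usr/bin/env bash
# Added example: audit a classic PAT's scopes before `docker login ghcr.io`.
# GitHub's REST API reports a classic token's scopes in the X-OAuth-Scopes
# response header.

# Assumption: the token is used only to push and pull images.
ALLOWED_SCOPES="write:packages read:packages"

# stdin: raw HTTP response headers. stdout: one scope per line.
extract_scopes() {
  tr -d '\r' | { grep -i '^x-oauth-scopes:' || true; } | cut -d: -f2- \
    | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//; /^$/d'
}

# stdin: raw HTTP response headers.
# Prints one finding per line; returns 0 only if the token has
# write:packages and nothing outside ALLOWED_SCOPES.
audit_pat_scopes() (
  has_write=no
  status=0
  for s in $(extract_scopes); do
    if [ "$s" = "write:packages" ]; then has_write=yes; fi
    case " $ALLOWED_SCOPES " in
      *" $s "*) ;;
      *) echo "excess: $s"; status=1 ;;
    esac
  done
  if [ "$has_write" = no ]; then echo "missing: write:packages"; status=1; fi
  exit "$status"
)

# Live check (needs network). The token is fed to curl on stdin via -H @-
# so it does not appear in the process list.
audit_live_pat() {
  printf 'Authorization: token %s\n' "$PAT" \
    | curl -fsSI -H @- https://api.github.com | audit_pat_scopes
}

# Constructed sample headers, not captured from a real token.
SAMPLE_BROAD='HTTP/2 200
x-oauth-scopes: repo, delete:packages, write:packages
x-accepted-oauth-scopes: '
SAMPLE_NARROW='HTTP/2 200
X-OAuth-Scopes: write:packages'

# Demonstration on the constructed over-scoped sample.
printf '%s\n' "$SAMPLE_BROAD" | audit_pat_scopes || true
```

With PAT exported in the shell, audit_live_pat runs the same check against the real token.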

GitHub Actions

You can access containers seamlessly from Actions workflows via the GITHUB_TOKEN.

The Container registry supports the GITHUB_TOKEN for easy and secure authentication in your workflows. If your workflow is using a personal access token (PAT) to authenticate to ghcr.io, then we highly recommend you update your workflow to use the GITHUB_TOKEN.

     - name: Log in to registry
       # This is where you will update the PAT to GITHUB_TOKEN
       run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin

See Upgrading a workflow that accesses ghcr.io for more detail

Associate a certain package to a repository

REFERENCES

@yokawasa
Author

memo:
There are a couple of other public registries. For instance, trivy uses dockerhub and public.ecr.aws as well as ghcr.io

docker pull aquasec/trivy:0.19.2
docker pull ghcr.io/aquasecurity/trivy:0.19.2
docker pull public.ecr.aws/aquasecurity/trivy:0.19.2
docker pull aquasec/trivy:latest
docker pull ghcr.io/aquasecurity/trivy:latest
docker pull public.ecr.aws/aquasecurity/trivy:latest

https://github.com/aquasecurity/trivy/releases

@timothyclarke

What permissions do you need in the PAT? Ticking ALL for a never expire token is bad practice

@yokawasa
Author

What permissions do you need in the PAT? Ticking ALL for a never expire token is bad practice

@timothyclarke write:packages permission is needed in the PAT. Regarding the expiration, I agree with you. Expiration should be set for the token.

@vanillaiice

Thank you for this!
