Custom action using private docker registry

[gopisaba]

Select Topic Area

Question

Body

Hi All,

I am trying to create new custom docker actions using the private/internal docker image but I am getting unauthorized. Is it even possible to do this?

# Custom Actions with private image
name: 'action_do_something'
description: 'Actions do something'
runs:
  using: 'docker'
  image: 'ghcr.io/org/private-image:1.2.3'
  args:
    - I_am_parameter_1

I even tried to login to the registry before using the custom action but that didn't work too.

# Workflow consuming above actions
name: Test Github Packages
on:
    workflow_dispatch:
permissions:
    packages: read
    contents: read
    id-token: write
jobs:
    test-job:
        runs-on: ubuntu-latest
        steps:
            - uses: actions/checkout@v3
            - uses: docker/login-action@v2
              with:
                registry: ghcr.io
                username: ${{ github.actor }}
                password: ${{ secrets.GITHUB_TOKEN }}
            - uses: org/actions-repo/actions@1.2.3

[grahame-student]

I've been trying to do something along these line too, also without success.

We have to protect the IP of the tools that we use, which is why having a publicly accessible docker image is not feasible. Creating an internal docker container works great, however consuming that container as part of an internal action is where I'm getting stuck.

I'm sure that other developers, within enterprise organisations, must have wanted to use actions in just this way.

[github-actions[bot]]

🕒 Discussion Activity Reminder 🕒

This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one the following actions:

1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as out of date at the bottom of the page.

2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.

3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.

Note: This dormant notification will only apply to Discussions with the Question label. To learn more, see our recent announcement.

Thank you for helping bring this Discussion to a resolution! 💬

[shoaibli]

I'd be glad to help you create custom Docker actions using private/internal images within GitHub Actions. While directly referencing private images in the workflow YAML can be challenging due to security concerns, there are effective workarounds:

Method 1: Using a Docker Registry Secret

Create a Docker Registry Secret:

Go to your GitHub repository's settings.
Navigate to "Secrets" under "Security."
Click "New secret" and name it appropriately (e.g., DOCKER_REGISTRY_CREDENTIALS).
Paste the base64-encoded credentials for your private registry in the value field. You can generate the credentials using echo -n "username:password" | base64.
Pass Credentials as Environment Variables:

In your custom action's workflow YAML, define environment variables to store the username and password retrieved from the secret:
YAML
name: 'action_do_something'
description: 'Actions do something'
runs:
using: 'docker'
image: 'docker:stable-alpine' # Use a public image for execution
env:
DOCKER_USERNAME: ${{ secrets.DOCKER_REGISTRY_CREDENTIALS.split(':')[0] }}
DOCKER_PASSWORD: ${{ secrets.DOCKER_REGISTRY_CREDENTIALS.split(':')[1] }}
args:

• I_am_parameter_1
  Use code with caution.
  content_copy
  Access these environment variables within your custom action's Dockerfile or entrypoint script to authenticate with the private registry.
  Workflow Consuming the Action:

Use the custom action in your workflow, specifying the public Docker image (docker:stable-alpine) and referencing the previously defined secret:
YAML
name: Test Github Packages
on:
workflow_dispatch:
permissions:
packages: read
contents: read
id-token: write
jobs:
test-job:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: org/actions-repo/actions@1.2.3
with:
DOCKER_REGISTRY_USERNAME: ${{ secrets.DOCKER_REGISTRY_CREDENTIALS.split(':')[0] }}
DOCKER_REGISTRY_PASSWORD: ${{ secrets.DOCKER_REGISTRY_CREDENTIALS.split(':')[1] }}
Use code with caution.
content_copy
Method 2: Using a Docker Registry Login Action (Limited Access)

Create a Custom Docker Registry Login Action:

If your use case allows it, you can create a separate action that logs in to the private registry using a dedicated service account or token. This action should be kept private within your organization.
Utilize the Login Action:

In your custom action's workflow YAML, include the login action as a step before running the private image:
YAML
name: 'action_do_something'
description: 'Actions do something'
runs:
using: 'docker'
image: 'docker:stable-alpine' # Use a public image for execution
steps:

• uses: org/login-action@v1 # Replace with your private login action

• ... rest of your custom action steps

args:

• I_am_parameter_1
  Use code with caution.
  content_copy
  Remember to adapt the action names and secret names to your specific setup.

Additional Considerations:

Choose the method that best suits your security requirements and access control constraints.
Ensure proper permissions are granted to the service account or token used for authentication (Method 2).
Consider using a dedicated credential provider for more advanced use cases. Refer to the Docker documentation for details: https://docs.docker.com/reference/cli/docker/login/
By following these approaches, you can effectively create custom invoice Docker actions within GitHub Actions that leverage your private/internal Docker images while maintaining security best practices.

[github-actions[bot]]

🕒 Discussion Activity Reminder 🕒

This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one the following actions:

1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as out of date at the bottom of the page.

2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.

3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.

Note: This dormant notification will only apply to Discussions with the Question label. To learn more, see our recent announcement.

Thank you for helping bring this Discussion to a resolution! 💬

[mroy-seedbox]

There is still no resolution for this?

Trying to do the same thing without any success. 😞

Using an image from GHCR, not DockerHub. It's in the same repo as the action, but can't access it at all.

[mroy-seedbox]

Something doesn't make sense..... even this does not work:

      - name: Create Docker credentials for GHCR
        id: docker_auth
        env:
          USER: ${{ github.actor }}
          PASS: ${{ secrets.GITHUB_TOKEN }}
        run: |
          CREDS='{"auths": {"ghcr.io": {"auth": "'$(echo -n "$USER:$PASS" | base64)'"}}}'
          echo "config=$CREDS" >> "$GITHUB_OUTPUT"
        shell: bash
      - name: Test docker
        run: docker pull ghcr.io/org/repo
        shell: bash
        env:
          DOCKER_AUTH_CONFIG: ${{ steps.docker_auth.outputs.config }}

Still returns Error response from daemon: Head "https://ghcr.io/v2/org/repo/manifests/latest": unauthorized 😩

Same issue here:

• Error response from daemon: Head .'..manifests/latest": unauthorized #32801
• Can't pull docker image from GitHub Packages registry from GitHub Actions workflow - unauthorized error #45981

[mroy-seedbox]

I found a workaround!

Pulling the image ahead of time allows it to then be used by the following steps/actions without requiring auth!

      - uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Pull docker image
        run: docker pull ghcr.io/org/repo
        shell: bash
      - [ other steps can now use the image! ]