Just for good measure and extra safety, redact temporary
credentials when aws authorization token is retrieved using
IAM authentication credentials to access Amazon ECR.
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
Hi there! We're thrilled that you'd like to contribute to this project. Your help is essential for keeping it great.
Hi there! We're thrilled that you'd like to contribute to this project. Your help is essential for keeping it great.
Contributions to this project are [released](https://help.github.com/articles/github-terms-of-service/#6-contributions-under-repository-license) to the public under the [project's open source license](LICENSE).
Contributions to this project are [released](https://docs.github.com/en/github/site-policy/github-terms-of-service#6-contributions-under-repository-license)
to the public under the [project's open source license](LICENSE).
## Submitting a pull request
## Submitting a pull request
1. [Fork](https://github.com/crazy-max/ghaction-docker-login/fork) and clone the repository
1. [Fork](https://github.com/docker/login-action/fork) and clone the repository
2. Configure and install the dependencies: `yarn install`
2. Configure and install the dependencies: `yarn install`
4. Create a new branch: `git checkout -b my-branch-name`
3. Create a new branch: `git checkout -b my-branch-name`
5. Make your change
4. Make your changes
6. Run pre-checkin: `yarn run pre-checkin`
5. Make sure the tests pass: `docker buildx bake test`
7. Push to your fork and [submit a pull request](https://github.com/crazy-max/ghaction-docker-login/compare)
6. Format code and build javascript artifacts: `docker buildx bake pre-checkin`
8. Pat your self on the back and wait for your pull request to be reviewed and merged.
7. Validate all code has correctly formatted and built: `docker buildx bake validate`
8. Push to your fork and [submit a pull request](https://github.com/docker/login-action/compare)
9. Pat your self on the back and wait for your pull request to be reviewed and merged.
Here are a few things you can do that will increase the likelihood of your pull request being accepted:
Here are a few things you can do that will increase the likelihood of your pull request being accepted:
- Write tests.
- Make sure the `README.md` and any other relevant **documentation are kept up-to-date**.
- Make sure the `README.md` and any other relevant **documentation are kept up-to-date**.
- We try to follow [SemVer v2.0.0](https://semver.org/). Randomly breaking public APIs is not an option.
- We try to follow [SemVer v2.0.0](https://semver.org/). Randomly breaking public APIs is not an option.
- Keep your change as focused as possible. If there are multiple changes you would like to make that are not dependent upon each other, consider submitting them as **separate pull requests**.
- Keep your change as focused as possible. If there are multiple changes you would like to make that are not dependent upon each other, consider submitting them as **separate pull requests**.
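Review bot: Two wording slips in the new step list: step 7 reads "Validate all code has correctly formatted and built" and should be "is correctly formatted and built", and step 9 keeps "Pat your self" from the old text where "yourself" is meant. Steps 5 to 7 now all run through `docker buildx bake`, while step 2 still only mentions `yarn install`, so it would help to state that Docker with Buildx is a prerequisite for contributing.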
@@ -24,5 +28,5 @@ Here are a few things you can do that will increase the likelihood of your pull
## Resources
## Resources
- [How to Contribute to Open Source](https://opensource.guide/how-to-contribute/)
- [How to Contribute to Open Source](https://opensource.guide/how-to-contribute/)
@@ -13,11 +13,11 @@ about: Create a report to help us improve
#### Expected behaviour
#### Expected behaviour
> Tell me what should happen
> Tell us what should happen
#### Actual behaviour
#### Actual behaviour
> Tell me what happens instead
> Tell us what happens instead
### Configuration
### Configuration
@@ -30,4 +30,5 @@ about: Create a report to help us improve
### Logs
### Logs
> Download the [log file of your build](https://help.github.com/en/actions/configuring-and-managing-workflows/managing-a-workflow-run#downloading-logs) and [attach it](https://help.github.com/en/github/managing-your-work-on-github/file-attachments-on-issues-and-pull-requests) to this issue.
> Download the [log file of your build](https://docs.github.com/en/actions/managing-workflow-runs/using-workflow-run-logs#downloading-logs)
> and [attach it](https://docs.github.com/en/github/managing-your-work-on-github/file-attachments-on-issues-and-pull-requests) to this issue.
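Review bot: The Logs prompt asks reporters to attach the full build log to a public issue, and for an action whose job is handling registry credentials that deserves one more sentence in the template: ask the reporter to check the log for tokens or passwords that were not masked before attaching it. The commit message itself treats redaction as a safety net rather than a guarantee, so the template should not assume every log is clean.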
# Support [](https://isitmaintained.com/project/crazy-max/ghaction-docker-login)
# Support [](https://isitmaintained.com/project/docker/login-action)
## Reporting an issue
## Reporting an issue
Please do a search in [open issues](https://github.com/crazy-max/ghaction-docker-login/issues?utf8=%E2%9C%93&q=) to see if the issue or feature request has already been filed.
Please do a search in [open issues](https://github.com/docker/login-action/issues?utf8=%E2%9C%93&q=) to see if the issue or feature request has already been filed.
If you find your issue already exists, make relevant comments and add your [reaction](https://github.com/blog/2119-add-reactions-to-pull-requests-issues-and-comments). Use a reaction in place of a "+1" comment.
If you find your issue already exists, make relevant comments and add your [reaction](https://github.com/blog/2119-add-reactions-to-pull-requests-issues-and-comments). Use a reaction in place of a "+1" comment.
@@ -21,9 +21,9 @@ File a single issue per problem and feature request.
The more information you can provide, the more likely someone will be successful reproducing the issue and finding a fix.
The more information you can provide, the more likely someone will be successful reproducing the issue and finding a fix.
You are now ready to [create a new issue](https://github.com/crazy-max/ghaction-docker-login/issues/new/choose)!
You are now ready to [create a new issue](https://github.com/docker/login-action/issues/new/choose)!
## Closure policy
## Closure policy
* Issues that don't have the information requested above (when applicable) will be closed immediately and the poster directed to the support guidelines.
* Issues that don't have the information requested above (when applicable) will be closed immediately and the poster directed to the support guidelines.
* Issues that go a week without a response from original poster are subject to closure at my discretion.
* Issues that go a week without a response from original poster are subject to closure at our discretion.
* [Keep up-to-date with GitHub Dependabot](#keep-up-to-date-with-github-dependabot)
* [How can I help?](#how-can-i-help)
* [License](#license)
## Usage
## Usage
### Docker Hub
To authenticate against [Docker Hub](https://hub.docker.com) it's strongly recommended to create a
[personal access token](https://docs.docker.com/docker-hub/access-tokens/) as an alternative to your password.
```yaml
```yaml
name:ci
name:ci
on:
on:
push:
push:
branches:master
branches:main
tags:
jobs:
jobs:
login:
login:
runs-on:ubuntu-latest
runs-on:ubuntu-latest
steps:
steps:
-
-
name:Checkout
name:Login to Docker Hub
uses:actions/checkout@v2
uses:docker/login-action@v2
-
name:Login to DockerHub
uses:crazy-max/ghaction-docker-login@v1
with:
with:
username:${{ secrets.DOCKER_USERNAME }}
username:${{ secrets.DOCKERHUB_USERNAME }}
password:${{ secrets.DOCKER_PASSWORD }}
password:${{ secrets.DOCKERHUB_TOKEN }}
```
### GitHub Container Registry
To authenticate against the [GitHub Container Registry](https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry),
use the [`GITHUB_TOKEN`](https://docs.github.com/en/actions/reference/authentication-in-a-workflow) for the best
security and experience.
```yaml
name:ci
on:
push:
branches:main
jobs:
login:
runs-on:ubuntu-latest
steps:
-
name:Login to GitHub Container Registry
uses:docker/login-action@v2
with:
registry:ghcr.io
username:${{ github.actor }}
password:${{ secrets.GITHUB_TOKEN }}
```
You may need to [manage write and read access of GitHub Actions](https://docs.github.com/en/packages/managing-github-packages-using-github-actions-workflows/publishing-and-installing-a-package-with-github-actions#upgrading-a-workflow-that-accesses-ghcrio)
for repositories in the container settings.
You can also use a [personal access token (PAT)](https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token)
with the [appropriate scopes](https://docs.github.com/en/packages/getting-started-with-github-container-registry/migrating-to-github-container-registry-for-docker-images#authenticating-with-the-container-registry).
### GitLab
```yaml
name:ci
on:
push:
branches:main
jobs:
login:
runs-on:ubuntu-latest
steps:
-
name:Login to GitLab
uses:docker/login-action@v2
with:
registry:registry.gitlab.com
username:${{ secrets.GITLAB_USERNAME }}
password:${{ secrets.GITLAB_PASSWORD }}
```
If you have [Two-Factor Authentication](https://gitlab.com/help/user/profile/account/two_factor_authentication) enabled, use a [Personal Access Token](https://gitlab.com/help/user/profile/personal_access_tokens) instead of a password.
### Azure Container Registry (ACR)
[Create a service principal](https://docs.microsoft.com/en-us/azure/container-registry/container-registry-auth-service-principal#create-a-service-principal)
with access to your container registry through the [Azure CLI](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli)
and take note of the generated service principal's ID (also called _client ID_) and password (also called _client secret_).
```yaml
name:ci
on:
push:
branches:main
jobs:
login:
runs-on:ubuntu-latest
steps:
-
name:Login to ACR
uses:docker/login-action@v2
with:
registry:<registry-name>.azurecr.io
username:${{ secrets.AZURE_CLIENT_ID }}
password:${{ secrets.AZURE_CLIENT_SECRET }}
```
> Replace `<registry-name>` with the name of your registry.
### Google Container Registry (GCR)
> [Google Artifact Registry](#google-artifact-registry-gar) is the evolution of Google Container Registry. As a
> fully-managed service with support for both container images and non-container artifacts. If you currently use
> Google Container Registry, use the information [on this page](https://cloud.google.com/artifact-registry/docs/transition/transition-from-gcr)
> to learn about transitioning to Google Artifact Registry.
You can use either workload identity federation based keyless authentication or service account based authentication.
#### Workload identity federation based authentication
Configure the workload identity federation for github actions in gcloud (for steps, [refer here](https://github.com/google-github-actions/auth#setting-up-workload-identity-federation)). In the steps, your service account should the ability to push to GCR. Then use google-github-actions/auth action for authentication using workload identity like below:
> Replace `<workload_identity_provider>` with configured workload identity provider. For steps to configure, [refer here](https://github.com/google-github-actions/auth#setting-up-workload-identity-federation).
> Replace `<service_account>` with configured service account in workload identity provider which has access to push to GCR
#### Service account based authentication
Use a service account with the ability to push to GCR and [configure access control](https://cloud.google.com/container-registry/docs/access-control).
Then create and download the JSON key for this service account and save content of `.json` file
[as a secret](https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets#creating-encrypted-secrets-for-a-repository)
called `GCR_JSON_KEY` in your GitHub repo. Ensure you set the username to `_json_key`,
or `_json_key_base64` if you use a base64-encoded key.
```yaml
name:ci
on:
push:
branches:main
jobs:
login:
runs-on:ubuntu-latest
steps:
-
name:Login to GCR
uses:docker/login-action@v2
with:
registry:gcr.io
username:_json_key
password:${{ secrets.GCR_JSON_KEY }}
```
### Google Artifact Registry (GAR)
You can use either workload identity federation based keyless authentication or service account based authentication.
#### Workload identity federation based authentication
Configure the workload identity federation for github actions in gcloud (for steps, [refer here](https://github.com/google-github-actions/auth#setting-up-workload-identity-federation)). In the steps, your service account should the ability to push to GAR. Then use google-github-actions/auth action for authentication using workload identity like below:
> Replace `<workload_identity_provider>` with configured workload identity provider
> Replace `<service_account>` with configured service account in workload identity provider which has access to push to GCR
> Replace `<location>` with the regional or multi-regional [location](https://cloud.google.com/artifact-registry/docs/repo-organize#locations)
> of the repository where the image is stored.
#### Service account based authentication
Use a service account with the ability to push to GAR and [configure access control](https://cloud.google.com/artifact-registry/docs/access-control).
Then create and download the JSON key for this service account and save content of `.json` file
[as a secret](https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets#creating-encrypted-secrets-for-a-repository)
called `GAR_JSON_KEY` in your GitHub repo. Ensure you set the username to `_json_key`,
or `_json_key_base64` if you use a base64-encoded key.
```yaml
name:ci
on:
push:
branches:main
jobs:
login:
runs-on:ubuntu-latest
steps:
-
name:Login to GAR
uses:docker/login-action@v2
with:
registry:<location>-docker.pkg.dev
username:_json_key
password:${{ secrets.GAR_JSON_KEY }}
```
> Replace `<location>` with the regional or multi-regional [location](https://cloud.google.com/artifact-registry/docs/repo-organize#locations)
> of the repository where the image is stored.
### AWS Elastic Container Registry (ECR)
Use an IAM user with the ability to [push to ECR with `AmazonEC2ContainerRegistryPowerUser` managed policy for example](https://docs.aws.amazon.com/AmazonECR/latest/userguide/ecr_managed_policies.html#AmazonEC2ContainerRegistryPowerUser).
Then create and download access keys and save `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` [as secrets](https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets#creating-encrypted-secrets-for-a-repository)
> Replace `<aws-account-number>` and `<region>` with their respective values.
### AWS Public Elastic Container Registry (ECR)
Use an IAM user with the ability to [push to ECR Public with `AmazonElasticContainerRegistryPublicPowerUser` managed policy for example](https://docs.aws.amazon.com/AmazonECR/latest/public/public-ecr-managed-policies.html#AmazonElasticContainerRegistryPublicPowerUser).
Then create and download access keys and save `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` [as secrets](https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets#creating-encrypted-secrets-for-a-repository)
in your GitHub repo.
```yaml
name:ci
on:
push:
branches:main
jobs:
login:
runs-on:ubuntu-latest
steps:
-
name:Login to Public ECR
uses:docker/login-action@v2
with:
registry:public.ecr.aws
username:${{ secrets.AWS_ACCESS_KEY_ID }}
password:${{ secrets.AWS_SECRET_ACCESS_KEY }}
env:
AWS_REGION:<region>
```
> Replace `<region>` with its respective value (default `us-east-1`).
To push into OCIR in specific tenancy the [username](https://www.oracle.com/webfolder/technetwork/tutorials/obe/oci/registry/index.html#LogintoOracleCloudInfrastructureRegistryfromtheDockerCLI)
must be placed in format `<tenancy>/<username>` (in case of federated tenancy use the format
For password [create an auth token](https://www.oracle.com/webfolder/technetwork/tutorials/obe/oci/registry/index.html#GetanAuthToken).
Save username and token [as a secrets](https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets#creating-encrypted-secrets-for-a-repository)
in your GitHub repo.
```yaml
name:ci
on:
push:
branches:main
jobs:
login:
runs-on:ubuntu-latest
steps:
-
name:Login to OCIR
uses:docker/login-action@v2
with:
registry:<region>.ocir.io
username:${{ secrets.OCI_USERNAME }}
password:${{ secrets.OCI_TOKEN }}
```
> Replace `<region>` with their respective values from [availability regions](https://docs.cloud.oracle.com/iaas/Content/Registry/Concepts/registryprerequisites.htm#Availab)
### Quay.io
Use a [Robot account](https://docs.quay.io/glossary/robot-accounts.html) with the ability to push to a public/private Quay.io repository.
```yaml
name:ci
on:
push:
branches:main
jobs:
login:
runs-on:ubuntu-latest
steps:
-
name:Login to Quay.io
uses:docker/login-action@v2
with:
registry:quay.io
username:${{ secrets.QUAY_USERNAME }}
password:${{ secrets.QUAY_ROBOT_TOKEN }}
```
```
## Customizing
## Customizing
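Review bot: In the Google Artifact Registry workload identity section, the `<service_account>` note still says "which has access to push to GCR"; it looks carried over from the GCR section and should say GAR. Both workload identity paragraphs also read "your service account should the ability to push", which is missing "have". The GCR note for `<workload_identity_provider>` links to the setup steps while the GAR one does not; make the two consistent.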
@@ -57,21 +461,21 @@ Following inputs can be used as `step.with` keys
| `registry` | String | | Server address of Docker registry. If not set then will default to Docker Hub |
| `registry` | String | | Server address of Docker registry. If not set then will default to Docker Hub |
| `username` | String | | Username used to log against the Docker registry |
| `username` | String | | Username used to log against the Docker registry |
| `password` | String | | Password or personal access token used to log against the Docker registry |
| `password` | String | | Password or personal access token used to log against the Docker registry |
| `ecr` | String | `auto` | Specifies whether the given registry is ECR (`auto`, `true` or `false`) |
| `logout` | Bool | `true` | Log out from the Docker registry at the end of a job |
| `logout` | Bool | `true` | Log out from the Docker registry at the end of a job |
## Limitation
## Keep up-to-date with GitHub Dependabot
This action is only available for Linux [virtual environments](https://help.github.com/en/articles/virtual-environments-for-github-actions#supported-virtual-environments-and-hardware-resources).
Since [Dependabot](https://docs.github.com/en/github/administering-a-repository/keeping-your-actions-up-to-date-with-github-dependabot)
has [native GitHub Actions support](https://docs.github.com/en/github/administering-a-repository/configuration-options-for-dependency-updates#package-ecosystem),
to enable it on your GitHub repo all you need to do is add the `.github/dependabot.yml` file:
## How can I help?
```yaml
version:2
All kinds of contributions are welcome :raised_hands:! The most basic way to show your support is to star :star2:
updates:
the project, or to raise issues :speech_balloon: You can also support this project by
# Maintain dependencies for GitHub Actions
[**becoming a sponsor on GitHub**](https://github.com/sponsors/crazy-max) :clap: or by making a
- package-ecosystem:"github-actions"
[Paypal donation](https://www.paypal.me/crazyws) to ensure this journey continues indefinitely! :rocket:
directory:"/"
schedule:
Thanks again for your support, it is much appreciated! :pray:
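Review bot: The new `ecr` row lists the accepted values (`auto`, `true` or `false`) but does not say what `auto` does. Document how the action decides that a registry is ECR in `auto` mode and when a user would need to force `true` or `false`, because the ECR examples pass AWS access keys as `username` and `password` and a reader has to know which mode triggers that handling.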
File diff suppressed because it is too large