Is there a way to use private images from a registry with authentication for custom GitHub Docker container actions? Would like to point runs.image at a private Docker image. Ideally, one which is uploaded to a GitHub Packages registry.
# action.yml
name: 'Hello World'
description: 'Greet someone'
inputs:
  who_to_greet: # id of input
    description: 'Who to greet'
    required: true
    default: 'World'
outputs:
  time: # id of output
    description: 'The time we greeted you'
runs:
  using: 'docker'
  image: 'Dockerfile'
  args:
    - ${{ inputs.who_to_greet }}
https://docs.github.com/en/actions/creating-actions/creating-a-docker-container-action
I have a shell script which runs k6 scenarios. This shell script successfully runs locally as well as on TeamCity via Docker.
I'm trying to set up GitHub Actions to run the Docker which runs the script so that each time a PR is merged, it runs. But without giving any error, the script is not really running: the logs from the GitHub action print neither the echo statements from the script nor any k6 logs.
Custom action - action.yml:
name: 'k6 Load Test'
description: 'K6 action created similar to grafana for running load test with k6 in Antman project.'
inputs:
  cloud:
    description: |
      To run in the k6 cloud, provide your k6 cloud token as a secret to the input `token`.
    required: false
    default: false
  token:
    description: |
      k6 Cloud Token. Only required for using the cloud service.
    required: false
    default: ''
  filename:
    description: |
      Path to the test script to execute, relative to the workspace.
    required: true
    default: './src/scenarios/full-card-visa/index.js'
  flags:
    description: |
      Additional argument, flags and environment variables to provide to the k6 CLI.
    required: false
    default: ''
runs:
  using: 'docker'
  image: 'Dockerfile'
  env:
    K6_CLOUD_TOKEN: ${{ inputs.token }}
  args:
    - ${{ inputs.cloud }}
    - ${{ inputs.filename || './src/scenarios/full-card-visa/index.js' }}
    - ${{ inputs.flags }}
Github action that uses action.yml:
name: K6 Local Cloud test
on:
  push:
    branches:
      - 'main'
      - 'task/ANT-4-github-action'
  pull_request:
    types: [opened]
jobs:
  k6_load_test:
    name: k6 Load Test
    runs-on: ubuntu-latest
    steps:
      - name: Checkout branch
        uses: actions/checkout@v3
        with:
          ref: task/ANT-4-github-action
      - name: Run load test using action code from commit
        uses: ./
        with:
          filename: ./src/scenarios/full-card-visa/index.js
          cloud: true
          token: <my token>
Dockerfile:
FROM loadimpact/k6:0.34.1
COPY ./src/lib /lib
COPY ./src/scenarios /scenarios
COPY ./src/k6-run-all.sh /k6-run-all.sh
WORKDIR /
ENTRYPOINT []
CMD ["sh", "-c", "./src/k6-run-all.sh"]
Sample github action run (runs successfully but doesn't really run k6):
Please note, I do not have permission to use grafana/k6 directly hence created my own action from their code.
I am trying to use GitHub workflow to build an ASP.NET 6 project using Dockerfile then push the image to a private Azure Registry using docker.
Here is my .yml file
name: Docker Image CI
on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Login To Azure Container Registr
        uses: Azure/docker-login@v1
        with:
          login-server: ${{ secrets.ACR_HOST }}
          username: ${{ secrets.ACR_USERNAME }}
          password: ${{ secrets.ACR_PASSWWORD }}
      - name: Build And Push Docker Images
        uses: docker/build-push-action@v3.1.1
        with:
          push: true
          file: ./Dockerfile
          tags: companyname/projectname:${{ github.run_number }}
In the above, the Dockerfile is located in the root of my project's code.
However, when the build runs, I get the following error
Error: buildx failed with: error: denied: requested access to the resource is denied
In the Secrets > Action section in my repository settings, I added ACR_HOST, ACR_USERNAME and ACR_PASSWORD secrets.
When viewing the logs, this issue seems to happen after this line in the logs
pushing companyname/projectname:2 with docker:
How can I solve this issue?
UPDATED
I changed the .yml script to the following
name: Docker Image CI
on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Login To Azure Container Registr
        uses: Azure/docker-login@v1
        with:
          login-server: mycontainer.azurecr.io
          username: "The admin username"
          password: "The admin password"
      - run: cat ${{ env.DOCKER_CONFIG }}/config.json
      - name: Build And Push Docker Images
        uses: docker/build-push-action@v3.1.1
        with:
          push: true
          file: ./Dockerfile
          tags: companyname/projectname:${{ github.run_number }}
The added step (i.e., cat ${{ env.DOCKER_CONFIG }}/config.json) displayed a JSON string that looks like this
{"auths":{"mycontainer.azurecr.io":{"auth":"BASE64 string with the admin username:password as expected"}}}
The base64 string was formatted like this: username:password
I am assuming that the step Azure/docker-login@v1 has no issue and stages the token for docker/build-push-action@v3.1.1 correctly.
If I set the push flag to false in the docker/build-push-action@v3.1.1 step, the workflow runs with no issue. So from what I can tell, the issue is when the step docker/build-push-action@v3.1.1 tries to push the created image to the Azure registry.
I used my local machine to log in using the same credentials and it all worked with no issue: docker login mycontainer.azurecr.io
Additionally, the login request from my local machine is logged in the Azure portal. However, I do not see the request when I run the workflow.
I think that the main issue is that the step docker/build-push-action@v3.1.1 does not attempt to log in before it pushes the image.
I followed the instructions here and it worked.
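One check that fits the symptoms described above, as an added example (not code from the original post): Docker treats the first path component of an image reference as a registry host only when it contains "." or ":" or is "localhost", so companyname/projectname:2 resolves to Docker Hub while the login was made against mycontainer.azurecr.io. The function names and the sample config are constructed for illustration; the check compares registry host names only and never reads or prints an auth value.

```python
import json

DEFAULT_REGISTRY = "docker.io"


def registry_of(image_ref):
    """Return the registry host an image reference resolves to.

    The first path component counts as a registry only if it contains
    '.' or ':' or equals 'localhost'; otherwise the reference names a
    Docker Hub repository.
    """
    first, sep, _rest = image_ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return DEFAULT_REGISTRY


def logged_in_registries(config_json):
    """Registry hosts listed under "auths"; the auth values are not touched."""
    auths = json.loads(config_json).get("auths", {})
    hosts = set()
    for key in auths:
        # Keys are bare hosts or URLs such as https://index.docker.io/v1/
        host = key.split("://", 1)[-1].split("/", 1)[0]
        hosts.add(DEFAULT_REGISTRY if host == "index.docker.io" else host)
    return hosts


def tags_without_login(tags, config_json):
    """Return (tag, registry) pairs that would be pushed without credentials."""
    known = logged_in_registries(config_json)
    return [(t, registry_of(t)) for t in tags if registry_of(t) not in known]


# Constructed sample mirroring the workflow above; the auth value is a placeholder.
SAMPLE_CONFIG = '{"auths": {"mycontainer.azurecr.io": {"auth": "PLACEHOLDER"}}}'
SAMPLE_TAGS = [
    "companyname/projectname:2",
    "mycontainer.azurecr.io/companyname/projectname:2",
]

if __name__ == "__main__":
    for tag, reg in tags_without_login(SAMPLE_TAGS, SAMPLE_CONFIG):
        print(f"{tag}: resolves to {reg}, no login for that registry")
```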
I am trying to create a Github-Actions workflow - pytorch_error.yml to automatically push Docker images to Docker Hub using Github Actions -
# This is a basic workflow to help you get started with Actions
name: Building and pushing Docker images to Docker hub
# Controls when the workflow will run
on:
  workflow_dispatch:
    branches: [main]
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
  # This workflow contains a single job called "build"
  build_push_pytorch_docker_image:
    name: Build and push apex-pytorch-image image to Docker Hub
    # The type of runner that the job will run on
    runs-on: ubuntu-latest
    # Steps represent a sequence of tasks that will be executed as part of the job
    steps:
      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
      - name: Checkout Github repo
        uses: actions/checkout@v2
      - name: Log into Docker Hub
        uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_PASSWORD }}
      - name: Get Metadata (tags,labels) for Docker images
        id: meta_pytorch
        uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
        with:
          images: kusur/apex-pytorch-image
      - name: Build and push Docker image to Docker Hub
        uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
        with:
          context: .
          file: ./dockerfile-pytorch
          push: true
          tags: ${{ steps.meta_pytorch.ouputs.tags }}
          labels: ${{ steps.meta_pytorch.outputs.labels }}
Whenever I execute this code, I get the following error -
error: tag is needed when pushing to registry
Error: buildx call failed with: error: tag is needed when pushing to registry
While looking at the logs, I see that the tag is being generated at the previous step i.e "Get Metadata (tags,labels) for Docker images" -
with:
  images: ***/apex-pytorch-image
  github-token: ***
Context info
  eventName: workflow_dispatch
  sha: 046137ce5ae09aac18ba44083cd061ac3a37e48a
  ref: refs/heads/main
  workflow: Building and pushing Docker images to Docker hub
  action: meta_pytorch
  actor: ***
  runNumber: 2
  runId: 1090239471
Processing tags input
  type=schedule,pattern=nightly,enable=true,priority=1000
  type=ref,event=branch,enable=true,priority=600
  type=ref,event=tag,enable=true,priority=600
  type=ref,event=pr,prefix=pr-,enable=true,priority=600
Processing flavor input
  latest=auto
  prefix=
  suffix=
Docker image version
  main
Docker tags
  ***/apex-pytorch-image:main
Docker labels
  org.opencontainers.image.title=learning-audio-processing
  org.opencontainers.image.description=Learning Audio Processing
  org.opencontainers.image.url=https://github.com/***/learning-audio-processing
  org.opencontainers.image.source=https://github.com/***/learning-audio-processing
  org.opencontainers.image.version=main
  org.opencontainers.image.created=2021-08-02T12:39:20.636Z
  org.opencontainers.image.revision=046137ce5ae09aac18ba44083cd061ac3a37e48a
  org.opencontainers.image.licenses=Unlicense
JSON output
  {
    "tags": [
      "***/apex-pytorch-image:main"
    ],
    "labels": {
      "org.opencontainers.image.title": "learning-audio-processing",
      "org.opencontainers.image.description": "Learning Audio Processing",
      "org.opencontainers.image.url": "https://github.com/***/learning-audio-processing",
      "org.opencontainers.image.source": "https://github.com/***/learning-audio-processing",
      "org.opencontainers.image.version": "main",
      "org.opencontainers.image.created": "2021-08-02T12:39:20.636Z",
      "org.opencontainers.image.revision": "046137ce5ae09aac18ba44083cd061ac3a37e48a",
      "org.opencontainers.image.licenses": "Unlicense"
    }
  }
Bake definition file
  {
    "target": {
      "docker-metadata-action": {
        "tags": [
          "***/apex-pytorch-image:main"
        ],
        "labels": {
          "org.opencontainers.image.title": "learning-audio-processing",
          "org.opencontainers.image.description": "Learning Audio Processing",
          "org.opencontainers.image.url": "https://github.com/***/learning-audio-processing",
          "org.opencontainers.image.source": "https://github.com/***/learning-audio-processing",
          "org.opencontainers.image.version": "main",
          "org.opencontainers.image.created": "2021-08-02T12:39:20.636Z",
          "org.opencontainers.image.revision": "046137ce5ae09aac18ba44083cd061ac3a37e48a",
          "org.opencontainers.image.licenses": "Unlicense"
        },
        "args": {
          "DOCKER_META_IMAGES": "***/apex-pytorch-image",
          "DOCKER_META_VERSION": "main"
        }
      }
    }
  }
but it is not being read by the build-push-action. This code is copied from Publishing Docker Images. Another file created from this reference is pytorch_image.yml and this code executes without any issue, but the code in question is breaking again and again. I am not able to make out any difference between pytorch_image.yml and pytorch_error.yml. Any help?
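A pre-merge check for this class of mistake, as an added example (not part of the original question): in the workflow above the tags expression reads steps.meta_pytorch.ouputs.tags while the labels expression reads steps.meta_pytorch.outputs.labels, and GitHub Actions evaluates an unknown property to an empty string instead of failing. The linter below is a text-based heuristic with constructed names; the sample is cut down from the workflow in the question.

```python
import re

# Properties that the `steps.<id>` context exposes in GitHub Actions.
STEP_PROPERTIES = {"outputs", "outcome", "conclusion"}

EXPR = re.compile(r"\$\{\{(.*?)\}\}")
STEP_REF = re.compile(r"\bsteps\.([A-Za-z_][\w-]*)\.([A-Za-z_][\w-]*)")
STEP_ID = re.compile(
    r"^\s*(?:-\s+)?id:\s*['\"]?([A-Za-z_][\w-]*)['\"]?\s*$", re.M
)


def lint_step_refs(workflow_text):
    """Return (line_no, expression, problem) for suspicious steps.* references."""
    declared = set(STEP_ID.findall(workflow_text))
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        for expr in EXPR.findall(line):
            for step_id, prop in STEP_REF.findall(expr):
                if step_id not in declared:
                    problem = f"unknown step id '{step_id}'"
                elif prop not in STEP_PROPERTIES:
                    problem = f"unknown property '{prop}'"
                else:
                    continue
                findings.append((line_no, expr.strip(), problem))
    return findings


# Constructed sample: the two relevant steps from the workflow in the question.
SAMPLE = """\
steps:
  - name: Get Metadata (tags,labels) for Docker images
    id: meta_pytorch
    uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
  - name: Build and push Docker image to Docker Hub
    uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
    with:
      push: true
      tags: ${{ steps.meta_pytorch.ouputs.tags }}
      labels: ${{ steps.meta_pytorch.outputs.labels }}
"""

if __name__ == "__main__":
    for line_no, expr, problem in lint_step_refs(SAMPLE):
        print(f"line {line_no}: {expr}: {problem}")
```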
I am using self hosted github runners for vpn access to some software and I am trying to use a dockerized github action on the self hosted runners but I am having issues because I need to specify the --network host flag when github action runs docker run. Is there a way to have the github action use the network of the host?
As far as I know, it is not possible. It's not available on steps either. Options are available on jobs though. The only other way is for you to create a composite action and run docker run ... directly in it. Here is one that I wrote for my own workflow. It's slightly more complicated but it allows you to automatically pass environment variables from the runner to the docker container based on the variable name prefix:
name: Docker start container
description: Start a detached container
inputs:
  image:
    description: The image to use
    required: true
  name:
    description: The container name
    required: true
  options:
    description: Additional options to pass to docker run
    required: false
    default: ''
  command:
    description: The command to run
    required: false
    default: ''
  env_pattern:
    description: The environment variable pattern to pass to the container
    required: false
    default: ''
outputs:
  cid:
    description: Container ID
    value: ${{ steps.info.outputs.cid }}
runs:
  using: composite
  steps:
    - name: Run
      shell: bash
      run: >
        variables='';
        for i in $(env | grep '${{ inputs.env_pattern }}' | awk -F '=' '{print $1}'); do
        variables="--env ${i} ${variables}";
        done;
        docker run -d
        --name ${{ inputs.name }}
        --network host
        --cidfile ${{ inputs.name }}.cid
        ${variables}
        ${{ inputs.options }}
        ${{ inputs.image }}
        ${{ inputs.command }}
    - name: Info
      id: info
      shell: bash
      run: echo "::set-output name=cid::$(cat ${{ inputs.name }}.cid)"
and to use it:
- name: Start app container
  uses: ./.github/actions/docker-start-container
  with:
    image: myapp/myapp:latest
    name: myapp
    env_pattern: 'MYAPP_'
    options: --entrypoint entrypoint.sh
    command: >
      --check
      -v
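The selection step in the composite action above, env | grep PATTERN | awk -F '=' '{print $1}', matches the pattern anywhere in a line of env output, so a variable is also forwarded when only its value contains the pattern, and the default empty pattern forwards every variable on the runner. The added example below (not part of the original answer; function names and the sample environment are constructed) reproduces that selection next to a strict name-prefix filter and builds the docker run arguments as a list.

```python
import re


def names_by_grep(environ, pattern):
    """Names selected by `env | grep PATTERN | awk -F '=' '{print $1}'`:
    every output line containing PATTERN, cut at the first '='."""
    dump = "\n".join(f"{k}={v}" for k, v in environ.items())
    return [
        line.split("=", 1)[0]
        for line in dump.splitlines()
        if re.search(pattern, line)
    ]


def names_by_prefix(environ, prefix):
    """Only variables whose *name* starts with a non-empty prefix."""
    if not prefix:
        raise ValueError("refusing to forward the whole environment")
    return sorted(k for k in environ if k.startswith(prefix))


def docker_run_argv(image, name, environ, prefix, extra=()):
    """Build `docker run` as an argv list so no value is re-parsed by a shell."""
    argv = ["docker", "run", "-d", "--name", name, "--network", "host"]
    for var in names_by_prefix(environ, prefix):
        # Name only: docker copies the value from the caller's environment.
        argv += ["--env", var]
    return argv + list(extra) + [image]


# Constructed sample environment; values are placeholders.
SAMPLE_ENV = {
    "MYAPP_DB_HOST": "db.internal",
    "DEPLOY_NOTE": "rollout for MYAPP_ service",
    "CI_TOKEN": "placeholder",
    "MYAPP_BANNER": "line one\nline two",
}

if __name__ == "__main__":
    print("grep selection:  ", names_by_grep(SAMPLE_ENV, "MYAPP_"))
    print("prefix selection:", names_by_prefix(SAMPLE_ENV, "MYAPP_"))
    print(docker_run_argv("myapp/myapp:latest", "myapp", SAMPLE_ENV, "MYAPP_"))
```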
I am trying to write a custom github-action that runs some commands in a docker container but allows the user to select which docker container they are run in (i.e. so I can run the same build instructions across different versions of the runtime environment).
My gut instinct was to have my .github/actions/main/action.yml file as
name: 'Docker container command execution'
inputs:
  dockerfile:
    default: Dockerfile_r_latest
runs:
  using: 'docker'
  image: '${{ inputs.dockerfile }}'
  args:
    - /scripts/commands.sh
However this errors with:
##[error](Line: 7, Col: 10): Unrecognized named-value: 'inputs'. Located at position 1 within expression: inputs.dockerfile
Any help would be appreciated!
File References
My .github/workflow/build_and_test.yml file is:
name: Test Package
on:
  [push, pull_request]
jobs:
  R_latest:
    name: Test on latest
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
        name: Checkout project
      - uses: ./.github/actions/main
        name: Build and test
        with:
          dockerfile: Dockerfile_r_latest
And my Dockerfile .github/actions/main/Dockerfile_r_latest is:
FROM rocker/verse:latest
ADD scripts /scripts
ENTRYPOINT [ "bash", "-c" ]
Interesting approach! I'm not sure if it's possible to use expressions in the image field of the action metadata. I would guess that the only fields that can take expressions instead of hardcoded strings are the args for the image so that the inputs can be passed.
For reference this is the args section of the action.yml metadata.
https://help.github.com/en/articles/metadata-syntax-for-github-actions#args
I think there are other ways to achieve what you want to do. Have you tried using the jobs.<job_id>.container syntax? That allows you to specify an image that the steps of a job will run in. It will require that you publish the image to a public repository, though. So take care not to include any secrets.
For example, if you published your image to Docker Hub at gowerc/r-latest your workflow might look something like this:
name: Test Package
on:
  [push, pull_request]
jobs:
  R_latest:
    name: Test on latest
    runs-on: ubuntu-latest
    container: gowerc/r-latest
    steps:
      - uses: actions/checkout@master
        name: Checkout project
      - name: Build and test
        run: ./scripts/commands.sh
ref: https://help.github.com/en/articles/workflow-syntax-for-github-actions#jobsjob_idcontainer
Alternatively, you can also specify your image at the step level with uses. You could then pass a command via args to execute your script.
name: my workflow
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - name: Check container
        uses: docker://alpine:3.8
        with:
          args: /bin/sh -c "cat /etc/alpine-release"
ref: https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#example-using-a-docker-hub-action
In addition to @peterevans' answer, I would add there's a 3rd option where you can use a simple docker run command and pass any env that you have defined.
That helped to solve 3 things:
1. Reuse a custom docker image being built within the steps for testing actions. It seems not possible to do so with uses as it first tries to pull that image that doesn't exist yet in a Setup job step that occurs before any steps of the job.
2. This specific image can also be stored in a private docker registry
3. Be able to use a variable for the docker image
My workflow looks like this:
name: Build-Test-Push
on:
  push:
    branches:
      - master
env:
  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
  ECR_REGISTRY: ${{ secrets.AWS_ECR_REGISTRY }}
  ECR_REPOSITORY: myproject/myimage
  IMAGE_TAG: ${{ github.sha }}
jobs:
  build-and-push:
    runs-on: ubuntu-latest
    steps:
      - name: Checking out
        uses: actions/checkout@v2
        with:
          ref: master
      - name: Login to AWS ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v1
      - name: Build
        run: |
          docker pull $ECR_REGISTRY/$ECR_REPOSITORY || true
          docker build . -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG -t $ECR_REGISTRY/$ECR_REPOSITORY:latest
      - name: Test
        run: |
          docker run $ECR_REGISTRY/$ECR_REPOSITORY:latest /bin/bash -c "make test"
      - name: Push
        run: |
          docker push $ECR_REGISTRY/$ECR_REPOSITORY
Here is another approach. The Docker image to use is passed to a cibuild shell script that takes care of pulling the right image.
GitHub workflow file:
name: 'GH Actions CI'
on:
  push:
    branches: ['*master', '*0.[0-9]?.x']
  pull_request:
    # The branches below must be a subset of the branches above
    branches: ['*master', '*0.[0-9]?.x']
jobs:
  build:
    name: Build
    runs-on: ubuntu-latest
    strategy:
      fail-fast: true
      matrix:
        include:
          - FROM: 'ubuntu:focal'
          - FROM: 'ubuntu:bionic'
          - FROM: 'ubuntu:xenial'
          - FROM: 'debian:buster'
          - FROM: 'debian:stretch'
          - FROM: 'opensuse/leap'
          - FROM: 'fedora:33'
          - FROM: 'fedora:32'
          - FROM: 'centos:8'
    steps:
      - name: Checkout repository
        uses: actions/checkout@v2
        with:
          # We must fetch at least the immediate parents so that if this is
          # a pull request then we can checkout the head.
          fetch-depth: 2
      # If this run was triggered by a pull request event, then checkout
      # the head of the pull request instead of the merge commit.
      - run: git checkout HEAD^2
        if: ${{ github.event_name == 'pull_request' }}
      - name: Run CI
        env:
          FROM: ${{ matrix.FROM }}
        run: script/cibuild
Bash script script/cibuild:
#!/bin/bash
set -e
docker run --name my-docker-container $FROM script/custom-script.sh
docker cp my-docker-container:/usr/src/my-workdir/my-outputs .
docker rm my-docker-container
echo "cibuild Done!"
Put your custom commands in script/custom-script.sh.