|
{% raw %}
```yaml
on:
push:
branches: ['release']
```
{% endraw %}
|
Configures the Create and publish a package workflow to run every time a change is pushed to the branch called release.
|
|
{% raw %}
```yaml
run-npm-build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: npm install and build webpack
run: |
npm install
npm run build
- uses: actions/upload-artifact@main
with:
name: webpack artifacts
path: public/
```
{% endraw %}
|
This job installs NPM and uses it to build the app.
|
|
{% raw %}
```yaml
run-npm-test:
runs-on: ubuntu-latest
needs: run-npm-build
strategy:
matrix:
os: [ubuntu-latest]
node-version: [14.x]
steps:
- uses: actions/checkout@v2
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v1
with:
node-version: ${{ matrix.node-version }}
- uses: actions/download-artifact@main
with:
name: webpack artifacts
path: public
- name: npm install, and test
run: |
npm install
npm test
env:
CI: true
```
{% endraw %}
|
This job uses npm test to test the code. The needs: run-npm-build command makes this job dependent on the run-npm-build job.
|
{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@3.1" or currentVersion == "github-ae@next" %}
|
{% raw %}
```yaml
permissions:
contents: read
packages: write
```
{% endraw %}
|
Sets the permissions granted to the GITHUB_TOKEN for the actions in this job.
|
{% endif %}
|
{% raw %}
```yaml
- name: Build container image
```
{% endraw %}
|
Creates a new step called Build container image. This step runs as part of the build-and-push-image job. The needs: run-npm-test command makes this job dependent on the run-npm-test job.
|
|
{% raw %}
```yaml
uses: docker/build-push-action@v1
```
{% endraw %}
|
Uses the Docker build-push-action action to build the image, based on your repository's Dockerfile. If the build succeeds, it pushes the image to {% data variables.product.prodname_registry %}.
|
|
{% raw %}
```yaml
with:
```
{% endraw %}
|
Sends the required parameters to the build-push-action action. This are defined in the subsequent lines.
|
|
{% raw %}
```yaml
username: ${{ github.actor }}
```
{% endraw %}
|
Defines the user account that will publish the packages. Once published, the packages are owned by the account defined here.
|
|
{% raw %}
```yaml
password: ${{ secrets.GITHUB_TOKEN }}
```
{% endraw %}
|
Defines the password that is used to access {% data variables.product.prodname_registry %}.
|
|
```yaml
registry: {% if currentVersion == "github-ae@latest" %}docker.YOUR-HOSTNAME.com{% else %}docker.pkg.github.com{% endif %}
```
|
Defines the registry that will host the resulting packages. This example uses {% data variables.product.prodname_registry %}.{% if currentVersion == "github-ae@latest" %} Replace YOUR-HOSTNAME with the name of your enterprise.{% endif %} {% if currentVersion == "free-pro-team@latest" %} If you're using the {% data variables.product.prodname_container_registry %}, then use ghcr.io as the hostname.{% endif %}
|
|
{% raw %}
```yaml
repository: ${{ github.repository }}/octo-image
```
{% endraw %}
|
Defines which repository will host the resulting package, and sets the name of the published package. Replace octo-image with the name you want for your package.
|
|
{% raw %}
```yaml
tag_with_sha: true
```
{% endraw %}
|
Tags the published package with the first seven characters of the commit's SHA. For example, sha-2f2d842.
|
|
{% raw %}
```yaml
tag_with_ref: true
```
{% endraw %}
|
Tags the published package with the git ref. This can be the name of the branch used to create the package.
|
- This new workflow will run automatically every time you push a change to a branch named `release` in the repository. You can view the progress in the **Actions** tab.
- A few minutes after the workflow has completed, the new package will visible in your repository. To find your available packages, see "[Viewing a repository's packages](/packages/publishing-and-managing-packages/viewing-packages#viewing-a-repositorys-packages)."
### Installing a package using an action
You can install packages as part of your CI flow using {% data variables.product.prodname_actions %}. For example, you could configure a workflow so that anytime a developer pushes code to a pull request, the workflow resolves dependencies by downloading and installing packages hosted by {% data variables.product.prodname_registry %}. Then, the workflow can run CI tests that require the dependencies.
Installing packages hosted by {% data variables.product.prodname_registry %} through {% data variables.product.prodname_actions %} requires minimal configuration or additional authentication when you use the `GITHUB_TOKEN`.{% if currentVersion == "free-pro-team@latest" %} Data transfer is also free when an action installs a package. For more information, see "[About billing for {% data variables.product.prodname_registry %}](/github/setting-up-and-managing-billing-and-payments-on-github/about-billing-for-github-packages)."{% endif %}
{% if currentVersion == "free-pro-team@latest" %}
The `GITHUB_TOKEN` cannot install packages from any private repository besides the repository where the action runs. You cannot currently use the `GITHUB_TOKEN` to authenticate to {% data variables.product.prodname_github_container_registry %}.
{% endif %}
{% data reusables.package_registry.actions-configuration %}
{% if currentVersion == "free-pro-team@latest" %}
### Upgrading a workflow that accesses `ghcr.io`
{% data reusables.package_registry.github-token-security-over-pat %}
Using the `GITHUB_TOKEN` instead of a PAT, which includes the `repo` scope, increases the security of your repository as you don't need to use a long-lived PAT that offers unnecessary access to the repository where your workflow is run. For more information about security best practices, see "[Security hardening for GitHub Actions](/actions/learn-github-actions/security-hardening-for-github-actions#using-secrets)."
1. Navigate to your package landing page.
1. In the left sidebar, click **Actions access**.
2. To ensure your container package has access to your workflow, you must add the repository where the workflow is stored to your container. Click **Add repository** and search for the repository you want to add.
{% note %}
**Note:** Adding a repository to your container through the **Actions access** menu option is different than connecting your container to a repository. For more information, see "[Ensuring workflow access to your package](/packages/guides/configuring-access-control-and-visibility-for-container-images#ensuring-workflow-access-to-your-package)" and "[Connecting a repository to a container image](/packages/guides/connecting-a-repository-to-a-container-image)."
{% endnote %}
3. Optionally, using the "role" drop-down menu, select the default access level that you'd like the repository to have to your container image.
5. Open your workflow file. On the line where you login to `ghcr.io`, replace your PAT with {% raw %}`${{ secrets.GITHUB_TOKEN }}`{% endraw %}.
For example, this workflow publishes a Docker container using {% raw %}`${{ secrets.GITHUB_TOKEN }}`{% endraw %} to authenticate.
```yaml{:copy}
name: Demo Push
on:
push:
# Publish `master` as Docker `latest` image.
branches:
- master
- seed
# Publish `v1.2.3` tags as releases.
tags:
- v*
# Run tests for any PRs.
pull_request:
env:
IMAGE_NAME: ghtoken_product_demo
jobs:
# Push image to GitHub Packages.
# See also https://docs.docker.com/docker-hub/builds/
push:
runs-on: ubuntu-latest{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@3.1" or currentVersion == "github-ae@next" %}
permissions:
packages: write
contents: read{% endif %}
{% raw %}steps:
- uses: actions/checkout@v2
- name: Build image
run: docker build . --file Dockerfile --tag $IMAGE_NAME --label "runnumber=${GITHUB_RUN_ID}"
- name: Log into registry
# This is where you will update the PAT to GITHUB_TOKEN
run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
- name: Push image
run: |
IMAGE_ID=ghcr.io/${{ github.repository_owner }}/$IMAGE_NAME
# Change all uppercase to lowercase
IMAGE_ID=$(echo $IMAGE_ID | tr '[A-Z]' '[a-z]')
# Strip git ref prefix from version
VERSION=$(echo "${{ github.ref }}" | sed -e 's,.*/\(.*\),\1,')
# Strip "v" prefix from tag name
[[ "${{ github.ref }}" == "refs/tags/"* ]] && VERSION=$(echo $VERSION | sed -e 's/^v//')
# Use Docker `latest` tag convention
[ "$VERSION" == "master" ] && VERSION=latest
echo IMAGE_ID=$IMAGE_ID
echo VERSION=$VERSION
docker tag $IMAGE_NAME $IMAGE_ID:$VERSION
docker push $IMAGE_ID:$VERSION{% endraw %}
```
{% endif %}