|
{% raw %}
```yaml
on:
push:
branches: ['release']
```
{% endraw %}
|
Configures the Create and publish a Docker image workflow to run every time a change is pushed to the branch called release.
|
{% ifversion fpt %}
|
{% raw %}
```yaml
env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
```
{% endraw %}
|
Defines two custom environment variables for the workflow. These are used for the {% data variables.product.prodname_container_registry %} domain, and a name for the Docker image that this workflow builds.
|
|
{% raw %}
```yaml
jobs:
build-and-push-image:
runs-on: ubuntu-latest
```
{% endraw %}
|
There is a single job in this workflow. It's configured to run on the latest available version of Ubuntu.
|
{% else %}
|
{% raw %}
```yaml
run-npm-build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: npm install and build webpack
run: |
npm install
npm run build
- uses: actions/upload-artifact@main
with:
name: webpack artifacts
path: public/
```
{% endraw %}
|
This job installs NPM and uses it to build the app.
|
|
{% raw %}
```yaml
run-npm-test:
runs-on: ubuntu-latest
needs: run-npm-build
strategy:
matrix:
os: [ubuntu-latest]
node-version: [12.x, 14.x]
steps:
- uses: actions/checkout@v2
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v2
with:
node-version: ${{ matrix.node-version }}
- uses: actions/download-artifact@main
with:
name: webpack artifacts
path: public
- name: npm install, and test
run: |
npm install
npm test
env:
CI: true
```
{% endraw %}
|
This job uses npm test to test the code. The needs: run-npm-build command makes this job dependent on the run-npm-build job.
|
|
{% raw %}
```yaml
build-and-push-image:
runs-on: ubuntu-latest
needs: run-npm-test
```
{% endraw %}
|
This job publishes the package. The needs: run-npm-test command makes this job dependent on the run-npm-test job.
|
{% endif %}
{% ifversion fpt or ghes > 3.1 or ghae-next %}
|
{% raw %}
```yaml
permissions:
contents: read
packages: write
```
{% endraw %}
|
Sets the permissions granted to the GITHUB_TOKEN for the actions in this job.
|
{% endif %}
{% ifversion fpt %}
|
{% raw %}
```yaml
- name: Log in to the Container registry
uses: docker/login-action@v1
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
```
{% endraw %}
|
Creates a step called Log in to the {% data variables.product.prodname_container_registry %}, which logs in to the registry using the account and password that will publish the packages. Once published, the packages are owned by the account defined here.
|
|
{% raw %}
```yaml
- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@v3
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
```
{% endraw %}
|
This step uses docker/metadata-action to extract tags and labels that will be applied to the specified image. The id "meta" allows the output of this step to be referenced in a subsequent step. The images value provides the base name for the tags and labels.
|
{% else %}
|
{% raw %}
```yaml
- name: Log in to GitHub Docker Registry
uses: docker/login-action@v1
with:
registry: {% endraw %}{% ifversion ghae %}docker.YOUR-HOSTNAME.com{% else %}docker.pkg.github.com{% endif %}{% raw %}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
```
{% endraw %}
|
Creates a new step called Log in to GitHub Docker Registry, which logs in to the registry using the account and password that will publish the packages. Once published, the packages are owned by the account defined here.
|
{% endif %}
|
{% raw %}
```yaml
- name: Build and push Docker image
```
{% endraw %}
|
Creates a new step called Build and push Docker image. This step runs as part of the build-and-push-image job.
|
|
{% raw %}
```yaml
uses: docker/build-push-action@v2
```
{% endraw %}
|
Uses the Docker build-push-action action to build the image, based on your repository's Dockerfile. If the build succeeds, it pushes the image to {% data variables.product.prodname_registry %}.
|
|
{% raw %}
```yaml
with:
```
{% endraw %}
|
Sends the required parameters to the build-push-action action. These are defined in the subsequent lines.
|
{% ifversion fpt %}
|
{% raw %}
```yaml
context: .
```
{% endraw %}
|
Defines the build's context as the set of files located in the specified path. For more information, see "Usage."
|
{% endif %}
|
{% raw %}
```yaml
push: true
```
{% endraw %}
|
Pushes this image to the registry if it is built successfully.
|
{% ifversion fpt %}
|
{% raw %}
```yaml
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
```
{% endraw %}
|
Adds the tags and labels extracted in the "meta" step.
|
{% else %}
|
{% ifversion ghae %}
{% raw %}
```yaml
tags: |
docker.YOUR-HOSTNAME.com/${{ github.repository }}/octo-image:${{ github.sha }}
```
{% endraw %}
{% else %}
{% raw %}
```yaml
tags: |
docker.pkg.github.com/${{ github.repository }}/octo-image:${{ github.sha }}
```
{% endraw %}
{% endif %}
|
Tags the image with the SHA of the commit that triggered the workflow.
|
{% endif %}
This new workflow will run automatically every time you push a change to a branch named `release` in the repository. You can view the progress in the **Actions** tab.
A few minutes after the workflow has completed, the new package will visible in your repository. To find your available packages, see "[Viewing a repository's packages](/packages/publishing-and-managing-packages/viewing-packages#viewing-a-repositorys-packages)."
## Installing a package using an action
You can install packages as part of your CI flow using {% data variables.product.prodname_actions %}. For example, you could configure a workflow so that anytime a developer pushes code to a pull request, the workflow resolves dependencies by downloading and installing packages hosted by {% data variables.product.prodname_registry %}. Then, the workflow can run CI tests that require the dependencies.
Installing packages hosted by {% data variables.product.prodname_registry %} through {% data variables.product.prodname_actions %} requires minimal configuration or additional authentication when you use the `GITHUB_TOKEN`.{% ifversion fpt %} Data transfer is also free when an action installs a package. For more information, see "[About billing for {% data variables.product.prodname_registry %}](/billing/managing-billing-for-github-packages/about-billing-for-github-packages)."{% endif %}
{% data reusables.package_registry.actions-configuration %}
{% ifversion fpt %}
## Upgrading a workflow that accesses `ghcr.io`
The {% data variables.product.prodname_container_registry %} supports the `GITHUB_TOKEN` for easy and secure authentication in your workflows. If your workflow is using a personal access token (PAT) to authenticate to `ghcr.io`, then we highly recommend you update your workflow to use the `GITHUB_TOKEN`.
For more information about the `GITHUB_TOKEN`, see "[Authentication in a workflow](/actions/reference/authentication-in-a-workflow#using-the-github_token-in-a-workflow)."
Using the `GITHUB_TOKEN` instead of a PAT, which includes the `repo` scope, increases the security of your repository as you don't need to use a long-lived PAT that offers unnecessary access to the repository where your workflow is run. For more information about security best practices, see "[Security hardening for GitHub Actions](/actions/learn-github-actions/security-hardening-for-github-actions#using-secrets)."
1. Navigate to your package landing page.
1. In the left sidebar, click **Actions access**.
1. To ensure your container package has access to your workflow, you must add the repository where the workflow is stored to your container. Click **Add repository** and search for the repository you want to add.
{% note %}
**Note:** Adding a repository to your container through the **Actions access** menu option is different than connecting your container to a repository. For more information, see "[Ensuring workflow access to your package](/packages/learn-github-packages/configuring-a-packages-access-control-and-visibility#ensuring-workflow-access-to-your-package)" and "[Connecting a repository to a package](/packages/learn-github-packages/connecting-a-repository-to-a-package)."
{% endnote %}
1. Optionally, using the "role" drop-down menu, select the default access level that you'd like the repository to have to your container image.
1. Open your workflow file. On the line where you log in to `ghcr.io`, replace your PAT with {% raw %}`${{ secrets.GITHUB_TOKEN }}`{% endraw %}.
For example, this workflow publishes a Docker image using {% raw %}`${{ secrets.GITHUB_TOKEN }}`{% endraw %} to authenticate.
```yaml{:copy}
name: Demo Push
on:
push:
# Publish `master` as Docker `latest` image.
branches:
- master
- seed
# Publish `v1.2.3` tags as releases.
tags:
- v*
# Run tests for any PRs.
pull_request:
env:
IMAGE_NAME: ghtoken_product_demo
jobs:
# Push image to GitHub Packages.
# See also https://docs.docker.com/docker-hub/builds/
push:
runs-on: ubuntu-latest{% ifversion fpt or ghes > 3.1 or ghae-next %}
permissions:
packages: write
contents: read{% endif %}
{% raw %}steps:
- uses: actions/checkout@v2
- name: Build image
run: docker build . --file Dockerfile --tag $IMAGE_NAME --label "runnumber=${GITHUB_RUN_ID}"
- name: Log in to registry
# This is where you will update the PAT to GITHUB_TOKEN
run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
- name: Push image
run: |
IMAGE_ID=ghcr.io/${{ github.repository_owner }}/$IMAGE_NAME
# Change all uppercase to lowercase
IMAGE_ID=$(echo $IMAGE_ID | tr '[A-Z]' '[a-z]')
# Strip git ref prefix from version
VERSION=$(echo "${{ github.ref }}" | sed -e 's,.*/\(.*\),\1,')
# Strip "v" prefix from tag name
[[ "${{ github.ref }}" == "refs/tags/"* ]] && VERSION=$(echo $VERSION | sed -e 's/^v//')
# Use Docker `latest` tag convention
[ "$VERSION" == "master" ] && VERSION=latest
echo IMAGE_ID=$IMAGE_ID
echo VERSION=$VERSION
docker tag $IMAGE_NAME $IMAGE_ID:$VERSION
docker push $IMAGE_ID:$VERSION{% endraw %}
```
{% endif %}