Doc Improvement: using Google Container Registry (GCR)

[EronWright]

It is somewhat counter-intuitive that one cannot use a credentials helper with build-push-action. The underlying reason is that build-push-action is a docker-based action (as opposed to a JS action) and doesn't inherit the runner's gcloud or docker configuration. In other words, gcloud auth configure-docker doesn't work with build-push-action.

Here's a technique to use build-push-action in combination with setup-gcloud. The benefit of this approach is that it interoperates well with other GCP-related actions. It relies on the use of access tokens (as described here). Note that the access token is short-lived.

Be sure to add a secret to your repository named GCP_SA_KEY containing the base64-encoded service account key (as described here).

jobs:
  publish:
    steps:
      - name: Setup Google Cloud SDK
        uses: GoogleCloudPlatform/github-actions/setup-gcloud@master
        with:
          version: '290.0.1'
          service_account_key: ${{ secrets.GCP_SA_KEY }}

      - name: Generate Access Token
        id: generate_access_token
        run: |
          echo "::set-output name=token::$(gcloud auth print-access-token)"

      - name: Publish
        uses: docker/build-push-action@v1
        with:
          registry: gcr.io
          repository: [PROJECT-ID]/[IMAGE]
          username: oauth2accesstoken
          password: ${{ steps.generate_access_token.outputs.token }}

Here, [PROJECT-ID] is the Google Cloud project ID of the project that hosts Container Registry, and [IMAGE] is the image name.

[mattwelke]

@EronWright I think I ran into this issue before. I was trying to push to GCR and use my SA as the password, like the current README.md says to:

- name: Build and push Docker image to Google Container Registry
  uses: docker/build-push-action@v1.1.0
  with:
    username: _json_key
    password: ${{ secrets.RUN_SA_KEY }}
    registry: gcr.io
    repository: ${{ secrets.RUN_PROJECT }}/${{ env.SERVICE_NAME }}
    tags: ${{ env.GITHUB_SHA }}

This didn't work. You can see all the details about the problem I had in #80.

I ended up only being able to get it to work by using gcloud and docker directly without going through an action. Would it be considered insecure though to run gcloud auth configure-docker on a runner? Does it leave tokens or anything like that around? If so, is that why it's better to do it the way you outline here where you get just one token, one time, that expires soon, and then use it to push?

[crazy-max]

@EronWright

The underlying reason is that build-push-action is a docker-based action (as opposed to a JS action)

Will come with #71 :)

[crazy-max]

@EronWright This will be available through build-push-action v2 (#92) and you can already try the login-action to authenticate against GCR.

[crazy-max]

Version 2 has been merged to the main branch and is therefore available via uses: docker/build-push-action@v2 (mutable tag).

As a reminder, this new version changes drastically and works with 3 new actions (login, setup-buildx and setup-qemu) that we have created. Many usage examples have been added to handle most use cases.

And it should fix this current issue. Don't hesitate if you have any questions.

[EronWright]

Thanks @crazy-max, looks great. The examples don't cover Google Container Registry specifically, but I would guess that gcloud auth configure-docker will work now in combination with this action.

[crazy-max]

@EronWright

The examples don't cover Google Container Registry specifically

See https://github.com/docker/login-action#google-container-registry-gcr