Git Product home page Git Product logo

login-action's Introduction

GitHub release GitHub marketplace CI workflow Test workflow Codecov

About

GitHub Action to login against a Docker registry.

Screenshot

Usage

Docker Hub

When authenticating to Docker Hub with GitHub Actions, use a personal access token. Don't use your account password.

name: ci

on:
  push:
    branches: main

jobs:
  login:
    runs-on: ubuntu-latest
    steps:
      -
        name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

GitHub Container Registry

To authenticate to the GitHub Container Registry, use the GITHUB_TOKEN secret.

name: ci

on:
  push:
    branches: main

jobs:
  login:
    runs-on: ubuntu-latest
    steps:
      -
        name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

You may need to manage write and read access of GitHub Actions for repositories in the container settings.

You can also use a personal access token (PAT) with the appropriate scopes.

GitLab

name: ci

on:
  push:
    branches: main

jobs:
  login:
    runs-on: ubuntu-latest
    steps:
      -
        name: Login to GitLab
        uses: docker/login-action@v3
        with:
          registry: registry.gitlab.com
          username: ${{ secrets.GITLAB_USERNAME }}
          password: ${{ secrets.GITLAB_PASSWORD }}

If you have Two-Factor Authentication enabled, use a Personal Access Token instead of a password.

Azure Container Registry (ACR)

Create a service principal with access to your container registry through the Azure CLI and take note of the generated service principal's ID (also called client ID) and password (also called client secret).

name: ci

on:
  push:
    branches: main

jobs:
  login:
    runs-on: ubuntu-latest
    steps:
      -
        name: Login to ACR
        uses: docker/login-action@v3
        with:
          registry: <registry-name>.azurecr.io
          username: ${{ secrets.AZURE_CLIENT_ID }}
          password: ${{ secrets.AZURE_CLIENT_SECRET }}

Replace <registry-name> with the name of your registry.

Google Container Registry (GCR)

Google Artifact Registry is the evolution of Google Container Registry. As a fully-managed service with support for both container images and non-container artifacts. If you currently use Google Container Registry, use the information on this page to learn about transitioning to Google Artifact Registry.

You can authenticate with workload identity federation or a service account.

Workload identity federation

Configure the workload identity federation for GitHub Actions in Google Cloud, see here. Your service account must have permission to push to GCR. Use the google-github-actions/auth action to authenticate using workload identity as shown in the following example:

name: ci

on:
  push:
    branches: main

jobs:
  login:
    runs-on: ubuntu-latest
    steps:
    -
      name: Authenticate to Google Cloud
      id: auth
      uses: google-github-actions/auth@v1
      with:
        token_format: access_token
        workload_identity_provider: <workload_identity_provider>
        service_account: <service_account>
    -
      name: Login to GCR
      uses: docker/login-action@v3
      with:
        registry: gcr.io
        username: oauth2accesstoken
        password: ${{ steps.auth.outputs.access_token }}

Replace <workload_identity_provider> with configured workload identity provider. For steps to configure, see here.

Replace <service_account> with configured service account in workload identity provider which has access to push to GCR

Service account based authentication

Use a service account with permission to push to GCR and configure access control. Download the key for the service account as a JSON file. Save the contents of the file as a secret named GCR_JSON_KEY in your GitHub repository. Set the username to _json_key, or _json_key_base64 if you use a base64-encoded key.

name: ci

on:
  push:
    branches: main

jobs:
  login:
    runs-on: ubuntu-latest
    steps:
      -
        name: Login to GCR
        uses: docker/login-action@v3
        with:
          registry: gcr.io
          username: _json_key
          password: ${{ secrets.GCR_JSON_KEY }}

Google Artifact Registry (GAR)

You can authenticate with workload identity federation or a service account.

Workload identity federation

Download the key for the service account as a JSON file. Save the contents of the file as a secret named GCR_JSON_KEY in your GitHub repository. Set the username to _json_key, or _json_key_base64 if you use a base64-encoded key.

name: ci

on:
  push:
    branches: main

jobs:
  login:
    runs-on: ubuntu-latest
    steps:
      -
        name: Authenticate to Google Cloud
        id: auth
        uses: google-github-actions/auth@v1
        with:
          token_format: access_token
          workload_identity_provider: <workload_identity_provider>
          service_account: <service_account>
      -
        name: Login to GAR
        uses: docker/login-action@v3
        with:
          registry: <location>-docker.pkg.dev
          username: oauth2accesstoken
          password: ${{ steps.auth.outputs.access_token }}

Replace <workload_identity_provider> with configured workload identity provider

Replace <service_account> with configured service account in workload identity provider which has access to push to GCR

Replace <location> with the regional or multi-regional location of the repository where the image is stored.

Service account based authentication

Use a service account with permission to push to GAR and configure access control. Download the key for the service account as a JSON file. Save the contents of the file as a secret named GCR_JSON_KEY in your GitHub repository. Set the username to _json_key, or _json_key_base64 if you use a base64-encoded key.

name: ci

on:
  push:
    branches: main

jobs:
  login:
    runs-on: ubuntu-latest
    steps:
      -
        name: Login to GAR
        uses: docker/login-action@v3
        with:
          registry: <location>-docker.pkg.dev
          username: _json_key
          password: ${{ secrets.GAR_JSON_KEY }}

Replace <location> with the regional or multi-regional location of the repository where the image is stored.

AWS Elastic Container Registry (ECR)

Use an IAM user with the ability to push to ECR with AmazonEC2ContainerRegistryPowerUser managed policy for example. Download the access keys and save them as AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY as secrets in your GitHub repo.

name: ci

on:
  push:
    branches: main

jobs:
  login:
    runs-on: ubuntu-latest
    steps:
      -
        name: Login to ECR
        uses: docker/login-action@v3
        with:
          registry: <aws-account-number>.dkr.ecr.<region>.amazonaws.com
          username: ${{ secrets.AWS_ACCESS_KEY_ID }}
          password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

If you need to log in to Amazon ECR registries associated with other accounts, you can use the AWS_ACCOUNT_IDS environment variable:

name: ci

on:
  push:
    branches: main

jobs:
  login:
    runs-on: ubuntu-latest
    steps:
      -
        name: Login to ECR
        uses: docker/login-action@v3
        with:
          registry: <aws-account-number>.dkr.ecr.<region>.amazonaws.com
          username: ${{ secrets.AWS_ACCESS_KEY_ID }}
          password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        env:
          AWS_ACCOUNT_IDS: 012345678910,023456789012

Only available with AWS CLI version 1

You can also use the Configure AWS Credentials action in combination with this action:

name: ci

on:
  push:
    branches: main

jobs:
  login:
    runs-on: ubuntu-latest
    steps:
      -
        name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: <region>
      -
        name: Login to ECR
        uses: docker/login-action@v3
        with:
          registry: <aws-account-number>.dkr.ecr.<region>.amazonaws.com

Replace <aws-account-number> and <region> with their respective values.

AWS Public Elastic Container Registry (ECR)

Use an IAM user with permission to push to ECR Public, for example using managed policies. Download the access keys and save them as AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY secrets in your GitHub repository.

name: ci

on:
  push:
    branches: main

jobs:
  login:
    runs-on: ubuntu-latest
    steps:
      -
        name: Login to Public ECR
        uses: docker/login-action@v3
        with:
          registry: public.ecr.aws
          username: ${{ secrets.AWS_ACCESS_KEY_ID }}
          password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        env:
          AWS_REGION: <region>

Replace <region> with its respective value (default us-east-1).

OCI Oracle Cloud Infrastructure Registry (OCIR)

To push into OCIR in specific tenancy the username must be placed in format <tenancy>/<username> (in case of federated tenancy use the format <tenancy-namespace>/oracleidentitycloudservice/<username>).

For password create an auth token. Save username and token as a secrets in your GitHub repo.

name: ci

on:
  push:
    branches: main

jobs:
  login:
    runs-on: ubuntu-latest
    steps:
      -
        name: Login to OCIR
        uses: docker/login-action@v3
        with:
          registry: <region>.ocir.io
          username: ${{ secrets.OCI_USERNAME }}
          password: ${{ secrets.OCI_TOKEN }}

Replace <region> with their respective values from availability regions

Quay.io

Use a Robot account with permission to push to a Quay.io repository.

name: ci

on:
  push:
    branches: main

jobs:
  login:
    runs-on: ubuntu-latest
    steps:
      -
        name: Login to Quay.io
        uses: docker/login-action@v3
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_USERNAME }}
          password: ${{ secrets.QUAY_ROBOT_TOKEN }}

DigitalOcean Container Registry

Use your DigitalOcean registered email address and an API access token to authenticate.

name: ci

on:
  push:
    branches: main

jobs:
  login:
    runs-on: ubuntu-latest
    steps:
      -
        name: Login to DigitalOcean Container Registry
        uses: docker/login-action@v3
        with:
          registry: registry.digitalocean.com
          username: ${{ secrets.DIGITALOCEAN_USERNAME }}
          password: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}

Customizing

inputs

The following inputs can be used as step.with keys:

Name Type Default Description
registry String Server address of Docker registry. If not set then will default to Docker Hub
username String Username for authenticating to the Docker registry
password String Password or personal access token for authenticating the Docker registry
ecr String auto Specifies whether the given registry is ECR (auto, true or false)
logout Bool true Log out from the Docker registry at the end of a job

Keep up-to-date with GitHub Dependabot

Since Dependabot has native GitHub Actions support, to enable it on your GitHub repo all you need to do is add the .github/dependabot.yml file:

version: 2
updates:
  # Maintain dependencies for GitHub Actions
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "daily"

login-action's People

Contributors

crazy-max avatar cs278 avatar dependabot[bot] avatar dineshba avatar flydiverny avatar jhihruei avatar johngunderwood avatar justincormack avatar loshz avatar temenuzhka-thede avatar tonistiigi avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Forkers

keshav423 yangchuansheng vf-cdaas unholster jimbo8098 docker-practice philipphomberger zlangbert eine pgressa mgalgs carmarla adamrogas bnaganathan hasheddan woolrab6 akcakalehaber wisersolutions connectionmaster rishianand06 ai2hub razorpay fardin01 zendesk consensysluxoft isabella232 divyansh42 chilicyber lesmiscore mpcarolin crazy-max bmborne updater kimballjohnson dacbd mmeendez8 cs278 whiteshadowofficial msg4rajesh daniele-tentoni classicvalues vhalkhymher-valentine-valkirye-vendetta general-of-the-pentagone-and-us-navy mdedetrich nebulose-io hinodeya minhqp weare0 restaurant-org khlam starsuff howaboutudance kinensake flydiverny calisoulb pahrens-github haf admincontrolas chicago-joe hmboyd hgdata ftos-forks eswar9908172217 petrol-requests petrol-market lighting-construction gscuderi tf-dive-coke useparagon samkenxstream 00mjk bone7system monykastory26 kimdonghyub chevah umanaiaci possehl-analytics telia-actions minnurashi spacecase123 iziwork leeks-ken vivek2508 acud1 kd-collective eegiazarov baby636 open-maze marcus-arcadius testingiacwithnewaccount sewah2012 evaldeco mathieusoufflard rohit-ramtirth dakdevops christopherrothwell andreagit97 mario-juarez acezuha costica-moldovanu

login-action's Issues

Ubuntu latest cannot find .docker

Behaviour

Steps to reproduce this issue

  1. Execute action

Expected behaviour

Login

Actual behaviour

Error: Unable to locate executable file: docker. Please verify either the file path exists or the file can be found within a directory specified by the PATH environment variable. Also check the file mode to verify the file is executable.

Configuration

name: Staging

on:
  push:
    branches:
      - "development"
      - "develop"
      - "devel"

jobs:
  build:
    runs-on: ubuntu-latest

    # runs all of the steps inside the specified container rather than on the VM host.
    # Because of this the network configuration changes from host based network to a container network.
    container:
      image: node:10.16-jessie

    steps:
      - name: Check Out Repo
        uses: actions/checkout@main

      - name: Login to Docker Hub
        uses: docker/login-action@master
        with:
          username: ${{ secrets.DOCKER_HUB_USERNAME }}
          password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}

      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@v1

      - name: Build and push AUTH
        id: docker_build_auth
        uses: docker/build-push-action@v2
        with:
          context: ./
          file: .docker/Dockerfile
          push: true
          tags: ${{ secrets.DOCKER_HUB_USERNAME }}/auth-s:latest
          build-args: |
            PROJECT_ENV=staging
            SERVICE_NAME=AUTH

      - name: Image digest
        run: echo ${{ steps.docker_build_auth.outputs.digest }}

      - name: Build and push PRODUCT
        id: docker_build_product
        uses: docker/build-push-action@v2
        with:
          context: ./
          file: .docker/Dockerfile
          push: true
          tags: ${{ secrets.DOCKER_HUB_USERNAME }}/product-s:latest
          build-args: |
            PROJECT_ENV=staging
            SERVICE_NAME=PRODUCT

      - name: Image digest
        run: echo ${{ steps.docker_build_product.outputs.digest }}

      - name: ZIP
        uses: papeloto/action-zip@master
        with:
          files: "README.md docker-compose.yml"
          dest: staging/latest.zip
          recursive: false

      - name: Upload S3
        uses: shallwefootball/s3-upload-action@master
        id: S3
        with:
          aws_key_id: ${{ secrets.AWS_KEY_ID }}
          aws_secret_access_key: ${{ secrets.AWS_KEY}}
          aws_bucket: ${{ secrets.AWS_BUCKET }}
          source_dir: staging
          destination_dir: ${{ github.event.repository.name }}/staging

Logs

logs_4.zip

Logout parameter and interaction with other docker actions

Hello,

I'd like to further understand how docker/login-action interacts with other docker actions like docker/build-push, and the VM in general. To keep it simple: is the purpose of this action to login the user on the runs-on VM? Then, whatever actions require being logged in come after like build-push?

This is my initial understanding, although finding the logout parameter has me questioning that understanding. As far as I understand, having post: 'dist/index.js' in action.yml runs the logout function in src/docker.ts, which is really just the docker logout <registry> shell command. This is ran, I think, once the main: command finishes executing, and before the next job. But if that is correct, then the following would happen using login-action with logout: true, and then using build-push:

  • login
  • logout
  • build
  • push

That doesn't make sense, so I must be misunderstanding the sequence here. Do post actions happen at a different time than I expect, or is it something else? Any clarification would be appreciated.

Logging in to Github Container Registry

Behaviour

Run docker/login-action@v1
Error: Username and password required

Steps to reproduce this issue

  1. Follow your guide here: https://github.com/docker/login-action#github-container-registry

Expected behaviour

It should at least log in. I assume that the token I created should be added to the secrets (will try that in a moment)

Also project wide settings should not depend on personal tokens. IMO it's a an obviously bad design. The token is personal, the user might accidentally delete it, leave the projects etc. Either it should dynamically identify as committing user, or it should identify as the pipeline. It should not require the project to contain personal tokens in shared configs.

Actual behaviour

Isn't this the same as behaviour?

Configuration

  • Repository URL (if public): N/A (not public)
  • Build URL (if public): N/A (not public)

The part that fails:

      - name: Login to GitHub Container Registry
        uses: docker/login-action@v1
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.CR_PAT }}

Logs

Download the log file of your build and attach it to this issue.

Use AWS ECR login method with a custom domain

Behaviour

Currently the ECR login method depends on isEcr which verifies an address. However, we would like to use a custom domain with ECR to simplify our Dockerfiles.

Steps to reproduce this issue

  1. Create an action in workflow with a custom domain for ECR private registry
  2. Run workflow

Expected behaviour

Action correctly logins to ECR despite custom address using loginECR

Actual behaviour

login-action does not login to ECR using loginECR

Configuration

  • Repository URL (if public):
  • Build URL (if public):
     - name: Login to ECR
        uses: docker/login-action@v1
        with:
          registry: custom.io
          username: ${{ secrets.AWS_ACCESS_KEY_ID }}
          password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

Solution

I think, it would be the best to add an optional flag isECR to the configuration to allow use of ECR login despite custom domain usage.

Docker related steps after login-action don't work with `no basic auth credentials`

Behavior

Steps to reproduce this issue

  1. Have an already existing docker login using echo ${GITHUB_TOKEN} | docker login docker.pkg.github.com -u ${GITHUB_ACTOR} --password-stdin
  2. Change it so it uses login-action github action
  3. Create a pull request out of it

Expected behaviour

A successful docker-login persists the login information so later docker-compose works succesfully

Actual behaviour

Docker login happened successfully however the next step in the pipeline docker-compose up -d fails to execute with no basic auth credentials.

Configuration

# This file was automatically generated by sbt-github-actions using the
# githubWorkflowGenerate task. You should add and commit this file to
# your git repository. It goes without saying that you shouldn't edit
# this file by hand! Instead, if you wish to make changes, you should
# change your sbt build configuration to revise the workflow description
# to meet your needs, then regenerate this file.

name: Continuous Integration

on:
  pull_request:
    branches: ['**']
  push:
    branches: ['**']

env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

jobs:
  build:
    name: Build and Test
    strategy:
      matrix:
        os: [ubuntu-latest]
        scala: [2.12.11, 2.13.4]
        java: [[email protected]]
    runs-on: ${{ matrix.os }}
    steps:
      - name: Checkout current branch (full)
        uses: actions/checkout@v2
        with:
          fetch-depth: 0

      - name: Setup Java and Scala
        uses: olafurpg/setup-scala@v12
        with:
          java-version: ${{ matrix.java }}

      - name: Cache sbt
        uses: actions/cache@v2
        with:
          path: |
            ~/.sbt
            ~/.ivy2/cache
            ~/.coursier/cache/v1
            ~/.cache/coursier/v1
            ~/AppData/Local/Coursier/Cache/v1
            ~/Library/Caches/Coursier/v1
          key: ${{ runner.os }}-sbt-cache-v2-${{ hashFiles('**/*.sbt') }}-${{ hashFiles('project/build.properties') }}

      - name: Check that workflows are up to date
        run: sbt ++${{ matrix.scala }} githubWorkflowCheck

      - name: Login to GitHub Container Registry
        uses: docker/login-action@v1
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Launch Nakadi
        run: docker-compose up -d

      - name: Build project
        run: sbt ++${{ matrix.scala }} clean coverage test

      - name: Upload coverage data to Coveralls
        env:
          COVERALLS_REPO_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          COVERALLS_FLAG_NAME: Scala ${{ matrix.scala }}
        run: sbt ++${{ matrix.scala }} coverageReport coverageAggregate coveralls

      - name: Shut down Nakadi
        run: docker-compose down

Logs

logs_71.zip

Make this action compatible with aws-actions/configure-aws-credentials

Behaviour

The official AWS action for setting up credentials works very well for assuming roles. Ideally, this action should be compatible with it. We have been using https://github.com/aws-actions/amazon-ecr-login for logging in, but it is not compatible with your new https://github.com/docker/build-push-action.

Something like this would be very useful:

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.SECRET_ACCESS_KEY }}
          aws-region: ${{ secrets.DEFAULT_REGION }}
          role-to-assume: ${{ secrets.ROLE_ARN }}
          role-duration-seconds: 1200
          role-session-name: GithubActions

      - name: Login to Amazon ECR
        uses: docker/login-action@v1
        with:
          registry: ${{ secrets.ECR_REGISTRY }}

     - name: Build and push
        id: docker_build
        uses: docker/build-push-action@v2
        with:
          ...

What do you think? Is there a known workaround to accomplish this? Thanks in advance!

Login fails asking for a password although one appears to be provided

Behaviour

When running workflow it errors at the login step, talking about a missing password.

I have created a PAT as described in #6

Steps to reproduce this issue

  1. run workflow

Expected behaviour

Should log in as expected

Actual behaviour

Errors
image

Configuration

name: Deploy and run

on:
  push:
    branches: master
  workflow_dispatch:

jobs:
  Deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        uses: actions/checkout@v2
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v1
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_REGISTRY_TOKEN }}

Logs

https://github.com/AlexJeffcott/amboss-cypress-demo/runs/1750353837?check_suite_focus=true#step:3:6

Issue: Login to public ECR action

I am receiving Error response from daemon: Get https://public.ecr.aws/v2/: denied: Not Authorized while using Login to ECR action in my workflow. I am able to run aws ecr-public get-login-password --region us-east-1 | docker login -u AWS --password-stdin public.ecr.aws in my local machine. Would you be able to confirm if it's a bug? I could not find ecr publish test in this repo so not sure if login to ecr actions has any issues or not.

Workflow error: https://github.com/bhautikpip/aws-xray-daemon/runs/1554928752?check_suite_focus=true
Workflow code: https://github.com/bhautikpip/aws-xray-daemon/blob/daemon-ecr-publish/.github/workflows/continuous-build.yml

AWS Auth does not include session token

Behaviour

If used with short term AWS access tokens including a Session Token, the AWS ECR auth fails because the AWS integration interferes in the standard AWS credentials resolution process.

Steps to reproduce this issue

  1. Use the aws-actions/configure-aws-credentials@master action with OIDC based role assumption (github/roadmap#249).
  2. Use the docker/login-action action to attempt to auth to AWS

Expected behaviour

AWS_SECRET_ACCESS_KEY, AWS_ACCESS_KEY_ID, and AWS_SESSION_TOKEN should be used to authenticate the request.

Actual behaviour

AWS_SESSION_TOKEN is omitted from the auth process because the code interferes with standard credentials resolution process.

Run aws-actions/configure-aws-credentials@master
  with:
    role-to-assume: arn:aws:iam::0123456789:role/abcded-role-name
    role-session-name: github-actions
    aws-region: us-east-1
    
Run docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c
  with:
    registry: ***.dkr.ecr.us-east-1.amazonaws.com
    username: AWS
    logout: true
  env:
    AWS_DEFAULT_REGION: us-east-1
    AWS_REGION: us-east-1
    AWS_ACCESS_KEY_ID: ***
    AWS_SECRET_ACCESS_KEY: ***
    AWS_SESSION_TOKEN: ***
    JAVA_HOME: /opt/hostedtoolcache/Java_Adopt_jdk/17.0.1-12/x64
AWS ECR detected with us-east-1 region
Retrieving docker login command through AWS CLI 2.4.9 (/usr/local/bin/aws)...
Error: An error occurred (UnrecognizedClientException) when calling the GetAuthorizationToken operation: The security token included in the request is invalid.

Configuration

  • Repository URL (if public):
  • Build URL (if public):
name: Run build

on:
  push:
    branches:
      - 'feature/**'
  pull_request:
    branches:
      - main

permissions:
  id-token: write
  contents: read
jobs:
  api:
    runs-on: ubuntu-latest
    if: github.event_name == 'push'
    steps:
      - name: configure aws credentials
        uses: aws-actions/configure-aws-credentials@master
        with:
          role-to-assume: arn:aws:iam::01234567890:role/github-automation
          role-session-name: github-actions
          aws-region: us-east-1

      - name: Log into registry ${{ env.REGISTRY }}
        uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c
        with:
          registry: 01234567890.dkr.ecr.us-east-1.amazonaws.com
          username: AWS

Logs

See above

Failure to publish an anonymous docker container

Hi there,

I'm trying to setup something for an open-source library hosted on my company space. I am getting an error though when my action runs at the login step, talking about a missing password.

 Login to GitHub Package Registry
0s
    logout: true
Run docker/login-action@v1
  with:
    registry: ghcr.io
    username: machinezone
    logout: true
##[error]Input required and not supplied: password

I used this, hoping that the secret would be populated, following this blog post.

        name: Login to GitHub Package Registry
        uses: docker/login-action@v1
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GHCR_TOKEN }}

The full yaml for the github action is here.

Any clue on what might be going on ?
Should I report that on the github login action instead maybe ... ?

Failed to login with username and password or access token.

Behaviour

Steps to reproduce this issue

  1. Use this action in my workflow
  2. Add a secret for username and for password, try to change any combinations of those, even with a token, username + password, username + token, email + password, email + token, nothing

Expected behaviour

I'm expecting to be authenticated. I don't have any right result message because I haven't one yet.

Actual behaviour

I'm receiving this error message:

Run docker/login-action@v1
  with:
    username: ***
    password: $***
    logout: true
Logging into Docker Hub...
Error: Error response from daemon: Get https://registry-1.docker.io/v2/: unauthorized: incorrect username or password

Configuration

push-to-registry:
    needs: build
    name: Push Docker image to Docker Hub
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2

      - name: Login to Docker Hub
        uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: $${{ secrets.DOCKER_PASSWORD }}

      - name: Extract metadata (tags, labels) for Docker
        id: meta
        uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
        with:
          images: antonioparolisi/weather-vortex-station

      - name: Build and push Docker image
        uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
        with:
          context: .
          push: true
          tags: ${{ steps.meta.output.tags }}
          labels: ${{ steps.meta.outputs.labels }}

Logs

Download the log file of your build
and attach it to this issue.

Amazon ECR Private login fails on Windows

Behaviour

Steps to reproduce this issue

  1. Create a GitHub Action workflow using windows-latest
  2. Try to use the docker/login-action@v1 action to login to an Amazon ECR Private repository
  3. Fail

Expected behaviour

Action should login with Amazon ECR Private.

Actual behaviour

Action fails with error: Unable to locate executable file: C:\Program. Please verify either the file path exists or the file can be found within a directory specified by the PATH environment variable. Also verify the file has a valid extension for an executable file.

Interestingly enough, using aws-actions/amazon-ecr-login works.

Configuration

name: App / Build and push

env:
  # In GitHub, go to Settings -> Secrets and set:
  #  AWS_ACCESS_KEY_ID to your own AWS Access Key ID, eg `AKIAIOSFODNN7EXAMPLE`
  #  AWS_SECRET_ACCESS_KEY to your own AWS Secret Access Key, eg `wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY`
  AWS_ECR_PRIVATE_ACCOUNT_ID: "355938773567"
  AWS_ECR_PRIVATE_REGION: "us-east-1"
  AWS_ECR_PRIVATE_REPO_NAME: "bug-docker-login-windows"

on:
  push:

jobs:
  windows:
    name: Amazon ECR Private - Windows
    runs-on: windows-latest

    steps:
      - name: Get the code
        uses: actions/[email protected]

      - name: Login to Amazon ECR Private - FAILS
        continue-on-error: true
        uses: docker/login-action@v1
        with:
          registry: ${{ env.AWS_ECR_PRIVATE_ACCOUNT_ID }}.dkr.ecr.${{ env.AWS_ECR_PRIVATE_REGION }}.amazonaws.com
          username: ${{ secrets.AWS_ACCESS_KEY_ID }}
          password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

      - name: Configure AWS credentials
        uses: aws-actions/[email protected]
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-1

      - name: Login to Amazon ECR - WORKS
        uses: aws-actions/[email protected]

Logs

GitHub Action logs from the linked run

Login in Windows environment

Behaviour

Steps to reproduce this issue

Run following workflow: (this is minimal I think)

jobs:
  docker-windows:
    runs-on: windows-latest
    continue-on-error: true
    steps:
      - uses: actions/checkout@v2
      - name: Login
        uses: docker/login-action@v1
        with:
          username: ${{ github.repository_owner }}
          password: ${{ secrets.DHUB_TOKEN }}

Expected behaviour

Login is performed. Whether it success or not.

Actual behaviour

Gives:

Error: Only supported on linux platform

Configuration

https://github.com/nao20010128nao/ytdl-patched/blob/master/.github/workflows/build.yml

Logs

a.log

Cannot login to private registry that doesn't have routes for api versions

Behaviour

Fails to login to private registry

Steps to reproduce this issue

  1. Declare a registry parameter pointing to a private registry. ie: https://docker.seanesopenko.ca
  2. Run github action

Expected behaviour

Logs in to registry

Actual behaviour

Fails to log in, with a 403 forbidden error. Appends /v2 to the url, assuming all registries have routes for docker registry api versions. Example output in the github action console.

Run docker/login-action@v1
Logging into https://docker.seanesopenko.ca...
Error: Error response from daemon: login attempt to https://docker.seanesopenko.ca/v2/ failed with status: 403 Forbidden

Configuration

  • Repository URL (if public):
  • Build URL (if public):
name: Orchestration

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Extract branch name
        # ref: https://stackoverflow.com/questions/58033366/how-to-get-current-branch-within-github-actions
        shell: bash
        run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
        id: extract_branch
      - name: Set up Go
        uses: actions/setup-go@v2
        with:
[action_log.txt](https://github.com/docker/login-action/files/7271940/action_log.txt)

          go-version: 1.16

      - name: Go Build
        run: go run mage.go build

      - name: Go Test
        run: go run mage.go test
      # see https://github.com/marketplace/actions/build-and-push-docker-images
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v1
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v1
      - name: Login to Docker
        uses: docker/login-action@v1
        with:
          registry: https://docker.seanesopenko.ca
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
      - name: Build and push master image
        if: github.ref == 'refs/heads/main'
        uses: docker/build-push-action@v2
        with:
          context: .
          push: true
          tags: docker.seanesopenko.ca/multiplayer-orchestration:latest
      - name: Build and push pr image
        if: github.ref != 'refs/heads/main'
        uses: docker/build-push-action@v2
        with:
          context: .
          push: true
          tags: docker.seanesopenko.ca/multiplayer-orchestration:${{ steps.extract_branch.outputs.branch }}

Logs

attached

When login with AWS session token, username is redundant, but it is required by action from v1.5

Behaviour

We are generating one-time login AWS tokens in our Actions workflow.

Theoretically, we don't need aws_access_key_id and aws_secret_access_key. We need only aws_session_token to login into ECR because it has all needed for AWS information.

In practice:

  • docker/login-action <1.5: it worked fine to run the action without username, just passing registry url and aws_session_token as password
  • docker/login-action >=1.5: the action validates presence of username param, which we don't have.

Steps to reproduce this issue

  1. Generate aws_session_token
  2. Pass it to docker/login-action in password param, set registry param to be ecr url.
  3. Run Action @v1.5.0

Expected behaviour

Docker gets logged into ECR.

Actual behaviour

Error: Input required and not supplied: username

Configuration

# ...
# Previously we've generated AWS_SESSION_TOKEN using 3rd party tool (Okta)

- name: Extract AWS session token by profile name
  id: get_aws_credentials
  run: |
    AWS_SESSION_TOKEN=`python -c 'from boto3 import Session; print(Session().get_credentials().get_frozen_credentials().token)'`
    echo "::add-mask::$AWS_SESSION_TOKEN"
    echo "::set-output name=token::$AWS_SESSION_TOKEN

- name: Login into ECR
  uses: docker/[email protected]
  with:
    registry: ${{ steps.get_ecr_url.outputs.ecr_url }}
    password: ${{ steps.get_aws_credentials.outputs.token }}
# ...

Error: Username and password required

  • name: Log in to Docker Hub
    uses: f054a8b
    with:
    username: ${{ env.DOCKERHUB_USER }}
    password: ${{ secrets.DOCKERHUB_PASS }}

It breaks with error:

Run f054a8b
with:
username: correctUsername
logout: true
env:
DOCKERHUB_PASS:
DOCKERHUB_USER: ozone2021
Error: Username and password required

The secret for password exists I think. It's added as an environment secret. Should it be asterisks if it exists?

Cannot consume authorization in following steps

Behaviour

Steps to reproduce this issue

  1. Sign in with docker/login-action@v1
  2. Try to pull a private image from within a docker image based container

Expected behaviour

Trying to pull the private image from within a docker image based container should work the same as executing docker pull ghcr.io/twiddler/my-alpine:3.13 on the host.

Actual behaviour

Error response from daemon: Head "https://ghcr.io/v2/twiddler/alpine/manifests/3.13": denied

Interestingly, the equivalent also fails on my local machine:

$ docker login ghcr.io
...
$ docker run -v /var/run/docker.sock:/var/run/docker.sock docker pull ghcr.io/twiddler/my-alpine:3.13
Error response from daemon: Head "https://ghcr.io/v2/twiddler/my-alpine/manifests/3.13": unauthorized

while

$ docker login ghcr.io
...
$ docker pull ghcr.io/twiddler/my-alpine:3.13

works as expected.

Configuration

After reading #32 and #34, I came up with this test.yml:

on:
  push:

jobs:
  dind:
    runs-on: ubuntu-latest

    env:
      DOCKER_CONFIG: $HOME/.docker

    steps:
      - uses: docker/login-action@v1
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - uses: docker://docker
        with:
          entrypoint: docker
          args: pull "ghcr.io/twiddler/my-alpine:3.13"

Logs

logs_41.zip

Error to login in mac-os action

Output log:

Run docker/login-action@v1
  with:
    username: ***
    password: ***
    logout: true
Logging into Docker Hub...
Error: Unable to locate executable file: docker. Please verify either the file path exists or the file can be found within a directory specified by the PATH environment variable. Also check the file mode to verify the file is executable.

log link: https://github.com/rundax/go-bitsong/runs/3341040866?check_suite_focus=true
config file: https://github.com/rundax/go-bitsong/blob/develop/.github/workflows/build.yml

Login to cross-account ECR registry not working with AWS CLI v1 / ubuntu < 20

Behaviour

Logging into a registry in a different AWS account doesn't work when using CLI v1, with the get-login command.

Steps to reproduce this issue

  1. Create a user in ACCOUNT A
  2. Create a repository in ACCOUNT B
  3. Grant the user in ACCOUNT A permission to access the repository in ACCOUNT B
  4. Run docker/login-action with credentials from ACCOUNT A and try to push/pull an image from ACCOUNT B

Expected behaviour

Should work fine

Actual behaviour

Access denied

Configuration

name: Main Workflow

on:
  push:
    branches:
      - master

jobs:
  build:
    name: Build & push image
    runs-on: ubuntu-18.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v2

      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@v1

      - name: Login to ECR
        uses: docker/login-action@v1
        with:
          registry: 085895507678.dkr.ecr.us-west-2.amazonaws.com
          username: ${{ secrets.AWS_ACCESS_KEY }}
          password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

      - name: Build and push
        uses: docker/build-push-action@v2
        with:
          push: true
          tags: 085895507678.dkr.ecr.us-west-2.amazonaws.com/docker-login-test:latest

Logs

See build link.

supporting AWS public registry: public.ecr.aws

This is not a bug repport but maybe more a documentation request so please feel free to close it if there is a better place to raise this. And because I'm far to be an expert, I maybe totally wrong!

The public AWS repository (public.ecr.aws) needs almost the same login process as the private ECR but there is a huge difference in the registry URL which make it not compatible with this action

aws ecr-public get-login-password --region {region} | docker login --username AWS --password-stdin public.ecr.aws/{user_registry_name}

there are 2 problems with the public registry url:

  1. there is no amazonaws in the registery name, so:

login-action/src/aws.ts

Lines 5 to 7 in 12fd633

export const isECR = async (registry: string): Promise<boolean> => {
return registry.includes('amazonaws');
};

isn't triggered

  1. there is no region in the registry url, so:

login-action/src/aws.ts

Lines 9 to 11 in 12fd633

export const getRegion = async (registry: string): Promise<string> => {
return registry.substring(registry.indexOf('ecr.') + 4, registry.indexOf('.amazonaws'));
};

won't work as well.

I see a blocker for a region, but this could be resolved if the user uses the Configure AWS Credentials action

Edit:
well there is a third point

  1. the aws cli sub command is ecr-public not ecr ๐Ÿคฆ

Error logging into GitHub container registry

Behaviour

I was previously (~10 days ago) able to log into the GitHub container registry with no issues. All of the sudden I am getting this error message when trying to log in:

๐Ÿ”‘ Logging into ghcr.io...
Error: Error response from daemon: Get https://ghcr.io/v2/: denied: denied

Steps to reproduce this issue

  1. Create a PAT with the delete:packages and write:packages scopes
  2. Add CR_PAT secret with the PAT
  3. Run a workflow with the configuration mentioned below

Expected behaviour

I expect to be able to log into the GitHub container registry with no errors. The expected output it:

๐Ÿ”‘ Logging into ghcr.io...
๐ŸŽ‰ Login Succeeded!

Configuration

The relevant section in the workflow file:

- name: Login to GitHub Container Registry
  uses: docker/login-action@v1
  with:
  registry: ghcr.io
  username: ${{ github.repository_owner }}
  password: ${{ secrets.CR_PAT }}

Logs

Private repository with potentially sensitive information. If needed urgently, let me know and I will see what I can do.

Scope of Run Command after Authentication

Can I assume that after I auth successfully here that the next run command takes that auth context? For example:

- name: Login to GCR
  uses: docker/login-action@v1
  with:
    registry: gcr.io
    username: _json_key
    password: ${{ secrets.GCR_JSON_KEY }}
- run: docker push gcr.io/${{ secrets.GCP_PROJECT_ID }}/we-do-tdd:latest

I ask because I keep getting this error and I know I'm using a key with Cloud Storage Admin rights and I can't figure out why it keeps rejecting me still if I've authed with that key:
Screen Shot 2020-09-05 at 6 52 34 PM

Screen Shot 2020-09-05 at 3 47 37 AM

Screen Shot 2020-09-05 at 3 36 35 AM

is it possible to use docker/login-action as authentication for subsequent curl commands

I would like to run some curl commands towards the docker hub registry and was curious if this is possible with docker/login-action and if yes, how to do it.

doing this was not successful:

# list public repos
- name: list docker repositories (not authenticated)
  run: curl https://hub.docker.com/v2/repositories/my_repo | jq -r -C .
- uses: docker/login-action@v1
  with:
    username: ${{ secrets.DOCKERHUB_USERNAME }}
    password: ${{ secrets.DOCKERHUB_TOKEN }}
# list public and private repos
- name: list docker repositories (authenticated)
  run: curl https://hub.docker.com/v2/repositories/my_repo | jq -r -C .

Logging in to public.ecr.aws stopped working on v1.11.0

Behaviour

After v.1.11.0 release our CI has started to fail when trying to log in to the ECR. Pinning action back to v.1.10.0 fixes the issue.

Steps to reproduce this issue

  1. Run github action

Expected behaviour

Logging in to the ECR should succeed.

Actual behaviour

An error with following logs:

Retrieving registries data through AWS SDK...
AWS Public ECR detected with us-east-1 region
Error: The security token included in the request is invalid.

Configuration

name: Production deployment

on: [push]

jobs:
  production-job:
    name: Build and deploy the image
    runs-on: self-hosted
    container: docker

    steps:
      - name: Check out repository code
        uses: actions/checkout@master

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-region: ${{ secrets.AWS_REGION }}
          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
          role-external-id: ${{ secrets.AWS_EXTERNAL_ID }}
          role-duration-seconds: 1500

      - name: Install the latest AWS CLI
        run: |
          apk add --no-cache python3 py3-pip
          pip3 install --upgrade pip
          pip3 install awscli

      - name: Log in to Amazon public ECR
        uses: docker/login-action@v1
        with:
          registry: public.ecr.aws
        env:
          AWS_REGION: us-east-1

Logs

Attached

Error: unknown flag: --password-stdin

Behaviour

Steps to reproduce this issue

  1. create secrets: REGISTRY_USER_NAME & REGISTRY_USER_PSW
  2. run the manual.yaml from ### Configuration
  3. tried with and with out "with: registry: docker.io"

Expected behaviour

successfully login to docker hub && push image to docker hub

Actual behaviour

from log:

Run docker/[email protected]
  with:
    username: ***
    password: ***
    logout: true
๐Ÿ”‘ Logging into Docker Hub...
Error: unknown flag: --password-stdin

Configuration

name: Manual workflow
on: push
jobs:
  build_image:
    runs-on: self-hosted
    steps:
    - uses: actions/checkout@v2
    - name: build Docker image
      env: 
        REGISTRY_USER_NAME: ${{ secrets.REGISTRY_USER_NAME }}
        REGISTRY_USER_PSW: ${{ secrets.REGISTRY_USER_PSW }}    
      run: |
        ls -la && \
        docker build -t docker.io/ticteam/feedback .
    - name: Docker Login
      uses: docker/[email protected]
      with:
        # Username used to log against the Docker registry
        username: ${{ secrets.REGISTRY_USER_NAME }}
        # Password or personal access token used to log against the Docker registry
        password: ${{ secrets.REGISTRY_USER_PSW }}
        
    - name: push image to DockerHub
      run: |
        docker push docker.io/ticteam/feedback

Logs

logs_13.zip

buildx doesn't work with GitHub Package Docker registry

The GitHub Packages Docker registry will be superseded by GitHub Container Registry.

The package registry will never support multi-arch image manifests. The container registry (ghcr.io) does.

buildx pushes multi-arch image manifests, even when using a single architecture. I don't think this can be turned off.

docker/build-push-action@v2 uses buildx. Therefore, I don't think it is necessary to have an example for the package registry. Though a comment mentioning why might be nice. Possibly with a link to the migration guide

Permission denied on saving json credentials

Behaviour

When my action login into my GitHub Container Registry, the login fails with following error:

image

Steps to reproduce this issue

  1. Specify correct registry, username, password
  2. Try to login
  3. fail

Expected behaviour

The login should be successful.

Actual behaviour

Errors with code 1

Configuration

  
name: Deploy addons
on:
  push:
    branches:
      - master

jobs:
  build-image:
    name: Build changed addons
    runs-on: ubuntu-latest

...

    steps:

...

      - name: Docker Login
        if: steps.files-check.outputs.changed == 'true'
        uses: docker/[email protected]
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.CR_PAT }}
...

Logs

log.txt

Username and password not recognized

Behaviour

I'm using this example to authenticate with docker hub, however the build fails with the error. What am I missing?
Secrets are set. Both username, password and a PAT - nothing fixes it

Run docker/login-action@v1
  with:
    logout: true
Error: Username and password required

Configuration

name: Publish Docker image
on:
  push:
    tags:
      - v*

jobs:
  push_to_registry:
    name: Push Docker image to Docker Hub
    runs-on: ubuntu-latest
    steps:
      - name: Check out the repo
        uses: actions/checkout@v2

      - name: Login to DockerHub
        uses: docker/login-action@v1 
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_TOKEN }}
          logout: true

      - name: Push to Docker Hub
        uses: docker/build-push-action@v2
        with:
          push: true
          tags: <removed>:latest

      - name: Image digest
        run: echo ${{ steps.docker_build.outputs.digest }}

secrets not passing

Behaviour

tried everything ( did a non-fork public clone)


      - name: Prepare
        id: prep
          super_secret: ${{ secrets.DOCKER_ORG }}
          docker_user: ${{ secrets.DOCKER_USERNAME }}
          docker_repo: ${{ secrets.DOCKER_REPO }}
          docker_org: ${{ secrets.DOCKER_ORG }}
          foolingia: ${{ secrets.DOCKER_USERNAME }}
          
        run: |
          echo "$FOOLONGIA" > /tmp/file
          base64 -w0 /tmp/file
          echo "supersec: $SUPER_SECRET"
          #DOCKER_IMAGE=${{ secrets.DOCKER_USERNAME }}/${GITHUB_REPOSITORY#*/}
          DOCKER_IMAGE=${{ secrets.DOCKER_ORG }}/${{ secrets.DOCKER_REPO }}
          VERSION=latest
          SHORTREF=${GITHUB_SHA::8}
          echo "$DOCKER_IMAGE"
          echo base64
          echo "$DOCKER_IMAGE"|base64 -w0
       
       name: Login to DockerHub
        uses: docker/login-action@v1 
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_TOKEN }}

RESULT:


base64 -w0 /tmp/file
  DOCKER_IMAGE=${DOCKER_ORG}/${DOCKER_REPO}
  
  echo "supersec: $SUPER_SECRET"
  #DOCKER_IMAGE=***/${GITHUB_REPOSITORY#*/}
  VERSION=latest
  SHORTREF=${GITHUB_SHA::8}
  echo "$DOCKER_IMAGE"
  echo base64
  echo "$DOCKER_IMAGE"|base64 -w0
  shell: /usr/bin/bash -e {0}
  env:
    super_secret: ***
    docker_user: ***
    docker_repo: ***
    docker_org: ***
    foolingia: ***
Cg==supersec: 
/
base64
Lwo=


Run docker/login-action@v1
Error: Username and password required

in other repos it works ...

really annyoing ,maybe github issue itself , but about to switch away from sh*thub since microsoft crapped it up.. completely unusable mess since in gitlab you can at least switch off that secret replacing clowns-party for debugging ..

Error: Username and password required

Behaviour

Steps to reproduce this issue

  1. Attempt to run CI on existing project that was working

Example: https://github.com/brianmay/scrooge/runs/2292983499

This is happening though in multiple projects.

Expected behaviour

No error. Should login to Docker. Credentials are (supplied using the designated secrets). This is not a forked repository. It was working. Not sure what has changed.

Actual behaviour

Error: Username and password required

Configuration

Relevant step:

      - name: Login to DockerHub
        uses: docker/login-action@v1
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

Logs

See https://github.com/brianmay/scrooge/runs/2292983499

Login to Quay.io does not work

Behaviour

My GitHub Action looks like https://github.com/sclorg/s2i-base-container/blob/master/.github/workflows/build-and-push.yml

Steps to reproduce this issue

  1. export secrets into GITHUB_ENVs
  2. in username and password use: ${{ env.QUAY_TOKEN }} respectively ${{ env.QUAY_TOKEN }}
  3. Login to Quay.io does not work.

See error from action:

Run docker/login-action@v1
  with:
    registry: quay.io
    ecr: auto
    logout: true
Error: Username and password required

Storing secrets in the matrix does not work.

Expected behaviour

Login is working properly.

Tell us what should happen

Actual behaviour

Login does not work.

Tell us what happens instead

Configuration

      - name: Export GitHub secrets
        run: |
          if [ "${{ matrix.os_type }}" == "centos7" ]; then
            username="${{ secrets.QUAY_IMAGE_BUILDER_USERNAME }}"
            token="${{ secrets.QUAY_IMAGE_BUILDER_TOKEN }}"
          else
            username="${{ secrets.QUAY_IMAGE_SCLORG_BUILDER_USERNAME }}"
            token="${{ secrets.QUAY_IMAGE_SCLORG_BUILDER_TOKEN  }}"
          fi
          echo "QUAY_USERNAME=$username" >> GITHUB_ENV
          echo "QUAY_ROBOT_TOKEN=$token" >> GITHUB_ENV
      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@v1

      - name: Login to Quay.io
        uses: docker/login-action@v1
        with:
          registry: quay.io
          username: ${{ env.QUAY_USERNAME }}
          password: ${{ env.QUAY_ROBOT_TOKEN }}

Logs

Download the log file of your build
and attach it to this issue.

Environment variable https_proxy is not used

Behaviour

Login to AWS ECR doesn't work if action is running behind http(s) proxy.

Steps to reproduce this issue

  1. Run self-hosted runner in network environment with blocked internet connection which needs use http_proxy
  2. Set Environment variables http_proxy and https_proxy to correct proxy server
  3. Let login-action to login to (private) ECR
  4. Error: connect ETIMEDOUT 52.119.173.252:443

Expected behaviour

AWS ECR auth token should be retrieved with AWS SDK.

Actual behaviour

##[debug]Save intra-action state isPost = true
::save-state name=registry::***.dkr.ecr.us-west-2.amazonaws.com
##[debug]Save intra-action state registry = ***.dkr.ecr.us-west-2.amazonaws.com
::save-state name=logout::true
##[debug]Save intra-action state logout = true
Retrieving registries data through AWS SDK...
##[debug]Requesting AWS ECR auth token for ***
AWS ECR detected with us-west-2 region
Error: connect ETIMEDOUT 52.119.173.252:443
##[debug]Node Action run completed with exit code 1
##[debug]Finishing: Login to AWS ECR

Configuration

  • Repository URL (if public): private
  • Build URL (if public): private
      - name: Configure AWS Credentials
        if: github.event_name != 'pull_request'
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-west-2

      - name: Login to AWS ECR
        if: github.event_name != 'pull_request'
        uses: docker/login-action@v1
        with:
          registry: ${{ env.ECR_REPO }}

Startup failure

Behaviour

Steps to reproduce this issue

Add docker/login-action to workflow, start the workflow

Expected behaviour

Expect successful login on Docker registry.
No idea on how to diagnose this early error.

Actual behaviour

Error : .github#L1
docker/login-action@v1 is not allowed to be used in <organization>/<repo>. Actions in this workflow must be: within a repository owned by <organization> or created by GitHub.

Configuration

Private.

jobs:
  go:
    name: Build & Test Actions
    runs-on: [self-hosted]

    steps:
      - name: Login to Docker Hub
        uses: docker/login-action@v1
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

Logs

Download the [log file of your build]

There is no log file

Screenshot 2021-09-30 at 15 22 23

Feature request: Insecure registry

Hi, it would be nice to add support for registries served only over http instead of https. Right now it gives this error:

Error response from daemon: Get https://***/v2/: http: server gave HTTP response to HTTPS client

Login doesn't support using EC2 instance credentials with ECR login

Behaviour

I am using self-hosted runners with an IAM role attached (with ECR permissions) and the login action fails.

Steps to reproduce this issue

  1. Create a self hosted runner with IAM role attached (with ECR permissions)
  2. Create a workflow with uses: docker/login-action@v1
  3. Try to run the workflow

Expected behaviour

The login should use the EC2 instance credentials and login to ECR.

Actual behaviour

The login action fails

Error: An error occurred (UnrecognizedClientException) when calling the GetAuthorizationToken operation: The security token included in the request is invalid.

IMO the action should not attempt to overwrite the env vars for AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY in this case.

I can make it work using this manual run step:

- name: ECR login
  run: |
    aws ecr get-login-password | docker login --username AWS --password-stdin <aws-account-id>.dkr.ecr.<aws-region>.amazonaws.com

Configuration

  • Repository URL (if public): private
  • Build URL (if public): private
- name: ECR login
  uses: docker/login-action@v1
  with:
    registry: <aws-account-id>.dkr.ecr.<aws-region>.amazonaws.com

Logs

Sorry private repo, I can't share the logs.

Action fails on ARM64 self hosted runner

Behaviour

Permission denied while trying to connect to the Docker daemon socket

Steps to reproduce this issue

  1. Using action on x86 runner works
  2. Using action on arm64 runner fails (tested on many different ones)

Expected behaviour

It should login to the Github with the same way as it does on the x86 runner.

Actual behaviour

Error: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock

Configuration

name: Build Docker Image
on:
  # Trigger the workflow on push but only for the main branch
  push:
    branches:
      - master
  # Trigger manually
  workflow_dispatch:

jobs:

  build-amd64:

    name: Build amd64 Docker image
    needs: build-arm64  
    
    runs-on: ubuntu-latest
    if: ${{ github.repository_owner == 'Armbian' }}
    steps:

     - uses: actions/checkout@v1

     - name: Login to GitHub Container Registry
       uses: docker/login-action@v1
       with:
         registry: ghcr.io
         username: ${{ github.actor }}
         password: ${{ secrets.CR_PAT }}
[logs_7652.zip](https://github.com/docker/login-action/files/7726883/logs_7652.zip)

Support logging to multiple registries with a single execution of the Action

Currently, I need to login to three registries, which makes it very verbose to use this Action:

    - name: Login to ghcr.io
      uses: docker/login-action@v1
      with:
        registry: ghcr.io
        username: gha
        password: ${{ github.token }}
        
    - name: Login to docker.io
      uses: docker/login-action@v1
      with:
        username: ${{ secrets.DOCKER_USERNAME }}
        password: ${{ secrets.DOCKER_PASSWORD }}
        
    - name: Login to GCR
       uses: docker/login-action@v1
       with:
         registry: gcr.io
         username: _json_key
         password: ${{ secrets.GCR_JSON_KEY }}

It would be nice if providing a list of targets was supported. For instance:

    - name: Login to container registries
      uses: docker/login-action@v2
      with:
        targets:
          - 'ghcr.io|gha|${{ github.token }}'
          - 'docker.io|${{ secrets.DOCKER_USERNAME }}|${{ secrets.DOCKER_PASSWORD }}'
          - 'gcr.io|_json_key|${{ secrets.GCR_JSON_KEY }}'

Support List,CSV type for registry input

Opening new issue to keep track of the implementation because original issue was closed #72

Right now we're using this action to login to IBM Cloud Container Registry in different regions:

      - name: Login to IBM Cloud Container Registry US
        uses: docker/login-action@v1
        with:
          registry: us.icr.io
          username: ${{ env.ICR_USERNAME }}
          password: ${{ env.ICR_PASSWORD }}

      - name: Login to IBM Cloud Container Registry UK
        uses: docker/login-action@v1
        with:
          registry: uk.icr.io
          username: ${{ env.ICR_USERNAME }}
          password: ${{ env.ICR_PASSWORD }}

Credentials are the same for all regions, it's just the address of the registry that differs.

Could we possibly support something like this?

      - name: Login to IBM Cloud Container Registry ALL
        uses: docker/login-action@v1
        with:
          registry: |
            us.icr.io
            uk.icr.io
            de.icr.io
            au.icr.io
            jp.icr.io
          username: ${{ env.ICR_USERNAME }}
          password: ${{ env.ICR_PASSWORD }}

Login is not able to get GitHub Actions secrects.

Expected behavior

Login into DockerHub.

Actual behaviour

The system throws an error: "Error: Username and password required".

Configuration

name: Docker Publish

on:
  push:
    branches:
      - master


jobs:
  docker:
    runs-on: ubuntu-latest

    steps:
      - name: Login to DockerHub
        id: login
        uses: docker/login-action@v1
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

logs_19.zip

Q: Action vs. CLI

I was wondering about the warning that the docker CLI gives when logging in:

WARNING! Your password will be stored unencrypted in /home/runner/.docker/config.json

How does the action handle it ?
Does the action do the exact same thing as the CLI and just basically masks the warning or does it do the login another way ?

Security issue

Coming from docker/build-push-action#53

Refs:

Behaviour

docker/build-push-action#53 (comment)
It seems that the warning message is hidden from the users, which is misleading as it provides a false feeling of security. As seen in docker/login-action@adb7347/src/docker.ts#L36, on success stderr is not shown. The warning is precisely shown when the login is successful but insecure.

Steps to reproduce this issue

docker/build-push-action#53 (comment)
See eine/login-action@master (commits) and eine/login-action/runs/1354438643?check_suite_focus=true#step:3:8.

Expected behaviour

Login is secure or security warnings are not hidden.

Actual behaviour

Login is reported not to be secure, but warnings are hidden.

Where is the config.json?

I'm a little confused about how this action's side-effects are persisted. I expected to see a $HOME/.docker/config.json file but I'm not seeing it.

The problem I'm trying to solve is enabling experimental docker CLI features in a subsequent step after using docker/login-action. I'm trying:

DOCKER_CFG_PATH="${DOCKER_CONFIG:-$HOME/.docker}/config.json"
jq '. + {"experimental": "enabled"}' < "$DOCKER_CFG_PATH" | sponge "$DOCKER_CFG_PATH"

but $DOCKER_CFG_PATH doesn't exist. When I try to create an empty config.json and set the experimental flag on that I lose my docker login session.

Any tips on enabling experimental docker CLI features after using this action? Thanks!

Unable to locate executable file: aws

Behaviour

Steps to reproduce this issue

  1. Run the CI with the steps described in the Configuration section.

Expected behaviour

It should login to AWS Elastic Container Registry

Actual behaviour

The executable aws is missing.

Configuration

name: Publish Docker Image

on:
  push:
    tags:
      - 'v*'

jobs:

  push_to_registry:

    name: Push Docker image to GitHub Packages

    runs-on: [***]

    steps:
      - uses: actions/checkout@v2
        with:
          token: ${{ secrets.PERSONAL_GITHUB_TOKEN }}
          fetch-depth: 0

      - uses: crazy-max/ghaction-docker-meta@v1
        id: docker_meta
        with:
          images: ghcr.io/***,***.dkr.ecr.***.amazonaws.com/***
          tag-semver: |
            {{version}}
            {{major}}.{{minor}}

      - uses: docker/setup-qemu-action@v1

      - uses: docker/setup-buildx-action@v1

      - uses: docker/login-action@v1
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.PERSONAL_GITHUB_TOKEN }}

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ***

      - uses: docker/login-action@v1
        with:
          registry: ***.dkr.ecr.***.amazonaws.com

      - uses: actions/cache@v2
        with:
          path: /tmp/.buildx-cache
          key: ${{ runner.os }}-buildx-${{ github.sha }}
          restore-keys: |
            ${{ runner.os }}-buildx-

      - name: Push to GitHub Packages
        uses: docker/build-push-action@v2
        with:
          file: ./Dockerfile
          build-args: |
            token=${{ secrets.PERSONAL_GITHUB_TOKEN }}
          push: true
          tags: ${{ steps.docker_meta.outputs.tags }}
          labels: ${{ steps.docker_meta.outputs.labels }}
          cache-from: type=local,src=/tmp/.buildx-cache
          cache-to: type=local,dest=/tmp/.buildx-cache

Logs

1_Push Docker image to GitHub Packages.txt

Login persistence on next action steps

Hi, I am using a step after using docker/login-action@v1 called mamezou-tech/buildpacks-action@master and as they use a Dockerfile to run the step the docker connection session is not persisted.

Is there a way to make it work? What could be done to have other "dockerized" steps to be able to benefit from the docker login action?

Thanks!

CR_PAT for GitHub Container Registry

Is the CR_PAT the GitHub Container Registry Personal Access Token? Can we update the docs to explain exactly what this is? I forget where you even generate that from.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.