Comments (18)
Now I am really puzzled. It seems to be working fine today. All the CI jobs that failed yesterday work fine today, after retry.
from login-action.
This makes me nervous, but assuming fixed for now. Closing. If I see it happen again, will reopen.
from login-action.
I am still seeing this. Generally retrying the build fixes the problem.
from login-action.
@brianmay Don't think that's an issue with this action. Are you sure DOCKERHUB_USERNAME and DOCKERHUB_TOKEN secrets are allowed for your repository? If so, can you add the secret ACTIONS_STEP_DEBUG=true and give me the output of this action (redacted if needed) please?
from login-action.
Yes, if I hadn't set the secrets correctly, it would never work. Which is the mystery. Nor does it look like some sort of weird error from Docker.
Will try setting the debug secret, but not sure when I will be able to reproduce the issue.
from login-action.
Hmmm. Looks like if you upgrade from dependabot.com to dependabot within github, when it creates a PR it doesn't automatically get access to secrets. This is somewhat confusing.
Will try to read this when I am more awake. But I suspect this might be relevant: https://github.community/t/dependabot-doesnt-see-github-actions-secrets/167104/21
from login-action.
Official announcement: https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/
from login-action.
Oh, thanks, that really clears this up for me, I was really confused by the login action sometimes not working for dependabot.
from login-action.
@Frederik-Baetens I think the behaviour changed when moving from dependabot preview (dependabot website) to dependabot (github website).
Unfortunately github actions don't have any easy way of skipping an entire job if secrets are not set. And dependabot will create PR and push actions - which are both affected. So I have had to add tests for every step in the job instead. Not sure if there is a better way.
from login-action.
Anyone found a better solution for this?
To be forced to rerun all PRs from dependabot is quite annoying :/
from login-action.
It is not great, but I have been adding the following to every step in the publish task:
if: ${{env.DOCKERHUB_USERNAME != 0}}
e.g. https://github.com/brianmay/penguin_memories/blob/main/.github/workflows/docker.yml#L148
What I wanted is to skip the entire setup-build-publish-deploy but this is not possible. It is not possible to access environment variables in the "if" for tasks, only the steps.
What I would like now is for the steps to continue normally, but use a valid/fake value of DOCKERHUB_USERNAME when generating the image name, skip the login step, and then set push to false so it builds the image but doesn't push it anywhere. But I might have to delete the caching stuff also. So I might refine this at some point.
I am somewhat surprised that there isn't a recommended/working pattern to follow that somebody smarter than me has already published. The official documents don't seem to mention this issue.
https://docs.github.com/en/actions/publishing-packages/publishing-docker-images
Nor is there any easy way of testing your github actions config to see if it is going to be OK when run by somebody else.
from login-action.
I just observed this as well, specifically for @dependabot patches, even when defining a PAT as repository secret specifically for dependabot.
See https://github.blog/2021-03-15-dependabot-private-dependencies/
This is kinda what's running:
    with:
      registry: ghcr.io
      username: dependabot[bot]
      password: {{ secrets.SOMETHING_I_CONFIGURED_SPECIFICALLY_FOR_DEPENDABOT }}
      logout: true
Could it be that the brackets in dependabot[bot] (username) are being refused by the ghcr.io login?
from login-action.
Although not a solution to this problem, I really like the github reusable workflows.
https://docs.github.com/en/actions/learn-github-actions/reusing-workflows
This means I only need to put my hacks and kludges in one place.
My latest solution is to login conditionally to github:
And push conditionally:
The condition in both cases is:
${{ github.repository_owner == 'brianmay' && github.ref_name == 'main' && github.event_name != 'pull_request' }}
Which hopefully will only activate for pushes direct to the main branch. The downside is sometimes I might want to test images against other branches. And this will build and not push them.
I really wish github had a value like github.untrusted or something. That I could use instead.
I have also switched to uploading images to ghcr, but the same thing would apply equally to dockerhub.
from login-action.
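The conditional login and push described in the comment above, sketched as a complete workflow. This is an added example, not the commenter's own workflow: the owner `example-owner`, the image name, the `PUBLISH` variable and the `actions/checkout` and `docker/build-push-action` versions are assumptions.

```yaml
# Added example; owner, image name and PUBLISH are placeholders/assumptions.
name: docker
on:
  push:
  pull_request:

permissions:
  contents: read
  packages: write

env:
  # Evaluates to the string 'true' only for direct pushes to main in the
  # canonical repository. Dependabot runs (PR events and pushes to its own
  # branches) and fork PRs, which receive no Actions secrets, get 'false'.
  PUBLISH: ${{ github.repository_owner == 'example-owner' && github.ref_name == 'main' && github.event_name != 'pull_request' }}

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      # Skipped entirely on untrusted runs, so the action never sees
      # empty credentials and never fails with a missing-password error.
      - name: Login to ghcr.io
        if: env.PUBLISH == 'true'
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # The image is always built, so untrusted PRs still exercise the
      # Dockerfile; it is pushed only when PUBLISH is true.
      - name: Build (push only when publishing)
        uses: docker/build-push-action@v3
        with:
          context: .
          push: ${{ env.PUBLISH == 'true' }}
          tags: ghcr.io/example-owner/example-image:latest
```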
According to this document: https://docs.github.com/en/actions/using-workflows/reusing-workflows#passing-inputs-and-secrets-to-a-reusable-workflow
It should be noted that using login-action in called workflows needs to use the secrets keyword to pass username and password when reusing workflows.
Like this:
...
jobs:
  call-workflow-passing-secrets:
    uses: ./.github/workflows/called-workflow.yml
    secrets: inherit
    # OR pass them explicitly (instead of "inherit"); the names must match
    # the secrets declared under workflow_call in the called workflow:
    # secrets:
    #   DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
    #   DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }}
...
.github/workflows/called-workflow.yml:
name: Called workflow example
on:
  workflow_call:
    secrets:
      DOCKERHUB_USERNAME:
        required: true
      DOCKERHUB_PASSWORD:
        required: true
jobs:
  called-workflow-passing-secrets:
    runs-on: ubuntu-latest
    steps:
      - uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_PASSWORD }}
from login-action.
I am having the same issue with the following setup:
    - name: Authenticate with Google Cloud
      id: auth
      uses: google-github-actions/auth@v0
      with:
        workload_identity_provider: projects/xxxxxxxxxx/locations/global/workloadIdentityPools/github/providers/github
        service_account: [email protected]
    - name: Login to Artifact Registry
      uses: docker/login-action@v2
      with:
        registry: us-central-1-docker.pkg.dev
        username: oauth2accesstoken
        password: ${{ steps.auth.outputs.access_token }}
This was just working earlier and suddenly started giving "Username and password required". Retrying does not fix it.
from login-action.
@CloudByteCH Does it work with previous release?: docker/[email protected].
from login-action.
@CloudByteCH Does it work with previous release?: docker/[email protected].
No
from login-action.
For anyone experiencing problems with dependabot: make sure you've added secrets for both Actions and Dependabot in repository (or organization) settings.
from login-action.