Merge pull request #600 from crazy-max/bump-major

docs: bump actions to latest major
CrazyMax 2023-09-12 15:13:37 +02:00 committed by GitHub
commit ba38666a08
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 97 additions and 76 deletions

165
README.md

@ -31,8 +31,9 @@ ___
### Docker Hub ### Docker Hub
To authenticate against [Docker Hub](https://hub.docker.com) it's strongly recommended to create a When authenticating to [Docker Hub](https://hub.docker.com) with GitHub Actions,
[personal access token](https://docs.docker.com/docker-hub/access-tokens/) as an alternative to your password. use a [personal access token](https://docs.docker.com/docker-hub/access-tokens/).
Don't use your account password.
```yaml ```yaml
name: ci name: ci
@ -47,7 +48,7 @@ jobs:
steps: steps:
- -
name: Login to Docker Hub name: Login to Docker Hub
uses: docker/login-action@v2 uses: docker/login-action@v3
with: with:
username: ${{ secrets.DOCKERHUB_USERNAME }} username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }} password: ${{ secrets.DOCKERHUB_TOKEN }}
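Review bot: `uses: docker/login-action@v3` in the Docker Hub example references a movable major tag in a step that receives registry credentials. Since this bump touches every example in the README, consider adding one sentence telling readers they can pin the action to a full commit SHA instead of the tag.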
@ -55,9 +56,9 @@ jobs:
### GitHub Container Registry ### GitHub Container Registry
To authenticate against the [GitHub Container Registry](https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry), To authenticate to the [GitHub Container Registry](https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry),
use the [`GITHUB_TOKEN`](https://docs.github.com/en/actions/reference/authentication-in-a-workflow) for the best use the [`GITHUB_TOKEN`](https://docs.github.com/en/actions/reference/authentication-in-a-workflow)
security and experience. secret.
```yaml ```yaml
name: ci name: ci
@ -72,7 +73,7 @@ jobs:
steps: steps:
- -
name: Login to GitHub Container Registry name: Login to GitHub Container Registry
uses: docker/login-action@v2 uses: docker/login-action@v3
with: with:
registry: ghcr.io registry: ghcr.io
username: ${{ github.actor }} username: ${{ github.actor }}
@ -100,20 +101,23 @@ jobs:
steps: steps:
- -
name: Login to GitLab name: Login to GitLab
uses: docker/login-action@v2 uses: docker/login-action@v3
with: with:
registry: registry.gitlab.com registry: registry.gitlab.com
username: ${{ secrets.GITLAB_USERNAME }} username: ${{ secrets.GITLAB_USERNAME }}
password: ${{ secrets.GITLAB_PASSWORD }} password: ${{ secrets.GITLAB_PASSWORD }}
``` ```
If you have [Two-Factor Authentication](https://gitlab.com/help/user/profile/account/two_factor_authentication) enabled, use a [Personal Access Token](https://gitlab.com/help/user/profile/personal_access_tokens) instead of a password. If you have [Two-Factor Authentication](https://gitlab.com/help/user/profile/account/two_factor_authentication)
enabled, use a [Personal Access Token](https://gitlab.com/help/user/profile/personal_access_tokens)
instead of a password.
### Azure Container Registry (ACR) ### Azure Container Registry (ACR)
[Create a service principal](https://docs.microsoft.com/en-us/azure/container-registry/container-registry-auth-service-principal#create-a-service-principal) [Create a service principal](https://docs.microsoft.com/en-us/azure/container-registry/container-registry-auth-service-principal#create-a-service-principal)
with access to your container registry through the [Azure CLI](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli) with access to your container registry through the [Azure CLI](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli)
and take note of the generated service principal's ID (also called _client ID_) and password (also called _client secret_). and take note of the generated service principal's ID (also called _client ID_)
and password (also called _client secret_).
```yaml ```yaml
name: ci name: ci
@ -128,7 +132,7 @@ jobs:
steps: steps:
- -
name: Login to ACR name: Login to ACR
uses: docker/login-action@v2 uses: docker/login-action@v3
with: with:
registry: <registry-name>.azurecr.io registry: <registry-name>.azurecr.io
username: ${{ secrets.AZURE_CLIENT_ID }} username: ${{ secrets.AZURE_CLIENT_ID }}
@ -139,16 +143,21 @@ jobs:
### Google Container Registry (GCR) ### Google Container Registry (GCR)
> [Google Artifact Registry](#google-artifact-registry-gar) is the evolution of Google Container Registry. As a > [Google Artifact Registry](#google-artifact-registry-gar) is the evolution of
> fully-managed service with support for both container images and non-container artifacts. If you currently use > Google Container Registry. As a fully-managed service with support for both
> Google Container Registry, use the information [on this page](https://cloud.google.com/artifact-registry/docs/transition/transition-from-gcr) > container images and non-container artifacts. If you currently use Google
> Container Registry, use the information [on this page](https://cloud.google.com/artifact-registry/docs/transition/transition-from-gcr)
> to learn about transitioning to Google Artifact Registry. > to learn about transitioning to Google Artifact Registry.
You can use either workload identity federation based keyless authentication or service account based authentication. You can authenticate with workload identity federation or a service account.
#### Workload identity federation based authentication #### Workload identity federation
Configure the workload identity federation for github actions in gcloud (for steps, [refer here](https://github.com/google-github-actions/auth#setting-up-workload-identity-federation)). In the steps, your service account should the ability to push to GCR. Then use google-github-actions/auth action for authentication using workload identity like below: Configure the workload identity federation for GitHub Actions in Google Cloud,
[see here](https://github.com/google-github-actions/auth#setting-up-workload-identity-federation).
Your service account must have permission to push to GCR. Use the
`google-github-actions/auth` action to authenticate using workload identity as
shown in the following example:
```yaml ```yaml
name: ci name: ci
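Review bot: The re-wrapped GCR note keeps the sentence fragment "As a fully-managed service with support for both container images and non-container artifacts."; join it to the sentence before it (for example "... is the evolution of Google Container Registry, a fully-managed service with support for ..."). The new link text `[see here]` in the workload identity paragraph would also read better if it named its target, the `google-github-actions/auth` setup guide.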
@ -161,32 +170,35 @@ jobs:
login: login:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- id: 'auth' -
name: 'Authenticate to Google Cloud' name: Authenticate to Google Cloud
uses: 'google-github-actions/auth@v0' id: auth
uses: google-github-actions/auth@v1
with: with:
token_format: 'access_token' token_format: access_token
workload_identity_provider: '<workload_identity_provider>' workload_identity_provider: <workload_identity_provider>
service_account: '<service_account>' service_account: <service_account>
-
- name: Login to GCR name: Login to GCR
uses: docker/login-action@v2 uses: docker/login-action@v3
with: with:
registry: gcr.io registry: gcr.io
username: oauth2accesstoken username: oauth2accesstoken
password: ${{ steps.auth.outputs.access_token }} password: ${{ steps.auth.outputs.access_token }}
``` ```
> Replace `<workload_identity_provider>` with configured workload identity provider. For steps to configure, [refer here](https://github.com/google-github-actions/auth#setting-up-workload-identity-federation). > Replace `<workload_identity_provider>` with configured workload identity
> provider. For steps to configure, [see here](https://github.com/google-github-actions/auth#setting-up-workload-identity-federation).
> Replace `<service_account>` with configured service account in workload identity provider which has access to push to GCR > Replace `<service_account>` with configured service account in workload
> identity provider which has access to push to GCR
#### Service account based authentication #### Service account based authentication
Use a service account with the ability to push to GCR and [configure access control](https://cloud.google.com/container-registry/docs/access-control). Use a service account with permission to push to GCR and [configure access control](https://cloud.google.com/container-registry/docs/access-control).
Then create and download the JSON key for this service account and save content of `.json` file Download the key for the service account as a JSON file. Save the contents of
[as a secret](https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets#creating-encrypted-secrets-for-a-repository) the file [as a secret](https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets#creating-encrypted-secrets-for-a-repository)
called `GCR_JSON_KEY` in your GitHub repo. Ensure you set the username to `_json_key`, named `GCR_JSON_KEY` in your GitHub repository. Set the username to `_json_key`,
or `_json_key_base64` if you use a base64-encoded key. or `_json_key_base64` if you use a base64-encoded key.
```yaml ```yaml
@ -202,7 +214,7 @@ jobs:
steps: steps:
- -
name: Login to GCR name: Login to GCR
uses: docker/login-action@v2 uses: docker/login-action@v3
with: with:
registry: gcr.io registry: gcr.io
username: _json_key username: _json_key
@ -211,11 +223,14 @@ jobs:
### Google Artifact Registry (GAR) ### Google Artifact Registry (GAR)
You can use either workload identity federation based keyless authentication or service account based authentication. You can authenticate with workload identity federation or a service account.
#### Workload identity federation based authentication #### Workload identity federation
Configure the workload identity federation for github actions in gcloud (for steps, [refer here](https://github.com/google-github-actions/auth#setting-up-workload-identity-federation)). In the steps, your service account should the ability to push to GAR. Then use google-github-actions/auth action for authentication using workload identity like below: Download the key for the service account as a JSON file. Save the contents of
the file [as a secret](https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets#creating-encrypted-secrets-for-a-repository)
named `GCR_JSON_KEY` in your GitHub repository. Set the username to `_json_key`,
or `_json_key_base64` if you use a base64-encoded key.
```yaml ```yaml
name: ci name: ci
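Review bot: The replacement paragraph under `#### Workload identity federation` in the GAR section is the service-account key text (download the JSON key, save it as `GCR_JSON_KEY`, username `_json_key`), which contradicts both the heading and the workflow that follows it, where the username is `oauth2accesstoken` and the password comes from `steps.auth.outputs.access_token`. This looks like a paste from the service-account section; reuse the workload identity wording from the GCR section with "GCR" changed to "GAR" so readers are not told to create a long-lived key for the keyless flow.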
@ -228,34 +243,38 @@ jobs:
login: login:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- id: 'auth' -
name: 'Authenticate to Google Cloud' name: Authenticate to Google Cloud
uses: 'google-github-actions/auth@v0' id: auth
uses: google-github-actions/auth@v1
with: with:
token_format: 'access_token' token_format: access_token
workload_identity_provider: '<workload_identity_provider>' workload_identity_provider: <workload_identity_provider>
service_account: '<service_account>' service_account: <service_account>
-
- name: Login to GAR name: Login to GAR
uses: docker/login-action@v2 uses: docker/login-action@v3
with: with:
registry: <location>-docker.pkg.dev registry: <location>-docker.pkg.dev
username: oauth2accesstoken username: oauth2accesstoken
password: ${{ steps.auth.outputs.access_token }} password: ${{ steps.auth.outputs.access_token }}
``` ```
> Replace `<workload_identity_provider>` with configured workload identity provider
> Replace `<service_account>` with configured service account in workload identity provider which has access to push to GCR > Replace `<workload_identity_provider>` with configured workload identity
> provider
> Replace `<service_account>` with configured service account in workload
> identity provider which has access to push to GCR
> Replace `<location>` with the regional or multi-regional [location](https://cloud.google.com/artifact-registry/docs/repo-organize#locations) > Replace `<location>` with the regional or multi-regional [location](https://cloud.google.com/artifact-registry/docs/repo-organize#locations)
> of the repository where the image is stored. > of the repository where the image is stored.
#### Service account based authentication #### Service account based authentication
Use a service account with the ability to push to GAR and [configure access control](https://cloud.google.com/artifact-registry/docs/access-control). Use a service account with permission to push to GAR and [configure access control](https://cloud.google.com/artifact-registry/docs/access-control).
Then create and download the JSON key for this service account and save content of `.json` file Download the key for the service account as a JSON file. Save the contents of
[as a secret](https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets#creating-encrypted-secrets-for-a-repository) the file [as a secret](https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets#creating-encrypted-secrets-for-a-repository)
called `GAR_JSON_KEY` in your GitHub repo. Ensure you set the username to `_json_key`, named `GCR_JSON_KEY` in your GitHub repository. Set the username to `_json_key`,
or `_json_key_base64` if you use a base64-encoded key. or `_json_key_base64` if you use a base64-encoded key.
```yaml ```yaml
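Review bot: The secret name in the GAR service-account paragraph changes from `GAR_JSON_KEY` to `GCR_JSON_KEY`, which looks like a carry-over from the GCR section; keep `GAR_JSON_KEY` so the prose matches the section it sits in. The `<service_account>` placeholder note in this hunk also still says "has access to push to GCR" under the GAR heading; since that line is being re-wrapped anyway, change it to GAR.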
@ -271,7 +290,7 @@ jobs:
steps: steps:
- -
name: Login to GAR name: Login to GAR
uses: docker/login-action@v2 uses: docker/login-action@v3
with: with:
registry: <location>-docker.pkg.dev registry: <location>-docker.pkg.dev
username: _json_key username: _json_key
@ -284,7 +303,7 @@ jobs:
### AWS Elastic Container Registry (ECR) ### AWS Elastic Container Registry (ECR)
Use an IAM user with the ability to [push to ECR with `AmazonEC2ContainerRegistryPowerUser` managed policy for example](https://docs.aws.amazon.com/AmazonECR/latest/userguide/ecr_managed_policies.html#AmazonEC2ContainerRegistryPowerUser). Use an IAM user with the ability to [push to ECR with `AmazonEC2ContainerRegistryPowerUser` managed policy for example](https://docs.aws.amazon.com/AmazonECR/latest/userguide/ecr_managed_policies.html#AmazonEC2ContainerRegistryPowerUser).
Then create and download access keys and save `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` [as secrets](https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets#creating-encrypted-secrets-for-a-repository) Download the access keys and save them as `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` [as secrets](https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets#creating-encrypted-secrets-for-a-repository)
in your GitHub repo. in your GitHub repo.
```yaml ```yaml
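Review bot: In the ECR paragraph the new sentence reads "save them as `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` [as secrets]", with "as" doubled. The ECR Public hunk later in this patch words it "save them as ... [secrets]", so use the same wording here, and change "GitHub repo" to "GitHub repository" as the other hunks do.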
@ -300,15 +319,15 @@ jobs:
steps: steps:
- -
name: Login to ECR name: Login to ECR
uses: docker/login-action@v2 uses: docker/login-action@v3
with: with:
registry: <aws-account-number>.dkr.ecr.<region>.amazonaws.com registry: <aws-account-number>.dkr.ecr.<region>.amazonaws.com
username: ${{ secrets.AWS_ACCESS_KEY_ID }} username: ${{ secrets.AWS_ACCESS_KEY_ID }}
password: ${{ secrets.AWS_SECRET_ACCESS_KEY }} password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
``` ```
If you need to log in to Amazon ECR registries associated with other accounts, you can use the `AWS_ACCOUNT_IDS` If you need to log in to Amazon ECR registries associated with other accounts,
environment variable: you can use the `AWS_ACCOUNT_IDS` environment variable:
```yaml ```yaml
name: ci name: ci
@ -323,7 +342,7 @@ jobs:
steps: steps:
- -
name: Login to ECR name: Login to ECR
uses: docker/login-action@v2 uses: docker/login-action@v3
with: with:
registry: <aws-account-number>.dkr.ecr.<region>.amazonaws.com registry: <aws-account-number>.dkr.ecr.<region>.amazonaws.com
username: ${{ secrets.AWS_ACCESS_KEY_ID }} username: ${{ secrets.AWS_ACCESS_KEY_ID }}
@ -334,8 +353,8 @@ jobs:
> Only available with [AWS CLI version 1](https://docs.aws.amazon.com/cli/latest/reference/ecr/get-login.html) > Only available with [AWS CLI version 1](https://docs.aws.amazon.com/cli/latest/reference/ecr/get-login.html)
You can also use the [Configure AWS Credentials](https://github.com/aws-actions/configure-aws-credentials) action in You can also use the [Configure AWS Credentials](https://github.com/aws-actions/configure-aws-credentials)
combination with this action: action in combination with this action:
```yaml ```yaml
name: ci name: ci
@ -350,14 +369,14 @@ jobs:
steps: steps:
- -
name: Configure AWS Credentials name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v1 uses: aws-actions/configure-aws-credentials@v4
with: with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: <region> aws-region: <region>
- -
name: Login to ECR name: Login to ECR
uses: docker/login-action@v2 uses: docker/login-action@v3
with: with:
registry: <aws-account-number>.dkr.ecr.<region>.amazonaws.com registry: <aws-account-number>.dkr.ecr.<region>.amazonaws.com
``` ```
@ -366,9 +385,10 @@ jobs:
### AWS Public Elastic Container Registry (ECR) ### AWS Public Elastic Container Registry (ECR)
Use an IAM user with the ability to [push to ECR Public with `AmazonElasticContainerRegistryPublicPowerUser` managed policy for example](https://docs.aws.amazon.com/AmazonECR/latest/public/public-ecr-managed-policies.html#AmazonElasticContainerRegistryPublicPowerUser). Use an IAM user with permission to push to ECR Public, for example using [managed policies](https://docs.aws.amazon.com/AmazonECR/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-AmazonEC2ContainerRegistryPowerUser).
Then create and download access keys and save `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` [as secrets](https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets#creating-encrypted-secrets-for-a-repository) Download the access keys and save them as `AWS_ACCESS_KEY_ID` and
in your GitHub repo. `AWS_SECRET_ACCESS_KEY` [secrets](https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets#creating-encrypted-secrets-for-a-repository)
in your GitHub repository.
```yaml ```yaml
name: ci name: ci
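Review bot: The managed-policy link in the ECR Public paragraph now points at the private-registry user guide anchor `security-iam-awsmanpol-AmazonEC2ContainerRegistryPowerUser`, replacing the ECR Public page for `AmazonElasticContainerRegistryPublicPowerUser`. That is a different policy, written for private registries, so a reader following the link would attach the wrong one. Keep the ECR Public link and name the policy in the sentence, as the old text did.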
@ -383,7 +403,7 @@ jobs:
steps: steps:
- -
name: Login to Public ECR name: Login to Public ECR
uses: docker/login-action@v2 uses: docker/login-action@v3
with: with:
registry: public.ecr.aws registry: public.ecr.aws
username: ${{ secrets.AWS_ACCESS_KEY_ID }} username: ${{ secrets.AWS_ACCESS_KEY_ID }}
@ -417,7 +437,7 @@ jobs:
steps: steps:
- -
name: Login to OCIR name: Login to OCIR
uses: docker/login-action@v2 uses: docker/login-action@v3
with: with:
registry: <region>.ocir.io registry: <region>.ocir.io
username: ${{ secrets.OCI_USERNAME }} username: ${{ secrets.OCI_USERNAME }}
@ -428,7 +448,8 @@ jobs:
### Quay.io ### Quay.io
Use a [Robot account](https://docs.quay.io/glossary/robot-accounts.html) with the ability to push to a public/private Quay.io repository. Use a [Robot account](https://docs.quay.io/glossary/robot-accounts.html) with
permission to push to a Quay.io repository.
```yaml ```yaml
name: ci name: ci
@ -443,7 +464,7 @@ jobs:
steps: steps:
- -
name: Login to Quay.io name: Login to Quay.io
uses: docker/login-action@v2 uses: docker/login-action@v3
with: with:
registry: quay.io registry: quay.io
username: ${{ secrets.QUAY_USERNAME }} username: ${{ secrets.QUAY_USERNAME }}
@ -454,13 +475,13 @@ jobs:
### inputs ### inputs
Following inputs can be used as `step.with` keys The following inputs can be used as `step.with` keys:
| Name | Type | Default | Description | | Name | Type | Default | Description |
|------------------|---------|-----------------------------|------------------------------------| |------------|--------|---------|-------------------------------------------------------------------------------|
| `registry` | String | | Server address of Docker registry. If not set then will default to Docker Hub | | `registry` | String | | Server address of Docker registry. If not set then will default to Docker Hub |
| `username` | String | | Username used to log against the Docker registry | | `username` | String | | Username for authenticating to the Docker registry |
| `password` | String | | Password or personal access token used to log against the Docker registry | | `password` | String | | Password or personal access token for authenticating the Docker registry |
| `ecr` | String | `auto` | Specifies whether the given registry is ECR (`auto`, `true` or `false`) | | `ecr` | String | `auto` | Specifies whether the given registry is ECR (`auto`, `true` or `false`) |
| `logout` | Bool | `true` | Log out from the Docker registry at the end of a job | | `logout` | Bool | `true` | Log out from the Docker registry at the end of a job |
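Review bot: The `password` row now reads "for authenticating the Docker registry", missing the "to" that the `username` row has. Make it "Password or personal access token for authenticating to the Docker registry".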