How do I authenticate Docker container actions?

[davidcornu]

Select Topic Area

Question

Body

Third-party actions such as joshmfrankel/simplecov-check-action can be run in Docker images using a feature called Docker container actions.

As far as I can tell:

1. These are built asynchronously to the workflow's steps and as such, putting a docker/login-action ahead of the step that requires them has no effect. This means that any docker pull is subject to Docker Hub's public rate limit for self-hosted runners (Github-hosted runners have an exemption), which can result in errors like the following:
   
   
2. There is no other mechanism to provide Docker Hub credentials for these container builds to use (as opposed to jobs or services)

Is this correct and if so, are there any known workarounds?

[lotirium]

To authenticate Docker container actions in GitHub Actions and avoid the public rate limit issues with Docker Hub, you can follow these steps:

1. Create a PAT with the appropriate scopes from your Docker Hub account.
2. Add the PAT as a secret in your GitHub repository settings.
3. Before the step that uses the Docker container action, use the docker/login-action action with your PAT.

[lotirium]

You are correct that Docker container actions, like the one you're using (joshmfrankel/simplecov-check-action), are built before the steps in the workflow are executed, so the docker/login-action step will not apply to them.
GitHub Actions does not provide a built-in way to authenticate Docker container actions during their build process, the known workaround is to:
Set up a proxy server that will cache and authenticate Docker images. This would require self-hosted runners to be configured to use this proxy.
Alternatively, you could mirror the Docker image to a registry where you can control the rate limits and authentication more directly, such as GitHub's own container registry

[davidcornu]

GitHub Actions does not provide a built-in way to authenticate Docker container actions during their build process,

Yeah this was what I was trying to confirm and hopefully signal an interest in it being addressed. Seems like an odd gap in functionality when all the other container-related actions have authentication mechanisms.

the known workaround is to:
Set up a proxy server that will cache and authenticate Docker images. This would require self-hosted runners to be configured to use this proxy.
Alternatively, you could mirror the Docker image to a registry where you can control the rate limits and authentication more directly, such as GitHub's own container registry

That's good to know. In this instance I'm relying on runners provided by BuildJet which (as far as I can tell) don't provide a way to do this so it looks like my best option is to fork the action.

[bjornstromblom]

We are having issues regarding this as well. Would be fantastic if this feature could be added?

[julian7]

To rub salt to the wound, ARC runners don't have the ability to inherit a docker login from a previous step, as they are created by runner-container-hooks. I could use another runner with different config just for this action, but then the whole point is to run a single step in a (different) container.

[nnellanspdl]

This is a big pain point for me. I'm trying to use a 3rd party action, which is a Docker container action, and it pulls its image from Docker Hub. This is causing us to hit Docker Hub rate limits, as there is no way for me to authenticate to Docker Hub in this scenario, as describe nicely by the original post.

[github-actions[bot]]

🕒 Discussion Activity Reminder 🕒

This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one the following actions:

1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as out of date at the bottom of the page.

2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.

3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.

Note: This dormant notification will only apply to Discussions with the Question label. To learn more, see our recent announcement.

Thank you for helping bring this Discussion to a resolution! 💬

[davidcornu]

This is still an issue that hasn't gotten an answer.

[nnellanspdl]

Really wish we could get some form of official response from GitHub on this issue. Like you said earlier, this seems like a big gap in functionality for GitHub Actions.

[rjinski]

Can this be re-opened? This is still a problem

[davidcornu]

@rjinski I believe this has to be done by someone at GitHub

[mamaicode]

@davidcornu , Sorry for the ping.
Have you perhaps found a solution or work around?