Commit f40b73e

Copilot and neilime committed
fix: align structured registry keys with review
Co-authored-by: neilime <314088+neilime@users.noreply.github.com>
1 parent 88cf262 commit f40b73e

7 files changed

Lines changed: 183 additions & 136 deletions

.github/workflows/__test-workflow-docker-build-images-multi-registry.yml

Lines changed: 3 additions & 3 deletions
@@ -18,15 +18,15 @@ jobs:
1818
uses: ./.github/workflows/docker-build-images.yml
1919
secrets:
2020
oci-registry-password: |
21-
{"ghcr.io":"${{ secrets.GITHUB_TOKEN }}"}
21+
{"push":"${{ secrets.GITHUB_TOKEN }}","pull:private":"${{ secrets.GITHUB_TOKEN }}"}
2222
build-secret-github-app-key: ${{ secrets.CI_BOT_APP_PRIVATE_KEY }}
2323
with:
2424
cache-type: "registry"
2525
sign: false
2626
oci-registry: |
27-
{"pull":["docker.io","ghcr.io"],"push":"ghcr.io","cache":"ghcr.io"}
27+
{"pull":"docker.io","pull:private":"ghcr.io","push":"ghcr.io"}
2828
oci-registry-username: |
29-
{"ghcr.io":"${{ github.repository_owner }}"}
29+
{"push":"${{ github.repository_owner }}","pull:private":"${{ github.repository_owner }}"}
3030
images: |
3131
[
3232
{
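
Review bot: `cache-type: "registry"` is still set at line 24, but the new `oci-registry` object at line 27 no longer has a `cache` key (the old value had `"cache":"ghcr.io"`), and neither the username nor the password object supplies one. Either add `"cache":"ghcr.io"` with matching `cache` credentials, as the README examples in this commit do, or document which role the registry cache falls back to, so this test does not depend on unstated behaviour.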

.github/workflows/docker-build-images.md

Lines changed: 14 additions & 10 deletions
@@ -75,13 +75,16 @@ jobs:
7575

7676
# OCI registry configuration used to pull, push and cache images.
7777
# Accepts either a registry hostname string or a JSON object with
78-
# `default`, `pull`, `push` and `cache` keys.
78+
# `pull`, `pull:<name>`, `push` and `cache` keys.
79+
# Example:
80+
# `{"pull":"docker.io","pull:private":"ghcr.io","push":"ghcr.io","cache":"ghcr.io"}`
7981
# Default: `ghcr.io`
8082
oci-registry: ghcr.io
8183

8284
# Username configuration used to log against OCI registries.
83-
# Accepts either a single username string or a JSON object keyed by registry hostname.
84-
# JSON object can also define `default` as a fallback username.
85+
# Accepts either a single username string or a JSON object using the same keys as `oci-registry`.
86+
# Example:
87+
# `{"pull:private":"${{ github.repository_owner }}","push":"${{ github.repository_owner }}","cache":"${{ github.repository_owner }}"}`
8588
# See https://github.com/docker/login-action#usage.
8689
#
8790
# Default: `${{ github.repository_owner }}`
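
Review bot: the username example at new lines 86-87 has no `pull` entry while the `oci-registry` example at line 80 does, and the comment only says the object uses the same keys as `oci-registry`. State here that a credential key may be left out for a role that needs no login, otherwise the two examples read as inconsistent.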
@@ -170,9 +173,9 @@ jobs:
170173
| **`runs-on`** | Runner to use. JSON array of runners. | **false** | **string** | `["ubuntu-latest"]` |
171174
| | See <https://docs.github.com/en/actions/using-jobs/choosing-the-runner-for-a-job>. | | | |
172175
| **`oci-registry`** | OCI registry configuration used to pull, push and cache images. | **false** | **string** | `ghcr.io` |
173-
| | Accepts a single registry hostname or a JSON object with `default`, `pull`, `push` and `cache` keys. | | | |
176+
| | Accepts a single registry hostname or a JSON object with `pull`, `pull:<name>`, `push` and `cache` keys. | | | |
174177
| **`oci-registry-username`** | Username configuration used to log against OCI registries. | **false** | **string** | `${{ github.repository_owner }}` |
175-
| | Accepts a single username or a JSON object keyed by registry hostname, with optional `default`. | | | |
178+
| | Accepts a single username or a JSON object using the same keys as `oci-registry`. | | | |
176179
| | See <https://github.com/docker/login-action#usage>. | | | |
177180
| **`images`** | Images to build parameters. | **true** | **string** | - |
178181
| | JSON array of objects. | | | |
@@ -202,7 +205,7 @@ jobs:
202205
| **Secret** | **Description** | **Required** |
203206
| --------------------------------- | ------------------------------------------------------------------------------------------------------------------------ | ------------ |
204207
| **`oci-registry-password`** | Password or GitHub token (`packages:read` and `packages:write` scopes) configuration used to log against OCI registries. | **true** |
205-
| | Accepts a single password/token or a JSON object keyed by registry hostname, with optional `default`. | |
208+
| | Accepts a single password/token or a JSON object using the same keys as `oci-registry`. | |
206209
| | See <https://github.com/docker/login-action#usage>. | |
207210
| **`build-secrets`** | List of secrets to expose to the build. | **false** |
208211
| | See <https://docs.docker.com/build/ci/github-actions/secrets/>. | |
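
Review bot: the row at line 207 still asks for a token with both `packages:read` and `packages:write`, even though line 208 now allows one credential per role. Say which roles need write access and that a `pull:<name>` entry only needs read access, so callers can pass a narrower token for pulls.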
@@ -228,15 +231,16 @@ To configure distinct pull, push and cache registries, pass JSON objects:
228231
```yaml
229232
with:
230233
oci-registry: |
231-
{"pull":["docker.io","ghcr.io"],"push":"ghcr.io","cache":"ghcr.io"}
234+
{"pull":"docker.io","pull:private":"ghcr.io","push":"ghcr.io","cache":"ghcr.io"}
232235
oci-registry-username: |
233-
{"ghcr.io":"${{ github.repository_owner }}"}
236+
{"pull:private":"${{ github.repository_owner }}","push":"${{ github.repository_owner }}","cache":"${{ github.repository_owner }}"}
234237
secrets:
235238
oci-registry-password: |
236-
{"ghcr.io":"${{ github.token }}"}
239+
{"pull:private":"${{ github.token }}","push":"${{ github.token }}","cache":"${{ github.token }}"}
237240
```
238241

239-
Registry credentials are resolved by hostname, then by the optional `default` entry when present.
242+
Registry credentials are resolved by role using the same keys as `oci-registry`.
243+
`pull` is the default pull registry, while `pull:<name>` can be repeated for additional pull registries.
240244
Optional pull registries without credentials are skipped, which is useful for public registries such as Docker Hub.
241245

242246
### Images entry parameters
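
Review bot: the example at lines 234-239 maps `pull:private`, `push` and `cache` to the same host, `ghcr.io`, each with its own credential entry. Docker keeps one login per registry host, so document which entry is used when two roles share a host but carry different credentials, or reject that configuration.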

.github/workflows/docker-build-images.yml

Lines changed: 7 additions & 6 deletions
@@ -18,9 +18,10 @@ on: # yamllint disable-line rule:truthy
1818
description: |
1919
OCI registry configuration used to pull, push and cache images.
2020
Accepts either a registry hostname string (legacy format) or a JSON object.
21+
JSON example: `{"pull":"docker.io","pull:private":"ghcr.io","push":"ghcr.io","cache":"ghcr.io"}`
2122
JSON object keys:
22-
- `default`: fallback registry for unspecified operations
23-
- `pull`: string or array of registries to authenticate for pulls
23+
- `pull`: registry used to pull public or default base images
24+
- `pull:<name>`: additional pull registry
2425
- `push`: registry used for published images
2526
- `cache`: registry used when `cache-type` is `registry`
2627
type: string
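
Review bot: `default` and the array form of `pull` are dropped from the key list at lines 22-24 with nothing said about objects that still use them. Note the removal in the description and have the workflow fail with a clear error on an unrecognised key or a non-string `pull`, so an old configuration does not end up silently unauthenticated or pointed at the wrong registry.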
@@ -29,8 +30,8 @@ on: # yamllint disable-line rule:truthy
2930
oci-registry-username:
3031
description: |
3132
Username configuration used to log against OCI registries.
32-
Accepts either a single username string (legacy format) or a JSON object keyed by registry hostname.
33-
JSON object can also define `default` as a fallback username.
33+
Accepts either a single username string (legacy format) or a JSON object using the same keys as `oci-registry`.
34+
JSON example: `{"pull:private":"my-user","push":"my-user","cache":"my-user"}`
3435
See https://github.com/docker/login-action#usage.
3536
type: string
3637
default: ${{ github.repository_owner }}
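
Review bot: with role keys, a misspelt credential key has no counterpart in `oci-registry`, and the docs changed elsewhere in this commit say pull registries without credentials are skipped. Add a line at 33-34 saying every key in this object must also exist in `oci-registry`, and validate it, so a typo fails the run instead of turning into an anonymous pull.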
@@ -113,8 +114,8 @@ on: # yamllint disable-line rule:truthy
113114
oci-registry-password:
114115
description: |
115116
Password or GitHub token (`packages:read` and `packages:write` scopes) configuration used to log against OCI registries.
116-
Accepts either a single password/token string (legacy format) or a JSON object keyed by registry hostname.
117-
JSON object can also define `default` as a fallback password/token.
117+
Accepts either a single password/token string (legacy format) or a JSON object using the same keys as `oci-registry`.
118+
JSON example: `{"pull:private":"my-token","push":"my-token","cache":"my-token"}`
118119
See https://github.com/docker/login-action#usage.
119120
required: true
120121
build-secrets:
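
Review bot: the description at lines 117-118 makes a JSON object a supported secret value, and GitHub advises against structured data in secrets because log redaction matches the secret value as passed, not fields parsed out of it. Note here, or confirm in the implementation (not part of this diff), that each extracted password is registered with `::add-mask::` before it is used.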

actions/docker/build-image/README.md

Lines changed: 17 additions & 12 deletions
@@ -50,23 +50,27 @@ permissions:
5050
with:
5151
# OCI registry configuration used to pull, push and cache images.
5252
# Accepts either a registry hostname string or a JSON object with
53-
# `default`, `pull`, `push` and `cache` keys.
53+
# `pull`, `pull:<name>`, `push` and `cache` keys.
54+
# Example:
55+
# `{"pull":"docker.io","pull:private":"ghcr.io","push":"ghcr.io","cache":"ghcr.io"}`
5456
# This input is required.
5557
# Default: `ghcr.io`
5658
oci-registry: ghcr.io
5759

5860
# Username configuration used to log against OCI registries.
59-
# Accepts either a single username string or a JSON object keyed by registry hostname.
60-
# JSON object can also define `default` as a fallback username.
61+
# Accepts either a single username string or a JSON object using the same keys as `oci-registry`.
62+
# Example:
63+
# `{"pull:private":"${{ github.repository_owner }}","push":"${{ github.repository_owner }}","cache":"${{ github.repository_owner }}"}`
6164
# See https://github.com/docker/login-action#usage.
6265
#
6366
# This input is required.
6467
# Default: `${{ github.repository_owner }}`
6568
oci-registry-username: ${{ github.repository_owner }}
6669

6770
# Password or personal access token configuration used to log against OCI registries.
68-
# Accepts either a single password/token string or a JSON object keyed by registry hostname.
69-
# JSON object can also define `default` as a fallback password/token.
71+
# Accepts either a single password/token string or a JSON object using the same keys as `oci-registry`.
72+
# Example:
73+
# `{"pull:private":"${{ github.token }}","push":"${{ github.token }}","cache":"${{ github.token }}"}`
7074
# Can be passed in using `secrets.GITHUB_TOKEN`.
7175
# See https://github.com/docker/login-action#usage.
7276
#
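
Review bot: the password comment at lines 70-74 keeps the single-string form and suggests `secrets.GITHUB_TOKEN`, but does not say which roles a single string applies to once `oci-registry` is an object that includes `docker.io`. Document that, or require the object form whenever `oci-registry` is an object, so a GitHub token is never offered to a third-party registry.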
@@ -144,12 +148,12 @@ permissions:
144148
| **Input** | **Description** | **Required** | **Default** |
145149
| --------------------------- | -------------------------------------------------------------------------------------------------------- | ------------ | -------------------------------- |
146150
| **`oci-registry`** | OCI registry configuration used to pull, push and cache images. | **true** | `ghcr.io` |
147-
| | Accepts a single registry hostname or a JSON object with `default`, `pull`, `push` and `cache` keys. | | |
151+
| | Accepts a single registry hostname or a JSON object with `pull`, `pull:<name>`, `push` and `cache` keys. | | |
148152
| **`oci-registry-username`** | Username configuration used to log against OCI registries. | **true** | `${{ github.repository_owner }}` |
149-
| | Accepts a single username or a JSON object keyed by registry hostname, with optional `default`. | | |
153+
| | Accepts a single username or a JSON object using the same keys as `oci-registry`. | | |
150154
| | See <https://github.com/docker/login-action#usage>. | | |
151155
| **`oci-registry-password`** | Password or personal access token configuration used to log against OCI registries. | **true** | `${{ github.token }}` |
152-
| | Accepts a single password/token or a JSON object keyed by registry hostname, with optional `default`. | | |
156+
| | Accepts a single password/token or a JSON object using the same keys as `oci-registry`. | | |
153157
| | Can be passed in using `secrets.GITHUB_TOKEN`. | | |
154158
| | See <https://github.com/docker/login-action#usage>. | | |
155159
| **`repository`** | Repository name. | **false** | `${{ github.repository }}` |
@@ -214,14 +218,15 @@ To configure distinct pull, push and cache registries, pass JSON objects:
214218

215219
```yaml
216220
oci-registry: |
217-
{"pull":["docker.io","ghcr.io"],"push":"ghcr.io","cache":"ghcr.io"}
221+
{"pull":"docker.io","pull:private":"ghcr.io","push":"ghcr.io","cache":"ghcr.io"}
218222
oci-registry-username: |
219-
{"ghcr.io":"${{ github.repository_owner }}"}
223+
{"pull:private":"${{ github.repository_owner }}","push":"${{ github.repository_owner }}","cache":"${{ github.repository_owner }}"}
220224
oci-registry-password: |
221-
{"ghcr.io":"${{ github.token }}"}
225+
{"pull:private":"${{ github.token }}","push":"${{ github.token }}","cache":"${{ github.token }}"}
222226
```
223227

224-
Registry credentials are resolved by hostname, then by the optional `default` entry when present.
228+
Registry credentials are resolved by role using the same keys as `oci-registry`.
229+
`pull` is the default pull registry, while `pull:<name>` can be repeated for additional pull registries.
225230
Optional pull registries without credentials are skipped, which is useful for public registries such as Docker Hub.
226231

227232
<!-- examples:start -->
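
Review bot: the sentence kept at line 230 only covers pull registries that have no credentials. Add what happens when `push` or `cache` has no matching credential entry; failing the step is safer than attempting an anonymous push.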
