google-github-actions / auth

A GitHub Action for authenticating to Google Cloud.

Home Page: https://cloud.google.com/iam

Running jobs in a private container

bgdanix opened this issue · comments

TL;DR

To be able to run jobs in a container that uses a private registry for images, with Workload Identity Federation

```yaml
container:
  image: europe-docker.pkg.dev/my-project/my-artifact/image:latest
  credentials:
    username: 'oauth2accesstoken'
    password: '${{ steps.auth.outputs.access_token }}'
```

Detailed design

No response

Additional information

Right now it's a chicken-egg issue as I need to first authenticate via Workload Identity Federation, but then I can't use the token in another job to pull the image from a private Artifact Registry. Just looking for guidance on what would be the best way to implement this.

Hi there @bgdanix 👋!

Thank you for opening an issue. Our team will triage this as soon as we can. Please take a moment to review the troubleshooting steps, which list common error messages and their resolution steps.

Hi @bgdanix - this is a limitation of GitHub Actions, and is not something we control. In this case, I believe you would need to use a longer-lived secret like a service account key and interpolate it as a GitHub Secret.

This is a pretty sad limitation, especially if your project/org does not allow long-lived service account keys.

I'm curious if anyone else has found a (even hacky) workaround. There are some ideas floating around in https://github.com/orgs/community/discussions/38006 but none that seem to work.
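One way to keep Workload Identity Federation and still avoid storing a long-lived service account key is to drop the job-level `container:` block and instead log in to Artifact Registry and run the image from within steps, where the token minted by the auth step already exists. This is an added example, not code from the thread or from the action's own documentation; the provider path, service account, project and image names are placeholders, and the `make test` command stands in for whatever the job would run.

```yaml
name: run-private-image

on: [push]

jobs:
  run-in-private-image:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write   # required so the runner can mint an OIDC token for WIF
    steps:
      - uses: actions/checkout@v4

      # Exchange the GitHub OIDC token for a short-lived Google access token.
      # No service account key is stored as a GitHub Secret.
      - id: auth
        uses: google-github-actions/auth@v2
        with:
          token_format: access_token
          workload_identity_provider: projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider  # placeholder
          service_account: ci-runner@my-project.iam.gserviceaccount.com  # placeholder

      # Log in to the registry in the same job, after authentication, which is
      # the ordering a job-level `container:` block cannot express.
      - name: Log in to Artifact Registry
        env:
          ACCESS_TOKEN: ${{ steps.auth.outputs.access_token }}
        run: |
          printf '%s' "$ACCESS_TOKEN" \
            | docker login -u oauth2accesstoken --password-stdin europe-docker.pkg.dev

      # Run the job's work inside the private image as an ordinary step.
      - name: Run inside private image
        run: |
          docker run --rm \
            -v "$GITHUB_WORKSPACE:/work" -w /work \
            europe-docker.pkg.dev/my-project/my-artifact/image:latest \
            sh -c 'make test'
```

The trade-off is that the convenience of `container:` (every step running inside the image) is replaced by explicit `docker run` calls, but the only credential the job ever holds is a short-lived token that expires on its own.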