Running jobs in a private container
bgdanix opened this issue
TL;DR
To be able to run jobs in a container that uses a private registry for images, with Workload Identity Federation:

```yaml
container:
  image: europe-docker.pkg.dev/my-project/my-artifact/image:latest
  credentials:
    username: 'oauth2accesstoken'
    password: '${{ steps.auth.outputs.access_token }}'
```
Detailed design
No response
Additional information
Right now it's a chicken-and-egg issue, as I need to first authenticate via Workload Identity Federation, but then I can't use the token in another job to pull the image from a private Artifact Registry. Just looking for guidance on what would be the best way to implement this.
Hi there @bgdanix 👋!
Thank you for opening an issue. Our team will triage this as soon as we can. Please take a moment to review the troubleshooting steps, which list common error messages and their resolution steps.
Hi @bgdanix - this is a limitation of GitHub Actions, and is not something we control. In this case, I believe you would need to use a longer-lived secret like a service account key and interpolate it as a GitHub Secret.
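The two approaches discussed so far, the TL;DR's Workload Identity Federation token and the maintainer's service-account-key secret, written out as one complete workflow. This is an added example, not a workflow from the issue author or from the google-github-actions project. It assumes the `auth` step in the TL;DR is `google-github-actions/auth` with `token_format: access_token`; the pool, provider, service account and registry names are placeholders, and `GCP_SA_KEY` is an assumed secret name.

```yaml
# Constructed example workflow; names below are placeholders.
name: private-container-example

on: [push]

permissions:
  contents: read
  id-token: write   # needed for the OIDC token that Workload Identity Federation exchanges

jobs:
  # Job 1: what the TL;DR asks for. It cannot work as written, because
  # jobs.<job_id>.container.credentials is evaluated when the job starts,
  # before any step has run. The `steps` context is not available there,
  # so the password below is empty and the image pull fails before the
  # auth step ever executes.
  with-wif:
    runs-on: ubuntu-latest
    container:
      image: europe-docker.pkg.dev/my-project/my-artifact/image:latest   # placeholder
      credentials:
        username: oauth2accesstoken
        password: ${{ steps.auth.outputs.access_token }}   # empty: no step has run yet
    steps:
      - id: auth
        uses: google-github-actions/auth@v2   # assumption: this is the auth step in the TL;DR
        with:
          workload_identity_provider: projects/000000000000/locations/global/workloadIdentityPools/my-pool/providers/my-provider   # placeholder
          service_account: my-sa@my-project.iam.gserviceaccount.com   # placeholder
          token_format: access_token
      - run: echo "never reached if the container image pull above failed"

  # Moving the auth step into a separate job and passing the token through
  # job outputs (the "another job" path in the issue) does not help either:
  # the auth action masks the token, and GitHub skips job outputs that may
  # contain a masked secret, so `needs.<job>.outputs.*` would be empty.

  # Job 2: the maintainer's suggestion. A service-account key JSON stored as
  # a GitHub Secret is available in the `secrets` context, which *is*
  # resolved at job start. Artifact Registry accepts the key JSON as the
  # password with the fixed username `_json_key`. The trade-off, raised in
  # the thread, is a long-lived credential that has to be rotated and
  # scoped to read-only access on the repository.
  with-sa-key:
    runs-on: ubuntu-latest
    container:
      image: europe-docker.pkg.dev/my-project/my-artifact/image:latest   # placeholder
      credentials:
        username: _json_key
        password: ${{ secrets.GCP_SA_KEY }}   # assumed secret name holding the key JSON
    steps:
      - run: echo "running inside the privately hosted image"
```

The practical point of the split is the evaluation order: anything under `container.credentials` must come from a context that exists before the first step runs (`secrets`, `vars`, `env`, `needs`, `github`), never from `steps`. If the organization forbids long-lived keys, grant the key's service account only the Artifact Registry reader role on that one repository and rotate it on a schedule, since that key is now the only thing standing between the registry and anyone who obtains the secret.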
This is a pretty sad limitation, especially if your project/org does not allow long lived service account keys.
I'm curious if anyone else has found a (even hacky) workaround. There are some ideas floating around in https://github.com/orgs/community/discussions/38006 but none that seem to work.