Gitea Container Registry is working great, and I can push an image to either organization or a user.
I’ve scanned tons of docs and forum posts to check what’s the idiomatic way to use your own container image in a job, i.e. something like:
```yaml
runs-on: ubuntu-latest
container:
  image: git.example.com/some-org/some-image
  # credentials: ?
```
A few questions:
- Are we supposed to pass user’s own login and password to Gitea as username/password to this (via secrets)? That would seem pretty awkward.
- Are we supposed to use the gitea_token, or a PAT? In which case, PAT for which user? And how exactly to use PAT here? I don’t think this is documented anywhere and I could find no examples.
- Is there a distinction between “some other registry” and “this gitea’s registry”? I.e., should there be a simplified less-verbose way of accessing your own registry’s images given that it’s not really ‘external’? (again, maybe there’s a way but I couldn’t find anything)
(Also, in the docs, I have found a section Access Restrictions that describes the difference between access levels but I’m not sure it works for container images, or how is it supposed to work when a runner is executing a job? I was assuming that if the image is attached to a public org, any runner job will have access to it without having to pass credentials, but I was wrong)
This setup doesn’t work for me:
```yaml
name: Deploy website
on: [push]
jobs:
  build-and-upload:
    runs-on: ubuntu-latest
    container:
      image: gitea.example.com/private-org/image
      credentials:
        username: ${{ gitea.actor }}
        password: ${{ gitea.token }}
    steps:
      - run: pwd
```
I’m not sure if the credentials are getting through:
```
ci(version:v0.2.8) received task 68 of job 73, be triggered by event: push
workflow prepared
evaluating expression 'success()'
expression 'success()' evaluated to 'true'
expression '${{ gitea.actor }}' rewritten to 'format('{0}', gitea.actor)'
evaluating expression 'format('{0}', gitea.actor)'
expression 'format('{0}', gitea.actor)' evaluated to '%!t(string=annika)'
expression '${{ gitea.token }}' rewritten to 'format('{0}', gitea.token)'
evaluating expression 'format('{0}', gitea.token)'
expression 'format('{0}', gitea.token)' evaluated to '%!t(string=***)'
🚀 Start image=gitea.example.com/private-org/image
🐳 docker pull image=gitea.example.com/private-org/image platform= username=annika forcePull=false
🐳 docker pull gitea.example.com/private-org/image
Image exists? false
pulling image 'gitea.example.com/private-org/image' ()
using authentication for docker pull
pulling image 'gitea.example.com/private-org/image' () failed with credentials Error response from daemon: unauthorized: authentication required retrying without them, please check for stale docker config files
Error response from daemon: unauthorized: authentication required
```
I got this to work by manually creating a token with `read:package` permission, adding that token as a secret, and using `password: ${{ secrets.CONTAINERS_TOKEN }}` in my job configuration.
Thank you very much, that helped! I have been struggling for days to get Gitea Actions to work with a self-signed certificate and a custom runner image. In the end it's so easy, but there is no word about it in the documentation. Here is what my workflow looks like:
```yaml
name: Build docker image using custom gitea runner image with self signed certificates
jobs:
  build:
    runs-on: ubuntu-20.04
    defaults:
      run:
        shell: bash
    container:
      image: your-self-hosted-gitea.com/gitea-runner:ubuntu-20.04
      credentials:
        username: ${{ secrets.DOCKER_USERNAME }}
        password: ${{ secrets.DOCKER_PASSWORD }}
    steps:
      - name: Build some docker image action
```