What's the idiomatic way of using gitea-hosted container images in Actions jobs?

Gitea Container Registry is working great, and I can push an image to either organization or a user.

I’ve scanned tons of docs and forum posts to check what’s the idiomatic way to use your own container image in a job, i.e. something like:

runs-on: ubuntu-latest
container:
  image: git.example.com/some-org/some-image
  # credentials: ?

A few questions:

  • Are we supposed to pass user’s own login and password to Gitea as username/password to this (via secrets)? That would seem pretty awkward
  • Are we supposed to use the gitea_token, or a PAT? In which case, PAT for which user? And how exactly to use PAT here? I don’t think this is documented anywhere and I could find no examples.
  • Is there a distinction between “some other registry” and “this gitea’s registry”? I.e., should there be a simplified less-verbose way of accessing your own registry’s images given that it’s not really ‘external’? (again, maybe there’s a way but I couldn’t find anything)

(Also, in the docs, I have found a section Access Restrictions that describes the difference between access levels, but I’m not sure it works for container images, or how it is supposed to work when a runner is executing a job? I was assuming that if the image is attached to a public org, any runner job would have access to it without having to pass credentials, but I was wrong)


This setup doesn’t work for me:

name: Deploy website
on: [push]
jobs:
  build-and-upload:
    runs-on: ubuntu-latest
    container:
      image: gitea.example.com/private-org/image
      credentials:
        username: ${{ gitea.actor }}
        password: ${{ gitea.token }}
    steps:
      - run: pwd

I’m not sure if the credentials are getting through:

ci(version:v0.2.8) received task 68 of job 73, be triggered by event: push
workflow prepared
evaluating expression 'success()'
expression 'success()' evaluated to 'true'
expression '${{ gitea.actor }}' rewritten to 'format('{0}', gitea.actor)'
evaluating expression 'format('{0}', gitea.actor)'
expression 'format('{0}', gitea.actor)' evaluated to '%!t(string=annika)'
expression '${{ gitea.token }}' rewritten to 'format('{0}', gitea.token)'
evaluating expression 'format('{0}', gitea.token)'
expression 'format('{0}', gitea.token)' evaluated to '%!t(string=***)'
🚀  Start image=gitea.example.com/private-org/image
  🐳  docker pull image=gitea.example.com/private-org/image platform= username=annika forcePull=false
  🐳  docker pull gitea.example.com/private-org/image
Image exists? false
pulling image 'gitea.example.com/private-org/image' ()
using authentication for docker pull
pulling image 'gitea.example.com/private-org/image' () failed with credentials Error response from daemon: unauthorized: authentication required retrying without them, please check for stale docker config files
Error response from daemon: unauthorized: authentication required

I got this to work by manually creating a token with read:package permission, adding that token as a secret, and using password: ${{ secrets.CONTAINERS_TOKEN }} in my job configuration.
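The complete workflow with that fix applied, as an added example rather than the poster's own file. It assumes a secret named CONTAINERS_TOKEN holding a personal access token scoped only to read:package, a registry host of gitea.example.com, and an image tag v1.2.3; the job-level credentials block is what act_runner passes to docker pull.

```yaml
name: Deploy website
on: [push]

jobs:
  build-and-upload:
    runs-on: ubuntu-latest
    container:
      # Pin a tag (or a digest) so a re-pushed "latest" cannot silently change
      # what the job executes. The tag is an assumed value for this example.
      image: gitea.example.com/private-org/image:v1.2.3
      credentials:
        # The runner's actor name is a fine username for the registry login.
        username: ${{ gitea.actor }}
        # gitea.token is the job's automatic token; the log above shows the
        # registry rejecting it ("unauthorized: authentication required").
        # Use a personal access token that carries ONLY read:package, stored
        # as a repository or organization secret (assumed name below), so a
        # leaked value cannot push images or touch anything outside packages.
        password: ${{ secrets.CONTAINERS_TOKEN }}
    steps:
      - run: pwd
```

Use a dedicated service account as the token owner where possible, so the secret is not tied to one developer's user and can be rotated independently.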