GitHub Action to login against a Docker registry.

• Usage
  • Docker Hub
  • GitHub Container Registry
  • GitLab
  • Azure Container Registry (ACR)
  • Google Container Registry (GCR)
  • Google Artifact Registry (GAR)
  • AWS Elastic Container Registry (ECR)
  • AWS Public Elastic Container Registry (ECR)
  • OCI Oracle Cloud Infrastructure Registry (OCIR)
  • Quay.io
  • DigitalOcean
  • Authenticate to multiple registries
  • Set scopes for the authentication token
• Customizing
  • inputs
• Contributing

When authenticating to Docker Hub with GitHub Actions, use a personal access token. Don't use your account password.

To authenticate to the GitHub Container Registry, use the GITHUB_TOKEN secret.

You may need to manage write and read access of GitHub Actions for repositories in the container settings.

You can also use a personal access token (PAT) with the appropriate scopes.

If you have Two-Factor Authentication enabled, use a Personal Access Token instead of a password.

Create a service principal with access to your container registry through the Azure CLI and take note of the generated service principal's ID (also called client ID) and password (also called client secret).

Replace with the name of your registry.

Google Artifact Registry is the evolution of Google Container Registry. As a fully-managed service with support for both container images and non-container artifacts. If you currently use Google Container Registry, use the information on this page to learn about transitioning to Google Artifact Registry.

You can authenticate with workload identity federation or a service account.

Configure the workload identity federation for GitHub Actions in Google Cloud, see here. Your service account must have permission to push to GCR. Use the google-github-actions/auth action to authenticate using workload identity as shown in the following example:

Replace with configured workload identity provider. For steps to configure, see here.

Replace with configured service account in workload identity provider which has access to push to GCR

Use a service account with permission to push to GCR and configure access control. Download the key for the service account as a JSON file. Save the contents of the file as a secret named GCR_JSON_KEY in your GitHub repository. Set the username to _json_key.

You can authenticate with workload identity federation or a service account.

Your service account must have permission to push to GAR. Use the google-github-actions/auth action to authenticate using workload identity as shown in the following example:

Replace with configured workload identity provider

Replace with configured service account in workload identity provider which has access to push to GCR

Replace with the regional or multi-regional location of the repository where the image is stored.

Use a service account with permission to push to GAR and configure access control. Download the key for the service account as a JSON file. Save the contents of the file as a secret named GAR_JSON_KEY in your GitHub repository. Set the username to _json_key, or _json_key_base64 if you use a base64-encoded key.

Replace with the regional or multi-regional location of the repository where the image is stored.

Use an IAM user with the ability to push to ECR with AmazonEC2ContainerRegistryPowerUser managed policy for example. Download the access keys and save them as AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY as secrets in your GitHub repo.

If you need to log in to Amazon ECR registries associated with other accounts, you can use the AWS_ACCOUNT_IDS environment variable:

Only available with AWS CLI version 1

You can also use the Configure AWS Credentials action in combination with this action:

Replace and with their respective values.

Use an IAM user with permission to push to ECR Public, for example using managed policies. Download the access keys and save them as AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY secrets in your GitHub repository.

Replace with its respective value (default us-east-1).

To push into OCIR in specific tenancy the username must be placed in format / (in case of federated tenancy use the format /oracleidentitycloudservice/).

For password create an auth token. Save username and token as a secrets in your GitHub repo.

Replace with their respective values from availability regions

Use a Robot account with permission to push to a Quay.io repository.

Use your DigitalOcean registered email address and an API access token to authenticate.

To authenticate against multiple registries, you can specify the login-action step multiple times in your workflow:

You can also use the registry-auth input for raw authentication to registries, defined as YAML objects. Each object have the same attributes as current inputs (except logout):

The scope input allows limiting registry credentials to a specific repository or namespace scope when building images with Buildx.

This is useful in GitHub Actions to avoid overriding the Docker Hub authentication token embedded in GitHub-hosted runners, which is used for pulling images without rate limits. By scoping credentials, you can authenticate only where needed (typically for pushing), while keeping unauthenticated pulls for base images.

When scope is set, credentials are written to the Buildx configuration instead of the global Docker configuration. This means:

• Authentication applies only to the specified scope
• The default Docker Hub credentials remain available for pulls
• Credentials are used only by Buildx during the build

In this example, base images are pulled using the embedded GitHub-hosted runner credentials, while authenticated access is used only to push myorg/myimage.

The following inputs can be used as step.with keys:

Want to contribute? Awesome! You can find information about contributing to this project in the CONTRIBUTING.md