Allowing your codespace to access a private image registry

You can use secrets to allow Codespaces to access a private image registry.

Codespaces is available for organizations using GitHub Team or GitHub Enterprise Cloud. For more information, see "GitHub's products."

About private image registries and Codespaces

A registry is a secure space for storing, managing, and fetching private container images. You may use one to store one or more devcontainers. There are many examples of registries, such as GitHub Container Registry, Azure Container Registry, or DockerHub.

GitHub Container Registry can be configured to pull container images seamlessly, without having to provide any authentication credentials to Codespaces. For other image registries, you must create secrets in GitHub to store the access details, which will allow Codespaces to access images stored in that registry.

Accessing images stored in GitHub Container Registry

GitHub Container Registry is the easiest way for GitHub Codespaces to consume devcontainer container images.

For more information, see "Working with the Container registry".

Accessing an image published to the same repository as the codespace

If you publish a container image to GitHub Container Registry in the same repository that the codespace is being launched in, you will automatically be able to fetch that image on codespace creation. You won't have to provide any additional credentials, unless the Inherit access from repo option was unselected when the container image was published.

Inheriting access from the repository from which an image was published

By default, when you publish a container image to GitHub Container Registry, the image inherits the access setting of the repository from which the image was published. For example, if the repository is public, the image is also public. If the repository is private, the image is also private, but is accessible from the repository.

This behavior is controlled by the Inherit access from repo option. Inherit access from repo is selected by default when publishing via GitHub Actions, but not when publishing directly to GitHub Container Registry using a Personal Access Token (PAT).

If the Inherit access from repo option was not selected when the image was published, you can manually add the repository to the published container image's access controls. For more information, see "Configuring a package's access control and visibility."

Accessing an image published to the organization a codespace will be launched in

If you want a container image to be accessible to all codespaces in an organization, we recommend that you publish the container image with internal visibility. This will automatically make the image visible to all codespaces within the organization, unless the repository the codespace is launched from is public.

If the codespace is being launched from a public repository referencing an internal or private image, you must manually allow the public repository access to the internal container image. This prevents the internal image from being accidentally leaked publicly. For more information, see "Ensuring Codespaces access to your package."

Accessing a private container from a subset of repositories in an organization

If you want to allow a subset of an organization's repositories to access a container image, or allow an internal or private image to be accessed from a codespace launched in a public repository, you can manually add repositories to a container image's access settings. For more information, see "Ensuring Codespaces access to your package."

Publishing a container image from a codespace

Seamless access from a codespace to GitHub Container Registry is limited to pulling container images. If you want to publish a container image from inside a codespace, you must use a personal access token (PAT) with the write:packages scope.

We recommend publishing images via GitHub Actions. For more information, see "Publishing Docker images."

Accessing images stored in other container registries

If you are accessing a container image from a registry that isn't GitHub Container Registry, Codespaces checks for the presence of three secrets, which define the server name, username, and personal access token (PAT) for a container registry. If these secrets are found, Codespaces will make the registry available inside your codespace.

  • <*>_CONTAINER_REGISTRY_SERVER
  • <*>_CONTAINER_REGISTRY_USER
  • <*>_CONTAINER_REGISTRY_PASSWORD

You can store secrets at the repository, organization, or user level, which lets you share them securely between different codespaces. When you create a set of secrets for a private image registry, you need to replace the "<*>" in the name with a consistent identifier. For more information, see "Managing encrypted secrets for your codespaces" and "Managing encrypted secrets for your repository and organization for Codespaces."

If you are setting secrets at the organization or user level, make sure to assign them to the repository in which you will create the codespace by choosing an access policy from the dropdown list.

Image registry secret example

Example secrets

For private image registries in Azure, you could create the following secrets:

ACR_CONTAINER_REGISTRY_SERVER = mycompany.azurecr.io
ACR_CONTAINER_REGISTRY_USER = acr-user-here
ACR_CONTAINER_REGISTRY_PASSWORD = <PAT>

For more information about common image registries, see "Common image registry servers."

Once you have added the secrets, you may need to stop and then start the codespace you are in for the new environment variables to be passed into the container. For more information, see "Suspending or stopping a codespace."
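
A check you can run in the codespace terminal to confirm that every set of registry secrets is complete and uses one consistent identifier. This is an added example, not part of GitHub's documentation; it assumes the secrets are exposed in the container as environment variables with the same names, and the function name is hypothetical.

```shell
#!/bin/sh
# check_registry_secrets (hypothetical helper name).
# Finds every <ID>_CONTAINER_REGISTRY_{SERVER,USER,PASSWORD} variable in the
# environment, groups them by <ID>, and reports any set that is missing a part.
# Only variable NAMES are printed, never their values.
# Returns 0 if all sets are complete, 1 if any is incomplete, 2 if none exist.
check_registry_secrets() {
    _st=0
    # Collect the distinct identifiers (the "<*>" part of the secret names).
    _ids=$(env | sed -n -E \
        's/^([A-Za-z_][A-Za-z0-9_]*)_CONTAINER_REGISTRY_(SERVER|USER|PASSWORD)=.*$/\1/p' |
        sort -u)
    [ -n "$_ids" ] || { echo "no registry secrets found"; return 2; }

    for _id in $_ids; do
        _missing=""
        for _part in SERVER USER PASSWORD; do
            # _id only contains [A-Za-z0-9_], so this eval is safe.
            eval "_val=\${${_id}_CONTAINER_REGISTRY_${_part}:-}"
            [ -n "$_val" ] || _missing="$_missing ${_id}_CONTAINER_REGISTRY_${_part}"
        done
        if [ -n "$_missing" ]; then
            # Typical cause: one secret was created under a different identifier.
            echo "INCOMPLETE $_id: missing$_missing"
            _st=1
        else
            echo "OK $_id"
        fi
    done
    unset _val
    return $_st
}
```

Source the file and call `check_registry_secrets` after restarting the codespace; an `INCOMPLETE` line names the secrets that still need to be created or assigned to the repository.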

Common image registry servers

Some of the common image registry servers are listed below:

Accessing AWS Elastic Container Registry

If you want to access AWS Elastic Container Registry (ECR), you must provide an AWS authorization token in the ECR_CONTAINER_REGISTRY_PASSWORD. This authorization token is not the same as your secret key. You can obtain an AWS authorization token by using AWS's APIs or CLI. These tokens are short lived and will need to be refreshed periodically. For more information, see AWS ECR's "Private registry authentication documentation."
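
One way to refresh the short-lived ECR token described above, as an added example that is not part of GitHub's documentation. It assumes the AWS CLI and GitHub CLI (`gh`) are installed and authenticated; the function name, region, and repository arguments are placeholders.

```shell
#!/bin/sh
# refresh_ecr_secret REGION OWNER/REPO   (hypothetical helper name)
# Fetches a fresh ECR authorization token and stores it as the repository's
# Codespaces secret ECR_CONTAINER_REGISTRY_PASSWORD.
refresh_ecr_secret() {
    _region=$1
    _repo=$2

    # `aws ecr get-login-password` prints the authorization token, which is
    # distinct from the AWS secret access key.
    _token=$(aws ecr get-login-password --region "$_region") || {
        echo "could not obtain ECR token" >&2
        return 1
    }
    # Never overwrite a working secret with an empty value.
    [ -n "$_token" ] || { echo "empty ECR token" >&2; return 1; }

    # `gh secret set` reads the value from stdin when no body is given, so the
    # token is not exposed in the process argument list or shell history.
    printf '%s' "$_token" |
        gh secret set ECR_CONTAINER_REGISTRY_PASSWORD --app codespaces --repo "$_repo"
}

# Example call (constructed values):
#   refresh_ecr_secret us-east-1 octo-org/octo-repo
```

Run it on a schedule shorter than the token lifetime, then stop and start the codespace so the new value is passed into the container.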
