Nota: Container registry se encuentra actualmente en versión beta para GitHub Enterprise Server y está sujeto a cambios.
Tanto GitHub Packages como el aislamiento de subdominio deben estar habilitados para usar Container registry. Para obtener más información, consulta "Trabajo con el registro de contenedor".
About the Container registry
El Container registry almacena imágenes de contenedor dentro de tu organización o cuenta personal y te permite asociar una imagen a un repositorio. Puedes elegir si quieres heredar permisos desde un repositorio o si quieres configurar permisos granulares independientemente de un repositorio. También puedes acceder a imágenes de contenedor públicas de forma anónima.
To use the Container registry on GitHub Enterprise Server, your site administrator must first configure GitHub Packages for your instance and enable subdomain isolation. For more information, see "Getting started with GitHub Packages for your enterprise" and "Enabling subdomain isolation."
About Container registry support
The Container registry currently supports the following container image formats:
When installing or publishing a Docker image, the Container registry supports foreign layers, such as Windows images.
Authenticating to the Container registry
To authenticate to the Container registry (ghcr.io) within a GitHub Actions workflow, use the GITHUB_TOKEN for the best security and experience. Si en el flujo de trabajo se usa un personal access token para autenticarse en un registro, se recomienda encarecidamente actualizar el flujo de trabajo para usar el GITHUB_TOKEN.
Para más información sobre GITHUB_TOKEN, vea "Autenticación en un flujo de trabajo".
Para obtener más información sobre los procedimientos recomendados al usar un registro en acciones, consulta "Fortalecimiento de seguridad para Acciones de GitHub".
Ensure that you replace HOSTNAME with your GitHub Enterprise Server instance hostname or IP address in the examples below.
-
Create a new personal access token with the appropriate scopes for the tasks you want to accomplish. If your organization requires SSO, you must enable SSO for your new token.
Note: By default, when you select the
write:packagesscope for your personal access token in the user interface, thereposcope will also be selected. Thereposcope offers unnecessary and broad access, which we recommend you avoid using for GitHub Actions workflows in particular. For more information, see "Security hardening for GitHub Actions." As a workaround, you can select just thewrite:packagesscope for your personal access token in the user interface with this url:https://HOSTNAME/settings/tokens/new?scopes=write:packages.- Select the
read:packagesscope to download container images and read their metadata. - Select the
write:packagesscope to download and upload container images and read and write their metadata. - Select the
delete:packagesscope to delete container images.
For more information, see "Creating a personal access token for the command line."
- Select the
-
Save your personal access token. We recommend saving your token as an environment variable.
$ export CR_PAT=YOUR_TOKEN -
Using the CLI for your container type, sign in to the Container registry service at
containers.HOSTNAME.$ echo $CR_PAT | docker login containers.HOSTNAME -u USERNAME --password-stdin > Login Succeeded
Pushing container images
This example pushes the latest version of IMAGE_NAME.
$ docker push containers.HOSTNAME/OWNER/IMAGE_NAME:latestThis example pushes the 2.5 version of the image.
$ docker push containers.HOSTNAME/OWNER/IMAGE_NAME:2.5When you first publish a package, the default visibility is private. To change the visibility or set access permissions, see "Configuring a package's access control and visibility."
Pulling container images
Pull by digest
To ensure you're always using the same image, you can specify the exact container image version you want to pull by the digest SHA value.
-
To find the digest SHA value, use
docker inspectordocker pulland copy the SHA value afterDigest:$ docker inspect containers.HOSTNAME/OWNER/IMAGE_NAME -
Remove image locally as needed.
$ docker rmi containers.HOSTNAME/OWNER/IMAGE_NAME:latest -
Pull the container image with
@YOUR_SHA_VALUEafter the image name.$ docker pull containers.HOSTNAME/OWNER/IMAGE_NAME@sha256:82jf9a84u29hiasldj289498uhois8498hjs29hkuhs
Pull by name
$ docker pull containers.HOSTNAME/OWNER/IMAGE_NAMEPull by name and version
Docker CLI example showing an image pulled by its name and the 1.14.1 version tag:
$ docker pull containers.HOSTNAME/OWNER/IMAGE_NAME:1.14.1
> 5e35bd43cf78: Pull complete
> 0c48c2209aab: Pull complete
> fd45dd1aad5a: Pull complete
> db6eb50c2d36: Pull complete
> Digest: sha256:ae3b135f133155b3824d8b1f62959ff8a72e9cf9e884d88db7895d8544010d8e
> Status: Downloaded newer image for containers.HOSTNAME/orgname/image-name/release:1.14.1
> containers.HOSTNAME/orgname/image-name/release:1.14.1Pull by name and latest version
$ docker pull containers.HOSTNAME/OWNER/IMAGE_NAME:latest
> latest: Pulling from user/image-name
> Digest: sha256:b3d3e366b55f9a54599220198b3db5da8f53592acbbb7dc7e4e9878762fc5344
> Status: Downloaded newer image for containers.HOSTNAME/user/image-name:latest
> containers.HOSTNAME/user/image-name:latestBuilding container images
This example builds the hello_docker image:
$ docker build -t hello_docker .Tagging container images
-
Find the ID for the Docker image you want to tag.
$ docker images > REPOSITORY TAG IMAGE ID CREATED SIZE > containers.HOSTNAME/my-org/hello_docker latest 38f737a91f39 47 hours ago 91.7MB > containers.HOSTNAME/my-username/hello_docker latest 38f737a91f39 47 hours ago 91.7MB > hello-world latest fce289e99eb9 16 months ago 1.84kB -
Tag your Docker image using the image ID and your desired image name and hosting destination.
$ docker tag 38f737a91f39 containers.HOSTNAME/OWNER/NEW_IMAGE_NAME:latest
Labelling container images
Puedes usar etiquetas de Docker para agregar metadatos, incluida una descripción, una licencia y un repositorio de origen a la imagen de contenedor. For more information on Docker labels, see LABEL in the official Docker documentation and Pre-Defined Annotation Keys in the opencontainers/image-spec repository.
The following labels are supported in the Container registry. Supported labels will appear on the package page for the image.
| Label | Description |
|---|---|
org.opencontainers.image.source | The URL of the repository associated with the package. For more information, see "Connecting a repository to a package." |
org.opencontainers.image.description | A text-only description limited to 512 characters. This description will appear on the package page, below the name of the package. |
org.opencontainers.image.licenses | An SPDX license identifier such as "MIT," limited to 256 characters. The license will appear on the package page, in the "Details" sidebar. For more information, see SPDX License List. |
To add labels to an image, we recommend using the LABEL instruction in your Dockerfile. For example, if you're the user monalisa and you own my-repo, and your image is distributed under the terms of the MIT license, you would add the following lines to your Dockerfile:
LABEL org.opencontainers.image.source=https://HOSTNAME/monalisa/my-repo
LABEL org.opencontainers.image.description="My container image"
LABEL org.opencontainers.image.licenses=MIT
Alternatively, you can add labels to an image at buildtime with the docker build command.
$ docker build \
--label "org.opencontainers.image.source=https://HOSTNAME/monalisa/my-repo" \
--label "org.opencontainers.image.description=My container image" \
--label "org.opencontainers.image.licenses=MIT"