TRG 4.05 - Container registries
Status | Created | Post-History |
---|---|---|
Draft | 04-May-2023 | Place DockerHub as mandatory container registry; remove GHCR references |
Active | 05-Jan-2023 | Initial release |
Draft | 14-Sept-2022 | n/a |
Why
Using a central container registry greatly improves security and manageability of images. It also makes it easier for external parties to validate that images are correct if they are coming from the same source.
Description
In Eclipse Tractus-X we are using one central container registry. This registry ist tractusx on DockerHub.
All container images released for an Eclipse Tractus-X product must be present on DockerHub. Also be aware of the necessary remarks for container images described in TRG 4-06 and alignment on common base images described in TRG 4.02.
How
Following example shows a simple workflow, that can be used to publish your Docker image(s) to DockerHub
.
It is using secrets, that contain credentials to authenticate at DockerHub
. These secrets are present at GitHub organization
level and can therefore be used in any repository in our org.
# Reference from https://github.com/eclipse-tractusx/app-dashboard/blob/main/.github/workflows/build-image.yaml
# You might want to check the source for recent updates
name: Build - Docker image (SemVer)
on:
push:
branches:
- main
# trigger events for SemVer like tags
tags:
- 'v*.*.*'
- 'v*.*.*-*'
pull_request:
branches:
- main
env:
IMAGE_NAMESPACE: "tractusx"
IMAGE_NAME: "app-dashboard"
jobs:
docker:
runs-on: ubuntu-latest
permissions:
packages: write
steps:
- name: Checkout
uses: actions/checkout@v3
# Create SemVer or ref tags dependent of trigger event
- name: Docker meta
id: meta
uses: docker/metadata-action@v4
with:
images: |
${{ env.IMAGE_NAMESPACE }}/${{ env.IMAGE_NAME }}
# Automatically prepare image tags; See action docs for more examples.
# semver patter will generate tags like these for example :1 :1.2 :1.2.3
tags: |
type=ref,event=branch
type=ref,event=pr
type=semver,pattern={{version}}
type=semver,pattern={{major}}
type=semver,pattern={{major}}.{{minor}}
- name: DockerHub login
if: github.event_name != 'pull_request'
uses: docker/login-action@v2
with:
# Use existing DockerHub credentials present as secrets
username: ${{ secrets.DOCKER_HUB_USER }}
password: ${{ secrets.DOCKER_HUB_TOKEN }}
- name: Build and push
uses: docker/build-push-action@v3
with:
context: .
# Build image for verification purposes on every trigger event. Only push if event is not a PR
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
# https://github.com/peter-evans/dockerhub-description
# Important step to push image description to DockerHub
- name: Update Docker Hub description
if: github.event_name != 'pull_request'
uses: peter-evans/dockerhub-description@v3
with:
# readme-filepath defaults to toplevel README.md, Only necessary if you have a dedicated file with your 'Notice for docker images'
# readme-filepath: path/to/dedicated/notice-for-docker-image.md
username: ${{ secrets.DOCKER_HUB_USER }}
password: ${{ secrets.DOCKER_HUB_TOKEN }}
repository: ${{ env.IMAGE_NAMESPACE }}/${{ env.IMAGE_NAME }}