
TRG 4.05 - Container registries

| Status | Created | Post-History |
|--------|---------|--------------|
| Draft | 04-May-2023 | Place DockerHub as mandatory container registry; remove GHCR references |
| Active | 05-Jan-2023 | Initial release |
| Draft | 14-Sept-2022 | n/a |

Why

Using a central container registry greatly improves the security and manageability of images. It also makes it easier for external parties to validate that images are authentic, since all of them come from the same source.

Description

In Eclipse Tractus-X we are using one central container registry. This registry is tractusx on DockerHub.

All container images released for an Eclipse Tractus-X product must be present on DockerHub. Also be aware of the necessary remarks for container images described in TRG 4.06 and the alignment on common base images described in TRG 4.02.

How

The following example shows a simple workflow that can be used to publish your Docker image(s) to DockerHub. It uses secrets that contain the credentials to authenticate at DockerHub. These secrets are present at GitHub organization level and can therefore be used in any repository in our org.

```yaml
# Reference from https://github.com/eclipse-tractusx/app-dashboard/blob/main/.github/workflows/build-image.yaml
# You might want to check the source for recent updates
name: Build - Docker image (SemVer)

on:
  push:
    branches:
      - main
    # trigger events for SemVer like tags
    tags:
      - 'v*.*.*'
      - 'v*.*.*-*'
  pull_request:
    branches:
      - main

env:
  IMAGE_NAMESPACE: "tractusx"
  IMAGE_NAME: "app-dashboard"

jobs:
  docker:
    runs-on: ubuntu-latest
    permissions:
      # GitHub Packages permission; not required for pushing to DockerHub
      packages: write

    steps:
      - name: Checkout
        uses: actions/checkout@v3

      # Create SemVer or ref tags depending on the trigger event
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v4
        with:
          images: |
            ${{ env.IMAGE_NAMESPACE }}/${{ env.IMAGE_NAME }}
          # Automatically prepare image tags; see action docs for more examples.
          # The semver patterns will generate tags like these, for example: :1 :1.2 :1.2.3
          tags: |
            type=ref,event=branch
            type=ref,event=pr
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}
            type=semver,pattern={{major}}.{{minor}}

      - name: DockerHub login
        if: github.event_name != 'pull_request'
        uses: docker/login-action@v2
        with:
          # Use existing DockerHub credentials present as secrets
          username: ${{ secrets.DOCKER_HUB_USER }}
          password: ${{ secrets.DOCKER_HUB_TOKEN }}

      - name: Build and push
        uses: docker/build-push-action@v3
        with:
          context: .
          # Build image for verification purposes on every trigger event. Only push if event is not a PR
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}

      # https://github.com/peter-evans/dockerhub-description
      # Important step to push image description to DockerHub
      - name: Update Docker Hub description
        if: github.event_name != 'pull_request'
        uses: peter-evans/dockerhub-description@v3
        with:
          # readme-filepath defaults to the top-level README.md; only necessary if you have a dedicated file with your 'Notice for docker images'
          # readme-filepath: path/to/dedicated/notice-for-docker-image.md
          username: ${{ secrets.DOCKER_HUB_USER }}
          password: ${{ secrets.DOCKER_HUB_TOKEN }}
          repository: ${{ env.IMAGE_NAMESPACE }}/${{ env.IMAGE_NAME }}
```