GHCR
Definition
GHCR, or GitHub Container Registry, is a service provided by GitHub for storing and managing Docker container images. It allows developers to host container images within the GitHub ecosystem, leveraging GitHub’s security and collaboration features. GHCR supports fine-grained permissions and integrates seamlessly with GitHub Actions for automated workflows, making it a convenient choice for CI/CD pipelines.
Secure Settings Example
# GitHub Actions workflow file example
name: Build and Push Docker Image
on:
  push:
    branches:
      - main
# Least-privilege grant for the automatically issued GITHUB_TOKEN: pushing to
# ghcr.io requires packages: write, and nothing here needs write access to code.
permissions:
  contents: read
  packages: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
      - name: Log in to GitHub Container Registry
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          # Job-scoped token issued per run and revoked when the job ends;
          # no long-lived personal credential is stored in the repository.
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build and push Docker image
        uses: docker/build-push-action@v3
        with:
          context: .
          push: true
          tags: ghcr.io/${{ github.repository }}/my-image:latest
Insecure Settings Example
# GitHub Actions workflow file example with insecure settings
name: Build and Push Docker Image
on:
  push:
    branches:
      - main
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
      - name: Log in to GitHub Container Registry
        # Logs in with a personal access token taken from the CR_PAT variable
        # instead of the job-scoped GITHUB_TOKEN.
        run: echo $CR_PAT | docker login ghcr.io -u $GITHUB_ACTOR --password-stdin
      - name: Build and push Docker image
        run: |
          docker build -t ghcr.io/${{ github.repository }}/my-image:latest .
          docker push ghcr.io/${{ github.repository }}/my-image:latest
In the insecure example, the login step depends on a personal access token (CR_PAT). A PAT is a long-lived credential tied to a user account and carrying whatever scopes that user granted it, so handling it directly in the workflow can expose sensitive credentials if it is not managed properly; the job-scoped GITHUB_TOKEN used in the secure example is issued per run, limited by the workflow's permissions block, and expires when the job finishes.
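As an added illustration (not part of the original page or of any GitHub tooling), the following Python script audits a workflow file for the GHCR login patterns contrasted above: a docker login in a run step fed by something other than GITHUB_TOKEN, a login-action password that is not the job-scoped token, a literal token pasted into the file, a missing permissions block, and actions pinned to a tag rather than a commit SHA. The two embedded workflows are constructed samples that mirror the secure and insecure examples; the severity labels and regular expressions are this example's own choices, and the line-based matching is deliberately simple rather than a full YAML parser.

```python
import re

# Constructed sample workflows (not the page's own text) used to exercise the audit.
SECURE_WORKFLOW = """\
name: Build and Push Docker Image
on:
  push:
    branches:
      - main
permissions:
  contents: read
  packages: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
"""

INSECURE_WORKFLOW = """\
name: Build and Push Docker Image
on:
  push:
    branches:
      - main
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Log in to GitHub Container Registry
        run: echo $CR_PAT | docker login ghcr.io -u $GITHUB_ACTOR --password-stdin
"""

RUN_LOGIN = re.compile(r"docker\s+login\b")          # docker login issued from a run step
USES = re.compile(r"^\s*-?\s*uses:\s*(\S+)")          # uses: owner/action@ref
SHA_PIN = re.compile(r"@[0-9a-f]{40}$")               # ref is a full commit SHA
PASSWORD = re.compile(r"^\s*password:\s*(.+?)\s*$")   # login-action password input
PERMISSIONS = re.compile(r"^\s*permissions:", re.M)   # workflow- or job-level permissions block
# Prefixes GitHub uses for its token formats; a match means a literal token was committed.
LITERAL_TOKEN = re.compile(r"\b(ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{20,}\b")


def audit_workflow(text):
    """Return a list of (severity, message) findings for one workflow file."""
    findings = []
    if not PERMISSIONS.search(text):
        findings.append(("medium", "no permissions block: GITHUB_TOKEN keeps the repository "
                                   "default; declare contents: read and packages: write"))
    for n, line in enumerate(text.splitlines(), 1):
        if LITERAL_TOKEN.search(line):
            findings.append(("high", f"line {n}: literal GitHub token committed in workflow"))
        if RUN_LOGIN.search(line):
            if "GITHUB_TOKEN" in line:
                findings.append(("low", f"line {n}: docker login in run step; prefer docker/login-action"))
            else:
                findings.append(("high", f"line {n}: docker login fed by a credential other than "
                                         "GITHUB_TOKEN (likely a PAT)"))
        m = PASSWORD.match(line)
        if m and "secrets.GITHUB_TOKEN" not in m.group(1):
            findings.append(("high", f"line {n}: login password is not the job-scoped GITHUB_TOKEN"))
        m = USES.match(line)
        if m and not SHA_PIN.search(m.group(1)):
            findings.append(("low", f"line {n}: action {m.group(1)} is not pinned to a commit SHA"))
    return findings


if __name__ == "__main__":
    for label, wf in (("secure", SECURE_WORKFLOW), ("insecure", INSECURE_WORKFLOW)):
        print(f"== {label} ==")
        for severity, message in audit_workflow(wf):
            print(f"[{severity}] {message}")
```

Run against the secure sample the only findings are the low-severity tag-pinning notes, which is the one hardening step the page's workflows do not show; the insecure sample additionally yields a high-severity finding for the PAT-backed login and a medium one for the missing permissions block.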