Skip to content

feat: add GHCR support for container registry #48

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
gabor-boros wants to merge 1 commit into
base: main
Choose a base branch
from
Open

feat: add GHCR support for container registry #48

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
37 changes: 37 additions & 0 deletions .github/workflows/build.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -69,6 +69,13 @@ on:
required: false
type: string
default: "%Y%m%d-%H%M"
outputs:
image_tag:
description: "Image tag only (e.g., '20250101abcdef12')"
value: ${{ jobs.build.outputs.image_tag }}
image_name:
description: "Full image name with registry and tag (e.g., 'registry.example.com/service:20250101abcdef12')"
value: ${{ jobs.build.outputs.image_name }}
secrets:
DOCKERHUB_USERNAME:
description: 'DockerHub username for login'
Expand All @@ -91,6 +98,9 @@ on:

jobs:
build:
outputs:
image_tag: ${{ steps.set-image-tag-output.outputs.image_tag }}
image_name: ${{ steps.set-image-tag-output.outputs.image_name }}
runs-on: ${{ inputs.RUNNER_WORKFLOW_LABEL }}
defaults:
run:
Expand Down Expand Up @@ -212,6 +222,14 @@ jobs:
if: ${{ contains(env.DOCKER_REGISTRY, 'aws') }}
uses: aws-actions/amazon-ecr-login@v2

- name: Login to GitHub Container Registry if Docker registry is GitHub Container Registry
Copy link
Contributor

@magajh magajh Nov 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good, I think we’re only missing a short doc update

It would be great if we could mention somewhere that the workflow now supports using GitHub Container Registry as a Docker registry and that, by default, it relies on the GITHUB_TOKEN generated by GitHub. My understanding is that the only requirement on the caller side is to invoke the Picasso workflow with the appropriate permissions (like packages: write), right?

Maybe we could add this under the Key features section in the Workflow Overview, so users can easily see that GHCR is supported and what is needed to use it

if: ${{ contains(env.DOCKER_REGISTRY, 'ghcr.io') }}
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Login to DockerHub if Docker registry is DockerHub or not set
if: ${{ env.DOCKER_REGISTRY == null || contains(env.DOCKER_REGISTRY, 'docker.io') }}
uses: docker/login-action@v3
Expand Down Expand Up @@ -245,6 +263,25 @@ jobs:
if: ${{ inputs.USE_DYNAMIC_IMAGE_TAG }}
run: tutor config printvalue $TARGET_KEY

- name: Set job outputs for image tag and name
id: set-image-tag-output
run: |
# Determine the target key for the service
if [ -z "$TARGET_KEY" ]; then
# If TARGET_KEY is not set (static image tag scenario), determine it from service
TARGET_KEY=$(python picasso/.github/workflows/scripts/get_service_target_key.py --service ${{ inputs.SERVICE }})
Copy link
Contributor

@magajh magajh Nov 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@gabor-boros I tested this in the static-tag scenario (USE_DYNAMIC_IMAGE_TAG = false) and the Set job outputs for image tag and name step is failing with:

Run # Determine the target key for the service
python: can't open file '/home/runner/work/ednx-strains/ednx-strains/strains/teak/base/picasso/.github/workflows/scripts/get_service_target_key.py': [Errno 2] No such file or directory

This seems to be related to the job defaults

defaults:
  run:
    working-directory: strains/${{ inputs.STRAIN_PATH }}

This command python picasso/.github/workflows/scripts/get_service_target_key.py --service ${{ inputs.SERVICE }} ends up resolving to strains/<path>/picasso/..., but the picasso repo is actually checked out at ${{ github.workspace }}/picasso

I think to fix this we could either set working-directory: ${{ github.workspace }} for this step, or use an absolute path to the script

fi

# Get the full image name from Tutor config
FULL_IMAGE_NAME=$(tutor config printvalue $TARGET_KEY)

# Extract the tag portion (everything after the last colon)
IMAGE_TAG="${FULL_IMAGE_NAME##*:}"

# Set outputs
echo "image_name=$FULL_IMAGE_NAME" >> $GITHUB_OUTPUT
echo "image_tag=$IMAGE_TAG" >> $GITHUB_OUTPUT

- name: Update image tag in remote repository
if: ${{ inputs.USE_DYNAMIC_IMAGE_TAG && inputs.UPDATE_IMAGE_TAG_IN_REPO }}
working-directory: ${{ github.workspace }}/strains
Expand Down
40 changes: 40 additions & 0 deletions .github/workflows/scripts/get_service_target_key.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
"""
Script to get the target key for a service from the service_tag_map.

This script is used to determine which config key corresponds to a given service
when dynamic image tags are not being used.
"""

import sys
import argparse
from service_tag_map import service_tag_map


def parse_args():
"""Parse command-line arguments."""
parser = argparse.ArgumentParser(
description="Get the target key for a service from service_tag_map"
)

parser.add_argument(
"--service",
required=True,
help="Service name to look up in service_tag_map"
)

return parser.parse_args()


def main():
"""Get and print the target key for the given service."""
args = parse_args()

if args.service not in service_tag_map:
sys.exit(f"ERROR: Service '{args.service}' not found in service_tag_map")

target_key = service_tag_map[args.service]
print(target_key)


if __name__ == "__main__":
main()