DEV Community

Justin Poehnelt

Posted on • Originally published at justin.poehnelt.com on

Using Google Container Registry, Docker Buildx, and GitHub Actions

Today, I was trying to integrate the docker/build-push-action with Google Container Registry (GCR). I was able to get the build working, but I was unable to push the image to GCR due to authentication issues. The solution involved the following.

  1. Using the google-github-actions/auth action to authenticate with Google Cloud (here via Workload Identity Federation, so no long-lived service account key is stored in the repository).
  2. Calling `gcloud auth configure-docker --quiet gcr.io`, which registers gcloud as the Docker credential helper for gcr.io in ~/.docker/config.json so that the Docker CLI uses the Google Cloud credentials when it pushes.

The workflow looks like this.

```yaml
- name: Setup auth
  id: "auth"
  uses: "google-github-actions/auth@v0"
  with:
    workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
    service_account: "github-deployer@${{ secrets.GOOGLE_CLOUD_PROJECT }}.iam.gserviceaccount.com"
- name: Setup docker
  uses: docker/setup-buildx-action@v2
- name: Authenticate docker
  run: |
    gcloud auth configure-docker --quiet gcr.io
- name: Build and push
  uses: docker/build-push-action@v3
  with:
    context: .
    push: true
    tags: ${{ env.IMAGE }}
    cache-from: type=gha
    cache-to: type=gha,mode=max
```
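The "Authenticate docker" step above only works if `gcloud auth configure-docker` actually recorded gcloud as the credential helper for gcr.io; when that entry is missing, the later push fails with the authentication errors described at the top of the post. The shell snippet below is an added example, not part of the original post or of Google's tooling: it checks a Docker config for that `credHelpers` mapping so the workflow can fail early on the auth step instead of on the push. The `SAMPLE_CONFIG` and `NO_HELPER_CONFIG` strings are constructed to mirror the layout `gcloud` writes to ~/.docker/config.json (an assumption about that layout, not text from the page).

```shell
#!/bin/sh
# Constructed sample of ~/.docker/config.json after
# `gcloud auth configure-docker --quiet gcr.io` (assumed layout).
SAMPLE_CONFIG='{
  "auths": {},
  "credHelpers": {
    "gcr.io": "gcloud"
  }
}'

# Constructed sample of a config where configure-docker was never run.
NO_HELPER_CONFIG='{
  "auths": {}
}'

# has_gcloud_helper CONFIG_JSON REGISTRY
# Returns 0 when REGISTRY is mapped to the "gcloud" credential helper
# inside the "credHelpers" object, 1 otherwise. Works without jq by
# flattening the JSON to one line and matching it with grep -E.
has_gcloud_helper() {
  config="$1"
  registry="$2"
  printf '%s\n' "$config" | tr -d '\n' | grep -Eq \
    "\"credHelpers\"[[:space:]]*:[[:space:]]*\{[^}]*\"$registry\"[[:space:]]*:[[:space:]]*\"gcloud\""
}

# check_docker_config FILE REGISTRY
# Same check against a config file on disk; intended to run right after
# the "Authenticate docker" step so a missing helper fails that step.
check_docker_config() {
  file="$1"
  registry="$2"
  if [ ! -r "$file" ]; then
    echo "docker config $file not found" >&2
    return 1
  fi
  if has_gcloud_helper "$(cat "$file")" "$registry"; then
    echo "$registry -> gcloud credential helper configured in $file"
    return 0
  fi
  echo "no gcloud credential helper for $registry in $file" >&2
  return 1
}

# Demonstration on the constructed samples.
if has_gcloud_helper "$SAMPLE_CONFIG" gcr.io; then
  echo "sample config: gcr.io helper present"
fi
if ! has_gcloud_helper "$NO_HELPER_CONFIG" gcr.io; then
  echo "no-helper config: gcr.io helper missing (push would fail to authenticate)"
fi
```

In the workflow this would be one extra `run:` line after `gcloud auth configure-docker`, for example `check_docker_config "$HOME/.docker/config.json" gcr.io`, so that the job stops at the auth step with a clear message rather than at the push.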

I was unable to get the cache working with GCR. I’m not sure if it’s a bug or if I’m doing something wrong.

IAM Role

I also created a custom role based upon Storage Legacy Bucket Writer and granted it to the github-deployer@ service account. Pushing to gcr.io writes image layers and manifests as objects into the registry's backing Cloud Storage bucket, so the role only needs the bucket and object permissions below rather than a broad project role.

Custom role for pushing images to gcr.io

This includes the following permissions.

  • storage.buckets.get
  • storage.multipartUploads.abort
  • storage.multipartUploads.create
  • storage.multipartUploads.list
  • storage.multipartUploads.listParts
  • storage.objects.create
  • storage.objects.delete
  • storage.objects.list

And it works! 🎉
