
Push Docker images into the GitHub Container Registry

Open ludovicm67 opened this issue 3 years ago • 9 comments

I saw that this repository is configured to run GitHub Actions to build Docker images. But for the moment it only tests if the Docker images build successfully, but they are not pushed anywhere. It could be nice to be able to test Docker images before they are released into the official Docker images in the Docker Hub.

I suggest that we push those Docker images into the GitHub Container Registry or in the Docker Hub in a custom organization. I can help you to set up that if you want.

@J0WI it seems that you are in charge of the Docker images part. What do you think about that?

This could help for #221.

ludovicm67 avatar Nov 29 '20 13:11 ludovicm67

fyi @crazy-max @juliencarnot @pierreozoux @Silvenga @tianon you also have write or admin access to the repo, this may be of interest

mattab avatar Nov 29 '20 22:11 mattab

I guess this is kind of a duplicate of https://github.com/docker-library/official-images/issues/8998

J0WI avatar Nov 30 '20 00:11 J0WI

No, this is not my point. I do not ask on this issue for having the whole Docker Hub on the GitHub Container Registry.

What I asked for is to have a way to have an image very quickly, for example on each commit/tag, a CI pipeline should be triggered and an image pushed somewhere (in GitHub Container Registry or in a custom organization on the Docker Hub).

The process for publishing as an official Docker image in the Docker Hub is really slow. Automatic build and push of Docker image somewhere could let people try images before they are released as an official Docker image on the Docker Hub.

So to be clear, I think it could be interesting to push more regularly (for example on each commit/tag; you can have a look here to see how you can configure GitHub Actions to configure tags for the Docker image) in a Docker container registry (GitHub Container Registry or a custom Docker Hub organization). I can help you on this if you need some help. This should be considered as an additional step; this does not aim to replace the process of publishing on the Docker Hub as an official image.

ludovicm67 avatar Nov 30 '20 09:11 ludovicm67

Good to see this conversation and others. Btw just wanted to note on your offer:

> I can help you on this if you need some help.

That's probably very welcome! Fyi: as opposed to most other projects under matomo-org organization on Github, this docker project is entirely created and maintained by the community, and the people who build Matomo, plugins, marketplace, website, mobile app, etc. don't currently use or work on the docker project. @pierreozoux is current admin and other people are contributors: [image: Screenshot from 2020-12-07 12-55-22]

mattab avatar Dec 06 '20 23:12 mattab

Happy New Year!

Thanks for your answer.

If you are interested that I configure GitHub Actions to push into the GitHub Container Registry, it will require following steps:

  • Have a dedicated GitHub account in the organization and generate a Personal Access Token for this account (just select the write:packages scope). The reason is that for the moment GitHub doesn't let us scope a personal access token to a specific organization. For example if I use my personal access token, the CI could publish packages here, but also on all GitHub organizations I belong to plus my own namespace, which is something we do not want. The name of the personal access token could be matomo-org/docker for example (in case you want to explicitly create one personal access token per project).

  • In the Docker project, go to Settings > Secrets. Create two secrets:

    • GHCR_USERNAME with the username of the user created in the first step,
    • GHCR_TOKEN with the token you got in the first step.
  • In the packages section of the organization settings, enable improved container support. You may want to also allow members to create public packages.

  • I will work on a custom branch to write the required workflow file for GitHub Actions, and see if all is working as expected.

  • I will open a PR and if you are OK with the work I did, you can merge it into master.

ludovicm67 avatar Jan 02 '21 20:01 ludovicm67
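A workflow matching the steps listed in the comment above could look like the following. This is an added example, not part of the thread or of the matomo-org/docker repository; the file name, the image name `example-image` and the build context `./example-context` are placeholders, and only the `GHCR_USERNAME` and `GHCR_TOKEN` secret names come from the comment.

```yaml
# .github/workflows/docker-publish.yml (hypothetical file name)
name: docker-publish

on:
  push:
    branches: [master]
    tags: ['*']
  pull_request:

# Keep the workflow's built-in token read-only; pushing uses the PAT secrets.
permissions:
  contents: read

env:
  # Placeholder image name (must be lowercase); the thread does not fix one.
  IMAGE: ghcr.io/matomo-org/example-image

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: docker/setup-buildx-action@v3

      # Repository secrets are not passed to runs triggered from forks, so
      # log in and push only on push events; pull requests are build-only.
      - name: Log in to ghcr.io
        if: github.event_name == 'push'
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ secrets.GHCR_USERNAME }}
          password: ${{ secrets.GHCR_TOKEN }}

      - name: Build, and push on push events
        uses: docker/build-push-action@v5
        with:
          context: ./example-context   # placeholder build directory
          push: ${{ github.event_name == 'push' }}
          tags: |
            ${{ env.IMAGE }}:${{ github.ref_name }}
            ${{ env.IMAGE }}:sha-${{ github.sha }}
```

GHCR also accepts the workflow's built-in `GITHUB_TOKEN` when the job declares `packages: write`, in which case `github.actor` and `secrets.GITHUB_TOKEN` replace the two secrets and no long-lived personal access token or dedicated account is needed.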

Happy new year 2021 everyone!

@ludovicm67 thanks for offering your help. In general, automating some of the steps via Github actions, sounds like a good idea...

@crazy-max @juliencarnot @pierreozoux @Silvenga @tianon maybe you have some feedback or thoughts on Ludovic's proposal above?

mattab avatar Jan 07 '21 02:01 mattab

I wonder if matomo-org should wait for GA of the ghcr.io before using it. I have no doubt that GH will provide a better method of authenticating other than personal tokens.

In the meantime, maybe using image storage via GH Packages would work to fulfill these pain points? Those work with the github token exposed by the build pipeline (permissions are based on how the job is invoked e.g. master builds will get a token that can push containers).

https://github.com/silvenga-docker/eset-smc/blob/master/.github/workflows/build.yml#L23

My understanding is that ghcr.io will supersede GH packages at some point - as the ghcr.io is a lot more compliant with the docker registry spec, but it is still in beta.

I've been kind of out of touch with the matomo-org project lately since I switched employers.

Silvenga avatar Jan 07 '21 02:01 Silvenga

If you prefer, we can use a custom Docker Hub organization instead of GitHub Container Registry for the moment; it will be easy to add it later (we can have both, or choose only one of the two; depending on what you prefer). But we are facing the same problem as for GHCR now: we need a dedicated user on the registry for CI purposes.

If yes, we have to create a new access token on the Docker Hub (https://hub.docker.com/settings/security) using the dedicated user (first bullet point on https://github.com/matomo-org/docker/issues/225#issuecomment-753526880), and we can use DOCKERHUB_USERNAME and DOCKERHUB_TOKEN secrets instead of GHCR_USERNAME and GHCR_TOKEN (the second bullet point on https://github.com/matomo-org/docker/issues/225#issuecomment-753526880).

ludovicm67 avatar Feb 01 '21 21:02 ludovicm67

Just for information, GitHub Container Registry is now generally available.

Source: https://github.blog/2021-06-21-github-packages-container-registry-generally-available/

ludovicm67 avatar Jul 20 '21 13:07 ludovicm67