This article describes how to publish Docker container images to the Azure Container Registry with the help of GitHub Actions.
Overview
In order for a CI platform like GitHub Actions or Jenkins to access the Azure Container Registry (ACR), credentials are required. These credentials can be either service principals or tokens. Tokens allow you to define access permissions within repositories in an ACR registry. Access using tokens is currently only available in the ACR Premium Tier. When using service principals, permissions can also be set, but these refer to all repositories within a registry.
New repositories are not created in ACR via the CLI or the web interface. Instead, they are implicitly created by Azure itself with the first docker push command.
Optional: Set up local Azure CLI in WSL and log in
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
az login --use-device-code
Creating new service principals for accessing Azure Container Registry
First, look up the name of your ACR registry:
With the help of the Gist create_azure_container_registry_service_principals.sh you can then easily create two new service principals in your Azure subscription account.
curl -O https://gist.githubusercontent.com/schakko/52d7743282b6d70a692e5d5282597567/raw/55d588745af7531fb4aa7bf4b75517f56322f652/create_azure_container_registry_service_principals.sh
chmod +x create_azure_container_registry_service_principals.sh
./create_azure_container_registry_service_principals.sh ${REGISTRY_NAME} ${SERVICE_PRINCIPAL_PREFIX}
${REGISTRY_NAME} is the ACR registry name you have looked up.
${SERVICE_PRINCIPAL_PREFIX} is the name prefix of both service principals. If you use sp-acr-my-service-principal as ${SERVICE_PRINCIPAL_PREFIX}, two service principals, sp-acr-my-service-principal-ro and sp-acr-my-service-principal-rw, would be created.
After running the command, you receive the following output:
Store both service principals and their usernames and passwords in your password manager.
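The Gist's contents are not reproduced on this page. As an added example (not the Gist's or the author's code), the following script shows one way to create such a pair with the Azure CLI, so the role assignments can be reviewed before anything is run. It assumes that -ro maps to the built-in AcrPull role and -rw to AcrPush, both scoped to the single registry; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not the Gist's code. Assumption: "-ro" means the built-in
# AcrPull role and "-rw" means AcrPush, each scoped to one registry only.

# Map a principal suffix to the least-privileged built-in ACR role.
role_for_suffix() {
  case "$1" in
    ro) echo acrpull ;;   # pull only
    rw) echo acrpush ;;   # push and pull
    *)  echo "unknown suffix: $1" >&2; return 1 ;;
  esac
}

# Create one principal; prints name, role, appId and password (tab-separated).
# $1 = registry resource ID, $2 = name prefix, $3 = suffix (ro|rw)
create_principal() {
  sp_name="$2-$3"
  sp_role=$(role_for_suffix "$3") || return 1
  # --scopes limits the role assignment to this registry, not the subscription.
  sp_password=$(az ad sp create-for-rbac --name "$sp_name" \
    --scopes "$1" --role "$sp_role" --query password --output tsv) || return 1
  # The appId is the username used for docker login and ACR_USERNAME.
  sp_app_id=$(az ad sp list --display-name "$sp_name" \
    --query "[].appId" --output tsv) || return 1
  printf '%s\t%s\t%s\t%s\n' "$sp_name" "$sp_role" "$sp_app_id" "$sp_password"
}

main() {
  [ $# -eq 2 ] || {
    echo "usage: $0 REGISTRY_NAME SERVICE_PRINCIPAL_PREFIX" >&2
    return 2
  }
  registry_id=$(az acr show --name "$1" --query id --output tsv) || return 1
  for suffix in ro rw; do
    create_principal "$registry_id" "$2" "$suffix" || return 1
  done
}

# Run only when arguments are given, so the functions can also be sourced.
if [ $# -gt 0 ]; then main "$@"; fi
```

The output contains the passwords in clear text, so run it in a terminal you control and do not redirect it into a file that ends up in a repository or CI log.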
Setting up GitHub Actions to publish Docker images
Add required GitHub Actions secrets
In the Azure Container Registry UI, look up the login server. It should be ${REGISTRY_NAME}.azurecr.io.
Now head over to your GitHub project Settings > Secrets > Actions and add the following secrets:
Name | Secret |
---|---|
ACR_HOST | Login server (${REGISTRY_NAME}.azurecr.io) |
ACR_USERNAME | Username of previously created -rw service principal |
ACR_PASSWORD | Password of previously created -rw service principal |
After that, the Secrets > Actions overview should look like this:
Update your GitHub Actions workflow
We are using elgohr/Publish-Docker-Github-Action to publish new Docker images to ACR. Open your GitHub Actions workflow YAML file and add the following steps:
- name: Publish to Registry
  id: publish_to_registry
  # @main follows a moving branch; pinning to a full commit SHA fixes the code that receives the secrets
  uses: elgohr/Publish-Docker-Github-Action@main
  with:
    name: my-repository/my-artifact
    username: ${{ secrets.ACR_USERNAME }}
    password: ${{ secrets.ACR_PASSWORD }}
    registry: ${{ secrets.ACR_HOST }}
    snapshot: true
After the first Actions run, the newly created Docker image should appear in your Azure Container Registry: