docker
/
docs
mirror of https://github.com/docker/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
docs/content/guides/gha.md

256 lines
8.6 KiB
Markdown
Raw Permalink Blame History

---
title: Introduction to GitHub Actions with Docker
linkTitle: GitHub Actions and Docker
summary: |
Learn how to automate image build and push with GitHub Actions.
params:
tags: [devops]
time: 10 minutes
---
This guide provides an introduction to building CI pipelines using Docker and
GitHub Actions. You will learn how to use Docker's official GitHub Actions to
build your application as a Docker image and push it to Docker Hub. By the end
of the guide, you'll have a simple, functional GitHub Actions configuration for
Docker builds. Use it as-is, or extend it further to fit your needs.
## Prerequisites
If you want to follow along with the guide, ensure you have the following:
- A Docker account.
- Familiarity with Dockerfiles.
This guide assumes basic knowledge of Docker concepts but provides explanations
for using Docker in GitHub Actions workflows.
## Get the sample app
This guide is project-agnostic and assumes you have an application with a
Dockerfile.
If you need a sample project to follow along, you can use [this sample
application](https://github.com/dvdksn/rpg-name-generator.git), which includes
a Dockerfile for building a containerized version of the app. Alternatively,
use your own GitHub project or create a new repository from the template.
{{% dockerfile.inline %}}
{{ $data := resources.GetRemote "https://raw.githubusercontent.com/dvdksn/rpg-name-generator/refs/heads/main/Dockerfile" }}
```dockerfile {collapse=true}
{{ $data.Content }}
```
{{% /dockerfile.inline %}}
## Configure your GitHub repository
The workflow in this guide pushes the image you build to Docker Hub. To do
that, you must authenticate with your Docker credentials (username and access
token) as part of the GitHub Actions workflow.
For instructions on how to create a Docker access token, see
[Create and manage access tokens](/manuals/security/for-developers/access-tokens.md).
Once you have your Docker credentials ready, add the credentials to your GitHub
repository so you can use them in GitHub Actions:
1. Open your repository's **Settings**.
2. Under **Security**, go to **Secrets and variables > Actions**.
3. Under **Secrets**, create a new repository secret named `DOCKER_PASSWORD`,
containing your Docker access token.
4. Next, under **Variables**, create a `DOCKER_USERNAME` repository variable
containing your Docker Hub username.
## Set up your GitHub Actions workflow
GitHub Actions workflows define a series of steps to automate tasks, such as
building and pushing Docker images, in response to triggers like commits or
pull requests. In this guide, the workflow focuses on automating Docker builds
and testing, ensuring your containerized application works correctly before
publishing it.
Create a file named `docker-ci.yml` in the `.github/workflows/` directory of
your repository. Start with the basic workflow configuration:
```yaml
name: Build and Push Docker Image
on:
push:
branches:
- main
pull_request:
```
This configuration runs the workflow on pushes to the main branch and on pull
requests. By including both triggers, you can ensure that the image builds
correctly for a pull request before it's merged.
## Extract metadata for tags and annotations
For the first step in your workflow, use the `docker/metadata-action` to
generate metadata for your image. This action extracts information about your
Git repository, such as branch names and commit SHAs, and generates image
metadata such as tags and annotations.
Add the following YAML to your workflow file:
```yaml
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Extract Docker image metadata
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ vars.DOCKER_USERNAME }}/my-image
```
These steps prepare metadata to tag and annotate your images during the build
and push process.
- The **Checkout** step clones the Git repository.
- The **Extract Docker image metadata** step extracts Git metadata and
generates image tags and annotations for the Docker build.
## Authenticate to your registry
Before you build the image, authenticate to your registry to ensure that you
can push your built image to the registry.
To authenticate with Docker Hub, add the following step to your workflow:
```yaml
- name: Log in to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ vars.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
```
This step uses the Docker credentials [configured in the repository settings](#configure-your-github-repository).
## Build and push the image
Finally, build the final production image and push it to your registry. The
following configuration builds the image and pushes it directly to a registry.
```yaml
- name: Build and push Docker image
uses: docker/build-push-action@v6
with:
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
annotations: ${{ steps.meta.outputs.annotations }}
```
In this configuration:
- `push: ${{ github.event_name != 'pull_request' }}` ensures that images are
only pushed when the event is not a pull request. This way, the workflow
builds and tests images for pull requests but only pushes images for commits
to the main branch.
- `tags` and `annotations` use the outputs from the metadata action to apply
consistent tags and [annotations](/manuals/build/metadata/annotations.md) to
the image automatically.
## Attestations
SBOM (Software Bill of Materials) and provenance attestations improve security
and traceability, ensuring your images meet modern software supply chain
requirements.
With a small amount of additional configuration, you can configure
`docker/build-push-action` to generate Software Bill of Materials (SBOM) and
provenance attestations for the image, at build-time.
To generate this additional metadata, you need to make two changes to your
workflow:
- Before the build step, add a step that uses `docker/setup-buildx-action`.
This action configures your Docker build client with additional capabilities
that the default client doesn't support.
- Then, update the **Build and push Docker image** step to also enable SBOM and
provenance attestations.
Here's the updated snippet:
```yaml
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Build and push Docker image
uses: docker/build-push-action@v6
with:
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
annotations: ${{ steps.meta.outputs.annotations }}
provenance: true
sbom: true
```
For more details about attestations, refer to
[the documentation](/manuals/build/metadata/attestations/_index.md).
## Conclusion
With all the steps outlined in the previous section, here's the full workflow
configuration:
```yaml
name: Build and Push Docker Image
on:
push:
branches:
- main
pull_request:
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Extract Docker image metadata
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ vars.DOCKER_USERNAME }}/my-image
- name: Log in to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ vars.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Build and push Docker image
uses: docker/build-push-action@v6
with:
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
annotations: ${{ steps.meta.outputs.annotations }}
provenance: true
sbom: true
```
This workflow implements best practices for building and pushing Docker images
using GitHub Actions. This configuration can be used as-is or extended with
additional features based on your project's needs, such as
[multi-platform](/manuals/build/building/multi-platform.md).
### Further reading
- Learn more about advanced configurations and examples in the [Docker Build GitHub Actions](/manuals/build/ci/github-actions/_index.md) section.
- For more complex build setups, you may want to consider [Bake](/manuals/build/bake/_index.md). (See also the [Mastering Buildx Bake guide](/guides/bake/index.md).)
- Learn about Docker's managed build service, designed for faster, multi-platform builds, see [Docker Build Cloud](/guides/docker-build-cloud/_index.md).
Reference in New Issue View Git Blame Copy Permalink