|
| 1 | +--- |
| 2 | +title: Introduction to GitHub Actions with Docker |
| 3 | +linkTitle: GitHub Actions and Docker |
| 4 | +summary: | |
| 5 | + Learn how to automate image build and push with GitHub Actions. |
| 6 | +params: |
| 7 | + tags: [devops] |
| 8 | + time: 10 minutes |
| 9 | +--- |
| 10 | + |
| 11 | +This guide provides an introduction to building CI pipelines using Docker and |
| 12 | +GitHub Actions. You will learn how to use Docker's official GitHub Actions to |
| 13 | +build your application as a Docker image and push it to Docker Hub. By the end |
| 14 | +of the guide, you'll have a simple, functional GitHub Actions configuration for |
| 15 | +Docker builds. Use it as-is, or extend it further to fit your needs. |
| 16 | + |
| 17 | +## Prerequisites |
| 18 | + |
| 19 | +If you want to follow along with the guide, ensure you have the following: |
| 20 | + |
| 21 | +- A Docker account. |
| 22 | +- Familiarity with Dockerfiles. |
| 23 | + |
| 24 | +This guide assumes basic knowledge of Docker concepts but provides explanations |
| 25 | +for using Docker in GitHub Actions workflows. |
| 26 | + |
| 27 | +## Get the sample app |
| 28 | + |
| 29 | +This guide is project-agnostic and assumes you have an application with a |
| 30 | +Dockerfile. |
| 31 | + |
| 32 | +If you need a sample project to follow along, you can use [this sample |
| 33 | +application](https://github.com/dvdksn/rpg-name-generator.git), which includes |
| 34 | +a Dockerfile for building a containerized version of the app. Alternatively, |
| 35 | +use your own GitHub project or create a new repository from the template. |
| 36 | + |
| 37 | +{{% dockerfile.inline %}} |
| 38 | + |
| 39 | +{{ $data := resources.GetRemote "https://raw.githubusercontent.com/dvdksn/rpg-name-generator/refs/heads/main/Dockerfile" }} |
| 40 | + |
| 41 | +```dockerfile {collapse=true} |
| 42 | +{{ $data.Content }} |
| 43 | +``` |
| 44 | + |
| 45 | +{{% /dockerfile.inline %}} |
| 46 | + |
| 47 | +## Configure your GitHub repository |
| 48 | + |
| 49 | +The workflow in this guide pushes the image you build to Docker Hub. To do |
| 50 | +that, you must authenticate with your Docker credentials (username and access |
| 51 | +token) as part of the GitHub Actions workflow. |
| 52 | + |
| 53 | +For instructions on how to create a Docker access token, see |
| 54 | +[Create and manage access tokens](/manuals/security/for-developers/access-tokens.md). |
| 55 | + |
| 56 | +Once you have your Docker credentials ready, add the credentials to your GitHub |
| 57 | +repository so you can use them in GitHub Actions: |
| 58 | + |
| 59 | +1. Open your repository's **Settings**. |
| 60 | +2. Under **Security**, go to **Secrets and variables > Actions**. |
| 61 | +3. Under **Secrets**, create a new repository secret named `DOCKER_PASSWORD`, |
| 62 | + containing your Docker access token. |
| 63 | +4. Next, under **Variables**, create a `DOCKER_USERNAME` repository variable |
| 64 | + containing your Docker Hub username. |
| 65 | + |
| 66 | +## Set up your GitHub Actions workflow |
| 67 | + |
| 68 | +GitHub Actions workflows define a series of steps to automate tasks, such as |
| 69 | +building and pushing Docker images, in response to triggers like commits or |
| 70 | +pull requests. In this guide, the workflow focuses on automating Docker builds |
| 71 | +and testing, ensuring your containerized application works correctly before |
| 72 | +publishing it. |
| 73 | + |
| 74 | +Create a file named `docker-ci.yml` in the `.github/workflows/` directory of |
| 75 | +your repository. Start with the basic workflow configuration: |
| 76 | + |
| 77 | +```yaml |
| 78 | +name: Build and Push Docker Image |
| 79 | + |
| 80 | +on: |
| 81 | + push: |
| 82 | + branches: |
| 83 | + - main |
| 84 | + pull_request: |
| 85 | +``` |
| 86 | +
|
| 87 | +This configuration runs the workflow on pushes to the main branch and on pull |
| 88 | +requests. By including both triggers, you can ensure that the image builds |
| 89 | +correctly for a pull request before it's merged. |
| 90 | +
|
| 91 | +## Extract metadata for tags and annotations |
| 92 | +
|
| 93 | +For the first step in your workflow, use the `docker/metadata-action` to |
| 94 | +generate metadata for your image. This action extracts information about your |
| 95 | +Git repository, such as branch names and commit SHAs, and generates image |
| 96 | +metadata such as tags and annotations. |
| 97 | + |
| 98 | +Add the following YAML to your workflow file: |
| 99 | + |
| 100 | +```yaml |
| 101 | +jobs: |
| 102 | + build: |
| 103 | + runs-on: ubuntu-latest |
| 104 | + steps: |
| 105 | + - name: Checkout |
| 106 | + uses: actions/checkout@v4 |
| 107 | + - name: Extract Docker image metadata |
| 108 | + id: meta |
| 109 | + uses: docker/metadata-action@v5 |
| 110 | + with: |
| 111 | + images: ${{ vars.DOCKER_USERNAME }}/my-image |
| 112 | +``` |
| 113 | + |
| 114 | +These steps prepare metadata to tag and annotate your images during the build |
| 115 | +and push process. |
| 116 | + |
| 117 | +- The **Checkout** step clones the Git repository. |
| 118 | +- The **Extract Docker image metadata** step extracts Git metadata and |
| 119 | + generates image tags and annotations for the Docker build. |
| 120 | + |
| 121 | +## Authenticate to your registry |
| 122 | + |
| 123 | +Before you build the image, authenticate to your registry to ensure that you |
| 124 | +can push your built image to the registry. |
| 125 | + |
| 126 | +To authenticate with Docker Hub, add the following step to your workflow: |
| 127 | + |
| 128 | +```yaml |
| 129 | + - name: Log in to Docker Hub |
| 130 | + uses: docker/login-action@v3 |
| 131 | + with: |
| 132 | + username: ${{ vars.DOCKER_USERNAME }} |
| 133 | + password: ${{ secrets.DOCKER_PASSWORD }} |
| 134 | +``` |
| 135 | + |
| 136 | +This step uses the Docker credentials [configured in the repository settings](#configure-your-github-repository). |
| 137 | + |
| 138 | +## Build and push the image |
| 139 | + |
| 140 | +Finally, build the final production image and push it to your registry. The |
| 141 | +following configuration builds the image and pushes it directly to a registry. |
| 142 | + |
| 143 | +```yaml |
| 144 | + - name: Build and push Docker image |
| 145 | + uses: docker/build-push-action@v6 |
| 146 | + with: |
| 147 | + push: ${{ github.event_name != 'pull_request' }} |
| 148 | + tags: ${{ steps.meta.outputs.tags }} |
| 149 | + annotations: ${{ steps.meta.outputs.annotations }} |
| 150 | +``` |
| 151 | + |
| 152 | +In this configuration: |
| 153 | + |
| 154 | +- `push: ${{ github.event_name != 'pull_request' }}` ensures that images are |
| 155 | + only pushed when the event is not a pull request. This way, the workflow |
| 156 | + builds and tests images for pull requests but only pushes images for commits |
| 157 | + to the main branch. |
| 158 | +- `tags` and `annotations` use the outputs from the metadata action to apply |
| 159 | + consistent tags and [annotations](/manuals/build/metadata/annotations.md) to |
| 160 | + the image automatically. |
| 161 | + |
| 162 | +## Attestations |
| 163 | + |
| 164 | +SBOM (Software Bill of Materials) and provenance attestations improve security |
| 165 | +and traceability, ensuring your images meet modern software supply chain |
| 166 | +requirements. |
| 167 | + |
| 168 | +With a small amount of additional configuration, you can configure |
| 169 | +`docker/build-push-action` to generate Software Bill of Materials (SBOM) and |
| 170 | +provenance attestations for the image, at build-time. |
| 171 | + |
| 172 | +To generate this additional metadata, you need to make two changes to your |
| 173 | +workflow: |
| 174 | + |
| 175 | +- Before the build step, add a step that uses `docker/setup-buildx-action`. |
| 176 | + This action configures your Docker build client with additional capabilities |
| 177 | + that the default client doesn't support. |
| 178 | +- Then, update the **Build and push Docker image** step to also enable SBOM and |
| 179 | + provenance attestations. |
| 180 | + |
| 181 | +Here's the updated snippet: |
| 182 | + |
| 183 | +```yaml |
| 184 | + - name: Set up Docker Buildx |
| 185 | + uses: docker/setup-buildx-action@v3 |
| 186 | + |
| 187 | + - name: Build and push Docker image |
| 188 | + uses: docker/build-push-action@v6 |
| 189 | + with: |
| 190 | + push: ${{ github.event_name != 'pull_request' }} |
| 191 | + tags: ${{ steps.meta.outputs.tags }} |
| 192 | + annotations: ${{ steps.meta.outputs.annotations }} |
| 193 | + provenance: true |
| 194 | + sbom: true |
| 195 | +``` |
| 196 | + |
| 197 | +For more details about attestations, refer to |
| 198 | +[the documentation](/manuals/build/metadata/attestations/_index.md). |
| 199 | + |
| 200 | +## Conclusion |
| 201 | + |
| 202 | +With all the steps outlined in the previous section, here's the full workflow |
| 203 | +configuration: |
| 204 | + |
| 205 | +```yaml |
| 206 | +name: Build and Push Docker Image |
| 207 | +
|
| 208 | +on: |
| 209 | + push: |
| 210 | + branches: |
| 211 | + - main |
| 212 | + pull_request: |
| 213 | +
|
| 214 | +jobs: |
| 215 | + build: |
| 216 | + runs-on: ubuntu-latest |
| 217 | + steps: |
| 218 | + - name: Checkout |
| 219 | + uses: actions/checkout@v4 |
| 220 | +
|
| 221 | + - name: Extract Docker image metadata |
| 222 | + id: meta |
| 223 | + uses: docker/metadata-action@v5 |
| 224 | + with: |
| 225 | + images: ${{ vars.DOCKER_USERNAME }}/my-image |
| 226 | +
|
| 227 | + - name: Log in to Docker Hub |
| 228 | + uses: docker/login-action@v3 |
| 229 | + with: |
| 230 | + username: ${{ vars.DOCKER_USERNAME }} |
| 231 | + password: ${{ secrets.DOCKER_PASSWORD }} |
| 232 | +
|
| 233 | + - name: Set up Docker Buildx |
| 234 | + uses: docker/setup-buildx-action@v3 |
| 235 | + |
| 236 | + - name: Build and push Docker image |
| 237 | + uses: docker/build-push-action@v6 |
| 238 | + with: |
| 239 | + push: ${{ github.event_name != 'pull_request' }} |
| 240 | + tags: ${{ steps.meta.outputs.tags }} |
| 241 | + annotations: ${{ steps.meta.outputs.annotations }} |
| 242 | + provenance: true |
| 243 | + sbom: true |
| 244 | +``` |
| 245 | + |
| 246 | +This workflow implements best practices for building and pushing Docker images |
| 247 | +using GitHub Actions. This configuration can be used as-is or extended with |
| 248 | +additional features based on your project's needs, such as |
| 249 | +[multi-platform](/manuals/build/building/multi-platform.md). |
| 250 | + |
| 251 | +### Further reading |
| 252 | + |
| 253 | +- Learn more about advanced configurations and examples in the [Docker Build GitHub Actions](/manuals/build/ci/github-actions/_index.md) section. |
| 254 | +- For more complex build setups, you may want to consider [Bake](/manuals/build/bake/_index.md). (See also the [Mastering Buildx Bake guide](/guides/bake/index.md).) |
| 255 | +- Learn about Docker's managed build service, designed for faster, multi-platform builds, see [Docker Build Cloud](/guides/docker-build-cloud/_index.md). |
0 commit comments