Merged
63 changes: 43 additions & 20 deletions content/manuals/build-cloud/ci.md
Expand Up @@ -29,30 +29,53 @@

> [!NOTE]
>
> Builds on Docker Build Cloud have a timeout limit of two hours. Builds that
> run for longer than two hours are automatically cancelled.
> Builds on Docker Build Cloud have a timeout limit of 90 minutes. Builds that
> run for longer than 90 minutes are automatically cancelled.

## CI platform examples
## Setting up credentials for CI/CD

Check warning on line 35 in content/manuals/build-cloud/ci.md

GitHub Actions / vale

[vale] reported by reviewdog 🐶 [Docker.Acronyms] 'CD' has no definition. Raw Output: {"message": "[Docker.Acronyms] 'CD' has no definition.", "location": {"path": "content/manuals/build-cloud/ci.md", "range": {"start": {"line": 35, "column": 34}}}, "severity": "WARNING"}

### GitHub Actions
To enable your CI/CD system to build and push images using Docker Build Cloud, provide both an access token and a username. The type of token and the username you use depend on your account type and permissions.

Check warning on line 37 in content/manuals/build-cloud/ci.md

GitHub Actions / vale

[vale] reported by reviewdog 🐶 [Docker.Acronyms] 'CD' has no definition. Raw Output: {"message": "[Docker.Acronyms] 'CD' has no definition.", "location": {"path": "content/manuals/build-cloud/ci.md", "range": {"start": {"line": 37, "column": 19}}}, "severity": "WARNING"}

- If you are an organization administrator or have permission to create [organization access tokens (OAT)](../security/for-admins/access-tokens.md), use an OAT and set `DOCKER_USER` to your Docker Hub organization name.

Check warning on line 39 in content/manuals/build-cloud/ci.md

GitHub Actions / vale

[vale] reported by reviewdog 🐶 [Docker.Acronyms] 'OAT' has no definition. Raw Output: {"message": "[Docker.Acronyms] 'OAT' has no definition.", "location": {"path": "content/manuals/build-cloud/ci.md", "range": {"start": {"line": 39, "column": 102}}}, "severity": "WARNING"}

Check warning on line 39 in content/manuals/build-cloud/ci.md

GitHub Actions / vale

[vale] reported by reviewdog 🐶 [Docker.Acronyms] 'OAT' has no definition. Raw Output: {"message": "[Docker.Acronyms] 'OAT' has no definition.", "location": {"path": "content/manuals/build-cloud/ci.md", "range": {"start": {"line": 39, "column": 157}}}, "severity": "WARNING"}
- If you do not have permission to create OATs or are using a personal account, use a [personal access token (PAT)](/security/for-developers/access-tokens/) and set `DOCKER_USER` to your Docker Hub username.

Check warning on line 40 in content/manuals/build-cloud/ci.md

GitHub Actions / vale

[vale] reported by reviewdog 🐶 [Docker.Acronyms] 'PAT' has no definition. Raw Output: {"message": "[Docker.Acronyms] 'PAT' has no definition.", "location": {"path": "content/manuals/build-cloud/ci.md", "range": {"start": {"line": 40, "column": 111}}}, "severity": "WARNING"}

### Creating access tokens

#### For organization accounts

If you are an organization administrator:

1. Create an [organization access token (OAT)](../security/for-admins/access-tokens.md):

Check warning on line 48 in content/manuals/build-cloud/ci.md

GitHub Actions / vale

[vale] reported by reviewdog 🐶 [Docker.Acronyms] 'OAT' has no definition. Raw Output: {"message": "[Docker.Acronyms] 'OAT' has no definition.", "location": {"path": "content/manuals/build-cloud/ci.md", "range": {"start": {"line": 48, "column": 42}}}, "severity": "WARNING"}
- The token must have these permissions:
- **cloud-connect** scope
- **Read public repositories** permission
- **Repository access** with **Image push** permission for the target repository:
- Expand the **Repository** drop-down.
- Select **Add repository** and choose your target repository.
- Set the **Image push** permission for the repository.

If you are not an organization administrator:

- Ask your organization administrator for an access token with the permissions listed above, or use a personal access token.

Check warning on line 59 in content/manuals/build-cloud/ci.md

GitHub Actions / vale

[vale] reported by reviewdog 🐶 [Docker.RecommendedWords] Consider using 'previous' instead of 'above' Raw Output: {"message": "[Docker.RecommendedWords] Consider using 'previous' instead of 'above'", "location": {"path": "content/manuals/build-cloud/ci.md", "range": {"start": {"line": 59, "column": 87}}}, "severity": "INFO"}

#### For personal accounts

1. Create a [personal access token (PAT)](/security/for-developers/access-tokens/):

Check warning on line 63 in content/manuals/build-cloud/ci.md

GitHub Actions / vale

[vale] reported by reviewdog 🐶 [Docker.Acronyms] 'PAT' has no definition. Raw Output: {"message": "[Docker.Acronyms] 'PAT' has no definition.", "location": {"path": "content/manuals/build-cloud/ci.md", "range": {"start": {"line": 63, "column": 37}}}, "severity": "WARNING"}
- Create a new token with **Read & write** access.
- Note: Building with Docker Build Cloud only requires read access, but you need write access to push images to a Docker Hub repository.


## CI platform examples

Check warning on line 68 in content/manuals/build-cloud/ci.md

GitHub Actions / vale

[vale] reported by reviewdog 🐶 [Docker.HeadingSentenceCase] Use sentence case for headings: 'CI platform examples'. Raw Output: {"message": "[Docker.HeadingSentenceCase] Use sentence case for headings: 'CI platform examples'.", "location": {"path": "content/manuals/build-cloud/ci.md", "range": {"start": {"line": 68, "column": 4}}}, "severity": "WARNING"}

> [!NOTE]
>
> Version 4.0.0 and later of `docker/build-push-action` and
> `docker/bake-action` builds images with [provenance attestations by
> default](/manuals/build/ci/github-actions/attestations.md#default-provenance). Docker
> Build Cloud automatically attempts to load images to the local image store if
> you don't explicitly push them to a registry.
>
> This results in a conflicting scenario where if you build a tagged image
> without pushing it to a registry, Docker Build Cloud attempts to load images
> containing attestations. But the local image store on the GitHub runner
> doesn't support attestations, and the image load fails as a result.
> In your CI/CD configuration, set the following variables:

Check warning on line 72 in content/manuals/build-cloud/ci.md

GitHub Actions / vale

[vale] reported by reviewdog 🐶 [Docker.Acronyms] 'CD' has no definition. Raw Output: {"message": "[Docker.Acronyms] 'CD' has no definition.", "location": {"path": "content/manuals/build-cloud/ci.md", "range": {"start": {"line": 72, "column": 14}}}, "severity": "WARNING"}
> - `DOCKER_PAT` — your access token (PAT or OAT)
> - `DOCKER_USER` — your Docker Hub username (for PAT) or organization name (for OAT)
>
> If you want to load images built with `docker/build-push-action` together
> with Docker Build Cloud, you must disable provenance attestations by setting
> `provenance: false` in the GitHub Action inputs (or in `docker-bake.hcl` if
> you use Bake).
> This ensures your builds authenticate correctly with Docker Build Cloud.

### GitHub Actions

```yaml
name: ci
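
Review bot: The added lines `> In your CI/CD configuration, set the following variables:`, the two `DOCKER_PAT` / `DOCKER_USER` bullets and `> This ensures your builds authenticate correctly with Docker Build Cloud.` carry the `>` prefix and sit inside the `[!NOTE]` block about provenance attestations under "CI platform examples", interleaved with the paragraphs that explain the failed image load and the `provenance: false` workaround. They are credential setup and read better as plain text under "Setting up credentials for CI/CD"; please also confirm that the attestation explanation and the workaround still survive in the note. Separately, `DOCKER_PAT` is documented here as holding either a PAT or an OAT, so a sentence explaining that the variable name is kept for both token types would help. The PAT steps ask for **Read & write** access with no repository scoping shown, while the OAT steps limit **Image push** to the target repository, so it is worth saying which one CI should prefer when both are available.
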
Expand Down Expand Up @@ -381,7 +404,7 @@
curl --silent -L --output ~/.docker/cli-plugins/docker-buildx $BUILDX_URL
chmod a+x ~/.docker/cli-plugins/docker-buildx

# Login to Docker Hub. For security reasons $DOCKER_PAT should be a Personal Access Token. See https://docs.docker.com/security/for-developers/access-tokens/
# Login to Docker Hub. For security reasons $DOCKER_PAT should be a Personal Access Token. See https://docs.docker.com/build-cloud/ci/#creating-access-tokens
echo "$DOCKER_PAT" | docker login --username $DOCKER_USER --password-stdin

# Connect to your builder and set it as the default builder
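
Review bot: The updated comment still says `$DOCKER_PAT should be a Personal Access Token`, but the new link target `#creating-access-tokens` and the credentials section added in this PR allow an organization access token as well. Suggest rewording to "should be an access token (PAT or OAT)" so the script comment matches the guidance it links to.
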
Expand Down Expand Up @@ -426,7 +449,7 @@
chmod a+x ~/.docker/cli-plugins/docker-buildx
chmod a+x ~/.docker/cli-plugins/docker-compose

# Login to Docker Hub. For security reasons $DOCKER_PAT should be a Personal Access Token. See https://docs.docker.com/security/for-developers/access-tokens/
# Login to Docker Hub. For security reasons $DOCKER_PAT should be a Personal Access Token. See https://docs.docker.com/build-cloud/ci/#creating-access-tokens
echo "$DOCKER_PAT" | docker login --username $DOCKER_USER --password-stdin

# Connect to your builder and set it as the default builder
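
Review bot: In the login line, `--username $DOCKER_USER` is unquoted; if the variable is unset in the CI environment the shell drops it and `--password-stdin` is consumed as the username value, which fails in a confusing way. Now that this PR documents `DOCKER_USER` as either a username or an organization name that the reader must set, quoting it as `--username "$DOCKER_USER"` is a cheap safeguard. The comment above it also keeps the "should be a Personal Access Token" wording even though the linked section now covers OATs.
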