Add container registry credentials support via secrets

Co-authored-by: neilime <[email protected]>

Author: Copilot

.github/workflows/continuous-integration.md

@@ -207,26 +207,51 @@ container: |
     "env": {
       "NODE_ENV": "production"
     },
-    "ports": [8080],
-    "volumes": ["/tmp:/tmp"],
     "options": "--cpus 2"
   }
 ```
 
-All properties from [GitHub's container specification](https://docs.github.com/en/actions/how-tos/write-workflows/choose-where-workflows-run/run-jobs-in-a-container) are supported except `credentials` (use secrets instead).
+**Supported properties:**
+
+- `image` (string, required) - Container image name
+- `env` (object) - Environment variables
+- `options` (string) - Additional Docker options
+
+**Note:** `ports` and `volumes` are not currently supported due to GitHub Actions workflow syntax limitations.
+
+#### Container Registry Credentials
+
+For private container images, use the `container-registry-username` and `container-registry-password` secrets:
+
+```yaml
+jobs:
+  continuous-integration:
+    uses: hoverkraft-tech/ci-github-nodejs/.github/workflows/continuous-integration.yml@main
+    secrets:
+      container-registry-username: ${{ secrets.REGISTRY_USERNAME }}
+      container-registry-password: ${{ secrets.REGISTRY_PASSWORD }}
+    with:
+      container: "ghcr.io/myorg/my-private-image:latest"
+```
+
+See [GitHub's container specification](https://docs.github.com/en/actions/how-tos/write-workflows/choose-where-workflows-run/run-jobs-in-a-container) for more details.
 
 When specified, steps will execute inside this container instead of checking out code. The container should have the project code and dependencies pre-installed.
 
 <!-- secrets:start -->
 
 ## Secrets
 
-| **Secret**          | **Description**                                                                                                      | **Required** |
-| ------------------- | -------------------------------------------------------------------------------------------------------------------- | ------------ |
-| **`build-secrets`** | Secrets to be used during the build step.                                                                            | **false**    |
-|                     | Must be a multi-line env formatted string.                                                                           |              |
-|                     | Example:                                                                                                             |              |
-|                     | <!-- textlint-disable --><pre lang="txt">SECRET_EXAMPLE=$\{{ secrets.SECRET_EXAMPLE }}</pre><!-- textlint-enable --> |              |
+| **Secret**                        | **Description**                                                                                                      | **Required** |
+| --------------------------------- | -------------------------------------------------------------------------------------------------------------------- | ------------ |
+| **`build-secrets`**               | Secrets to be used during the build step.                                                                            | **false**    |
+|                                   | Must be a multi-line env formatted string.                                                                           |              |
+|                                   | Example:                                                                                                             |              |
+|                                   | <!-- textlint-disable --><pre lang="txt">SECRET_EXAMPLE=$\{{ secrets.SECRET_EXAMPLE }}</pre><!-- textlint-enable --> |              |
+| **`container-registry-username`** | Username for authenticating to the container registry.                                                               | **false**    |
+|                                   | Required when using private container images.                                                                        |              |
+| **`container-registry-password`** | Password or token for authenticating to the container registry.                                                      | **false**    |
+|                                   | Required when using private container images.                                                                        |              |
 
 <!-- secrets:end -->
 
@@ -342,7 +367,7 @@ jobs:
 
 ### Continuous Integration with Advanced Container Options
 
-This example shows how to use advanced container options like environment variables, ports, volumes, and additional Docker options.
+This example shows how to use advanced container options like environment variables and additional Docker options.
 
 ```yaml
 name: Continuous Integration - Advanced Container Options
@@ -366,8 +391,6 @@ jobs:
             "NODE_ENV": "production",
             "CI": "true"
           },
-          "ports": [3000, 8080],
-          "volumes": ["/tmp:/tmp", "/cache:/cache"],
           "options": "--cpus 2 --memory 4g"
         }
       # When using container mode, code-ql and dependency-review are typically disabled

.github/workflows/continuous-integration.yml

@@ -99,13 +99,16 @@ on:
             "env": {
               "NODE_ENV": "production"
             },
-            "ports": [8080],
-            "volumes": ["/tmp:/tmp"],
             "options": "--cpus 2"
           }
           ```
 
-          All properties from GitHub's container specification are supported except credentials (use secrets instead).
+          Supported properties: image (required), env (object), options (string).
+          Note: ports and volumes are not currently supported due to GitHub Actions limitations.
+
+          For container registry credentials (username/password), use the container-registry-username 
+          and container-registry-password secrets.
+
           See https://docs.github.com/en/actions/how-tos/write-workflows/choose-where-workflows-run/run-jobs-in-a-container
 
           When specified, steps will execute inside this container instead of checking out code.
@@ -123,6 +126,16 @@ on:
           SECRET_EXAMPLE=$\{{ secrets.SECRET_EXAMPLE }}
           ```
         required: false
+      container-registry-username:
+        description: |
+          Username for authenticating to the container registry.
+          Required when using private container images.
+        required: false
+      container-registry-password:
+        description: |
+          Password or token for authenticating to the container registry.
+          Required when using private container images.
+        required: false
     outputs:
       build-artifact-id:
         description: "ID of the build artifact) uploaded during the build step."
@@ -167,16 +180,6 @@ jobs:
                   config.env = container.env;
                 }
                 
-                // Add ports if provided
-                if (container.ports && container.ports.length > 0) {
-                  config.ports = container.ports;
-                }
-                
-                // Add volumes if provided
-                if (container.volumes && container.volumes.length > 0) {
-                  config.volumes = container.volumes;
-                }
-                
                 // Merge user options with default --user root:root
                 if (container.options) {
                   config.options = `${config.options} ${container.options}`;
@@ -218,7 +221,13 @@ jobs:
   setup:
     name: ⚙️ Setup
     runs-on: ${{ inputs.runs-on && fromJson(inputs.runs-on) || 'ubuntu-latest' }}
-    container: ${{ inputs.container != '' && fromJSON(needs.parse-container.outputs.config) || null }}
+    container:
+      image: ${{ inputs.container != '' && fromJSON(needs.parse-container.outputs.config).image || null }}
+      env: ${{ inputs.container != '' && fromJSON(needs.parse-container.outputs.config).env || null }}
+      options: ${{ inputs.container != '' && fromJSON(needs.parse-container.outputs.config).options || null }}
+      credentials:
+        username: ${{ secrets.container-registry-username }}
+        password: ${{ secrets.container-registry-password }}
     needs: parse-container
     if: ${{ always() && !cancelled() && !failure() }}
     permissions:
@@ -336,7 +345,13 @@ jobs:
     name: 👕 Lint
     if: inputs.checks == true && inputs.lint && always() && !cancelled() && !failure()
     runs-on: ${{ inputs.runs-on && fromJson(inputs.runs-on) || 'ubuntu-latest' }}
-    container: ${{ inputs.container != '' && fromJSON(needs.parse-container.outputs.config) || null }}
+    container:
+      image: ${{ inputs.container != '' && fromJSON(needs.parse-container.outputs.config).image || null }}
+      env: ${{ inputs.container != '' && fromJSON(needs.parse-container.outputs.config).env || null }}
+      options: ${{ inputs.container != '' && fromJSON(needs.parse-container.outputs.config).options || null }}
+      credentials:
+        username: ${{ secrets.container-registry-username }}
+        password: ${{ secrets.container-registry-password }}
     needs:
       - parse-container
       - setup
@@ -392,7 +407,13 @@ jobs:
     if: inputs.checks == true && always() && !cancelled() && !failure()
     runs-on: ${{ inputs.runs-on && fromJson(inputs.runs-on) || 'ubuntu-latest' }}
     # jscpd:ignore-start
-    container: ${{ inputs.container != '' && fromJSON(needs.parse-container.outputs.config) || null }}
+    container:
+      image: ${{ inputs.container != '' && fromJSON(needs.parse-container.outputs.config).image || null }}
+      env: ${{ inputs.container != '' && fromJSON(needs.parse-container.outputs.config).env || null }}
+      options: ${{ inputs.container != '' && fromJSON(needs.parse-container.outputs.config).options || null }}
+      credentials:
+        username: ${{ secrets.container-registry-username }}
+        password: ${{ secrets.container-registry-password }}
     needs:
       - parse-container
       - setup
@@ -438,7 +459,13 @@ jobs:
     name: 🧪 Test
     if: inputs.checks == true && inputs.test && always() && !cancelled() && !failure()
     runs-on: ${{ inputs.runs-on && fromJson(inputs.runs-on) || 'ubuntu-latest' }}
-    container: ${{ inputs.container != '' && fromJSON(needs.parse-container.outputs.config) || null }}
+    container:
+      image: ${{ inputs.container != '' && fromJSON(needs.parse-container.outputs.config).image || null }}
+      env: ${{ inputs.container != '' && fromJSON(needs.parse-container.outputs.config).env || null }}
+      options: ${{ inputs.container != '' && fromJSON(needs.parse-container.outputs.config).options || null }}
+      credentials:
+        username: ${{ secrets.container-registry-username }}
+        password: ${{ secrets.container-registry-password }}
     needs:
       - parse-container
       - setup