Github actions: Using a container from a private docker registry that is behind private network?


I want to run my workflow in a container from private Docker registry:

jobs:
  build:
    runs-on: ubuntu-latest
    container:
      image: my-registry.net/my-image:latest
    steps:
      - ...

Now my Docker registry is internal and can only be accessed via VPN. So I thought I'd work around this by running another job that pulls the image:

jobs:
  tailscale:
    runs-on: ubuntu-latest
    steps:
      - name: Connect to Tailscale
        uses: tailscale/github-action@v1
        with:
          authkey: ${{ secrets.TAILSCALE_AUTHKEY }}
          version: 1.18.2
      - name: Login to Private Container Registry
        uses: docker/login-action@v1
        with:
          registry: my-registry.net
          username: ${{ secrets.REGISTRY_USER }}
          password: ${{ secrets.REGISTRY_PASSWORD }}
      - name: Pull Image
        run: docker pull my-registry.net/my-image:latest
  build:
    needs: tailscale
    runs-on: ubuntu-latest
    container:
      image: my-registry.net/my-image:latest
    steps:
      - ...

However, this solution doesn't work because GitHub doesn't use the same runner for different jobs, as discussed here. How do I go about this without using my own runners?

2

There are 2 answers

3
fguisso On

Create an action with your "connecting" code and reuse it, because without using your own runner you need to connect to your VPN every time to get access to your registry.
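As an added example (not from either answer, and not code from the tailscale or docker projects), here is what that suggestion looks like as a composite action plus a workflow that reuses it in a job. The action path, input names and `./build.sh` are assumptions, as is that `my-registry.net` resolves on the runner once it has joined the tailnet (for example through Tailscale split DNS). One point the question's own workflow runs into: GitHub pulls a job-level `container:` image before any step of that job executes, so no step can bring the VPN up first. The example therefore pulls and runs the image from a step with `docker run` instead of using `container:`.

```yaml
# .github/actions/private-registry/action.yml  (composite action committed to the repo; hypothetical path)
name: Connect to VPN and log in to the private registry
description: Joins the tailnet and logs the runner's Docker daemon in to my-registry.net
inputs:
  tailscale-authkey:
    description: Ephemeral, pre-authorised Tailscale auth key (store it as a repository secret)
    required: true
  registry-user:
    description: Registry user name
    required: true
  registry-password:
    description: Registry password or token
    required: true
runs:
  using: composite
  steps:
    - name: Connect to Tailscale
      uses: tailscale/github-action@v2
      with:
        authkey: ${{ inputs.tailscale-authkey }}
    - name: Log in to private registry
      uses: docker/login-action@v3
      with:
        registry: my-registry.net
        username: ${{ inputs.registry-user }}
        password: ${{ inputs.registry-password }}
---
# .github/workflows/build.yml  (the workflow that reuses the action)
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # The local action lives in this repo, so it has to be checked out first.
      - uses: actions/checkout@v4
      # Every job that needs the registry must reconnect: each job lands on a fresh runner.
      - uses: ./.github/actions/private-registry
        with:
          tailscale-authkey: ${{ secrets.TAILSCALE_AUTHKEY }}
          registry-user: ${{ secrets.REGISTRY_USER }}
          registry-password: ${{ secrets.REGISTRY_PASSWORD }}
      # No job-level `container:` here: that image would be pulled before the VPN is up.
      # Pull the image now that the tailnet is joined and run the build inside it,
      # mounting the checked-out workspace. `./build.sh` is an assumed entry point.
      - name: Run the build inside the private image
        run: |
          docker pull my-registry.net/my-image:latest
          docker run --rm \
            -v "$GITHUB_WORKSPACE":/work -w /work \
            my-registry.net/my-image:latest \
            ./build.sh
```

Secrets are not visible inside a composite action, which is why they are passed in as inputs. The Docker login only touches the ephemeral runner's `~/.docker/config.json`, and a tagged, ephemeral Tailscale auth key limits what a leaked key could join.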

0
Felipe On

I believe you could use one job to log in to your private Docker registry, and then set the Docker credentials as the output of that job.

Then you can use these credentials in the subsequent job that will use your private image.

It doesn't seem that you are on AWS, but I think that this example might be helpful:

jobs:
  login-to-amazon-ecr:
    runs-on: ubuntu-latest
    steps:
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/my-github-actions-role
          aws-region: us-east-1
          mask-aws-account-id: 'false'
      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2
        with:
          mask-password: 'false'
    outputs:
      registry: ${{ steps.login-ecr.outputs.registry }}
      docker_username: ${{ steps.login-ecr.outputs.docker_username_123456789012_dkr_ecr_us_east_1_amazonaws_com }} # These output names are explained in the 'Docker Credentials' section of the amazon-ecr-login README
      docker_password: ${{ steps.login-ecr.outputs.docker_password_123456789012_dkr_ecr_us_east_1_amazonaws_com }}

  run-with-internal-service:
    name: Run something with an internal image as a service
    needs: login-to-amazon-ecr
    runs-on: ubuntu-latest
    services:
      internal-service:
        image: ${{ needs.login-to-amazon-ecr.outputs.registry }}/my-ecr-repo:latest
        credentials:
          username: ${{ needs.login-to-amazon-ecr.outputs.docker_username }}
          password: ${{ needs.login-to-amazon-ecr.outputs.docker_password }}
        ports:
          - '80:80'
    steps:
      - name: Run steps in container
        run: echo "run steps in container"

I took it from here: https://github.com/aws-actions/amazon-ecr-login?tab=readme-ov-file#run-an-image-as-a-service