25 | 25 | * [Quay.io](#quayio) |
26 | 26 | * [DigitalOcean](#digitalocean-container-registry) |
27 | 27 | * [Authenticate to multiple registries](#authenticate-to-multiple-registries) |
| 28 | + * [Set scopes for the authentication token](#set-scopes-for-the-authentication-token) |
28 | 29 | * [Customizing](#customizing) |
29 | 30 | * [inputs](#inputs) |
30 | 31 | * [Contributing](#contributing) |
@@ -557,6 +558,60 @@ jobs: |
557 | 558 | password: ${{ secrets.GITHUB_TOKEN }} |
558 | 559 | ``` |
559 | 560 |
|
| 561 | +### Set scopes for the authentication token |
| 562 | + |
| 563 | +The `scope` input allows limiting registry credentials to a specific repository |
| 564 | +or namespace scope when building images with Buildx. |
| 565 | + |
| 566 | +This is useful in GitHub Actions to avoid overriding the Docker Hub |
| 567 | +authentication token embedded in GitHub-hosted runners, which is used for |
| 568 | +pulling images without rate limits. By scoping credentials, you can |
| 569 | +authenticate only where needed (typically for pushing), while keeping |
| 570 | +unauthenticated pulls for base images. |
| 571 | + |
| 572 | +When `scope` is set, credentials are written to the Buildx configuration |
| 573 | +instead of the global Docker configuration. This means: |
| 574 | +* Authentication applies only to the specified scope |
| 575 | +* The default Docker Hub credentials remain available for pulls |
| 576 | +* Credentials are used only by Buildx during the build |
| 577 | + |
| 578 | +> [!IMPORTANT] |
| 579 | +> Credentials written to the Buildx configuration are only accessible by Buildx. |
| 580 | +> They are not available to `docker pull`, `docker push`, or any other Docker |
| 581 | +> CLI commands outside Buildx. |
| 582 | + |
| 583 | +> [!NOTE] |
| 584 | +> This feature requires Buildx version 0.31.0 or later. |
| 585 | + |
| 586 | +```yaml |
| 587 | +name: ci |
| 588 | +
|
| 589 | +on: |
| 590 | + push: |
| 591 | + branches: main |
| 592 | +
|
| 593 | +jobs: |
| 594 | + login: |
| 595 | + runs-on: ubuntu-latest |
| 596 | + steps: |
| 597 | + - |
| 598 | + name: Login to Docker Hub (scoped) |
| 599 | + uses: docker/login-action@v3 |
| 600 | + with: |
| 601 | + username: ${{ vars.DOCKERHUB_USERNAME }} |
| 602 | + password: ${{ secrets.DOCKERHUB_TOKEN }} |
| 603 | + scope: 'myorg/myimage@push' |
| 604 | + - |
| 605 | + name: Build and push |
| 606 | + uses: docker/build-push-action@v6 |
| 607 | + with: |
| 608 | + push: true |
| 609 | + tags: myorg/myimage:latest |
| 610 | +``` |
| 611 | + |
| 612 | +In this example, base images are pulled using the embedded GitHub-hosted runner |
| 613 | +credentials, while authenticated access is used only to push `myorg/myimage`. |
| 614 | + |
560 | 615 | ## Customizing |
561 | 616 |
|
562 | 617 | ### inputs |
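Review bot: the `scope` value format is never documented in this hunk: the example uses `scope: 'myorg/myimage@push'`, but the prose only says "a specific repository or namespace scope", leaving the reader to guess what the `@push` suffix means, whether `@pull` or no suffix is accepted, and how a namespace-only scope is written. Suggest adding a sentence before the YAML (and a matching entry in the `inputs` table) that spells out the accepted grammar, for example `<repository-or-namespace>[@<action>]` if that is the form the action parses. Two smaller points: the `[!NOTE]` states that Buildx 0.31.0 or later is required but not what happens on an older version; if the action falls back to writing the global Docker configuration instead of failing, the runner's embedded Docker Hub token would be overridden silently, which is exactly what this feature is meant to avoid, so the behaviour should be stated. And since the example depends on that Buildx version, consider adding a `docker/setup-buildx-action` step before the scoped login so the sample is reproducible on runners whose bundled Buildx is older. Style: a blank line between `This means:` and the first `*` bullet would make the list render reliably across Markdown renderers.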