Skip to main content

Pushing a Container Image

In this guide, we'll be going through the steps of securely building and pushing a container image to a remote registry. We currently use Azure Container Registry (ACR) as our registry at Gjensidige.

Import ACR credentials to your repository

Register your repository in terraform-github-repo-credentials and create a PR. A member of the Platform team will review and apply your changes, and this will create the GitHub Actions secret AZURE_CONTAINER_REGISTRY_CLIENT_ID in your repository which is needed to login to ACR using OpenID Connect.

Create a GitHub Actions CI workflow

We'll use GitHub Actions to automate container image build and push. The following example uses docker-build-scan-push-action which contains current requirements and best practices for building and pushing a container image at Gjensidige.

Required steps

It is required to scan your container image for known vulnerabilities before it's pushed to ACR. We use Aqua Security Trivy to achieve this in this guide and this is currently the recommended approach at Gjensidige.

name: "Build and Push to ACR"

- "main"

TEAM_NAME: "my-team-name" # Change this

id-token: write
contents: read
security-events: write

runs-on: "ubuntu-latest"
environment: "azure" # Must match one of the environments added in "terraform-github-repo-credentials"
- name: "Git checkout"
uses: "actions/checkout@v2"

# Depending on your Dockerfile, you might have to build your application before proceeding

- name: "Build, Scan and Push Docker image"
id: "build-scan-push"
uses: "gjensidige/docker-build-scan-push-action@oidc"
team-name: ${{ env.TEAM_NAME }}
tag: ${{ github.sha }}
azure-client-id: ${{ secrets.AZURE_CONTAINER_REGISTRY_CLIENT_ID }}

# Use container image output to proceed performing GitOps actions
# Image output is on the format: ""
- name: "Example using container image output"
run: echo ${{ }}
HotTips :fire:

Speed up your GitHub Actions workflows by leveraging Actions Cache

Congratulations! You have now pushed a container image to<team-name>/<repo-name>:<commit-sha> 🎉 🚀