Using Google Container Registry, Docker Buildx, and GitHub Actions

Created on .

Read in 1 minute.

Today, I was trying to integrate the docker/build-push-action with Google Container Registry (GCR). I was able to get the build working, but I was unable to push the image to GCR due to authentication issues. The solution involved the following.

  1. Using the google-github-actions/auth action to authenticate with Google Cloud.
  2. Calling gcloud auth configure-docker --quiet to configure the Docker CLI to use the Google Cloud credentials.

The workflow looks like this.

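# Steps of a single job. Workload identity federation also needs
# `permissions: id-token: write` on the job so the auth action can request an OIDC token.
- name: Setup auth
  id: "auth"
  # <version> is a placeholder: pin each action to the release tag or commit SHA you use.
  uses: "google-github-actions/auth@<version>"
  with:
    workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
    # E-mail address of the service account to impersonate.
    service_account: "[email protected]${{ secrets.GOOGLE_CLOUD_PROJECT }}"
- name: Setup docker
  uses: docker/setup-buildx-action@<version>
- name: Authenticate docker
  # Registers gcloud as a Docker credential helper for the Container Registry hosts.
  run: |
    gcloud auth configure-docker --quiet

- name: Build and push
  uses: docker/build-push-action@<version>
  with:
    context: .
    push: true
    tags: ${{ env.IMAGE }}
    cache-from: type=gha
    cache-to: type=gha,mode=max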

I was unable to get the cache working with GCR. I’m not sure if it’s a bug or if I’m doing something wrong.

IAM Role

I also created a custom role based upon Storage Legacy Bucket Writer to add to the [email protected] service account.

Custom role for pushing images to


This includes the following permissions.

  • storage.buckets.get
  • storage.multipartUploads.abort
  • storage.multipartUploads.create
  • storage.multipartUploads.list
  • storage.multipartUploads.listParts
  • storage.objects.create
  • storage.objects.delete
  • storage.objects.list

And it works! 🎉
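To keep the custom role from drifting away from the permission list above, the following added example (not code from the original post) compares a role definition, in the JSON shape printed by `gcloud iam roles describe --format=json`, against that list. The sample role, its name, and the choice of which extra permissions to flag as policy-changing are constructed assumptions.

```python
import json

# Baseline: the permissions the post lists for its custom push role.
PUSH_PERMISSIONS = frozenset({
    "storage.buckets.get",
    "storage.multipartUploads.abort",
    "storage.multipartUploads.create",
    "storage.multipartUploads.list",
    "storage.multipartUploads.listParts",
    "storage.objects.create",
    "storage.objects.delete",
    "storage.objects.list",
})

# Assumption: extras ending in these suffixes let a CI identity change access
# control or bucket configuration, so they are reported separately.
POLICY_CHANGING_SUFFIXES = ("setIamPolicy", "buckets.update", "buckets.delete")


def audit_role(role_json: str) -> dict:
    """Diff a role's includedPermissions against the push baseline."""
    role = json.loads(role_json)
    granted = set(role.get("includedPermissions", []))
    extra = sorted(granted - PUSH_PERMISSIONS)
    return {
        "role": role.get("name", "<unnamed>"),
        "missing": sorted(PUSH_PERMISSIONS - granted),  # pushes may fail
        "extra": extra,                                 # beyond least privilege
        "policy_changing": [p for p in extra if p.endswith(POLICY_CHANGING_SUFFIXES)],
        "ok": granted == PUSH_PERMISSIONS,
    }


# Constructed sample: one baseline permission removed, two extras added.
SAMPLE_ROLE_JSON = json.dumps({
    "name": "projects/example-project/roles/gcrPusher",  # hypothetical role id
    "stage": "GA",
    "includedPermissions": sorted(
        (PUSH_PERMISSIONS - {"storage.objects.delete"})
        | {"storage.objects.get", "storage.buckets.setIamPolicy"}
    ),
})

if __name__ == "__main__":
    print(json.dumps(audit_role(SAMPLE_ROLE_JSON), indent=2))
```
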

