This article describes how to publish Docker container images to the Azure Container Registry with the help of GitHub Actions.

Overview

In order for a CI platform like GitHub Actions or Jenkins to access the Azure Container Registry (ACR), credentials are required. These credentials can be either service principals or tokens. Tokens allow you to define access permissions within repositories in an ACR registry. Access using tokens is currently only available in the ACR Premium Tier. When using service principals, permissions can also be set, but these refer to all repositories within a registry.

Optional: Set up local Azure CLI in WSL and log in

curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
az login --use-device-code

Creating new service principals for accessing Azure Container Registry

First, look up the name of your ACR registry:

[Screenshot: container registry name]

With the help of the Gist create_azure_container_registry_service_principals.sh you can then create two new service principals in your Azure subscription account.

curl -O https://gist.githubusercontent.com/schakko/52d7743282b6d70a692e5d5282597567/raw/55d588745af7531fb4aa7bf4b75517f56322f652/create_azure_container_registry_service_principals.sh
chmod +x create_azure_container_registry_service_principals.sh

./create_azure_container_registry_service_principals.sh "${REGISTRY_NAME}" "${SERVICE_PRINCIPAL_PREFIX}"

  • ${REGISTRY_NAME} is the ACR registry name you have looked up
  • ${SERVICE_PRINCIPAL_PREFIX} is the name prefix of both service principals. If you use sp-acr-my-service-principal as ${SERVICE_PRINCIPAL_PREFIX}, two service principals sp-acr-my-service-principal-ro and sp-acr-my-service-principal-rw are created.

After running the command, you receive the following output:

[Screenshot: output of the service principal creation script]

Store both service principals and their usernames and passwords in your password manager.
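
What such a helper does with the Azure CLI, as an added example that is not the Gist's own code. It assumes the -ro and -rw suffixes map to the built-in acrpull and acrpush roles; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not the Gist's code): create a read-only and a read-write
# service principal scoped to one ACR registry.
set -eu

# Assumption: -ro maps to the built-in acrpull role, -rw to acrpush.
role_for_suffix() {
  case "$1" in
    ro) echo acrpull ;;   # pull images only
    rw) echo acrpush ;;   # pull and push images
    *)  echo "unknown suffix: $1" >&2; return 1 ;;
  esac
}

# Create one service principal and print "name appId password" on one line.
create_principal() {
  registry_id=$1 prefix=$2 suffix=$3
  name="${prefix}-${suffix}"
  role=$(role_for_suffix "$suffix")
  # The scope is the registry's resource ID, so the role applies to every
  # repository in that registry and to nothing outside it.
  password=$(az ad sp create-for-rbac --name "$name" --scopes "$registry_id" \
    --role "$role" --query password --output tsv)
  app_id=$(az ad sp list --display-name "$name" --query "[0].appId" --output tsv)
  printf '%s %s %s\n' "$name" "$app_id" "$password"
}

main() {
  registry_name=$1 prefix=$2
  registry_id=$(az acr show --name "$registry_name" --query id --output tsv)
  for suffix in ro rw; do
    create_principal "$registry_id" "$prefix" "$suffix"
  done
}

# Run only when registry name and prefix are both given.
if [ "$#" -eq 2 ]; then main "$@"; fi
```

The appId column is the username and the password column is the client secret; only the -rw pair is needed for publishing.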

Setting up GitHub Actions to publish Docker images

Add required GitHub Actions secrets

In the Azure Container Registry UI, look up the login server. It should be ${REGISTRY_NAME}.azurecr.io:

[Screenshot: login server]

Now head over to your GitHub project Settings > Secrets > Actions and add the following secrets:

Name          Secret
ACR_HOST      Login server (${REGISTRY_NAME}.azurecr.io)
ACR_USERNAME  Username of previously created -rw service principal
ACR_PASSWORD  Password of previously created -rw service principal

After that, the Secrets > Actions overview should look like this:

[Screenshot: GitHub Actions secrets]

Update your GitHub Actions workflow

We are using elgohr/Publish-Docker-Github-Action to publish new Docker images to ACR. Open your GitHub Actions workflow YAML file and add the following step:

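  - name: Publish to Registry
    id: publish_to_registry
    # This third-party action receives the registry credentials. @main is a
    # moving branch; pin a release tag or full commit SHA you have reviewed.
    uses: elgohr/Publish-Docker-Github-Action@main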
    with:
      name: my-repository/my-artifact
      username: ${{ secrets.ACR_USERNAME }}
      password: ${{ secrets.ACR_PASSWORD }}
      registry: ${{ secrets.ACR_HOST }}
      snapshot: true

After the first Actions run, the newly created Docker image should appear in your Azure Container Registry:

[Screenshot: newly created repository and image]