Hey all!
Has anyone used Balena with a private base image hosted on the Github container registry?
Usually you authenticate with a Github Access Token, but I’m not sure how to use that with Balena.
@keenanjohnson did you get any error when you tried to pull a github container registry on a container with balena? I will try to test myself tomorrow!
Thanks! Yeah I did try, but I couldn’t figure out where to put my Github personal access token (PAT) in the balena secrets file, so I received an error.
Not sure if using a token like that is supported by balena, so perhaps the Github private registry isn’t supported by Balena?
Did you try this @keenanjohnson → GitHub - balena-io-examples/sample-gcr-registry-secrets: Sample balena push/deploy with Google Container Registry (GCR) private images
Let me know if that works
I did try that, but those instructions are for the Google Registry, not Github, so they have a totally different auth scheme than Github it seems and it didn’t work for me.
Hi,
In the link you posted, they suggest you can simply fill in your github username as username and the PAT as password when logging in.
I think these will be picked up when specified as such in your secrets?
@keenanjohnson did this work?
It did not work for me, no, unfortunately. I couldn’t find the doc link that suggested putting the PAT as the password mentioned by the previous responder.
It seems like the github container repo is probably just not supported by balena at the moment.
Hi,
The bit
$ export CR_PAT=YOUR_TOKEN
$ echo $CR_PAT | docker login ghcr.io -u USERNAME --password-stdin
> Login Succeeded
Is what made me think it might work.
I had a look into docker cli sources, where it seems they turn this into a JSON request.
Maybe you can try something similar to the Google registry approach, but with a different body.
The way I interpret it, is you start at docker login command, where they copy command line options to an auth struct.
This auth struct is then passed to the registry login function, which creates a JSON post request.
In this request, the auth struct is used as body, which gets encoded as JSON.
I don’t have access to a private GitHub registry myself, so I can’t test it myself.
Yeah it was a good idea @TJvV ! Unfortunately, I think the issue is that balena expects a specific format in the secrets.yml file.
Hey @keenanjohnson
I have used the GH container registry in the past. I had to format the registry secrets file like this:
'containers.pkg.github.com':
  username: phildwilson
  password: <personal-access-token>
and do the balena push like this:
balena push testfleet --registry-secrets <path>/registry-secrets.yml
Also, I don’t know if you saw, but you can now use the balena registry to host block images:
Improving our device image management workflow with the balenaHub Container Registry
which does allow you to have a private block, but still pull from it with a docker login:
balena-io/open-balena-registry-proxy: Pull images from balenaCloud container registry with fleet slugs! (github.com)
note: this isn’t fully tested/released as a feature yet, and you may still need to use registry-secrets for now, issue here:
registry: Unable to pull private balenaCloud blocks via builder · Issue #944 · balena-io/balena-builder (github.com)
HTH
Phil
Interesting. I will try this @phil-d-wilson and report back shortly.
Success!
I was able to use the Balena builder using a registry-secrets.yml as shown below:
'ghcr.io':
  username: keenanjohnson
  password: <github-personal-access-token>
I think one of my issues was related to github renaming their package registry, but glad this is all working. Thanks all!
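An added example, not part of any post in this thread: shell helpers that write a registry-secrets.yml in the format shown above from the CR_PAT environment variable with owner-only permissions, and check that the file's key matches the registry host of the private base image, which is the mismatch that surfaced in this thread. The function names and the single-entry layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): helpers around registry-secrets.yml.

# Print the registry host of an image reference. Docker's rule: the first
# path component is a host only if it contains "." or ":" or is "localhost";
# otherwise the image lives on Docker Hub (docker.io).
image_registry_host() {
    first=${1%%/*}
    case "$1" in
        */*) case "$first" in
                 *.*|*:*|localhost) printf '%s\n' "$first"; return 0 ;;
             esac ;;
    esac
    printf 'docker.io\n'
}

# Write <file> with one entry for <host> and <user>. The token is read from
# $CR_PAT rather than passed as an argument; the file is left at mode 0600.
write_registry_secrets() {
    file=$1; host=$2; user=$3
    [ -n "${CR_PAT:-}" ] || { echo "CR_PAT is not set" >&2; return 1; }
    case "$host$user$CR_PAT" in
        *"'"*) echo "single quote in a value; refusing" >&2; return 1 ;;
    esac
    (
        umask 077
        printf "'%s':\n  username: '%s'\n  password: '%s'\n" \
            "$host" "$user" "$CR_PAT" > "$file"
    ) && chmod 600 "$file"
}

# Succeed only if <file> has a top-level key equal to the image's registry host.
secrets_cover_image() {
    host=$(image_registry_host "$2")
    grep -qxF "'$host':" "$1" || grep -qxF "$host:" "$1"
}
```

Run write_registry_secrets, then secrets_cover_image against the image named in the Dockerfile's FROM line, before the balena push ... --registry-secrets step; keep the generated file out of version control.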
Good news Keenan.
Do try out the balena registry at some point though - as it reduces the maintenance burden on keeping source and images in-sync, and allows you to do release management for your blocks (e.g. create draft releases so that you can test the image before finalising it and making it the ‘latest’).
Phil
I hadn’t yet, but it seems like a great feature!