GHCR (Github Container Registry)

logo

The ghcr registry lets you configure GHCR integration.

Variables

Env var	Required	Description	Supported values	Default value when missing
`DD_REGISTRY_GHCR_{REGISTRY_NAME}_USERNAME`	⚪	Github username
`DD_REGISTRY_GHCR_{REGISTRY_NAME}_TOKEN`	⚪	Github token	Github password or Github Personal Token

Auth behavior

Public images work without credentials.
If credentials are configured but GHCR rejects them (401/403), drydock surfaces a credential-specific authentication error — it does not fall back to anonymous access. Check the configured token and its scopes (read:packages is required).

GHCR token doubles as a GitHub release-notes token

If you configure a GHCR token (DD_REGISTRY_GHCR_{REGISTRY_NAME}_TOKEN), drydock automatically reuses it for the GitHub release-notes provider. You do not need to set DD_RELEASE_NOTES_GITHUB_TOKEN separately — the GHCR token is tried first and used when it succeeds. If it fails (e.g. scoped to read:packages only), set DD_RELEASE_NOTES_GITHUB_TOKEN explicitly with a token that has the public_repo scope.

Examples

Configure to access private images

services:
  drydock:
    image: codeswhat/drydock
    ...
    environment:
      - DD_REGISTRY_GHCR_PRIVATE_USERNAME=john@doe
      - DD_REGISTRY_GHCR_PRIVATE_TOKEN=xxxxx

docker run \
  -e DD_REGISTRY_GHCR_PRIVATE_USERNAME="john@doe" \
  -e DD_REGISTRY_GHCR_PRIVATE_TOKEN="xxxxx" \
  ...
  codeswhat/drydock

How to create a Github Personal Token

Go to your Github settings and open the Personal Access Token tab

Open GitHub Personal Access Tokens

Click on `Generate new token`

Choose an expiration time & appropriate scopes (read:packages is only needed for drydock) and generate.