GHCR (GitHub Container Registry)
The ghcr registry lets you configure GitHub Container Registry integration.

The ghcr registry lets you configure GHCR integration.
Variables
| Env var | Required | Description | Supported values | Default value when missing |
|---|---|---|---|---|
DD_REGISTRY_GHCR_{REGISTRY_NAME}_USERNAME | ⚪ | GitHub username | ||
DD_REGISTRY_GHCR_{REGISTRY_NAME}_TOKEN | ⚪ | GitHub token | GitHub password or GitHub Personal Token |
Auth behavior
- Public images work without credentials.
- If credentials are configured but GHCR rejects them (
401/403), drydock surfaces a credential-specific authentication error — it does not fall back to anonymous access. Check the configured token and its scopes (read:packagesis required).
GHCR token doubles as a GitHub release-notes token
If you configure a GHCR token (DD_REGISTRY_GHCR_{REGISTRY_NAME}_TOKEN), drydock automatically reuses it for the GitHub release-notes provider when the source repo was resolved from trusted metadata (OCI image labels or a GHCR image path). You do not need to set DD_RELEASE_NOTES_GITHUB_TOKEN separately for those containers — the GHCR token is tried first and used when it succeeds.
The GHCR fallback is not sent to repos resolved from a dd.source.repo container label or a persisted container.sourceRepo value. For container-label sources, configure DD_RELEASE_NOTES_GITHUB_TOKEN explicitly with a narrowly-scoped token: a classic PAT with public_repo scope only, or a fine-grained PAT with read-only Contents permission limited to public repositories and no write or account permissions. See Watchers — release notes popover for details on token behavior and intermediate release fetching.
If the GHCR token fails for trusted sources (e.g. scoped to read:packages only), set DD_RELEASE_NOTES_GITHUB_TOKEN explicitly.
Examples
Configure to access private images
services:
drydock:
image: codeswhat/drydock
...
environment:
- DD_REGISTRY_GHCR_PRIVATE_USERNAME=john@doe
- DD_REGISTRY_GHCR_PRIVATE_TOKEN=xxxxx docker run \
-e DD_REGISTRY_GHCR_PRIVATE_USERNAME="john@doe" \
-e DD_REGISTRY_GHCR_PRIVATE_TOKEN="xxxxx" \
...
codeswhat/drydockHow to create a GitHub Personal Token
Go to your GitHub settings and open the Personal Access Token tab
Open GitHub Personal Access Tokens
Click on Generate new token
Choose an expiration time & appropriate scopes (read:packages is only needed for drydock) and generate.

Copy the token & use it as the DD_REGISTRY_GHCR_{REGISTRY_NAME}_TOKEN value
