Skip to content
ConfigurationRegistriesGHCR

GHCR (GitHub Container Registry)

The ghcr registry lets you configure GitHub Container Registry integration.

logo

The ghcr registry lets you configure GHCR integration.

Variables

Env varRequiredDescriptionSupported valuesDefault value when missing
DD_REGISTRY_GHCR_{REGISTRY_NAME}_USERNAMEGitHub username
DD_REGISTRY_GHCR_{REGISTRY_NAME}_TOKENGitHub tokenGitHub password or GitHub Personal Token

Auth behavior

  • Public images work without credentials.
  • If credentials are configured but GHCR rejects them (401/403), drydock surfaces a credential-specific authentication error — it does not fall back to anonymous access. Check the configured token and its scopes (read:packages is required).

GHCR token doubles as a GitHub release-notes token

If you configure a GHCR token (DD_REGISTRY_GHCR_{REGISTRY_NAME}_TOKEN), drydock automatically reuses it for the GitHub release-notes provider when the source repo was resolved from trusted metadata (OCI image labels or a GHCR image path). You do not need to set DD_RELEASE_NOTES_GITHUB_TOKEN separately for those containers — the GHCR token is tried first and used when it succeeds.

The GHCR fallback is not sent to repos resolved from a dd.source.repo container label or a persisted container.sourceRepo value. For container-label sources, configure DD_RELEASE_NOTES_GITHUB_TOKEN explicitly with a narrowly-scoped token: a classic PAT with public_repo scope only, or a fine-grained PAT with read-only Contents permission limited to public repositories and no write or account permissions. See Watchers — release notes popover for details on token behavior and intermediate release fetching.

If the GHCR token fails for trusted sources (e.g. scoped to read:packages only), set DD_RELEASE_NOTES_GITHUB_TOKEN explicitly.

Examples

Configure to access private images

services:
  drydock:
    image: codeswhat/drydock
    ...
    environment:
      - DD_REGISTRY_GHCR_PRIVATE_USERNAME=john@doe
      - DD_REGISTRY_GHCR_PRIVATE_TOKEN=xxxxx 
docker run \
  -e DD_REGISTRY_GHCR_PRIVATE_USERNAME="john@doe" \
  -e DD_REGISTRY_GHCR_PRIVATE_TOKEN="xxxxx" \
  ...
  codeswhat/drydock

How to create a GitHub Personal Token

Go to your GitHub settings and open the Personal Access Token tab

Open GitHub Personal Access Tokens

Click on Generate new token

Choose an expiration time & appropriate scopes (read:packages is only needed for drydock) and generate. image

Copy the token & use it as the DD_REGISTRY_GHCR_{REGISTRY_NAME}_TOKEN value

image