Description
Problem
When using build.yml with GCP Artifact Registry authenticated via Workload Identity Federation (WIF), there's no way to pass dynamically obtained access tokens to registry-auths.
WIF is the recommended keyless authentication method for GCP. It requires running google-github-actions/auth to obtain a short-lived access token at runtime — there are no static credentials to store as GitHub secrets.
Current approach (fails)
Since build.yml is a reusable workflow (runs in its own job context), WIF auth must happen in a preceding job that outputs the tokens:
```yaml
jobs:
  auth:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    outputs:
      token: ${{ steps.auth.outputs.access_token }}
    steps:
      - id: auth
        uses: google-github-actions/auth@v3
        with:
          workload_identity_provider: 'projects/123/locations/global/workloadIdentityPools/github/providers/my-provider'
          service_account: 'my-sa@my-project.iam.gserviceaccount.com'
          token_format: access_token
  build:
    needs: auth
    uses: docker/github-builder/.github/workflows/build.yml@v1
    with:
      output: image
      push: true
      platforms: linux/amd64,linux/arm64
      meta-images: us-docker.pkg.dev/my-project/my-repo/my-app
    secrets:
      registry-auths: |
        - registry: us-docker.pkg.dev
          username: oauth2accesstoken
          password: ${{ needs.auth.outputs.token }}
```
Result
The build fails in the Login to registry step with:
```
Warning: Can't add secret mask for empty string in ##[add-mask] command.
Login to us-docker.pkg.dev
Password required
```
Root cause
google-github-actions/auth masks the access token (via ::add-mask::). GitHub Actions sanitizes masked values in job outputs when they are passed to reusable workflow secrets inputs, resulting in empty strings.
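The same failure can be reproduced without any cloud provider involved, which isolates the root cause to the masked-output hop. The following two workflow files are an added illustration, not code from this issue or from the github-builder project; the file names, job names and the `registry-password` secret name are hypothetical, and the token value is a constructed stand-in for what google-github-actions/auth returns.

```yaml
# Added minimal reproduction (not from the issue or the github-builder project).
# File names, job names and secret names below are hypothetical.
#
# .github/workflows/repro-caller.yml
name: masked-output-repro
on: [workflow_dispatch]

jobs:
  produce:
    runs-on: ubuntu-latest
    outputs:
      token: ${{ steps.gen.outputs.token }}
    steps:
      - id: gen
        shell: bash
        run: |
          # Constructed stand-in for the short-lived token an auth action would return.
          token="constructed-sample-token-$RANDOM"
          # Mask it the same way the auth action does, then try to export it as a job output.
          echo "::add-mask::$token"
          echo "token=$token" >> "$GITHUB_OUTPUT"

  consume:
    needs: produce
    uses: ./.github/workflows/repro-callee.yml
    secrets:
      registry-password: ${{ needs.produce.outputs.token }}

---
# .github/workflows/repro-callee.yml (reusable workflow standing in for build.yml)
name: repro-callee
on:
  workflow_call:
    secrets:
      registry-password:
        required: true

jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - shell: bash
        env:
          PW: ${{ secrets.registry-password }}
        run: |
          # Expected per the behaviour described above: the masked value does not
          # survive the job-output hop, so the secret arrives empty here, which is
          # what produces the "Password required" login failure.
          if [ -z "$PW" ]; then
            echo "secret arrived empty"
          else
            echo "secret arrived with ${#PW} characters"
          fi
```

Dropping a job output that contains a masked value is how GitHub keeps secrets from leaking into cross-job state and logs, so the value arrives empty in the callee rather than being exposed; the repro above makes that visible without touching a real registry.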
Impact
This makes build.yml incompatible with any authentication flow that requires runtime token generation, including:
- GCP Workload Identity Federation (recommended by Google, no static keys)
- AWS OIDC provider (aws-actions/configure-aws-credentials) for ECR
- Azure OIDC for ACR
- Any setup where registry credentials are obtained dynamically via GitHub's OIDC provider
All of these are the industry-recommended keyless authentication methods for their respective cloud registries.
Underlying limitation
The core issue is that reusable workflows run in an isolated job context and can only receive credentials via secrets inputs. Unlike regular actions (e.g. docker/build-push-action) that run as steps within the caller's job — where pre-auth steps like google-github-actions/auth can run beforehand — reusable workflows have no mechanism for callers to inject dynamic, runtime-obtained credentials.
Since all major cloud providers now recommend OIDC-based keyless auth (GCP WIF, AWS OIDC, Azure OIDC), and GitHub itself promotes this pattern via id-token: write permission, the current registry-auths design effectively excludes the recommended auth flow for all major cloud registries.
Environment
- Repository visibility: private
- Workflow: docker/github-builder/.github/workflows/build.yml@v1
- Auth action: google-github-actions/auth@v3
- Registry: Google Artifact Registry (*-docker.pkg.dev)
Question
What options do we have to use github-builder with dynamic creds for registry auth?