Stage 5 · Platform
Build, Version & Release
Artifact Registries
Publishing images and packages to GHCR, ECR, GCR, Artifactory, and npm registries.
Why Use Registries?
Artifact registries store built artifacts — container images, npm packages, Maven artifacts, and Helm charts. They provide versioning, access control, vulnerability scanning, and distribution. Without a registry, you have no centralized place to store and share build outputs.
Registries are the bridge between build and deploy. Your CI pipeline publishes artifacts to the registry, and your CD pipeline pulls them for deployment. This decoupling lets you build once and deploy anywhere.
GitHub Container Registry
jobs:
build-and-push:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
attestations: write
id-token: write
steps:
- uses: actions/checkout@v4
- name: Login to GHCR
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push
uses: docker/build-push-action@v5
with:
context: .
push: true
tags: |
ghcr.io/${{ github.repository }}:${{ github.sha }}
ghcr.io/${{ github.repository }}:latest
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Generate artifact attestation
uses: actions/attest-build-provenance@v1
with:
subject-name: ghcr.io/${{ github.repository }}
subject-digest: ${{ steps.build.outputs.digest }}
push-to-registry: trueGHCR is integrated with GitHub — no separate credentials needed. The GITHUB_TOKEN provides authentication. Artifact attestation cryptographically links the image to its source commit.
Amazon ECR
jobs:
build-and-push:
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
steps:
- uses: actions/checkout@v4
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: arn:aws:iam::123456789012:role/ecr-push
aws-region: us-east-1
- name: Login to ECR
id: login
uses: aws-actions/amazon-ecr-login@v2
- name: Build and push
uses: docker/build-push-action@v5
with:
context: .
push: true
tags: |
${{ steps.login.outputs.registry }}/myapp:${{ github.sha }}
${{ steps.login.outputs.registry }}/myapp:latest
cache-from: type=gha
cache-to: type=gha,mode=maxOIDC eliminates stored AWS credentials. The IAM role grants ECR push access for the duration of the workflow run. The ECR login action outputs the registry URL for use in subsequent steps.
npm Registry
jobs:
publish:
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: "20"
registry-url: https://registry.npmjs.org
- run: npm ci
- run: npm test
- run: npm run build
- name: Publish with provenance
run: npm publish --provenance --access public
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}The --provenance flag generates a signed attestation linking the published package to its source repository and build process. npm displays provenance information on the package page, helping consumers verify authenticity.
Private Registries
- Artifactory — universal artifact repository supporting Docker, npm, Maven, PyPI, and more.
- Nexus Repository — open-source artifact repository with proxy and hosted capabilities.
- Azure Container Registry — Azure-native registry with geo-replication and vulnerability scanning.
- Google Artifact Registry — GCP-native registry replacing Container Registry with multi-format support.
Registry Security
GHCR, ECR, and GCR all offer built-in vulnerability scanning. Enable it for every repository. Set policies to block deployment of images with critical vulnerabilities. Scanning at push time catches issues before images are pulled.
Mark this lesson complete to store local progress and unlock a cleaner resume path the next time you visit.