Using Images from ghcr.io with GitHub Actions

Recently I ended up needing to start a Service Container on a GitHub Actions workflow that was based on an internal service image. Sadly, GitHub’s documentation regarding those specific cases is surprisingly incomplete; I do hope they sort it out eventually, but in the meantime, this is how I managed to get it working.

To download an image from ghcr.io, a few preconditions must be met. Naturally, the container image must be present in the ghcr.io repository, and it also needs a special Internal visibility. To achieve that, go to the image’s package page, click Package Settings on the right-side menu, and scroll all the way down to the Danger Zone. There, select Change Visibility, and then pick Internal. That will allow the Actions Workflow to access it as long as the package and the workflow being executed belong to the same organisation.

Using the Service Container

Now, on the workflow, one may proceed as usual, using the image as stated in the package page, and using github.actor and secrets.GITHUB_TOKEN in the service’s credentials key:


on:
  push:
    branches: [master]

jobs:
  test:
    # Every job needs runs-on; service containers require a Linux runner.
    runs-on: ubuntu-latest
    services:
      internal-service:
        image: ghcr.io/org/internal-service:latest
        credentials:
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

    steps:
    - uses: actions/checkout@v2
    # ...

This should be enough to download and start the internal container image as a service container in the Workflow.
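The workflow above relies on whatever default permissions the repository or organisation gives GITHUB_TOKEN. The variant below is an added example, not part of the original workflow, that declares the token's scopes explicitly so the image pull keeps working under a read-only default and the job holds nothing beyond what it uses. The image name and branch come from the workflow above, and ubuntu-latest is an assumption.

```yaml
on:
  push:
    branches: [master]

# Once a permissions block is present, every scope not listed is set to
# "none", so both scopes the job depends on must be named here.
permissions:
  contents: read   # lets actions/checkout clone the repository
  packages: read   # lets GITHUB_TOKEN pull the image from ghcr.io

jobs:
  test:
    runs-on: ubuntu-latest   # assumption: any Linux runner works
    services:
      internal-service:
        image: ghcr.io/org/internal-service:latest
        credentials:
          # GITHUB_TOKEN is issued per job and expires when the job ends,
          # so no long-lived personal access token has to be stored.
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

    steps:
    - uses: actions/checkout@v2
    # ...
```

If the pull fails with an authorisation error under this configuration, check the package's visibility setting first, since the token scope only grants read access to packages the workflow is already allowed to see.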