Skip to main content

Overview

GitHub Container Registry (GHCR) is GitHub’s container image registry service, integrated with GitHub repositories and Actions. It provides free storage for public images and supports private images for GitHub users.

Registry URL

https://ghcr.io

Image Format

ghcr.io/<owner>/<image-name>:<tag>
Examples:
  • ghcr.io/mycompany/api:latest
  • ghcr.io/myusername/frontend:v1.2.3

Authentication

GitHub Container Registry uses GitHub Personal Access Tokens (PAT) for authentication.

Required Permissions

Your Personal Access Token (classic) needs the following scopes:
  • read:packages - Pull images from GHCR
  • read:org - Required for Qovery to validate your organization access
  • write:packages - Push images (only if needed)
  • repo - Required only if your container packages are linked to private repositories (this is the default behavior on GitHub)
If your container packages inherit their visibility from private repositories (GitHub’s default), the repo scope is required even for read-only access. This is a GitHub limitation, not a Qovery requirement. You can avoid this by configuring your package visibility independently in your GitHub package settings.

Configuration in Qovery

1

Create Personal Access Token

  1. Go to GitHub → SettingsDeveloper settings
  2. Click Personal access tokensTokens (classic)
  3. Click Generate new token (classic)
  4. Give it a descriptive name (e.g., “Qovery GHCR Access”)
  5. Select required scopes:
    • read:packages
    • read:org
    • repo (if your packages are linked to private repositories)
    • write:packages (only if pushing images)
  6. Click Generate token and copy immediately
GitHub shows the token only once. Save it securely.
2

Access Organization Settings

Navigate to Organization SettingsContainer Registries in Qovery
3

Add Registry

Click Add Registry
4

Select GitHub Container Registry

Choose GitHub Container Registry from the registry type dropdown
5

Enter Credentials

Provide:
  • Container Registry Prefix: Your GitHub organization name or username (e.g., mycompany for images like ghcr.io/mycompany/my-app)
  • Personal Access Token: Your GitHub Personal Access Token (classic) with the required scopes
6

Save

Qovery will verify the credentials and save the configuration

Organization Access

For organization-owned packages:
  • Ensure your PAT has access to the organization
  • The token owner must be a member of the organization
  • If your organization enforces SAML SSO, you must authorize the token for SSO after creation: go to GitHub SettingsDeveloper settingsPersonal access tokens (classic) → select your token → Configure SSOAuthorize for your organization
  • If your packages inherit visibility from private repositories, the repo scope is required on the token

Integration with GitHub Actions

GHCR integrates seamlessly with GitHub Actions for CI/CD workflows: 
- name: Push to GitHub Container Registry
  run: |
    echo ${{ secrets.GITHUB_TOKEN }} | docker login ghcr.io -u ${{ github.actor }} --password-stdin
    docker push ghcr.io/${{ github.repository }}/${{ env.IMAGE_NAME }}:${{ github.sha }}

Container Registry Management

Manage all container registries

Deploy Application

Deploy applications from container images
https://mintcdn.com/qovery-feat-envoy-migration-advanced-settings/b1_l6CsCb0Hm2zhK/images/logos/gitlab-icon.svg?fit=max&auto=format&n=b1_l6CsCb0Hm2zhK&q=85&s=4b19c99ce73493fa4d86e8fd1d48d709

GitLab Container Registry

Alternative Git-based registry

Docker Hub

Public container registry option