GitHub Container Registry

The GitHub Container Registry (GHCR) is a component of GitHub Packages and allows users to store container images within the ImperialCollegeLondon organisation. Images can be associated with a repository and shared privately (specific users only), internally (all Imperial staff/students) or publicly. Permissions can be inherited from the repository or set independently. You can find out more information about GHCR at Working with the Container registry.

Using GHCR images in Azure

Azure supports a number of container services such as Azure Kubernetes Service, Azure Container Instances, and Azure Container Apps. With these container services, it’s possible to use a container image stored in GHCR. To do this, follow the steps below.

  1. Build and publish your image to GHCR. More details on how to do this can be found at Publishing a package using an action.

  2. Request a role account (aka service account) to be created via ASK.

  3. Once the service account has been created, login to the ImperialCollegeLondon organisation as the service account.

  4. After logging in via Imperial Single-sign on (SSO), you’ll be asked to create a GitHub account. This account should also be created under the service account. We recommend adding a shared mailing list (aka DL) as a verified email address in the GitHub settings of the service account. This ensures any GitHub emails/alerts are sent to the shared mailbox as well as the service account mailbox.

  5. Add the service account to the repository and assign the relevant permissions. The Read role should be sufficient.

  6. Create a classic personal access token (PAT) for the service account with the read:packages scope.

  7. Use this PAT token along with the variables below to pull the image from GHCR using your chosen Azure container service. The variable names may change depending on which Azure service you’re using. However, the values will remain the same.

Variable Name Description
IMAGE The full image name in GHCR, e.g. ghcr.io/imperialcollegelondon/my-repo/my-image:1.0.1
IMAGE_REGISTRY_LOGIN_SERVER The registry URL, typically ghcr.io
IMAGE_REGISTRY_USERNAME The GitHub username of the service account
IMAGE_REGISTRY_PASSWORD The personal access token (PAT) for the service account

Further reading

Page last modified: 10 Sep 2025.