Private registries
Authenticate Docker Compose previews against private registries like GHCR or Docker Hub with the registries input.
When your Compose stack pulls images from a private registry, PullPreview needs credentials to authenticate before it can deploy. The registries input lets you pass one or more registry credentials so the preview server can log in and pull your images.
Compose only
The registries input is available only for deployment_target: compose. It is not supported for Helm previews — for Helm, use public images or configure chart-managed image pull secrets instead.
See deployment targets for the difference between the Compose and Helm targets.
Format
Each registry credential is a docker:// URI:
    docker://username:[email protected]

The scheme must be docker://. To authenticate against multiple registries, separate the entries with commas.

    - uses: pullpreview/action@v6
      with:
        deployment_target: compose
        registries: docker://${{ secrets.DOCKERHUB_USER }}:${{ secrets.DOCKERHUB_PASSWORD }}@index.docker.io,docker://${{ secrets.GHCR_PAT }}@ghcr.io

Always reference credentials through repository secrets; never hardcode them in the workflow file.
Token-only authentication
You can omit the password and pass just a token before the @:
    docker://[email protected]

When no password is given, the value before @ is treated as the password/token and a placeholder username is used. This is the simplest way to authenticate against GitHub Container Registry, where the credential is a token rather than a username/password pair.

    - uses: pullpreview/action@v6
      with:
        deployment_target: compose
        registries: docker://${{ secrets.GHCR_PAT }}@ghcr.io

For GitHub Container Registry, the token must be a Personal Access Token with package read access. In practice:
- Create a token with package read (read:packages) access.
- Store it as a repository secret, such as GHCR_PAT.
- Reference that secret in registries.
Multiple registries
Combine credentials for several registries in a single comma-separated value:
    - uses: pullpreview/action@v6
      with:
        deployment_target: compose
        registries: docker://${{ secrets.GHCR_PAT }}@ghcr.io,docker://${{ secrets.DOCKERHUB_USER }}:${{ secrets.DOCKERHUB_PASSWORD }}@index.docker.io

Each entry is processed independently. An invalid entry (for example, one missing the docker:// scheme) is logged with a warning and skipped rather than failing the deploy, so a single malformed credential will not abort the run. Double-check the warning logs if an expected image fails to pull.
How it works
Before deploying your stack, PullPreview runs docker login --password-stdin once per registry entry on the preview server. After all credentials are applied, it pulls the images and brings up the Compose stack as usual.
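Because a malformed entry is skipped with a warning rather than failing the deploy, a pre-flight check in CI can fail closed instead. The following is an added Python example, not PullPreview's own code: it applies the parsing rules described on this page and reports bad entries by position only, so no credential text reaches the log. The placeholder username `token` and the handling of `@` or `:` inside a password are assumptions, since the page does not specify them.

```python
from typing import NamedTuple

SCHEME = "docker://"
PLACEHOLDER_USER = "token"  # assumption: the page does not name the placeholder


class RegistryLogin(NamedTuple):
    host: str
    username: str
    password: str


def parse_registries(value: str):
    """Return (logins, warnings) for a comma-separated registries value."""
    logins, warnings = [], []
    for index, raw in enumerate(value.split(","), start=1):
        entry = raw.strip()
        if not entry.startswith(SCHEME):
            warnings.append(f"entry {index}: missing docker:// scheme, skipped")
            continue
        # Assumption: the last "@" separates credentials from the registry host.
        creds, at, host = entry[len(SCHEME):].rpartition("@")
        if not at or not creds or not host:
            warnings.append(f"entry {index}: expected credentials@host, skipped")
            continue
        user, colon, password = creds.partition(":")
        if not colon:
            # Token-only form: the value before @ is the password/token.
            user, password = PLACEHOLDER_USER, creds
        if not user or not password:
            warnings.append(f"entry {index}: empty username or password, skipped")
            continue
        logins.append(RegistryLogin(host, user, password))
    return logins, warnings


def login_command(login):
    """argv for docker login; the password is fed on stdin, never on argv."""
    return ["docker", "login", "--username", login.username,
            "--password-stdin", login.host]


if __name__ == "__main__":
    # Constructed sample values, not real credentials; entry 2 lacks the scheme.
    sample = ("docker://ghp_example@ghcr.io,alice:s3cret@index.docker.io,"
              "docker://alice:s3cret@index.docker.io")
    logins, warnings = parse_registries(sample)
    for message in warnings:
        print("warning:", message)
    for login in logins:
        print(" ".join(login_command(login)))
    raise SystemExit(1 if warnings else 0)  # fail closed instead of skipping
```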
If you need to perform additional setup before deploy — beyond registry login — use a pre-script. For the full list of inputs, see the configuration reference.