Stage 4 · Provision
Registries & Security
Registries & Tags
Push images to Docker Hub, GHCR, or ECR with semantic tags, digests, and immutable references.
What Is a Registry?
A container registry stores and distributes Docker images. When you run docker pull, Docker downloads the image from a registry. When you run docker push, it uploads to a registry. Docker Hub is the default registry, but you can use any OCI-compatible registry.
| Registry | Free Tier | Best For |
|---|---|---|
| Docker Hub | 1 private repo, unlimited public | Open source, public images |
| GHCR (ghcr.io) | Free for public, 500MB private | GitHub-integrated projects |
| AWS ECR | Pay per storage/transfer | AWS workloads |
| GCR (gcr.io) | Pay per storage/transfer | GCP workloads |
| Azure ACR | Pay per tier | Azure workloads |
Docker Hub
# Login to Docker Hub
docker login
# Tag an image for Docker Hub
docker tag myapp:1.0 myusername/myapp:1.0
# Push to Docker Hub
docker push myusername/myapp:1.0
# Pull from Docker Hub
docker pull myusername/myapp:1.0
# Search Docker Hub
docker search nginxDocker Hub images are prefixed with your username: myusername/myapp. Official images (nginx, postgres) omit the username. Docker Hub supports automated builds from GitHub repositories.
GitHub Container Registry
# Login to GHCR
echo $GITHUB_TOKEN | docker login ghcr.io -u $GITHUB_USERNAME --password-stdin
# Tag for GHCR
docker tag myapp:1.0 ghcr.io/myorg/myapp:1.0
# Push to GHCR
docker push ghcr.io/myorg/myapp:1.0
# Pull from GHCR
docker pull ghcr.io/myorg/myapp:1.0GHCR uses the ghcr.io prefix. Images are associated with GitHub repositories. Authentication uses GitHub personal access tokens. Public images are free to pull.
Tagging Strategies
Tags are mutable references to images. A tag like v1.2.3 points to a specific image today, but could point to a different image tomorrow if someone pushes a new version with the same tag. This mutability makes tag strategy important.
# Semantic versioning
docker tag myapp:latest myapp:1.2.3
docker tag myapp:latest myapp:1.2
docker tag myapp:latest myapp:1
# Git commit SHA
docker tag myapp:latest myapp:abc1234
# Build metadata
docker tag myapp:latest myapp:1.2.3-abc1234
# Date-based
docker tag myapp:latest myapp:2025-01-15
# Environment
docker tag myapp:latest myapp:prod-v1.2.3Use semantic versioning for releases, git SHA for CI builds, and combine them for traceability. Never rely on :latest for production — it is mutable and unpredictable.
The :latest tag can be overwritten at any time. If you deploy myapp:latest, the next push overwrites it. Your running containers use the old image, but new deployments pull a different one. Always pin to a specific version.
Image Digests
Digests are immutable SHA256 hashes that uniquely identify an image. Unlike tags, a digest never changes. If you pull nginx@sha256:abc123..., you always get the exact same image. Use digests for reproducible deployments.
# Pull by digest
docker pull nginx@sha256:abc123def456...
# Find the digest of a local image
docker inspect --format '{{index .RepoDigests 0}}' nginx:latest
# Tag with digest reference
docker tag myapp:1.0 myregistry.com/myapp@sha256:abc123...
# Use digests in Dockerfiles
FROM nginx@sha256:abc123def456...Digests guarantee you get the exact same image every time. Use them in Dockerfiles and deployment scripts for reproducibility. Tag images with both a tag and a digest for human readability and machine precision.
Pushing Images
# 1. Build with a tag
docker build -t myregistry.com/myapp:1.0 .
# 2. Login to the registry
docker login myregistry.com
# 3. Push the image
docker push myregistry.com/myapp:1.0
# 4. Verify it is available
docker manifest inspect myregistry.com/myapp:1.0
# 5. Pull on another machine
docker pull myregistry.com/myapp:1.0The image must be tagged with the registry prefix before pushing. docker manifest inspect verifies the image is accessible and shows its architecture and digest.
For CI/CD, use echo $TOKEN | docker login -u $USER --password-stdin instead of -p. This avoids exposing the password in process listings and shell history.
Mark this lesson complete to store local progress and unlock a cleaner resume path the next time you visit.