GitHub Actions delivers an immersive platform for testing and deploying all kinds of software, including software that runs in containers. It also offers a container registry with repositories where you can push containers and serve them to anyone on the internet.

By combining these capabilities with Red Hat’s Universal Base Image (UBI) and container technologies such as Podman and Buildah, you can build your own containers on top of a stable Red Hat Enterprise Linux (RHEL) base in GitHub Actions.

The code shown in this post is already in the major/ubi-flask repository in GitHub.

A simple container

Most of my development involves Python and my favorite web framework: Flask. It simplifies web applications by handling a route (a path on a URL) and running code anytime someone accesses the URL. In this example, I wrote a “Hello World” example with a timestamp included:

from datetime import datetime

from flask import Flask

app = Flask(__name__)

def hello_world():
return f"Hello, World! The current date is: {}"

In this example, when someone accesses the root path, they see the “Hello, World!” text followed by the date and time the request was made. Let’s assemble a brief container build file that tells buildah how to build the container from a UBI:

# Make a directory for our code and copy it over.
RUN mkdir /opt/hello
COPY hello/* /opt/hello
# Install pip and Python requirements (and clean up).
RUN dnf -y install python3-pip && \
      dnf clean all
RUN pip3 install -r /opt/hello/requirements.txt && \
      rm -rf /root/.cache
# Set the working directory to where we copied the code.
WORKDIR /opt/hello
# Expose port 8000.
# Run the Flask application via gunicorn.
CMD ["gunicorn", "-b", "", "hello:app"]

Get to the (GitHub) Action

The container build file and Flask code already exist in my ubi-flask repository in GitHub. We now need to tell GitHub Actions how to build and publish the container on each commit. Everything starts with a workflow YAML file (follow along with mine):

name: Build ubi-flask container
  - push

    name: Build image
    runs-on: ubuntu-latest
      IMAGE_NAME: ubi-flask

The initial part of the workflow file controls when the container is built (on every push) and the GitHub container registry URL. The build steps are:

- name: Clone the repository
  uses: actions/checkout@v2

- name: Buildah Action
  id: build-image
  uses: redhat-actions/buildah-build@v2
    image: ${{ env.IMAGE_NAME }}
    tags: latest ${{ github.sha }}
    containerfiles: |

- name: Log in to the GitHub Container registry
  uses: redhat-actions/podman-login@v1
    registry: ${{ env.REGISTRY }}
    username: ${{ }}
    password: ${{ secrets.GITHUB_TOKEN }}

- name: Push to GitHub Container Repository
  id: push-to-ghcr
  uses: redhat-actions/push-to-registry@v2
    image: ${{ }}
    tags: ${{ }}
    registry: ${{ env.REGISTRY }}

Let’s analyze this step by step:

  • First, we clone our repository into the GitHub Actions runner.

  • Next, we build the container using our container build file with buildah. The container has two tags: “latest” and the SHA of the most recent commit in git.

  • The GitHub container registry requires authentication before pushing containers, so we use podman to authenticate. (GitHub Actions automatically provides a token in lieu of an API key or password.)

  • Finally, we push the container to the repository with podman and apply both tags from the build stage.

GitHub Actions runs the workflow, in under two minutes in my testing, and a container appears in the list of packages afterwards. 

Your container should appear as ubi-flask inside your GitHub account under My GitHub account is major, so I can pull my container using this URL:

Testing the container

We can test the container by using podman to download the container and run it:

$ podman run -d -p 8000:8000
$ curl localhost:8000
Hello, World! The current date is: 2021-10-26 17:12:29.639179

Staying up to date

Keep updated with the latest changes in the redhat-actions repositories by using GitHub’s dependabot. Add a small file in your repo to monitor changes to any of the GitHub Actions that you use:

# File: .github/dependabot.yml
version: 2
  - package-ecosystem: "github-actions"
    directory: "/"
    interval: "daily"

When GitHub detects that one of your actions has an update, dependabot makes a pull request in your repository to update the action version.


Now you can use the technologies you know and trust, such as Podman and Buildah, alongside your software in GitHub. RHEL UBI provide a stable base for testing and deployment on RHEL systems, in Red Hat OpenShift, or on any other container platform.

Read about the various types of RHEL UBI container images and how to build and run containers as a non-root user with podman.

About the author

Major Hayden is a Principal Software Engineer at Red Hat with a focus on making it easier to deploy Red Hat Enterprise Linux wherever a customer needs it. He is also an amateur radio operator (W5WUT), and he maintains a technical blog at

Read full bio