Choosing a Container Registry (GHCR, Docker Hub, ECR, GAR)
The best registry is usually the one closest to where your images are built and where they get deployed.
A container registry stores and serves your images between build and deploy. The major options differ in pricing, authentication, and how tightly they integrate with your CI and cloud. This lesson compares the four most common choices.
The main options
- GHCR (ghcr.io): tight GitHub Actions integration, free for public images, easy GITHUB_TOKEN auth.
- Docker Hub: ubiquitous and simple, but anonymous pull rate limits affect CI.
- Amazon ECR: lowest-latency for AWS deploys, IAM-based auth, private by default.
- Google Artifact Registry (GAR): the native choice for GCP, with fine-grained IAM.
What to weigh
Consider proximity to your deploy target (egress and pull latency), authentication model (a registry that speaks your CI or cloud identity avoids long-lived secrets), pull rate limits, and built-in features like vulnerability scanning and image signing.
Rate limits bite in CI
Docker Hub enforces pull limits that ephemeral CI runners hit easily, since each run pulls fresh. Authenticate your pulls, mirror frequently used base images, or host them in a registry without aggressive anonymous limits.
A practical default
If you build on GitHub Actions, GHCR is the path of least resistance -- it authenticates with the built-in token and lives beside your code. If you deploy into AWS or GCP, the cloud-native registry (ECR or GAR) minimizes latency and lets you authenticate with cloud identity instead of static credentials.
Key takeaways
- Pick the registry closest to where you build and deploy to cut latency and auth friction.
- GHCR integrates best with GitHub Actions; ECR and GAR suit AWS and GCP deploys.
- Watch Docker Hub pull rate limits, which ephemeral CI runners hit quickly.