Core concepts
Private images
Pull private registry images with app-scoped secret credentials.
Private image credentials use app-scoped secrets. The agent uses them for Docker registry authentication before pulling images.
nethera.yml
services: web: image: ghcr.io/acme/private-app:latest nethera: imagePullCredentials: - registry: ghcr.io usernameSecret: GHCR_USERNAME passwordSecret: GHCR_TOKENSet the secrets before deploy:
bash
$neth secrets set GHCR_USERNAME$neth secrets set GHCR_TOKENImage pull credentials are used by the agent for Docker login. They are not injected into the container unless you also list them under nethera.secrets.
Private image deployment may be plan-gated.