Automated docker pulls from Github-hosted runner: which "organization" must pay?

I found this FAQ: Docker FAQs | Docker

Q: I want to run an automated agent that makes container requests on behalf of my organization. Which license do I need?
A: Automated agents or service accounts that make container image requests of Docker Hub must be licensed under a Docker Team subscription.

In the case of anonymous pulls from a Github-hosted runner which organization must pay? Github or the open-source project? This FAQ should be much clearer.

BTW I’m aware Github has some special agreement with Docker[*] (otherwise anonymous pulls would have hit a rate limit a long time ago). But this special agreement does IMHO not answer my question.

[*] Did Dockerhub rate limit affect Github Action? · Issue #1445 · actions/runner-images · GitHub

Also filed as support request 65940, not answered.

Filed again later in October 2021 as 68572, no answer either.

The wording has changed but it still does not answer the Github question:

We want to use Docker Desktop to run automated processes. Does this require a paid subscription?

Service Accounts can be used for automation. A Service Account is a Docker ID used for automated management of container images or containerized applications. Service Accounts are typically used in automated workflows and don’t share Docker IDs with other members of your organization. Learn more in our Service Account documentation.

If you run a build in a runner (regardless of github or whatever), you normally perform a docker login within your pipeline, either by running the commands in a pipeline job/step or by using a task that encapsulates them. Image pulls are accounted to the api-token owner’s pull rate.

If you don’t log in to Docker Hub, then the anonymous pull rate applies, which is accounted by the public IP. If the host has a public IP, then its public IP. If it has a private IP, then the public IP of the internet breakout.

If you don’t have anything confidential in your image then you’re more likely to make it public. One of the big advantages is then that you don’t have to deal with authentication secrets - and of course you can tell everyone you know about your image.

tl;dr: I think public images are more popular and that’s why I stressed anonymously in my question.

This question is specifically about Github runners and Github acknowledged (a long time ago) that they have a special agreement with Docker. So it’s not that simple.

Anyway the question is NOT about rate limits. That’s because this FAQ is not about rate limits, it’s about what type of account is allowed for this at all; before even looking at rate limits.

Fair enough!

The question indeed was relevant while the FAQs were written like in the first post. Judged by the answer of the old FAQ, any sort of automation agent required a service account == no anonymous access. The service account would never be from the organization that provides the infrastructure that runs the automation agent. It would be from the organization that maintains and uses the automation.

Meanwhile, the new FAQ, Service Account Documentation or Docker Terms of Service do not contain any hint that service accounts must be used with automation agents. From my perspective: nothing forbids anonymous access at the moment.

This ambiguous and confusing answer really looks like a “hint” to me:

We want to use Docker Desktop to run automated processes. Does this require a paid subscription?

Service Accounts can be used for automation. A Service Account is a Docker ID used for automated management of container images or containerized applications


From my perspective: nothing forbids anonymous access at the moment.

Again, this question is specifically about Github which can’t realistically be using anonymous access due to rate limits. So some Github-specific magic must be happening: which specific Terms and Conditions apply to this magic?