
docker / build-push-action


GitHub Action to build and push Docker images with Buildx

Home Page: https://github.com/marketplace/actions/build-and-push-docker-images

License: Apache License 2.0

Dockerfile 7.99% TypeScript 89.76% HCL 1.82% Go 0.42%
buildx github-actions github-actions-docker docker dockerhub

build-push-action's Introduction


About

GitHub Action to build and push Docker images with Buildx with full support of the features provided by Moby BuildKit builder toolkit. This includes multi-platform build, secrets, remote cache, etc. and different builder deployment/namespacing options.


Usage

In the examples below we are also using 3 other actions:

  • setup-buildx action creates and boots a builder, using the docker-container driver by default. This is not required, but it is recommended because it enables multi-platform builds, cache export, etc.
  • setup-qemu action can be useful if you want to add emulation support with QEMU so you can build for more platforms.
  • login action logs in to a Docker registry.

Git context

By default, this action uses the Git context, so you don't need to use the actions/checkout action to check out the repository as this will be done directly by BuildKit.

The git reference will be based on the event that triggered your workflow and will result in the following context: https://github.com/<owner>/<repo>.git#<ref>.

name: ci

on:
  push:
    branches:
      - 'main'

jobs:
  docker:
    runs-on: ubuntu-latest
    steps:
      -
        name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      -
        name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      -
        name: Build and push
        uses: docker/build-push-action@v5
        with:
          push: true
          tags: user/app:latest

Be careful: because the context is based on the Git reference, any file mutation in the steps that precede the build step will be ignored, including processing of the .dockerignore file. You can remove this restriction by using the Path context (the context input) alongside the actions/checkout action.

Default Git context can also be provided using the Handlebars template expression {{defaultContext}}. Here we can use it to provide a subdirectory to the default Git context:

      -
        # Setting up Docker Buildx with docker-container driver is required
        # at the moment to be able to use a subdirectory with Git context
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      -
        name: Build and push
        uses: docker/build-push-action@v5
        with:
          context: "{{defaultContext}}:mysubdir"
          push: true
          tags: user/app:latest

Building from the current repository automatically uses the GitHub Token, so it does not need to be passed. If you want to authenticate against another private repository, you have to use a secret named GIT_AUTH_TOKEN to be able to authenticate against it with Buildx:

      -
        name: Build and push
        uses: docker/build-push-action@v5
        with:
          push: true
          tags: user/app:latest
          secrets: |
            GIT_AUTH_TOKEN=${{ secrets.MYTOKEN }}

Path context

name: ci

on:
  push:
    branches:
      - 'main'

jobs:
  docker:
    runs-on: ubuntu-latest
    steps:
      -
        name: Checkout
        uses: actions/checkout@v4
      -
        name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      -
        name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      -
        name: Build and push
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          tags: user/app:latest

Examples

Customizing

inputs

The following inputs can be used as step.with keys.

List type is a newline-delimited string

cache-from: |
  user/app:cache
  type=local,src=path/to/dir

CSV type is a comma-delimited string

tags: name/app:latest,name/app:1.0.0
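The distinction between the two input shapes matters for values that contain commas (a cache spec, or a secret value): a List input keeps them intact, a List/CSV input splits on them. The parser below is an added example, not the action's own code; quote handling and dropping of empty items are assumptions of the example, not documented behaviour.

```javascript
// Added example, not code from build-push-action: a parser for the input
// shapes the README describes. "List" inputs are split on newlines only, so a
// single item may legitimately contain commas (type=local,src=path/to/dir, or
// a secret value with a comma in it). "List/CSV" inputs are split on newlines
// and on commas outside double quotes. Quote handling and dropping of empty
// items are assumptions of this example, not documented behaviour.

// Split one line on commas that are not inside double quotes; the quotes
// themselves are removed from the item.
function splitCsvLine(line) {
  const items = [];
  let current = '';
  let inQuotes = false;
  for (const ch of line) {
    if (ch === '"') {
      inQuotes = !inQuotes;
    } else if (ch === ',' && !inQuotes) {
      items.push(current);
      current = '';
    } else {
      current += ch;
    }
  }
  if (inQuotes) {
    throw new Error(`unbalanced double quote in input line: ${line}`);
  }
  items.push(current);
  return items;
}

// type is 'list' (newline-delimited) or 'list/csv' (newline- or comma-delimited).
function parseListInput(raw, type) {
  if (type !== 'list' && type !== 'list/csv') {
    throw new Error(`unsupported input type: ${type}`);
  }
  const result = [];
  for (const line of raw.split(/\r?\n/)) {
    const trimmed = line.trim();
    if (trimmed === '') continue; // blank lines carry no item
    if (type === 'list') {
      result.push(trimmed);
      continue;
    }
    for (const item of splitCsvLine(trimmed)) {
      const value = item.trim();
      if (value !== '') result.push(value);
    }
  }
  return result;
}

// Split a KEY=value item at the first '=' so that values containing '=' or
// ',' (a token, a cache spec) survive intact.
function parseKeyValue(item) {
  const eq = item.indexOf('=');
  if (eq <= 0) {
    throw new Error(`expected KEY=value, got: ${item}`);
  }
  return [item.slice(0, eq), item.slice(eq + 1)];
}

// Constructed inputs mirroring the README's examples (the token is a placeholder).
const SAMPLE_CACHE_FROM = 'user/app:cache\ntype=local,src=path/to/dir\n';
const SAMPLE_TAGS = 'name/app:latest,name/app:1.0.0';
const SAMPLE_SECRETS = 'GIT_AUTH_TOKEN=PLACEHOLDER_TOKEN';

console.log(parseListInput(SAMPLE_CACHE_FROM, 'list'));
console.log(parseListInput(SAMPLE_TAGS, 'list/csv'));
console.log(parseListInput(SAMPLE_SECRETS, 'list').map(parseKeyValue));
```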

Name | Type | Description
add-hosts | List/CSV | List of custom host-to-IP mappings (e.g., docker:10.180.0.1)
allow | List/CSV | List of extra privileged entitlements (e.g., network.host,security.insecure)
annotations | List | List of annotations to set on the image
attests | List | List of attestation parameters (e.g., type=sbom,generator=image)
builder | String | Builder instance (see setup-buildx action)
build-args | List | List of build-time variables
build-contexts | List | List of additional build contexts (e.g., name=path)
cache-from | List | List of external cache sources (e.g., type=local,src=path/to/dir)
cache-to | List | List of cache export destinations (e.g., type=local,dest=path/to/dir)
cgroup-parent | String | Optional parent cgroup for the container used in the build
context | String | Build's context is the set of files located in the specified PATH or URL (default Git context)
file | String | Path to the Dockerfile (default {context}/Dockerfile)
labels | List | List of metadata for an image
load | Bool | Load is a shorthand for --output=type=docker (default false)
network | String | Set the networking mode for the RUN instructions during build
no-cache | Bool | Do not use cache when building the image (default false)
no-cache-filters | List/CSV | Do not cache specified stages
outputs | List | List of output destinations (format: type=local,dest=path)
platforms | List/CSV | List of target platforms for build
provenance | Bool/String | Generate provenance attestation for the build (shorthand for --attest=type=provenance)
pull | Bool | Always attempt to pull all referenced images (default false)
push | Bool | Push is a shorthand for --output=type=registry (default false)
sbom | Bool/String | Generate SBOM attestation for the build (shorthand for --attest=type=sbom)
secrets | List | List of secrets to expose to the build (e.g., key=string, GIT_AUTH_TOKEN=mytoken)
secret-envs | List/CSV | List of secret env vars to expose to the build (e.g., key=envname, MY_SECRET=MY_ENV_VAR)
secret-files | List | List of secret files to expose to the build (e.g., key=filename, MY_SECRET=./secret.txt)
shm-size | String | Size of /dev/shm (e.g., 2g)
ssh | List | List of SSH agent sockets or keys to expose to the build
tags | List/CSV | List of tags
target | String | Sets the target stage to build
ulimit | List | Ulimit options (e.g., nofile=1024:1024)
github-token | String | GitHub Token used to authenticate against a repository for Git context (default ${{ github.token }})

outputs

The following outputs are available:

Name | Type | Description
imageid | String | Image ID
digest | String | Image digest
metadata | JSON | Build result metadata

Troubleshooting

See TROUBLESHOOTING.md

Contributing

Want to contribute? Awesome! You can find information about contributing to this project in the CONTRIBUTING.md


build-push-action's Issues

Add *complete* example workflow yaml file

Hello,
I am adding this Action via this PR (nf-core/kmermaid#56) and can't seem to get it to work (yaml below). Can you provide a complete minimal working example to guide the way for new users? Thank you!
Warmest,
Olga

name: Build Docker images
# This workflow tests building the docker image so I stop committing
# bad Dockerfiles and breaking the build
on: [push, pull_request]

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Build Docker images
        uses: docker/[email protected]
        with:
          repository: nfcore/kmermaid
          push: false

Feature request: Timestamp based tag

I would like to have some time stamp based tag - built in. Can be done using (date +%s) or similar.
I could try to contribute it myself, but I couldn't find out where the actual script that runs is :(

"tags" not required, but omitting it doesn't do what you'd expect

The tags input is currently optional...

tags:
    description: Comma-delimited list of tags. These will be added to the registry/repository to form the image's tags
    required: false

... but when it's omitted, no images are actually pushed to the registry. You'll typically see something like this in the logs:

...
Successfully built 36c976682bcd
Pushing image []

The workflow will succeed, since technically it was successful in pushing 0 images, but that's a little misleading. It would be reasonable to expect it to push an image with the :latest default tag, like the Docker CLI does when there's no tag - e.g.

$ docker build org/repo .
$ docker push org/repo 

It would seem sensible here to either make tags a required input (explaining in the comment that latest needs be specified explicitly, if so desired) or implement a default tag latest, analogous to the Docker CLI.

Can't set build_arg from env

I've tried to set a build_arg from an env I set earlier with Github Actions, but I seem to be unable to. Am I doing something wrong, or is there a real issue here?

jobs:
  deliver-docker:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Determine version
        id: version
        run: echo "::set-env name=PACK_VERSION::`echo ${{ github.event.release.tag_name }} | cut -d "v" -f2`"
        shell: bash
      - name: Build and Push Image
        uses: docker/build-push-action@v1
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
          repository: dfreilich/pack
          tags: latest
          dockerfile: .github/workflows/delivery/docker/Dockerfile
          build_args: PACK_VERSION=`${{ env.PACK_VERSION }}

Example for Cache-Froms option

Can an example of how to use the cache-froms option in a github workflow be added to the documentation? I was unable to figure out a way to use it that actually took advantage of the option. Looking at the go utility code, it just adds the option to the build command, but that will do nothing when there is no local cache (ie a CB scenario like this). In my experience you need to pull the image first and the original issue asks for that as well. I did some testing and was unable to get it to work. It was indistinguishable from not using it.

- name: Docker Build
  uses: docker/build-push-action@v1
  with:
    registry: quay.io
    repository: ${{ env.quayio_repo }}
    username: ${{ env.quayio_user }}
    password: ${{ secrets.QUAY_AUTH }}
    tags: >-
      ${{ env.docker_tag }},
      ${{ env.docker_cache_tag }}
    cache_froms: ${{ env.quayio_repo }}:${{ env.docker_cache_tag }}

My original comment from the original issue.

github action pushes smaller image on docker hub than when pushing from local machine

I created a docker image for a monorepo using node:10 base docker image.
When I build it locally and push it on docker hub, I get, on docker hub, an image with size 616.11mb and when I run the service it is working fine.
Using the github action the image after pushing has size 572.49 mb and when I start the service it displays only a white page on the browser.

https://hub.docker.com/repository/docker/satapps/terriamap/tags?page=1
https://github.com/SatelliteApplicationsCatapult/TerriaMap

Any idea why ?
Thanks

Docker login to private registry prior to build

Hi,
Thanks for the GitHub action! :)
I am trying to build an image based on private image which is available in same repo we use to push.

Currently it looks like 'login' to the private registry happens before 'push' but after 'build' steps.
Is it possible to shift the 'login' step to happen before the 'build' step?

Thanks!

Add 'v1' tag instead of 'v1.0'

In README.md and marketplace, uses: docker/build-push-action@v1 but v1 does not exist.

Download action repository 'docker/build-push-action@v1'
##[warning]Failed to download action 'https://api.github.com/repos/docker/build-push-action/tarball/v1'. Error Response status code does not indicate success: 404 (Not Found).
##[warning]Back off 19.862 seconds before retry.
##[warning]Failed to download action 'https://api.github.com/repos/docker/build-push-action/tarball/v1'. Error Response status code does not indicate success: 404 (Not Found).
##[warning]Back off 22.87 seconds before retry.
##[error]Response status code does not indicate success: 404 (Not Found).

Currently only works with uses: docker/build-push-action@v1.0

Pull docker/github-actions:v1.04s
82dd17ef2c28: Download complete
Pull down action image 'docker/github-actions:v1.0'
...

FYI: Official action's tags: https://github.com/actions/checkout/tags

Default to using BuildKit

I'm finding myself always needing to remember to add the following to my actions:

env:
        DOCKER_BUILDKIT: 1

I wonder if this should be a first-class part of the interface, rather than needing to know the environment variable? I also wonder if this should default to using BuildKit?

[Feature] Pass tags and labels as build args as well

The action computes lots of useful values, for example it creates tags using options like tag_with_ref or tag_with_sha; and it adds many useful labels with add_git_labels

Feature Request

What's missing, however, is an option that allows passing all those values as build arguments, so we can make use of them in our dockerfile.

Since all the information is already there, the feature boils down to just adding one or two more options:

  • Maybe a simple bool
    pass_git_labels_as_build_args: true (or maybe something shorter :P)
  • Or maybe allow users to select what to pass
    computed_build_args: [ "git_ref", "git_sha", "org.opencontainers.image.created" ]

Use case

Most applications need to know their version/build time, so they can display it somewhere (in the header of their commandline output, or "about box", ...)

Repository/image name should be lowercased automatically.

Name components may contain lowercase letters, digits and separators. A separator is defined as a period, one or two underscores, or one or more dashes. A name component may not start or end with a separator.
Src: https://docs.docker.com/engine/reference/commandline/tag/#extended-description.

I have no idea if the same rule applies to username or registry, but I have a failing build due to this. Note that repository name is fed with ${{ github.repository }}/gateway. Currently, there is no toLower function in Actions.

2020-04-26T12:49:01.8839602Z ##[group]Run docker/build-push-action@v1
2020-04-26T12:49:01.8839748Z with:
2020-04-26T12:49:01.8839835Z   username: 0xbkt
2020-04-26T12:49:01.8840486Z   password: ***
2020-04-26T12:49:01.8840585Z   repository: 0xbkt/rEdAcTeD/gateway
2020-04-26T12:49:01.8840655Z   registry: docker.pkg.github.com
2020-04-26T12:49:01.8840739Z   tags: latest
2020-04-26T12:49:01.8840819Z   tag_with_ref: false
2020-04-26T12:49:01.8840902Z   tag_with_sha: false
2020-04-26T12:49:01.8840968Z   path: .
2020-04-26T12:49:01.8841048Z   always_pull: false
2020-04-26T12:49:01.8841130Z   add_git_labels: false
2020-04-26T12:49:01.8841225Z   push: true
2020-04-26T12:49:01.8841290Z ##[endgroup]
2020-04-26T12:49:01.8867757Z ##[command]/usr/bin/docker run --name dockergithubactionsv1_68dc5e --label c27d31 --workdir /github/workspace --rm -e INPUT_USERNAME -e INPUT_PASSWORD -e INPUT_REPOSITORY -e INPUT_REGISTRY -e INPUT_TAGS -e INPUT_TAG_WITH_REF -e INPUT_TAG_WITH_SHA -e INPUT_PATH -e INPUT_DOCKERFILE -e INPUT_TARGET -e INPUT_ALWAYS_PULL -e INPUT_BUILD_ARGS -e INPUT_CACHE_FROMS -e INPUT_LABELS -e INPUT_ADD_GIT_LABELS -e INPUT_PUSH -e HOME -e GITHUB_JOB -e GITHUB_REF -e GITHUB_SHA -e GITHUB_REPOSITORY -e GITHUB_REPOSITORY_OWNER -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_ACTOR -e GITHUB_WORKFLOW -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GITHUB_EVENT_NAME -e GITHUB_WORKSPACE -e GITHUB_ACTION -e GITHUB_EVENT_PATH -e RUNNER_OS -e RUNNER_TOOL_CACHE -e RUNNER_TEMP -e RUNNER_WORKSPACE -e ACTIONS_RUNTIME_URL -e ACTIONS_RUNTIME_TOKEN -e ACTIONS_CACHE_URL -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/rEdAcTeD/rEdAcTeD":"/github/workspace" docker/github-actions:v1  "build-push"
2020-04-26T12:49:05.7322652Z Logging in to registry docker.pkg.github.com
2020-04-26T12:49:05.7555246Z WARNING! Using --password via the CLI is insecure. Use --password-stdin.
2020-04-26T12:49:05.8533235Z WARNING! Your password will be stored unencrypted in /github/home/.docker/config.json.
2020-04-26T12:49:05.8533483Z Login Succeeded
2020-04-26T12:49:05.8533831Z Configure a credential helper to remove this warning. See
2020-04-26T12:49:05.8534604Z https://docs.docker.com/engine/reference/commandline/login/#credentials-store
2020-04-26T12:49:05.8534726Z 
2020-04-26T12:49:05.8547653Z Building image [docker.pkg.github.com/0xbkt/rEdAcTeD/gateway:latest]
2020-04-26T12:49:05.8721089Z invalid argument "docker.pkg.github.com/0xbkt/rEdAcTeD/gateway:latest" for "-t, --tag" flag: invalid reference format: repository name must be lowercase
2020-04-26T12:49:05.8721637Z See 'docker build --help'.
2020-04-26T12:49:05.8734269Z Error: exit status 125
2020-04-26T12:49:05.8738409Z Usage:
2020-04-26T12:49:05.8738519Z exit status 125
2020-04-26T12:49:05.8739333Z   github-actions build-push [flags]
2020-04-26T12:49:05.8739585Z 
2020-04-26T12:49:05.8739769Z Flags:
2020-04-26T12:49:05.8740834Z   -h, --help   help for build-push
2020-04-26T12:49:05.8741420Z 
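Validating the reference before it reaches `docker build -t` turns the failure above into a clear error (or, as the issue asks, into an automatic lowercasing of the path). The following is an added example, not the action's code; the registry-detection rule, the untouched tag and the lack of digest support are assumptions of the example.

```javascript
// Added example, not code from build-push-action: validate and normalise an
// image reference before it is handed to `docker build -t`. Path components
// follow the rule quoted in the issue (lowercase alphanumerics joined by '.',
// '_', '__' or one or more '-', never starting or ending with a separator).
// Assumptions of this example: the first component is treated as a registry
// host when it contains '.' or ':' or equals "localhost" and is left as typed;
// the tag is left untouched because tags are case-sensitive; digest
// references (name@sha256:...) are not handled.

const PATH_COMPONENT = /^[a-z0-9]+(?:(?:[._]|__|-+)[a-z0-9]+)*$/;
const TAG = /^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$/;

// Split "registry/path/components:tag" into its parts. The tag is introduced
// by the last ':' that comes after the last '/', so a registry port
// (localhost:5000/app) is not mistaken for a tag.
function splitReference(ref) {
  const lastSlash = ref.lastIndexOf('/');
  const lastColon = ref.lastIndexOf(':');
  let name = ref;
  let tag;
  if (lastColon > lastSlash) {
    name = ref.slice(0, lastColon);
    tag = ref.slice(lastColon + 1);
  }
  const parts = name.split('/');
  let registry;
  const first = parts[0];
  if (parts.length > 1 && (first.includes('.') || first.includes(':') || first === 'localhost')) {
    registry = parts.shift();
  }
  return { registry, path: parts, tag };
}

// Lowercase the path components, then reject anything the grammar forbids
// instead of letting `docker build` fail with "repository name must be lowercase".
function normalizeReference(ref) {
  const { registry, path, tag } = splitReference(ref);
  const lowered = path.map(p => p.toLowerCase());
  for (const component of lowered) {
    if (!PATH_COMPONENT.test(component)) {
      throw new Error(`invalid repository component "${component}" in "${ref}"`);
    }
  }
  if (tag !== undefined && !TAG.test(tag)) {
    throw new Error(`invalid tag "${tag}" in "${ref}"`);
  }
  const name = (registry ? `${registry}/` : '') + lowered.join('/');
  return tag === undefined ? name : `${name}:${tag}`;
}

// The reference from the issue's log, built from ${{ github.repository }}/gateway.
console.log(normalizeReference('docker.pkg.github.com/0xbkt/rEdAcTeD/gateway:latest'));
```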

Pushing with image variants

I would like, in addition to tags, add a variant part to docker image, like:

  • metacontrollerio/metacontroller:v4.2.0-alpine
  • metacontrollerio/metacontroller:v4.2.0-debian

etc. What is the easiest way to do it ?

Logging in to two Docker registries?

I'm trying to build a docker container, from a private container on dockerhub, and push it to the github registry.

For public dockerhub packages, this works splendidly

  docker-rabbitmq:
    runs-on: ubuntu-latest
    needs: lerna
    steps:
      - name: Checkout repo
        uses: actions/checkout@v2
        with:
          ref: ${{ github.head_ref }}
      - name: Build the container
        uses: docker/build-push-action@v1
        with:
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
          registry: docker.pkg.github.com
          repository: xxx/yyy/rabbitmq
          tag_with_ref: true
          dockerfile: ./packages/yyy/containers/rabbitmq/Dockerfile
          cache_froms: xxx/yyy/rabbitmq:latest
          path: ./packages/yyy/containers/rabbitmq/

But for a private container, this fails because we are not logged in to DockerHub.

I tried to add the following before the build-push-action, but that does not get picked up

      - uses: azure/docker-login@v1
        with:
          username: "xxx"
          password: "xxx"

Any ideas on how to do this?

COPY failed: no such file or directory

First of all: Thank you very much for your work on this GitHub action. It looks very promising, but I could not get it to work so far.

Here is my configuration:

   - name: Build and Push Docker Image
      uses: docker/build-push-action@v1
      with:
          dockerfile: ./backend/guide/Dockerfile
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
          registry: docker.pkg.github.com
          repository: some/repo
          tags: latest

Here is the Dockerfile:

FROM openjdk:11-jre-slim
COPY ./core/build/libs/core.jar core.jar
ENTRYPOINT ["java","-jar","/core.jar"]

I keep on getting the following error:

Step 2/3 : COPY core/build/libs/core.jar core.jar
COPY failed: stat /var/lib/docker/tmp/docker-builder622038188/core/build/libs/core.jar: no such file or directory

I've also tried the following:

FROM openjdk:11-jre-slim
COPY core/build/libs/core.jar core.jar
ENTRYPOINT ["java","-jar","/core.jar"]

But it did not work either.

When I ssh into the runner machine, I can use docker build just fine, and everything works.

Can somebody spot my mistake? I'm close to losing my mind :)

Thanks.

Please consider adding input safelisting

GitHub Actions can be vulnerable to environment injection for optional inputs, see my article here:
https://francoisbest.com/posts/2020/the-security-of-github-actions

One form of defence against that for now is to add another input that lists input names that are safe to load (because explicitly defined by the user in their workflow).

Example:

uses: docker/build-push-action@v1
with:
  username: ${{ secrets.DOCKER_USERNAME }}
  password: ${{ secrets.DOCKER_PASSWORD }}
  repository: myorg/myrepository
  tags: latest
  inputsSafeList: username,password,repository,tags

In this example, if a malicious action defines and exports INPUT_REGISTRY, it would be ignored as registry is not part of the safelist. Without it, the image could be pushed to a registry controlled by the attacker.
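The runner hands an action its inputs as INPUT_<NAME> environment variables, which is why an exported INPUT_REGISTRY can masquerade as a workflow input. The block below is an added example, not the action's code: it models that lookup and the safelist the issue proposes (`inputsSafeList` is the hypothetical input from the issue; KNOWN_INPUTS is a subset of the v1 inputs shown in the issues above).

```javascript
// Added example, not code from build-push-action. A GitHub Actions runner
// exports every `with:` key as an environment variable named INPUT_<NAME>
// (upper-cased, spaces replaced by underscores); @actions/core's getInput
// reads inputs that way. This models that lookup and the safelist defence
// proposed in the issue: `inputsSafeList` is the hypothetical input from the
// issue, and KNOWN_INPUTS is a subset of the v1 inputs shown on this page.

const KNOWN_INPUTS = ['username', 'password', 'registry', 'repository', 'tags', 'push'];

// Environment variable name the runner uses for a given input.
function inputEnvName(name) {
  return 'INPUT_' + name.replace(/ /g, '_').toUpperCase();
}

// Resolve the action's inputs from an environment object (process.env in a
// real action). Without the safelist every INPUT_* variable is trusted, no
// matter whether the workflow author set it or an earlier step exported it.
// With the safelist, only names the workflow author listed are honoured and
// the rest are reported so a log line can flag them.
function resolveInputs(env, { enforceSafeList = false } = {}) {
  let safeList = null;
  if (enforceSafeList) {
    const raw = env[inputEnvName('inputsSafeList')] || '';
    safeList = new Set(raw.split(',').map(s => s.trim()).filter(s => s !== ''));
  }
  const inputs = {};
  const ignored = [];
  for (const name of KNOWN_INPUTS) {
    const value = env[inputEnvName(name)];
    if (value === undefined || value === '') continue;
    if (safeList !== null && !safeList.has(name)) {
      ignored.push(name);
      continue;
    }
    inputs[name] = value;
  }
  return { inputs, ignored };
}

// Where the image would be pushed, given the resolved inputs.
function pushTarget(inputs) {
  const prefix = inputs.registry ? `${inputs.registry}/` : '';
  return `${prefix}${inputs.repository}:${inputs.tags}`;
}

// Constructed environment: the `with:` block from the issue, plus an
// INPUT_REGISTRY the workflow never set (the injection the issue describes).
const SAMPLE_ENV = {
  INPUT_USERNAME: 'example-user',
  INPUT_PASSWORD: 'example-password',
  INPUT_REPOSITORY: 'myorg/myrepository',
  INPUT_TAGS: 'latest',
  INPUT_INPUTSSAFELIST: 'username,password,repository,tags',
  INPUT_REGISTRY: 'registry.example.invalid',
};

const unguarded = resolveInputs(SAMPLE_ENV);
const guarded = resolveInputs(SAMPLE_ENV, { enforceSafeList: true });
console.log('without safelist:', pushTarget(unguarded.inputs));
console.log('with safelist:   ', pushTarget(guarded.inputs), 'ignored:', guarded.ignored);
```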

Remove `v` from tags

I think the action should have the option to remove the v from git tags that are semver. And I think it should be the default behavior.

Git tag: v1.1.1 -> Docker tag: 1.1.1

Update Readme and description with push on Docker hub

Currently, if we use the Github action with this repo, the image is built and pushed to the Docker hub, but the Readme and description are not updated on the Docker hub webpage. It would be nice to have this in the future to use this action and altogether disable auto build.

`--cache_froms` from a gcr.io private registry: auth error during pull

My repo contains multiple images and I am trying to prevent some of them to be built if the underlying Dockerfile and related files do not change. For this I tried to use BUILDKIT_INLINE_CACHE, cache_froms and always_pull.

From the logs, login to the private registry works well as well as pushing the image(s). Caching fails because the cache image cannot be pulled from the registry. See the ERROR log:

2020-06-18T13:38:46.0362521Z Logging in to registry gcr.io
2020-06-18T13:38:46.0655216Z WARNING! Using --password via the CLI is insecure. Use --password-stdin.
2020-06-18T13:38:46.2805517Z WARNING! Your password will be stored unencrypted in /github/home/.docker/config.json.
2020-06-18T13:38:46.2806701Z Login Succeeded
2020-06-18T13:38:46.2823664Z Configure a credential helper to remove this warning. See
2020-06-18T13:38:46.2846885Z https://docs.docker.com/engine/reference/commandline/login/#credentials-store
2020-06-18T13:38:46.2848444Z 
2020-06-18T13:38:46.2902754Z Building image [gcr.io/my-project-id/my-image:latest gcr.io/my-project-id/my-image-ca3422b]
2020-06-18T13:38:46.4792304Z #1 [internal] load .dockerignore
2020-06-18T13:38:46.4792661Z #1 transferring context: 2B done
2020-06-18T13:38:46.4792982Z #1 DONE 0.0s
2020-06-18T13:38:46.4793265Z 
2020-06-18T13:38:46.4793549Z #2 [internal] load build definition from Dockerfile
2020-06-18T13:38:46.4793869Z #2 transferring dockerfile: 554B done
2020-06-18T13:38:46.4794173Z #2 DONE 0.0s
2020-06-18T13:38:46.4794317Z 
2020-06-18T13:38:46.4794611Z #3 [internal] load metadata for docker.io/library/ubuntu:20.04
2020-06-18T13:38:47.0797488Z #3 DONE 0.6s
2020-06-18T13:38:47.0798118Z 
2020-06-18T13:38:47.0854806Z #5 [1/5] FROM docker.io/library/ubuntu:20.04@sha256:52259450119427dab05c0c4...
2020-06-18T13:38:47.0861553Z #5 DONE 0.0s
2020-06-18T13:38:47.0861844Z 
2020-06-18T13:38:47.0862243Z #7 [internal] load build context
2020-06-18T13:38:47.0862666Z #7 DONE 0.0s
2020-06-18T13:38:47.0862893Z 
2020-06-18T13:38:47.0864116Z #4 importing cache manifest from my-project-id/my-image:latest
2020-06-18T13:38:47.2298524Z #4 ERROR: pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed
2020-06-18T13:38:47.2299344Z 
2020-06-18T13:38:47.2299694Z #7 [internal] load build context
2020-06-18T13:38:47.2300054Z #7 transferring context: 855B done
2020-06-18T13:38:47.2300405Z #7 DONE 0.0s

The error is ERROR: pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed but pushing works so I am pretty sure scope is correctly setup on the Google IAM side. Any ideas?


name: Build and Push Docker Images

env:
  PROJECT_ID: my-project-id

on:
  push:
    branches:
      - master
    tags:
      - "*"
  pull_request:

jobs:
  build-images:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v1

      - name: Build my-image
        uses: docker/[email protected]
        env:
          DOCKER_BUILDKIT: 1
        with:
          repository: ${{ env.PROJECT_ID }}/my-image
          path: base
          build_args: BASE_IMAGE=ubuntu:20.04,BUILDKIT_INLINE_CACHE=1
          username: _json_key
          password: ${{ secrets.GCR_PUSH_KEY }}
          registry: gcr.io
          add_git_labels: true
          tag_with_ref: true
          tag_with_sha: true
          push: true
          cache_froms: ${{ env.PROJECT_ID }}/my-image:latest
          always_pull: true

ARG BASE_IMAGE="ubuntu:20.04"

FROM ${BASE_IMAGE}

ARG DEBIAN_FRONTEND=noninteractive

RUN apt update --fix-missing && \
    apt install --no-install-recommends -y \
    wget bzip2 ca-certificates libglib2.0-0 libxext6 \
    libsm6 libxrender1 git mercurial subversion && \
    apt clean

ENV CONDA_PATH "/opt/conda"
ENV PATH "$CONDA_PATH/bin:$PATH"

ADD ./bootstrap.sh /bootstrap.sh
ADD ./entrypoint.sh /entrypoint.sh
RUN bash /bootstrap.sh

SHELL ["/bin/bash", "--login", "-c"]
ENTRYPOINT ["/entrypoint.sh"]

Question: Does the docker build check the repository?

I am using this action to build an image with a lot of dependencies in it for the application I am developing. These several dependencies take a long time to build and install onto the docker image, and therefore the docker image takes a long time to build.

When I am developing the docker image locally, the docker cache stores the intermediate layers so that it only needs to rebuild the layers after and including any changes I made. I am wondering if this action has a similar feature. Does it pull down the image from dockerhub to see which layer to start from?

Thank you

Automatic creation of staggered versioned tags

It would be cool if there was an option for this action to automatically split the version of the git reference up and create multiple docker tags based on the major and minor version numbers of the git reference.

For example: refs/tags/v1.3.1 would turn into

  • v1.3.1
  • v1.3
  • v1

Sorry don't know if there is a proper name for this practice 😅 But this seems to be common among the more popular images.

Leverage docker cache

Would it possible to add support for using docker cache?

Especially for PR validation, it would be great if it would be possible to specify a docker image that would be used for resolving layer cache. That image name would be passed to a docker build option:

--cache-from strings      Images to consider as cache sources

Also the image should be pulled from the registry first.

Feature Request: Ability to check for existing image via manifest and retag

This GHA is a good start; I'd like to suggest for the ability to check for existing docker image on the registry without downloading or building a local image by directing using docker registry API.

This is especially useful when doing a CI/CD workflow where you promote non-master to master; so there isn't an actual need to rebuild docker image but simply re-tag existing docker image.

docs: Change use of "Name" to "Path" in dockerfile option information

Hi. Thanks very much for making this GitHub Action!

I'd like to suggest that in the dockerfile option the text

Name of the Dockerfile

be changed to

Path to the Dockerfile relative to path.

When I first read the docs I got confused by the use of "path" and "name" (instead of "context" and "path") and for a directory structured as

$ tree
.
├── other_files_needed_for_build
├── docker
│   └── Dockerfile

attempted to use

    - name: Build and Publish to Registry
      uses: docker/build-push-action@v1
      with:
        username: ${{ secrets.DOCKER_USERNAME }}
        password: ${{ secrets.DOCKER_PASSWORD }}
        repository: org/repo-name
        path: docker
        dockerfile: Dockerfile

instead of the following (correct)

    - name: Build and Publish to Registry
      uses: docker/build-push-action@v1
      with:
        username: ${{ secrets.DOCKER_USERNAME }}
        password: ${{ secrets.DOCKER_PASSWORD }}
        repository: org/repo-name
        dockerfile: docker/Dockerfile

I think the use of "path" would be more clear than "name". If you agree with me I have a branch with this change on my fork that I can open a PR here on (though telling me to do so might involve more typing).

Feature request: provide way to add --ssh argument to docker build command

There does not appear to be a way to turn on the newish --ssh forwarding capability of docker build with this action. This is needed to access private github repos from inside the Dockerfile (etc). If this is in some way available, it is not documented.

Some way to place the ssh key(s) (or inject them from a repo secret) and get them to work with RUN --mount=type=ssh would be great. If this ability is already present, then documentation would be great!

Example of multistep workflow

How to use build artifact from previous workflow step?

I did not find examples
My script does not work (does not see the artifact collected in the previous step)

Thanks!

What does `always_pull` do?

My guess is that pulling a previously built image will facilitate layer-reusing, like using the old image as a cache. Am I right?

Possible issue when building with Tini

I have the following dockerfile

FROM python:3.8-slim

# Packages that we need
COPY requirements.txt /app/
WORKDIR /app

# build the venv and install the requirements
RUN python3 -m venv app_env
RUN pip install -r requirements.txt

# use TINI
ENV TINI_VERSION v0.19.0
ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /tini
RUN chmod +x /tini
ENTRYPOINT ["/tini", "--", "myapp"]
CMD "-h"

When I run it on my computer with
docker build -t dockerfile .

I am able to run and see the help of the application with the command
docker run -t dockerfile

However, if I pull the container from github, with the command
docker run -t docker.pkg.github.com/myrepo/myapp

I have an error:
[FATAL tini (7)] exec myapp failed: No such file or directory

I got the same error, no matter what argument is passed to the container

The rule that I use in the github action is

        uses: docker/build-push-action@v1
        with:
          dockerfile: ./docker/dockerfile
          registry: docker.pkg.github.com
          repository: ${{ github.repository }}/myapp
          tags: latest
          username: ${{ github.ref }}
          password: ${{ secrets.GH_TOKEN }}

can this be used with GitHub package registry?

Hi,

I'm currently trying to figure out if this action can be used with GitHub package registry. So this was my attempt:

      with:
        username: ${{ env.GITHUB_ACTOR }}
        password: ${{ secrets.GITHUB_TOKEN }}
        registry: docker.pkg.github.com
        ...

However, this nonetheless fails with

Error: both username and password must be set to login

I suspect the username is the problem, however this is how this docker action is authenticating: https://github.com/matootie/github-docker/blob/master/index.js#L39

I do not want to add a personal access token so I could publish this with my username and my personal access token, although that would probably work.

Does anyone know how to make this work with the injected GITHUB_TOKEN?

Experiencing unknown blob error on push

I have a workflow containing multiple jobs building and pushing images to Github Packages.
This works great most of the time, but sometimes a random job is failing during docker push with an unknown blob error.

The jobs are declared like this:

  build-maintenance:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: docker/build-push-action@v1
        with:
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
          registry: docker.pkg.github.com
          repository: XXX/YYY/maintenance
          path: maintenance
          target: production
          tag_with_sha: true

Tail of job output:

Successfully built c6ac9d5faeba
Successfully tagged docker.pkg.github.com/XXX/YYY/maintenance:sha-eac817d
Pushing image [docker.pkg.github.com/XXX/YYY/maintenance:sha-eac817d]
The push refers to repository [docker.pkg.github.com/XXX/YYY/maintenance]
1e64616ff473: Preparing
02e9da9d44c5: Preparing
3810cc0c140f: Preparing
3e207b409db3: Preparing
3e207b409db3: Layer already exists
3810cc0c140f: Layer already exists
unknown blob
Error: exit status 1
exit status 1
Usage:
  github-actions build-push [flags]

Flags:
  -h, --help   help for build-push

Add build flag similar to push flag

At present it's possible to set push to false and just build an image. This is useful when you want to test the image before pushing it. But when you do that, pushing becomes either a matter of doing so manually (potentially with multiple tags), or triggering the full action again, including a build.

It would be useful to run just the push action, maybe by adding a property for build that defaults to true?

allow only build phase

We would love it if we could skip the publish part, so we can create a pipeline that only runs a test stage in a multi-stage Dockerfile.

Enable use of non-master branch as "latest"

From the tag_with_ref docs:

If {branch-name} is master then the tag will be latest.

We use a workflow that has separate master and dev branches, with strict rules around the interaction between them. Anything that requires a rebuild of the image (i.e. updating dependencies, rather than source files) must go through dev first. We have set dev as our main branch in Github, and it's locked, with controls around how devs can push to it.

We would like to have the latest tag always applied to the dev branch.

Appreciate we may be outliers here, but if it was possible to add a setting, it would really make a difference for us. I'll dig around myself and if I can see how to do it, will submit a PR.

How to create a personal registry and allow pushes from GitHub Actions.

I created a Docker registry but have no HTTPS certificate, and I don't know how to push automatically from GitHub Actions.

I can push the image locally if I configure this in /etc/docker/daemon.json:

{
    "insecure-registries": [
        "xxxx:5000"
    ]
}

But I don't know how to push it when I use GitHub Actions. I tried to edit /etc/docker/daemon.json in the workflow, but it told me Permission denied.

[screenshot]

Push image directly: [screenshot]

Best practice for environment variables

Sorry for creating an issue for a question but there is no other place where I can ask a question.

How should environment variables be set? Can I simply use the env setup of the GitHub workflow, or do I have to use the ENV command in the Dockerfile?

Add tag_prefix input

I think an input for tag_prefix would be very useful in some use cases. If given, this value would be prefixed to all tags on the image. With the current inputs, the tag_prefix would be prefixed to the following tag inputs. Note that I've included tags here as well, as I think that would be most consistent, but that is the one I'm the least sure about whether it would make sense.

One example, which is my use case for this input, is something the official ubuntu image tags reflect as well.

When we have one GitHub repository with multiple Dockerfiles (see mine as example here) to build different images (Ubuntu versions in my case). Let's say we have the following images we want to build.

  • bionic
  • xenial
  • focal

With the tag_prefix set to the values of the list above and e.g. a SHA of abc1234, these images would get the following tags.

  • bionic-sha-abc1234
  • xenial-sha-abc1234
  • focal-sha-abc1234

I hope I explained everything in here correctly, but I'd be happy to elaborate and discuss.

Edit:
I've locally tested this and it should work as described above.

input_tag_prefix.patch.txt

No examples of `path` or `dockerfile` options

I'm working on a project that has multiple Dockerfiles, each of them in a separate directory. One of those is named api, so the dockerfile is in api/Dockerfile. I have the following in my workflow:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
    - uses: docker/build-push-action@v1
      with:
        path: api
        username: companyusername
        password: companypassword
        repository: company/myproject/api
        registry: companyregistry
        tags: latest

I get the following error:

unable to prepare context: unable to evaluate symlinks in Dockerfile path: lstat /github/workspace/api/Dockerfile: no such file or directory

However, I see the checkout action logging the following:

Initializing the repository
  /usr/bin/git init /home/runner/work/myproject/myproject

From the documentation it is unclear that I should be using some variable to determine /home/runner/work/myproject/myproject instead of /github/workspace/. What am I doing wrong?

I also tried using dockerfile:, but also with the same results: always relative to /github/workspace.

New boolean input tag_with_latest

It would add the ability for users to better set when to push as latest, such as evaluating an expression for example.

Example: tag as latest when pushing git tags

- uses: docker/build-push-action@v1
  with:
    username: ${{ secrets.DOCKER_USERNAME }}
    password: ${{ secrets.DOCKER_PASSWORD }}
    repository: felipecassiors/argbash-test
    add_git_labels: true
    # Only push as latest when pushing a git tag
    tag_with_latest: ${{ startsWith(github.ref, 'refs/tags/') }}
    tag_with_ref: true
    tag_with_sha: true

Usage with tag_with_ref

If tag_with_latest property is defined alongside tag_with_ref, then the strategy of push as latest when the branch is master from tag_with_ref should be ignored.
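The three proposals above (the tag_with_ref rule quoted from the docs, tag_prefix, and tag_with_latest overriding the master-means-latest rule) all describe one tag-derivation step. The following is an added example, not code from the action, showing how those inputs compose; the sanitising of branch names (feature/x becomes feature-x), the pr-<n> mapping for pull-request refs and the "-" join for tag_prefix are assumptions chosen for illustration:

```python
import re
from typing import List, Optional, Sequence


def sanitize_tag(name: str) -> str:
    """Docker tags allow only [A-Za-z0-9_.-] and may not start with '.' or '-';
    the replacement of other characters by '-' is an assumed mapping."""
    return re.sub(r"[^A-Za-z0-9_.-]", "-", name).lstrip(".-")[:128]


def ref_to_tag(ref: str) -> Optional[str]:
    """tag_with_ref as the posts describe it: master -> latest, other branches -> branch
    name, git tags -> tag name. The pr-<n> mapping for pull-request refs is an assumption."""
    if ref == "refs/heads/master":
        return "latest"
    for prefix in ("refs/heads/", "refs/tags/"):
        if ref.startswith(prefix):
            return sanitize_tag(ref[len(prefix):])
    m = re.match(r"^refs/pull/(\d+)/", ref)
    return f"pr-{m.group(1)}" if m else None


def compute_tags(
    ref: str,
    sha: str,
    *,
    tags: Sequence[str] = (),
    tag_with_ref: bool = False,
    tag_with_sha: bool = False,
    tag_with_latest: Optional[bool] = None,  # None = input not defined
    tag_prefix: str = "",
) -> List[str]:
    """Combine explicit tags with the derived ones, in a stable order, without duplicates."""
    result: List[str] = list(tags)
    if tag_with_ref:
        derived = ref_to_tag(ref)
        # Once tag_with_latest is defined it owns the 'latest' decision, so the
        # master -> latest rule of tag_with_ref is ignored (the post's proposal).
        if derived == "latest" and tag_with_latest is not None:
            derived = None
        if derived:
            result.append(derived)
    if tag_with_sha:
        result.append(f"sha-{sha[:7]}")  # short sha, as in the page's sha-abc1234 example
    if tag_with_latest:
        result.append("latest")
    if tag_prefix:
        # Assumed join: prefix "bionic" + tag "sha-abc1234" -> "bionic-sha-abc1234"
        result = [f"{tag_prefix}-{t}" for t in result]
    seen = set()
    deduped: List[str] = []
    for t in result:
        if t not in seen:
            seen.add(t)
            deduped.append(t)
    return deduped


if __name__ == "__main__":
    # Constructed sha, not a real commit
    print(compute_tags("refs/heads/dev", "abc1234def0", tag_with_ref=True,
                       tag_with_sha=True, tag_prefix="bionic"))
```

A workflow input such as tag_with_latest: ${{ startsWith(github.ref, 'refs/tags/') }} arrives as the string "true" or "false", so a real implementation would parse it into the boolean this function expects.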

Where is the source code of this action?

Sorry, I am probably blind but I can't find the source code of this action. Where is it? For example, where is the code that adds the tag_with_ref tags? It would be nice to link to this in README.md.

Return image digest as action output

To better support image pinning, this action should output the image digest after pushing to a registry. The digest could then be used as a parameter for a future step in the workflow, like triggering a deployment.

Doesn't work with ECR actions

After the ECR login action, I can pull and push images from the ECR repository by running docker commands directly.
Maybe it is required to support the local ~/.docker/config.json.
But docker/build-push-action cannot pull or push, failing with a no basic auth credentials error.
My workflow is

  build_and_push_image:
    name: Build and push docker image to ECR.
    runs-on: ubuntu-latest
    steps:
      - name: Check out
        uses: actions/checkout@v2
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: **********
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-1
      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v1
      - name: Pull from ECR (pull test)
        run: docker pull ${{ steps.login-ecr.outputs.registry }}/${{ secrets.REGISTRY }}:latest
      - name: Debug auth (pull test)
        run: cat ~/.docker/config.json
      - name: Build & Push
        uses: docker/build-push-action@v1
        with:
          repository: ${{ steps.login-ecr.outputs.registry }}/${{ secrets.REGISTRY }}
          add_git_labels: true
          tag_with_ref: true
      - name: Logout of Amazon ECR
        if: always()
        run: docker logout ${{ steps.login-ecr.outputs.registry }}

Pull succeeds on the command line: Pull from ECR (pull test)

Pull from ECR (pull test)6s
***.dkr.ecr.us-east-1.amazonaws.com/***:latest

...

18ebb058d5da: Pull complete
Digest: sha256:ac4754ea1154010603db8d7cbe07bb1a33954e59b088efab46445c69d8b0fc58
Status: Downloaded newer image for ***.dkr.ecr.us-east-1.amazonaws.com/***:latest
***.dkr.ecr.us-east-1.amazonaws.com/***:latest

Logged in to ECR: Debug auth (pull test)

Run cat ~/.docker/config.json
{
	"auths": {
		"***.dkr.ecr.us-east-1.amazonaws.com": {
			"auth": "***"
		}
	},
	"HttpHeaders": {
		"User-Agent": "Docker-Client/3.0.11+azure (linux)"
	}
}

Failed to push or pull on docker/build-push-action@v1

...

Successfully built a60891a407a2
Successfully tagged ***.dkr.ecr.us-east-1.amazonaws.com/***:topic-use_original_docker_actions
Pushing image [***.dkr.ecr.us-east-1.amazonaws.com/***:topic-use_original_docker_actions]
The push refers to repository [***.dkr.ecr.us-east-1.amazonaws.com/***]
no basic auth credentials
Error: exit status 1
Usage:
  github-actions build-push [flags]

Flags:
  -h, --help   help for build-push

exit status 1

Didn't push the image to GitHub Packages, but the workflow completed the job

Hello, I am trying to integrate maven build and docker push. There are no errors after workflow script execution, but there is no image in my package.

Workflow script:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Set up JDK 11
        uses: actions/setup-java@v1
        with:
          java-version: 11
      - name: Build with Maven
        run: mvn -B package --file pom.xml
      - name: Push to GitHub Packages
        uses: docker/build-push-action@v1
        with:
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
          registry: docker.pkg.github.com
          repository: bwhyman/githubactions-examples/githubactions
          tag: latest

logs: [screenshot]

And the following script, using docker commands directly, works fine.

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Set up JDK 11
        uses: actions/setup-java@v1
        with:
          java-version: 11
      - name: Build with Maven
        run: mvn -B package --file pom.xml
      - name: docker push
        run: |
          docker login -u ${{ github.actor }} -p ${{ secrets.GITHUB_TOKEN }} docker.pkg.github.com
          docker build . -t docker.pkg.github.com/bwhyman/githubactions-examples/githubactions
          docker push docker.pkg.github.com/bwhyman/githubactions-examples/githubactions

Did I miss something?
Thanks a lot

Feature Request: skip Push on Unchanged Digest

I have a monorepo with multiple docker images and I would like to publish an image only if the digest of the image is not present in the registry, regardless of the tag. I'm using fluxcd and right now because a tag is pushed on every push to master, all the pods are being restarted.

I suggest adding the option skipUnchangedDigest to the build-push-action; when set to true, the action will skip the push if the digest is already present.

Bazel build supports this with skipUnchangedDigest flag to the container_push rule, code is here:
https://github.com/bazelbuild/rules_docker/blob/06c5419265e84baf168ba4d3982f45fe1fe312b4/container/go/cmd/pusher/pusher.go#L132
https://github.com/bazelbuild/rules_docker/blob/06c5419265e84baf168ba4d3982f45fe1fe312b4/container/go/cmd/pusher/pusher.go#L163
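Two requests above turn on the same value: "Return image digest as action output" wants the sha256 digest of the pushed image exposed so a later step can pin a deployment to it, and "skip Push on Unchanged Digest" wants the push skipped when the registry already holds that digest. The following is an added example, not code from the action or from rules_docker, that parses the digest out of a `docker push` transcript (the transcript and the digest are constructed placeholders), builds the immutable repo@sha256:... reference, and shows the skip decision given both digests:

```python
import re
from typing import Iterable, Optional

# Constructed tail of a `docker push`, shaped like the page's own logs.
# FAKE_DIGEST is a made-up placeholder, not a digest of any real image.
FAKE_DIGEST = "sha256:" + "0123456789abcdef" * 4
SAMPLE_PUSH_OUTPUT = (
    "The push refers to repository [docker.pkg.github.com/org/repo/app]\n"
    "3e207b409db3: Layer already exists\n"
    "1e64616ff473: Pushed\n"
    f"latest: digest: {FAKE_DIGEST} size: 1570\n"
)

# A successful push ends with "<tag>: digest: sha256:<64 hex> size: <bytes>".
# The strict 64-hex requirement rejects truncated or garbled digests.
DIGEST_LINE = re.compile(
    r"^(?P<tag>[\w][\w.-]*): digest: (?P<digest>sha256:[0-9a-f]{64}) size: \d+$",
    re.MULTILINE,
)


def extract_digest(push_output: str) -> Optional[str]:
    """Return the manifest digest reported by `docker push`, or None if absent/malformed."""
    m = DIGEST_LINE.search(push_output)
    return m.group("digest") if m else None


def pinned_reference(repository: str, push_output: str) -> Optional[str]:
    """Immutable reference for a deploy step: repo@sha256:..., which cannot be
    re-pointed the way a mutable tag such as :latest can."""
    digest = extract_digest(push_output)
    return f"{repository}@{digest}" if digest else None


def output_line(name: str, value: str) -> str:
    """Line a step appends to the file named by $GITHUB_OUTPUT so later steps can
    read steps.<id>.outputs.<name>."""
    return f"{name}={value}"


def push_needed(local_digest: str, remote_digests: Iterable[str]) -> bool:
    """skipUnchangedDigest: push only when the registry does not already hold this
    manifest digest. The caller must obtain the local manifest digest before pushing
    (it is not available from push output), e.g. from builder metadata."""
    return local_digest not in set(remote_digests)


if __name__ == "__main__":
    ref = pinned_reference("docker.pkg.github.com/org/repo/app", SAMPLE_PUSH_OUTPUT)
    print(output_line("digest", extract_digest(SAMPLE_PUSH_OUTPUT) or ""))
    print(ref)
```

The pinned reference is the part a deployment should consume: a tag like latest or sha-abc1234 can be moved to a different image later, whereas repo@sha256:... identifies exactly the content that was built and verified in the workflow.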

Potential security issue

When using this action, the following warning is displayed and it states that secrets are visible inside the container in plaintext in /github/home/.docker/config.json. I am aware that action containers are ephemeral, but isn't this file accessible to subsequent executed actions?

Logging in to registry
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /github/home/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
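The warning above is about the file the ECR post printed earlier with `cat ~/.docker/config.json`: `docker login` base64-encodes user:password into the auth field of each auths entry, and that file persists for the remaining steps of the job unless something removes it (the ECR workflow's final `docker logout` step does exactly that). The following is an added example, not part of the action, of a check a job could run before handing the runner to later steps: it lists which registries still carry an inline credential, reporting only the username and never the secret, and shows the scrubbed form of the file. The config is constructed to mirror the shape shown in the ECR post; every credential in it is a placeholder:

```python
import base64
import json
from typing import Dict, List

# Constructed ~/.docker/config.json, shaped like the one printed in the ECR post.
# Registry names and credential values are placeholders, not real accounts.
SAMPLE_CONFIG = json.dumps({
    "auths": {
        "123456789012.dkr.ecr.us-east-1.amazonaws.com": {
            "auth": base64.b64encode(b"AWS:placeholder-ecr-password").decode()
        },
        "docker.pkg.github.com": {
            "auth": base64.b64encode(b"octocat:placeholder-github-token").decode()
        },
        # Managed by a credential helper, so no inline secret is written here.
        "registry.example.test": {},
    },
    "credHelpers": {"registry.example.test": "pass"},
    "HttpHeaders": {"User-Agent": "Docker-Client/placeholder (linux)"},
})


def audit_docker_config(config_text: str) -> List[Dict[str, str]]:
    """Report every registry whose credential sits unencrypted in config.json.
    Only the registry and username are returned; the secret is never surfaced."""
    cfg = json.loads(config_text)
    findings: List[Dict[str, str]] = []
    for registry, entry in cfg.get("auths", {}).items():
        token = (entry or {}).get("auth")
        if not token:
            continue  # helper/store-managed, or already logged out
        try:
            # auth is base64("user:password"); keep only the user part
            user = base64.b64decode(token).decode("utf-8", "replace").split(":", 1)[0]
        except ValueError:
            user = "<undecodable>"
        findings.append({"registry": registry, "username": user})
    return findings


def scrub_inline_auths(config_text: str) -> str:
    """Equivalent of `docker logout <registry>` for every inline entry: drop the
    entries holding a secret, keep credHelpers/credsStore so helper-backed logins work."""
    cfg = json.loads(config_text)
    cfg["auths"] = {
        registry: entry
        for registry, entry in cfg.get("auths", {}).items()
        if not (entry or {}).get("auth")
    }
    return json.dumps(cfg, indent=2)


if __name__ == "__main__":
    for finding in audit_docker_config(SAMPLE_CONFIG):
        print(f"inline credential for {finding['registry']} (user {finding['username']})")
    print(scrub_inline_auths(SAMPLE_CONFIG))
```

Running the audit against the real file (~/.docker/config.json on a hosted runner, /github/home/.docker/config.json inside a container action) at the end of a job makes the warning actionable: any registry it lists is one that a later step in the same job could have read credentials for, and the fix is the logout step or a credential helper rather than suppressing the message.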
