docker / bake-action

GitHub Action to use Docker Buildx Bake as a high-level build command
https://github.com/marketplace/actions/docker-buildx-bake
Apache License 2.0

Unable to use merge commit hash in the source input #262

Open vivodi opened 6 days ago

vivodi commented 6 days ago

Description

Unable to use merge commit hash in the source input:

- uses: docker/bake-action@v5
  with:
    source: ${{ github.server_url }}/${{ github.repository }}.git#${{ github.event.pull_request.merge_commit_sha }}

This is equivalent to:

- uses: actions/checkout@v4
  with:
    ref: ${{ github.event.pull_request.merge_commit_sha }}
- uses: docker/bake-action@v5

docker/bake-action@v5 cannot find the merge commit, while actions/checkout@v4 can.

This bug prevents building a Docker image based on a merge commit in a pull_request_target event.

Expected behaviour

Image is successfully built based on merge commit.

Actual behaviour

docker/bake-action@v5 cannot find the merge commit, while actions/checkout@v4 can.

Parsing raw definition
  /usr/bin/docker buildx bake https://github.com/vivodi/docker-flexget.git#569a8e0674b0f11330577cddb340fbc67871e4f2 --file ./docker-bake.hcl --file cwd:///tmp/docker-metadata-action-bake.json --set *.tags= --set *.platform=linux/amd64 --set *.output=type=registry,name=***/flexget,push-by-digest=true --print image
  #0 building with "builder-fa364b82-62ea-463a-8441-ff9792a5355a" instance using docker-container driver

  #1 [internal] load git source https://github.com/vivodi/docker-flexget.git#569a8e0674b0f11330577cddb340fbc67871e4f2
  #1 0.020 Initialized empty Git repository in /var/lib/buildkit/runc-overlayfs/snapshots/snapshots/1/fs/
  #1 0.024 fatal: Not a valid object name 569a8e0674b0f11330577cddb340fbc67871e4f2^{commit}
  #1 0.353 From https://github.com/vivodi/docker-flexget
  #1 0.353  * [new branch]      dependabot/docker/python-3.13-alpine -> origin/dependabot/docker/python-3.13-alpine
  #1 0.353  * [new branch]      dependabot/pip/python-levenshtein-0.26.1 -> origin/dependabot/pip/python-levenshtein-0.26.1
  #1 0.353  * [new branch]      fix-workflow -> origin/fix-workflow
  #1 0.353  * [new branch]      main         -> origin/main
  #1 0.354  * [new branch]      main2        -> origin/main2
  #1 0.354  * [new branch]      readme       -> origin/readme
  #1 0.362 fatal: unable to read tree (569a8e0674b0f11330577cddb340fbc67871e4f2)
  #1 ERROR: failed to checkout remote https://github.com/vivodi/docker-flexget.git: git stderr:
  fatal: unable to read tree (569a8e0674b0f11330577cddb340fbc67871e4f2)
  : exit status 128
  ------
   > [internal] load git source https://github.com/vivodi/docker-flexget.git#569a8e0674b0f11330577cddb340fbc67871e4f2:
  0.020 Initialized empty Git repository in /var/lib/buildkit/runc-overlayfs/snapshots/snapshots/1/fs/
  0.024 fatal: Not a valid object name 569a8e0674b0f11330577cddb340fbc67871e4f2^{commit}
  0.353 From https://github.com/vivodi/docker-flexget
  0.353  * [new branch]      dependabot/docker/python-3.13-alpine -> origin/dependabot/docker/python-3.13-alpine
  0.353  * [new branch]      dependabot/pip/python-levenshtein-0.26.1 -> origin/dependabot/pip/python-levenshtein-0.26.1
  0.353  * [new branch]      fix-workflow -> origin/fix-workflow
  0.353  * [new branch]      main         -> origin/main
  0.354  * [new branch]      main2        -> origin/main2
  0.354  * [new branch]      readme       -> origin/readme
  0.362 fatal: unable to read tree (569a8e0674b0f11330577cddb340fbc67871e4f2)
  ------
  ERROR: failed to solve: failed to checkout remote https://github.com/vivodi/docker-flexget.git: git stderr:
  fatal: unable to read tree (569a8e0674b0f11330577cddb340fbc67871e4f2)
  : exit status 128
Error: cannot parse bake definitions: : exit status 128

YAML workflow

- uses: docker/bake-action@v5
  with:
    source: ${{ github.server_url }}/${{ github.repository }}.git#${{ github.event.pull_request.merge_commit_sha }}

crazy-max commented 6 days ago

I was looking at your last failed job in https://github.com/vivodi/docker-flexget/actions/runs/11629651174/job/32387025483#step:7:212

And it doesn't seem that commit 569a8e0674b0f11330577cddb340fbc67871e4f2 belongs to any branch on your repo, as also shown on GitHub: https://github.com/vivodi/docker-flexget/tree/569a8e0674b0f11330577cddb340fbc67871e4f2.

> on a merge commit

I don't think you can safely rely on the merge commit, as this is a reference created by GitHub to keep track of what would happen if a pull request was merged, and it could therefore not be part of the working tree.

> in a pull_request_target event.

Also, why do you want to rely on pull_request_target and not pull_request? FYI, pull_request_target runs in the context of the base of the pull request, rather than in the context of the merge commit as the pull_request event does, so it would not take any changes in your PR into account. Maybe that's why you need github.event.pull_request.merge_commit_sha, but I'm confused about the purpose of your workflow.

- uses: docker/bake-action@v5
  with:
    source: ${{ github.server_url }}/${{ github.repository }}.git#${{ github.event.pull_request.merge_commit_sha }}

Did you try with:

- uses: docker/bake-action@v5
  with:
    source: "{{defaultContext}}"

vivodi commented 6 days ago

pull_request_target can access secrets, while pull_request cannot.

I want to publish Docker images generated by PRs for testing, just by running docker pull vivodi/flexget:pr-<pr number>. To publish images I have to use pull_request_target instead of pull_request because the workflow needs access to secrets. (I save my Docker Hub password in repo secrets for publishing.)

For pull_request_target, {{defaultContext}} gets the context of the base of the pull request, so it doesn't satisfy my need as I need the context of the merge commit.

I think it's safe to rely on merge commits as pull_request runs in the context of the merge commit.

Most importantly,

- uses: actions/checkout@v4
  with:
    ref: ${{ github.event.pull_request.merge_commit_sha }}
- uses: docker/bake-action@v5

works, but

- uses: docker/bake-action@v5
  with:
    source: ${{ github.server_url }}/${{ github.repository }}.git#${{ github.event.pull_request.merge_commit_sha }}

doesn't work, so I believe it's a bug with docker/bake-action.

vivodi commented 6 days ago

Merge commits are indeed not part of the working tree, but pull_request uses them as context, so it is safe. actions/checkout can read them successfully, but docker/bake-action cannot, so I believe it's a bug with docker/bake-action.
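
Added illustration, not part of the thread and not code from docker/bake-action or BuildKit: the BuildKit log above lists only `[new branch]` refs before failing with "Not a valid object name". The script below reproduces that situation with plain git on constructed local repositories; `refs/pull/1/merge` is a hand-made stand-in for a ref outside `refs/heads/`, and `make_origin`, `probe` and `demo` are hypothetical helper names.

```shell
#!/bin/sh
# Constructed, offline reproduction: a commit that is reachable only from a
# ref outside refs/heads/ is not transferred by a branches-only fetch.

# Build an "origin" repository and print the id of a synthetic merge commit
# that is referenced only by refs/pull/1/merge (constructed ref name).
make_origin() {
  origin=$1
  git -c init.defaultBranch=main init -q "$origin" &&
  (
    cd "$origin" &&
    echo base > file && git add file &&
    git -c user.name=demo -c user.email=demo@example.invalid commit -q -m base &&
    tree=$(git rev-parse 'HEAD^{tree}') &&
    merge=$(git -c user.name=demo -c user.email=demo@example.invalid \
              commit-tree "$tree" -p HEAD -m "synthetic merge") &&
    git update-ref refs/pull/1/merge "$merge" &&  # no branch points here
    echo "$merge"
  )
}

# Fetch one refspec into a fresh repository, then report whether the commit
# object is present locally: prints "found" or "missing".
probe() {
  origin=$1 commit=$2 refspec=$3
  clone=$(mktemp -d) &&
  git init -q "$clone" &&
  git -C "$clone" fetch -q "$origin" "$refspec" &&
  if git -C "$clone" cat-file -e "$commit^{commit}" 2>/dev/null; then
    echo found
  else
    echo missing
  fi
}

demo() {
  work=$(mktemp -d) &&
  merge=$(make_origin "$work/origin") &&
  echo "branches only:     $(probe "$work/origin" "$merge" \
        '+refs/heads/*:refs/remotes/origin/*')" &&
  echo "refs/pull/1/merge: $(probe "$work/origin" "$merge" \
        '+refs/pull/1/merge:refs/remotes/origin/pr-1-merge')"
}

demo
```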