docker / build-push-action

GitHub Action to build and push Docker images with Buildx
https://github.com/marketplace/actions/build-and-push-docker-images
Apache License 2.0

Fail to export cache #1100

Closed machsix closed 5 months ago

machsix commented 5 months ago

Contributing guidelines

I've found a bug, and:

Description

I had an old repo at https://github.com/machsix/RSShub. I renamed it to https://github.com/machsix/RSShub-upstream and created a new one at https://github.com/machsix/RSShub. The GitHub Action starts to fail with the error:

#88 exporting to GitHub Actions Cache
#88 preparing build cache for export
#88 preparing build cache for export 99.0s done
#88 ERROR: Signing certificate with thumbprint 943DC3545AEC524FF3E4C1FC45CE22256D24C501 not found in store /etc/certificates. See https://aka.ms/actionsDbBackups for possible mitigation.
------
 > importing cache manifest from gha:7159216815194238616:
------
------
 > exporting to GitHub Actions Cache:
------
ERROR: failed to solve: Signing certificate with thumbprint 943DC3545AEC524FF3E4C1FC45CE22256D24C501 not found in store /etc/certificates. See https://aka.ms/actionsDbBackups for possible mitigation.
Error: buildx failed with: ERROR: failed to solve: Signing certificate with thumbprint 943DC3545AEC524FF3E4C1FC45CE22256D24C501 not found in store /etc/certificates. See https://aka.ms/actionsDbBackups for possible mitigation.

Expected behaviour

The cache is exported

Actual behaviour

The cache fails to be exported

Repository URL

https://github.com/machsix/RSShub

Workflow run URL

https://github.com/machsix/RSShub/actions/runs/8794907386/job/24135111195

YAML workflow

name: 'Docker Release'

on:
  push:
    paths:
      - 'lib/**'
      - '!lib/**/*.test.ts'
      - 'Dockerfile'
      - '.github/workflows/**'
  workflow_dispatch: {}

jobs:
  check-env:
    permissions:
      contents: none
    runs-on: ubuntu-latest
    timeout-minutes: 5
    outputs:
      check-docker: ${{ steps.check-docker.outputs.defined }}
    steps:
      - id: check-docker
        env:
          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
        if: ${{ env.DOCKER_USERNAME != '' }}
        run: echo "defined=true" >> $GITHUB_OUTPUT
  release:
    runs-on: ubuntu-latest
    needs: check-env
    if: needs.check-env.outputs.check-docker == 'true'
    timeout-minutes: 120
    permissions:
      packages: write
      contents: read
      id-token: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Install cosign
        if: github.event_name != 'pull_request'
        uses: sigstore/cosign-installer@v3

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Log in to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      - name: Log in to the Container registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Extract Docker metadata (ordinary version)
        id: meta-ordinary
        uses: docker/metadata-action@v5
        with:
          images: |
            ${{ secrets.DOCKER_USERNAME }}/rsshub
            ghcr.io/${{ github.repository }}
          tags: |
            type=raw,value=latest,enable=true
            type=raw,value={{date 'YYYY-MM-DD'}},enable=true
            type=sha,format=long,prefix=,enable=true
          flavor: latest=false

      - name: Build and push Docker image (ordinary version)
        id: build-and-push
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          tags: ${{ steps.meta-ordinary.outputs.tags }}
          labels: ${{ steps.meta-ordinary.outputs.labels }}
          platforms: linux/amd64,linux/arm/v7,linux/arm64
          cache-from: type=gha,scope=docker-release
          cache-to: type=gha,mode=max,scope=docker-release

      - name: Sign the published Docker image
        if: ${{ github.event_name != 'pull_request' }}
        env:
          COSIGN_EXPERIMENTAL: 'true'
        run: echo "${{ steps.meta-ordinary.outputs.tags }}" | xargs -I {} cosign sign --yes {}@${{ steps.build-and-push.outputs.digest }}

  description:
    runs-on: ubuntu-latest
    needs: check-env
    if: needs.check-env.outputs.check-docker == 'true'
    timeout-minutes: 5
    steps:
      - uses: actions/checkout@v4

      - name: Docker Hub Description
        uses: peter-evans/dockerhub-description@v4
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
          repository: ${{ secrets.DOCKER_USERNAME }}/rsshub

Workflow logs

9_Build and push Docker image (ordinary version).txt

BuildKit logs

Provided in the workflow log

Additional info

N/A

machsix commented 5 months ago

logs_23041637507.zip

Here is the workflow log.

machsix commented 5 months ago

https://github.com/actions/cache/issues/1384
https://github.com/actions/cache/issues/1383

It seems it's related to the GitHub server.

machsix commented 5 months ago

The server is back and the issue is gone.

aialok commented 5 months ago

> The server is back and the issue is gone.

I am still getting the same error. https://github.com/actions/cache/issues/1383

xdrago1 commented 5 months ago

I have the same error on a forked project. The upstream repo works, though. Why is that, and what can we do?

machsix commented 5 months ago

I believe it's a GitHub server issue. As a workaround, I defined the following job in my workflow so that if GitHub's cache is not reachable, cache-export and cache-from are kept empty for the build:

https://github.com/machsix/RSShub/blob/8a7741f1d868a02d887dab83028e952a918582c7/.github/workflows/docker-release.yml#L27C2-L57C27

  set-cache:
    runs-on: ubuntu-latest
    outputs:
      cache-from: ${{ steps.final.outputs.cache-from }}
      cache-to: ${{ steps.final.outputs.cache-to }}
    steps:
      - name: Initial check
        id: check-cache
        uses: actions/cache@v4
        with:
          path: /tmp/check-cache
          key: check-cache

      - name: Create dummy cache
        if: steps.check-cache.outputs.cache-hit != 'true'
        run: cat /proc/version > /tmp/check-cache

      - name: Save cache if necessary
        if: steps.check-cache.outputs.cache-hit != 'true'
        uses: actions/cache/save@v4
        with:
          path: /tmp/check-cache
          key: check-cache

      - name: Second check
        if: steps.check-cache.outputs.cache-hit != 'true'
        id: check-cache-again
        uses: actions/cache@v4
        with:
          path: /tmp/check-cache
          key: check-cache

      - name: Finalize cache status
        id: final
        run: |
          # Enable the gha cache only if one of the two probes got a hit.
          if [ "${{ steps.check-cache.outputs.cache-hit }}" = "true" ] || [ "${{ steps.check-cache-again.outputs.cache-hit }}" = "true" ]; then
            echo "cache-from=type=gha,scope=docker-release" >> "$GITHUB_OUTPUT"
            echo "cache-to=type=gha,mode=max,scope=docker-release" >> "$GITHUB_OUTPUT"
          else
            # Cache service unusable: leave both empty so the build runs uncached.
            echo "cache-from=" >> "$GITHUB_OUTPUT"
            echo "cache-to=" >> "$GITHUB_OUTPUT"
          fi
          rm -f /tmp/check-cache
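
The set-cache job above only produces outputs; the build job still has to consume them. The fragment below is an added example, not part of the thread or of machsix's repository, showing the keys of the release job from the issue that would change. The wiring (the needs list and the two needs.set-cache expressions) is an assumption based on the job and output names posted above.

```yaml
# Added example: wiring the release job to the set-cache probe.
# Only the keys that differ from the workflow in the issue are annotated.
jobs:
  release:
    runs-on: ubuntu-latest
    # Depend on the probe so its outputs are readable under needs.set-cache.
    needs: [check-env, set-cache]
    if: needs.check-env.outputs.check-docker == 'true'
    timeout-minutes: 120
    permissions:
      packages: write
      contents: read
      id-token: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      # QEMU, registry login and metadata steps stay as in the original workflow.

      - name: Build and push Docker image (ordinary version)
        id: build-and-push
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          tags: ${{ steps.meta-ordinary.outputs.tags }}
          labels: ${{ steps.meta-ordinary.outputs.labels }}
          platforms: linux/amd64,linux/arm/v7,linux/arm64
          # Both values are empty strings when the probe could not round-trip
          # a cache entry, so buildx neither imports nor exports a gha cache
          # and the export error from the issue cannot fail the build.
          cache-from: ${{ needs.set-cache.outputs.cache-from }}
          cache-to: ${{ needs.set-cache.outputs.cache-to }}
```

BuildKit's cache exporters also accept ignore-error=true in cache-to (for example type=gha,mode=max,scope=docker-release,ignore-error=true), which makes a failed cache export non-fatal without a separate probe job.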