The `labels:` property doesn't work for me with docker/build-push-action@v4

erikmd commented 1 year ago

Behaviour

I recently migrated from the very-old version v1 (with add_git_labels: true) to v4 (with these labels).

However, none of these 4 labels is added in the image:

https://hub.docker.com/r/ocamlsf/learn-ocaml/tags?page=1&name=master

2023-05-01_22-19-24_Screenshot_missing_labels

Configuration

Repository URL (if public): https://github.com/ocaml-sf/learn-ocaml
Build URL (if public): https://github.com/ocaml-sf/learn-ocaml/actions/runs/4852892261/jobs/8648443649 (see log at the bottom of this description)

# Note: you may want to update this file and deploy-tags.yml at once
name: Publish dev (Docker image of master)
on:
  push:
    branches:
      - master
  schedule:
    # deploy master every Saturday at 08:00 UTC
    - cron: '0 8 * * 6'
jobs:
  push_server:
    name: Push learn-ocaml image to Docker Hub
    if: ${{ github.repository == 'ocaml-sf/learn-ocaml' }}
    runs-on: ubuntu-latest
    steps:
      - name: Check out the repo
        uses: actions/checkout@v3
      - name: Set up Docker Buildx
        # cf. https://github.com/docker/buildx/blob/master/docs/reference/buildx_build.md#image
        # and https://docs.docker.com/engine/reference/commandline/buildx_create/#driver
        uses: docker/setup-buildx-action@v2
        with:
          driver: "docker"
      - name: Login to Docker Hub
        uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
      - name: Prepare
        id: prep
        run: |
          echo "::set-output name=created::$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
      - name: Push to Docker Hub
        # cf. https://github.com/docker/build-push-action#customizing
        # and https://github.com/docker/build-push-action/pull/119
        uses: docker/build-push-action@v4
        with:
          pull: true
          push: true
          tags: "ocamlsf/learn-ocaml:master"
          labels: |
            org.opencontainers.image.created=${{ steps.prep.outputs.created }}
            org.opencontainers.image.source=${{ github.repositoryUrl }}
            org.opencontainers.image.version=master
            org.opencontainers.image.revision=${{ github.sha }}
  push_client:
    name: Push learn-ocaml-client image to Docker Hub
    if: ${{ github.repository == 'ocaml-sf/learn-ocaml' }}
    runs-on: ubuntu-latest
    steps:
      - name: Check out the repo
        uses: actions/checkout@v3
      - name: Set up Docker Buildx
        # cf. https://github.com/docker/buildx/blob/master/docs/reference/buildx_build.md#image
        # and https://docs.docker.com/engine/reference/commandline/buildx_create/#driver
        uses: docker/setup-buildx-action@v2
        with:
          driver: "docker"
      - name: Login to Docker Hub
        uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
      - name: Prepare
        id: prep
        run: |
          echo "::set-output name=created::$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
      - name: Push to Docker Hub
        # cf. https://github.com/docker/build-push-action#customizing
        # and https://github.com/docker/build-push-action/pull/119
        uses: docker/build-push-action@v4
        with:
          pull: true
          # load: true # implied by "driver: docker"
          push: true
          target: client
          tags: "ocamlsf/learn-ocaml-client:master"
          labels: |
            org.opencontainers.image.created=${{ steps.prep.outputs.created }}
            org.opencontainers.image.source=${{ github.repositoryUrl }}
            org.opencontainers.image.version=master
            org.opencontainers.image.revision=${{ github.sha }}
  push_emacs_client:
    name: Push emacs-learn-ocaml-client image to Docker Hub
    if: ${{ github.repository == 'ocaml-sf/learn-ocaml' }}
    needs: push_client
    runs-on: ubuntu-latest
    steps:
      - name: Check out the repo
        uses: actions/checkout@v3
      - name: Set up Docker Buildx
        # cf. https://github.com/docker/buildx/blob/master/docs/reference/buildx_build.md#image
        # and https://docs.docker.com/engine/reference/commandline/buildx_create/#driver
        uses: docker/setup-buildx-action@v2
        with:
          driver: "docker"
      - name: Login to Docker Hub
        uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
      - name: Prepare
        id: prep
        run: |
          echo "::set-output name=created::$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
      - name: Push to Docker Hub
        # cf. https://github.com/docker/build-push-action#customizing
        # and https://github.com/docker/build-push-action/pull/119
        uses: docker/build-push-action@v4
        with:
          pull: false # because of the previous "load: true"
          push: true
          context: ci/docker-emacs-learn-ocaml-client
          build-args: |
            base=ocamlsf/learn-ocaml-client
            version=master
          tags: "ocamlsf/emacs-learn-ocaml-client:master"
          labels: |
            org.opencontainers.image.created=${{ steps.prep.outputs.created }}
            org.opencontainers.image.source=${{ github.repositoryUrl }}
            org.opencontainers.image.version=master
            org.opencontainers.image.revision=${{ github.sha }}

Logs

logs_2143.zip

crazy-max commented 1 year ago

Your image has the labels being set:

$ docker pull ocamlsf/learn-ocaml:master
$ docker image inspect --format='{{json .Config.Labels}}' ocamlsf/learn-ocaml:master | jq
{
  "org.opencontainers.image.created": "2023-05-06T08:01:04Z",
  "org.opencontainers.image.description": "learn-ocaml app manager",
  "org.opencontainers.image.revision": "1584a08636eb4ddb875a2b7051f78dbc94bec9b3",
  "org.opencontainers.image.source": "git://github.com/ocaml-sf/learn-ocaml.git",
  "org.opencontainers.image.title": "learn-ocaml",
  "org.opencontainers.image.url": "https://ocaml-sf.org/",
  "org.opencontainers.image.vendor": "The OCaml Software Foundation",
  "org.opencontainers.image.version": "master"
}

erikmd commented 1 year ago

Ah OK, thanks @crazy-max!

I got confused because the labels dynamically added by the GH action did not show up here:

https://hub.docker.com/layers/ocamlsf/learn-ocaml/master/images/sha256-622f164c057ce5f1963c56ceb230a3165378365238e3a683f5f399a2a99f4fd8?context=explore

From your viewpoint, is it "better" to:

remove the manual, static LABELs from the Dockerfile so that all labels are set by docker/build-push-action
remove the labels set by the docker/build-push-action and pass them instead as build ARGs, so that all labels have a corresponding line in the Docker Hub explorer etc.

?

At first sight, I'd lean towards 2. (because even if there is no actual bug, it happens the current situation is a bit confusing w.r.t. the principle of least surprise); WDYT?

crazy-max commented 1 year ago

I got confused because the labels dynamically added by the GH action did not show up here:

This is expected if they are being set as user input (label flag).

From your viewpoint, is it "better" to:

It depends. IMO labels should only be set as input (label flag) and not in your Dockerfile except if some labels are required for the operability of your container.

In your case I think it's only additional metadata at build time so should just be set as input. LABELs from your Dockerfile might make sense if they are useful to organize images, automation, etc... Also it's recommended to combine them to prevent extra layers:

LABEL org.opencontainers.image.title="learn-ocaml" \
      org.opencontainers.image.description="learn-ocaml app manager" \
      org.opencontainers.image.url="https://ocaml-sf.org/" \
      org.opencontainers.image.vendor="The OCaml Software Foundation"

erikmd commented 1 year ago

Great! thanks @crazy-max for your feedback 👍

So I think we can close the issue.

docker / build-push-action