docker / build-push-action

GitHub Action to build and push Docker images with Buildx
https://github.com/marketplace/actions/build-and-push-docker-images
Apache License 2.0

Error / Unauthorized when trying to leverage GitHub Actions cache #869

Closed pantelis-karamolegkos closed 1 year ago

pantelis-karamolegkos commented 1 year ago

Behaviour

I am trying to use GHA cache in docker build/push workflow.

Here is my set up:

name: Build and push images to registry

permissions:
  id-token: write
  contents: read

....

    - name: build and push
      uses: docker/build-push-action@v4
      with:
        context: ${{ inputs.context }}
        file: ${{ inputs.context }}/${{ inputs.dockerfile }}
        build-args: ${{ inputs.build_args }}
        cache-to: ${{ inputs.cache_to }}
        cache-from: ${{ inputs.cache_from }}

Why does this fail with:

#19 [auth] library/gha:pull,push token for registry-1.docker.io
#19 DONE 0.0s
------
 > importing cache manifest from gha:
------
------
 > exporting content cache:
------
ERROR: failed to solve: error writing layer blob: failed to authorize: failed to fetch oauth token: unexpected status: 401 Unauthorized
Error: buildx failed with: ERROR: failed to solve: error writing layer blob: failed to authorize: failed to fetch oauth token: unexpected status: 401 Unauthorized

Is there some additional action that needs to be taken? Why is it trying to communicate with registry-1.docker.io? Is it there where the caching takes place? (Will this make my layers public?)

The docs are extremely poor on the subject.

Configuration

name: Build and push images to registry

permissions:
  id-token: write
  contents: read

....

    - name: build and push
      uses: docker/build-push-action@v4
      with:
        context: ${{ inputs.context }}
        file: ${{ inputs.context }}/${{ inputs.dockerfile }}
        build-args: ${{ inputs.build_args }}
        cache-to: ${{ inputs.cache_to }}
        cache-from: ${{ inputs.cache_from }}

Logs

#19 [auth] library/gha:pull,push token for registry-1.docker.io
#19 DONE 0.0s
------
 > importing cache manifest from gha:
------
------
 > exporting content cache:
------
ERROR: failed to solve: error writing layer blob: failed to authorize: failed to fetch oauth token: unexpected status: 401 Unauthorized
Error: buildx failed with: ERROR: failed to solve: error writing layer blob: failed to authorize: failed to fetch oauth token: unexpected status: 401 Unauthorized

crazy-max commented 1 year ago

Would need logs of the build push action. Without build command and value of inputs hard to figure out what's going on.

Also what do you get in GitHub Actions runtime token ACs?:

pantelis-karamolegkos commented 1 year ago

Apologies, I had a typo in the workflow 🙏🏻. Closing this. Just if you could spare a minute to clarify the layers are kept private when working on a private repo (both in terms of GH and docker registry) - trying to be cautious in terms of security. Thanks in advance.