search

docker / build-push-action

GitHub Action to build and push Docker images with Buildx
https://github.com/marketplace/actions/build-and-push-docker-images
Apache License 2.0
4.24k stars 541 forks source link

Untagged images produced for multi platform builds #894

Closed daltonv closed 9 months ago

daltonv commented 1 year ago

Troubleshooting

Before submitting a bug report please read the Troubleshooting doc.

Behaviour

Multiplatform images produce untagged images for each platform built for

Steps to reproduce this issue

  1. Build a multiplatform image & push to ghcr
  2. Observe multiple images being posted like so image image

Expected behaviour

I would hope there is at least an option to tag each platforms image with special tag. In the example above perhaps pr-5-arm64 and pr-5-amd64

Actual behaviour

Multiple untagged images

Configuration

name: CI

on:
  push:
    tags:
        - 'v*.*.*'

  pull_request:

jobs:
  docker:
    runs-on: ubuntu-latest

    strategy:
      matrix:
          include:
            - image_name: ${{ github.repository }}-ci
              docker_target: ci
            - image_name: ${{ github.repository }}
              docker_target: developer

    permissions:
      contents: read
      packages: write

    env:
      REGISTRY: ghcr.io
      IMAGE_NAME: ${{ matrix.image_name }}

    steps:
      - uses: actions/checkout@v3

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v2

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2

      - name: Log in to the Container registry
        uses: docker/login-action@v2
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Extract metadata (tags, labels) for Docker
        id: meta
        uses: docker/metadata-action@v4
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          tags: |
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=ref,event=pr
            type=sha

      # Crazy thing needed to for the cache to work in the next step, as the
      # cache must be sent in lower case
      - name: downcase REPO
        run: |
          echo "REPO=${IMAGE_NAME,,}" >>${GITHUB_ENV}

      - name: Build and push Docker image
        uses: docker/build-push-action@v3
        with:
          context: .
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          target: ${{ matrix.docker_target }}
          provenance: false
          build-args: |
            JFROG_USER=${{ secrets.JFROG_USER }}
            JFROG_KEY=${{ secrets.JFROG_KEY }}
          cache-from: type=registry,ref=${{ env.REGISTRY }}/${{ env.REPO }}:latest
          cache-to: type=inline
          platforms: |
            linux/amd64
            linux/arm64
saadbahir commented 1 year ago

I have the same problem without using multi-platforms

I am pushing images to two separate registries, including Github registry

      - name: Build and push
        id: docker_build
        uses: docker/build-push-action@v4
        with:
          context: .
          file: ${{ env.DOCKERFILE }}
          platforms: linux/amd64
          push: true
          tags: |
            ${{ needs.prepare.outputs.image_fly }}${{ env.IMAGE_SUFFIX }}
            ${{ needs.prepare.outputs.image_github }}${{ env.IMAGE_SUFFIX }}

In github registry, I end up with the correct version for example image-repo-name:1.0.0 and two untagged versions

#12 exporting to image
#12 exporting layers
#12 exporting layers 17.8s done
#12 exporting manifest sha256:b1ee819a2e3d5896b86d8d87e242cee35566f20afbb527441c46f7b0d1480a06 0.0s done
#12 exporting config sha256:9d265a628e53ff77b40026a825fb59758f08eb9935ad42ab9bb95170fbdbf3a3
#12 exporting config sha256:9d265a628e53ff77b40026a825fb59758f08eb9935ad42ab9bb95170fbdbf3a3 done
#12 exporting attestation manifest sha256:8f6eb2770bfada4f266d37985611558f866d281d366cc659486975817d602296 done
#12 exporting manifest list sha256:7264527bd66a26218825ead8b63be68931267f02b45d2bc76a7a2c2943b0d4a1 done
#12 pushing layers
#12 ...

In this case for example, I get two other images with tags

b1ee819a2e3d5896b86d8d87e242cee35566f20afbb527441c46f7b0d1480a06

and 

8f6eb2770bfada4f266d37985611558f866d281d366cc659486975817d602296

Does anyone know what triggers this behavior?

simonwep commented 10 months ago

Are there any updates to this? I'm having the same problem...

mattkrick commented 10 months ago

Can you confirm that those aren't provenance attestations? Try adding this to your GH action & seeing if it solves the problem:

        with:
          provenance: false
TheoJammes commented 10 months ago

I confirm @mattkrick solutions fixed our issue and removed the untagged layers from the images 👍

daltonv commented 10 months ago

Can you confirm that those aren't provenance attestations?

Try adding this to your GH action & seeing if it solves the problem:


        with:

          provenance: false

So for me that is not the issue as I already have that setting as false in my action I posted a above. Although I do know with that setting on single platform builds I get the same result.

crazy-max commented 9 months ago

I would hope there is at least an option to tag each platforms image with special tag. In the example above perhaps pr-5-arm64 and pr-5-amd64

Why? This was true before when manifest list was not a thing but now tools like Buildx/BuildKit create a manifest list including manifest for each built platform if there are more than one like ghcr.io/crazy-max/undock:0.3.0: https://github.com/crazy-max/undock/pkgs/container/undock/17739760?tag=0.3.0

$ docker buildx imagetools inspect ghcr.io/crazy-max/undock:0.3.0
Name:      ghcr.io/crazy-max/undock:0.3.0
MediaType: application/vnd.docker.distribution.manifest.list.v2+json
Digest:    sha256:84e9ae779070e61c8ae866c0d5873baf1d4580774c61dc76ee3c35335519d2dd

Manifests:
  Name:      ghcr.io/crazy-max/undock:0.3.0@sha256:5fc3dac5677c54697a55f9ba35c423269d0f2e89b5417f647bc5b388eca606ef
  MediaType: application/vnd.docker.distribution.manifest.v2+json
  Platform:  linux/amd64

  Name:      ghcr.io/crazy-max/undock:0.3.0@sha256:f8fec216d1c2797da68a10a2587f4e8b8891a5731e2d7be28d1e21db45515574
  MediaType: application/vnd.docker.distribution.manifest.v2+json
  Platform:  linux/arm/v6

  Name:      ghcr.io/crazy-max/undock:0.3.0@sha256:eff8d18996daea3ccfc3803f7f5dc1c8ddc1cdb6fca69ff0bd2296e4c72511a9
  MediaType: application/vnd.docker.distribution.manifest.v2+json
  Platform:  linux/arm/v7

  Name:      ghcr.io/crazy-max/undock:0.3.0@sha256:6cdc61722906c4d73450b40767dd9f034a0731837249b45703803e650ae93796
  MediaType: application/vnd.docker.distribution.manifest.v2+json
  Platform:  linux/arm64

  Name:      ghcr.io/crazy-max/undock:0.3.0@sha256:3e2d1cc6995e0d17daa1bf69ae1c6b9ba974029de041fee6ae755203740ec72e
  MediaType: application/vnd.docker.distribution.manifest.v2+json
  Platform:  linux/ppc64le

  Name:      ghcr.io/crazy-max/undock:0.3.0@sha256:d37a61625ba5bd8f89e6eb46fce5641149ca8b7245b56f20b254d959f14257ad
  MediaType: application/vnd.docker.distribution.manifest.v2+json
  Platform:  linux/s390x

This way a user doesn't need to bother choosing a specific tag matching the platform. Then can just use this tag and the right image will be pulled based on the host specs.

More info: https://docs.docker.com/build/building/multi-platform/

daltonv commented 9 months ago

I want that so I can automatically delete all images associated with a tag. There currently is no way to do this in multi arch builds.

Tomer20 commented 9 months ago

Same issue here, and provenance: false does not solve the issue.