docker / build-push-action

GitHub Action to build and push Docker images with Buildx
https://github.com/marketplace/actions/build-and-push-docker-images
Apache License 2.0
4.24k stars 541 forks

Action fails to publish to GHCR and instead targets DockerHub. #911

Closed chainhead closed 1 year ago

chainhead commented 1 year ago

Troubleshooting

Before submitting a bug report please read the Troubleshooting doc.

Behaviour

I have a GH Action (see below) that is set up to build and publish a container image to ghcr.io. The env.REGISTRY is set to ghcr.io. Going by the example here, the following YAML should work because the tag ghcr.io/repo/project:tag is automatically generated by the meta step. However, rather than pushing to GHCR, the push is attempted for Docker Hub and fails.

      - id: login
        name: Log in to the Container registry
        uses: docker/login-action@v2
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - id: meta
        name: Extract metadata (tags, labels) for Docker
        uses: docker/metadata-action@v4
        with:
          images: ${{ env.REGISTRY }}/${{ github.repository }}
          tags: |
            type=ref,event=branch
            type=ref,event=pr
            # set latest tag for default branch
            type=raw,value=latest,enable={{is_default_branch}}

      - id: build-push-native-micro
        name: Build and push Docker image
        uses: docker/build-push-action@v4
        with:
          context: .
          file:  ./${{ env.DOCKERFILE_PATH }}/Dockerfile.${{ env.QUARKUS_MODE }}
          push: true
          tags: | 
            ${{ github.ref_name }}-${{ steps.commit.outputs.short }}
            ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}

Steps to reproduce this issue

  1. Run a GH Action file to publish to ghcr as shown below.
```yaml
      - id: login
        name: Log in to the Container registry
        uses: docker/login-action@v2
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - id: meta
        name: Extract metadata (tags, labels) for Docker
        uses: docker/metadata-action@v4
        with:
          images: ${{ env.REGISTRY }}/${{ github.repository }}
          tags: |
            type=ref,event=branch
            type=ref,event=pr
            # set latest tag for default branch
            type=raw,value=latest,enable={{is_default_branch}}

      - id: build-push-native-micro
        name: Build and push Docker image
        uses: docker/build-push-action@v4
        with:
          context: .
          file:  ./${{ env.DOCKERFILE_PATH }}/Dockerfile.${{ env.QUARKUS_MODE }}
          push: true
          tags: | 
            ${{ github.ref_name }}-${{ steps.commit.outputs.short }}
            ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
```

Expected behaviour

GH Action should push to ghcr.io

Actual behaviour

GH Action pushes to Docker Hub and fails.

Configuration

```yaml
      - id: login
        name: Log in to the Container registry
        uses: docker/login-action@v2
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - id: meta
        name: Extract metadata (tags, labels) for Docker
        uses: docker/metadata-action@v4
        with:
          images: ${{ env.REGISTRY }}/${{ github.repository }}
          tags: |
            type=ref,event=branch
            type=ref,event=pr
            # set latest tag for default branch
            type=raw,value=latest,enable={{is_default_branch}}

      - id: build-push-native-micro
        name: Build and push Docker image
        uses: docker/build-push-action@v4
        with:
          context: .
          file:  ./${{ env.DOCKERFILE_PATH }}/Dockerfile.${{ env.QUARKUS_MODE }}
          push: true
          tags: | 
            ${{ github.ref_name }}-${{ steps.commit.outputs.short }}
            ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
```

Logs

> Download the [log file of your build](https://docs.github.com/en/actions/managing-workflow-runs/using-workflow-run-logs#downloading-logs) and [attach it](https://docs.github.com/en/github/managing-your-work-on-github/file-attachments-on-issues-and-pull-requests) to this issue.

Relevant portion of log pasted here.

```bash
/usr/bin/docker buildx build --file ./src/main/docker/Dockerfile.native-micro --iidfile /tmp/docker-actions-toolkit-2J2WaA/iidfile --label org.opencontainers.image.created=2023-07-22T12:50:28.795Z --label org.opencontainers.image.description=Calculate alarm durations from raw data --label org.opencontainers.image.licenses= --label org.opencontainers.image.revision=5783df2eb38aa4b19ef820c2c344455d6ffd6f13 --label org.opencontainers.image.source=https://github.com/nsubrahm/alarms --label org.opencontainers.image.title=alarms --label org.opencontainers.image.url=https://github.com/nsubrahm/alarms --label org.opencontainers.image.version=v0.0.0 --provenance mode=min,inline-only=true,builder-id=https://github.com/nsubrahm/alarms/actions/runs/5630715191 --tag 5783df2 --tag ghcr.io/nsubrahm/alarms:v0.0.0 --metadata-file /tmp/docker-actions-toolkit-2J2WaA/metadata-file --push .

.... 

> exporting to image:
------
ERROR: failed to solve: failed to push 5783df2: failed to authorize: failed to fetch oauth token: unexpected status from GET request to https://auth.docker.io/token?scope=repository%3Alibrary%2F5783df2%3Apull%2Cpush&service=registry.docker.io: 401 Unauthorized
Error: buildx failed with: ERROR: failed to solve: failed to push 5783df2: failed to authorize: failed to fetch oauth token: unexpected status from GET request to https://auth.docker.io/token?scope=repository%3Alibrary%2F5783df2%3Apull%2Cpush&service=registry.docker.io: 401 Unauthorized
```

crazy-max commented 1 year ago

Linked to --tag 5783df2. You're trying to push the image named 5783df2 which looks wrong. Related to this line in your workflow:

${{ github.ref_name }}-${{ steps.commit.outputs.short }}

Can you post the logs of the name: Extract metadata (tags, labels) for Docker step please?

Also please post your full workflow. I don't know what is ${{ env.REGISTRY }}.

chainhead commented 1 year ago

I realised the mistake I made. I had two tags, one of which didn't have a registry. This defaulted to docker.io. My intention was to use the short commit hash as part of the tag, and so I should have concatenated the ghcr.io/nsubrahm/alarms:v0.00 and the hash.

This worked.

      - id: build-push-native-micro
        name: Build and push Docker image
        uses: docker/build-push-action@v4
        with:
          context: .
          file:  ./${{ env.DOCKERFILE_PATH }}/Dockerfile.${{ env.QUARKUS_MODE }}
          push: true
          tags: | 
            ${{ steps.meta.outputs.tags }}-${{ steps.commit.outputs.short }}
          labels: ${{ steps.meta.outputs.labels }}

crazy-max commented 1 year ago

Be careful, ${{ steps.meta.outputs.tags }} can be a multiline value. Please refer to the docs to know more about the tags input in the metadata action.
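
Both points from this exchange, as an added example that is not part of the thread or of the action's code: a simplified Python re-implementation of how the Docker CLI picks a registry for a reference (digest references are not handled), and what appending a suffix to a multi-line tags value produces. The function names are hypothetical; `5783df2` and `ghcr.io/nsubrahm/alarms:v0.0.0` come from the log above, and the two-line metadata output is constructed.

```python
from __future__ import annotations

DEFAULT_REGISTRY = "docker.io"

# Tags from the failing `docker buildx build` command in the log above.
LOGGED_TAGS = "5783df2\nghcr.io/nsubrahm/alarms:v0.0.0"
# Constructed: a two-line metadata-action output (branch tag plus latest).
META_TAGS = "ghcr.io/nsubrahm/alarms:main\nghcr.io/nsubrahm/alarms:latest"


def resolve(ref: str) -> tuple[str, str, str]:
    """Return (registry, repository, tag) for a reference without a digest."""
    name, tag = ref, "latest"
    # Only a ':' after the last '/' starts a tag; an earlier one is a port.
    if ":" in ref.rsplit("/", 1)[-1]:
        name, tag = ref.rsplit(":", 1)
    first, slash, rest = name.partition("/")
    # The first component is a registry only if it looks like a host name.
    if slash and ("." in first or ":" in first or first == "localhost"):
        return first, rest, tag
    # No registry given: Docker Hub, and single names live under library/.
    return DEFAULT_REGISTRY, name if slash else f"library/{name}", tag


def off_registry(tags_input: str, expected: str) -> list[str]:
    """List the entries of a newline-separated tags input not bound for `expected`."""
    refs = [line.strip() for line in tags_input.splitlines() if line.strip()]
    return [ref for ref in refs if resolve(ref)[0] != expected]


def concat_suffix(tags_input: str, suffix: str) -> str:
    """Mimic `${{ steps.meta.outputs.tags }}-<sha>`: one string concatenation."""
    return f"{tags_input}-{suffix}"


def suffix_each(tags_input: str, suffix: str) -> str:
    """Append the suffix to every tag line instead of only the last one."""
    return "\n".join(f"{t}-{suffix}" for t in tags_input.splitlines() if t.strip())


if __name__ == "__main__":
    print(resolve("5783df2"))  # the push target behind the 401 in the log
    print(off_registry(LOGGED_TAGS, "ghcr.io"))
    print(concat_suffix(META_TAGS, "5783df2").splitlines())
    print(suffix_each(META_TAGS, "5783df2").splitlines())
```

Run against the final tag list before the push step, a non-empty `off_registry` result is a reason to fail the job rather than let an image go to a registry nobody intended.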

chainhead commented 1 year ago

So, when raising a PR against main branch, the generated tag becomes latest-<commit_hash>. This will not do.

Here is my requirement.

  1. When I do a git push against a non-main branch, I want the image to be tagged as <branch_name>-<commit_hash>.
  2. When a PR is raised, then I want the image to be tagged as latest.

The following works for 1 above. However, for 2, the generated tag becomes latest-<commit_hash>. How do I resolve this?

      - id: meta
        name: Extract metadata (tags, labels) for Docker
        uses: docker/metadata-action@v4
        with:
          images: ${{ env.REGISTRY }}/${{ github.repository }}
          tags: |
            type=ref,event=branch
            type=ref,event=pr

      - id: build-push-native-micro
        name: Build and push Docker image
        uses: docker/build-push-action@v4
        with:
          context: .
          file:  ./${{ env.DOCKERFILE_PATH }}/Dockerfile.${{ env.QUARKUS_MODE }}
          push: true
          tags: | 
            ${{ steps.meta.outputs.tags }}-${{ steps.commit.outputs.short }}
          labels: ${{ steps.meta.outputs.labels }}

crazy-max commented 1 year ago

This is not related to the build-push action but the metadata action. Please open a discussion thread: https://github.com/docker/metadata-action/discussions