redhat-actions / buildah-build

GitHub Action to use 'buildah' to build a container image.
https://github.com/marketplace/actions/buildah-build
MIT License
136 stars 35 forks

[BUG] In multi-stage builds, incorrect `latest` tag pushed #129

Closed travier closed 9 months ago

travier commented 9 months ago

Version

redhat-actions/push-to-registry@v2

Describe the bug

Using this action with a multi-stage build and pushing to the latest tag, the wrong tag is pushed and the latest tag from the first-stage image is pushed instead.

Steps to reproduce, workflow links, screenshots

Containerfile:

```dockerfile
FROM docker.io/filebrowser/filebrowser:latest

# Keep container image for ~6 months
LABEL quay.expires-after=24w

# Run unprivileged
USER 2000:2000

# Disable healthchecks
HEALTHCHECK NONE
```

GitHub Action:

```yaml
name: "Build Filebrowser image"

env:
  IMAGE_NAME: "filebrowser"
  REGISTRY: "quay.io/travier"

on:
  pull_request:
    branches:
      - main
    paths:
      - filebrowser/*
      - .github/workflows/filebrowser.yml
  push:
    branches:
      - main
    paths:
      - filebrowser/*
      - .github/workflows/filebrowser.yml
  schedule:
    - cron:  '0 0 * * MON'

permissions: read-all

# Prevent multiple workflow runs from racing to ensure that pushes are made
# sequentially for the main branch. Also cancel in-progress workflow runs for
# pull requests only.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

jobs:
  build-push-image:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repo
        uses: actions/checkout@v4

      - name: Build container image
        uses: redhat-actions/buildah-build@v2
        with:
          context: ${{ env.IMAGE_NAME }}
          image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          tags: latest ${{ github.sha }}
          containerfiles: ${{ env.IMAGE_NAME }}/Containerfile
          layers: false
          oci: true

      - name: Push to Quay.io
        uses: redhat-actions/push-to-registry@v2
        if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main'
        with:
          username: ${{ secrets.BOT_USERNAME }}
          password: ${{ secrets.BOT_SECRET }}
          image: ${{ env.IMAGE_NAME }}
          registry: ${{ env.REGISTRY }}
          tags: latest ${{ github.sha }}
```

From https://github.com/travier/quay-containerfiles/commit/be393e6cb327d3ac621421523b1c1c7092a46087

travier commented 9 months ago

Job: https://github.com/travier/quay-containerfiles/actions/runs/6430376470/job/17462161445

It looks like the issue is that the image name is not fully qualified with the registry name when pushing.

travier commented 9 months ago

So this looks like an issue in https://github.com/redhat-actions/push-to-registry instead.

travier commented 9 months ago

OK, it appears that I needed to not fully qualify the image name in the build step instead: https://github.com/travier/quay-containerfiles/commit/637860497a26555986ec17d1859ba0db754b81ff
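
The resolution described in the last comment, sketched as an added example; it is not the content of the linked commits and not code from either action's repository. It builds under the unqualified name, feeds the push step from the build step's `image` and `tags` outputs so the two cannot drift apart, and fails the job before pushing if the local `latest` is not the image the Containerfile produces. The step id `build` and the "Verify image before push" step are assumptions introduced here, as is podman on the runner reading the same local image store that buildah wrote to.

```yaml
      - name: Build container image
        id: build   # assumed step id, referenced by the steps below
        uses: redhat-actions/buildah-build@v2
        with:
          context: ${{ env.IMAGE_NAME }}
          # Unqualified name: the same name the push step looks up locally
          image: ${{ env.IMAGE_NAME }}
          tags: latest ${{ github.sha }}
          containerfiles: ${{ env.IMAGE_NAME }}/Containerfile
          layers: false
          oci: true

      # Hypothetical guard step: the upstream base image is also tagged
      # `latest`, so confirm that the local `latest` carries the USER and
      # LABEL set in the Containerfile before anything is pushed.
      - name: Verify image before push
        env:
          IMAGE_REF: ${{ steps.build.outputs.image }}:latest
        run: |
          user="$(podman image inspect --format '{{ .Config.User }}' "$IMAGE_REF")"
          expiry="$(podman image inspect --format '{{ index .Config.Labels "quay.expires-after" }}' "$IMAGE_REF")"
          [ "$user" = "2000:2000" ] || { echo "unexpected USER: '$user'"; exit 1; }
          [ "$expiry" = "24w" ] || { echo "unexpected expiry label: '$expiry'"; exit 1; }

      - name: Push to Quay.io
        uses: redhat-actions/push-to-registry@v2
        if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main'
        with:
          username: ${{ secrets.BOT_USERNAME }}
          password: ${{ secrets.BOT_SECRET }}
          # Take name and tags from the build step instead of retyping them
          image: ${{ steps.build.outputs.image }}
          registry: ${{ env.REGISTRY }}
          tags: ${{ steps.build.outputs.tags }}
```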