search

redhat-actions / push-to-registry

GitHub Action to push a container image to an image registry.
https://github.com/marketplace/actions/push-to-registry
MIT License
100 stars 33 forks source link

[BUG] Remote images take precedence over localhost images #66

Open PhrozenByte opened 2 years ago

PhrozenByte commented 2 years ago

Version

redhat-actions/push-to-registry@v2 (pointing to redhat-actions/push-to-registry@v2.6)

Describe the bug

push-to-registry currently does not support manually specifying the local image to push to the registry (also see #58, suggesting a local input). It rather uses the (unqualified) image name as reference. This will cause issues when Podman's registry search path (i.e. Podman's default registries.conf) doesn't resolve the unqualified image name to the local storage, but a registry. push-to-registry might end up pushing the wrong image...

Steps to reproduce, workflow links, screenshots

See https://github.com/SGSGermany/debian/runs/6995305321?check_suite_focus=true#step:8:113

Here I'm building a base image for Debian-based containers. The source is docker.io/debian:bullseye (digest sha256:ea4b2132c62e73f34156f416e5e21247b58f5cb4ab23105071ca94472f78d02d) and the image built (digest sha256:9b831a98b2faed194c86234c8f4e9111eb38c44652530a40601b698056315453) is tagged with debian:bullseye (among others, e.g. debian:v11). I'm trying to push this image with all its tags to ghcr.io/sgsgermany/debian.

As you can see, push-to-registry pushes docker.io/debian:bullseye for the bullseye tag, and not the expected localhost/debian:bullseye (compare digests; digests of the pushed debian:bullseye and debian:v11 don't match, even though localhost/debian:bullseye and localhost/debian:v11 match).

push-to-registry should always use a fully-qualified image name for the local image (i.e. /usr/bin/podman push --quiet --digestfile debian-v11.3_digest.txt localhost/debian:bullseye ghcr.io/sgsgermany/debian:bullseye --tls-verify=true). Another solution might be to set CONTAINERS_REGISTRIES_CONF=/dev/null for podman push, but this needs verification.

PhrozenByte commented 1 year ago

Any updates on this? push-to-registry still pushes the wrong images.

There should at least be some warning that the image name is ambiguous and push-to-registry should perform some basic problem resolution. This doesn't necessarily mean to always choose the localhost image; another solution might be to choose the image matching the first given tag (just be careful not to re-introduce #57), and fail if the image matching the first given tag is not among the image alternatives; yet another solution is to add a local input to specify the local image to push manually.

Since this is open for about a year now, the workflow logs were deleted. Here's a new one: https://github.com/SGSGermany/debian/actions/runs/5062208592/jobs/9087436977#step:9:115

travier commented 1 year ago

I think I've had a similar issue in https://github.com/redhat-actions/buildah-build/issues/129, which I "solved" via https://github.com/travier/quay-containerfiles/commit/637860497a26555986ec17d1859ba0db754b81ff.