Build/Push fails if the tag name matches an existing tag in the registry
Contributing guidelines
- [X] I've read the contributing guidelines and wholeheartedly agree
I've found a bug, and:
- [X] The documentation does not mention anything about my problem
- [X] There are no open or closed issues that are related to my problem
Description
The build/push step fails if the tag name matches a tag currently in ECR.
Expected behaviour
Docker Build/Push shouldn't fail if the tags match since the image is pulled before it is pushed.
Actual behaviour
The push fails any time the tag matches a tag currently in ECR.
Repository URL
No response
Workflow run URL
No response
YAML workflow
- uses: docker/build-push-action@v5
  with:
    context: "xxxxx/"
    push: true
    pull: true
    tags: ${{ steps.login-ecr.outputs.registry }}/XXXXXXX:${{ hashFiles('xxxx/**') }}
    file: "xxxxx/docker/Dockerfile"
    cache-from: type=gha
    cache-to: type=gha,mode=max
    provenance: false
Workflow logs
pushing manifest for XXXXXX.dkr.ecr.us-west-2.amazonaws.com/XXXXXXXXXXX@sha256:XXXXXXXXXX
pushing manifest for XXXXXXXX.dkr.ecr.us-west-2.amazonaws.com/XXXXXX:XXXXXXXXXXXXX@sha256:XXXXXXX 0.7s done
ERROR: failed to push XXXXXXXX.dkr.ecr.us-west-2.amazonaws.com/XXXXX:XXXXXXXXXXXX: failed commit on ref "manifest-sha256:XXXXXXXXXXXX": unexpected status from PUT request to https://XXXXXXXXXX.dkr.ecr.us-west-2.amazonaws.com/v2/XXXXXX/manifests/XXXXXXXXXXXXXXX: 400 Bad Request
BuildKit logs
No response
Additional info
No response
Sounds like a registry configuration. Tag immutability is probably turned on for this repository: https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-tag-mutability.html
@crazy-max Right, the tag immutability is turned on. Should build-push-action be able to handle this case? Immutability is a commonly accepted practice, from a quick glance.
@krainboltgreene this started happening for us last week as well; we push to two repos at deployment for different environments. Both repos have tag immutability turned on, but pushing images with new tags started failing in to one repository. The other one worked, and continues to work fine. Tags are not duplicated within each repository.
Just hit this. We default our ECR repos to IMMUTABLE (agreed this is good practice). Ideally we wouldn't have to disable this to get caching working. Can there be an option to get build-push-action to delete any existing buildcache image before pushing the new one?
For what it's worth, our solution was to add a step prior to this that uses docker manifest image to see if the image at that name exists; if it fails, then that means the image doesn't exist and we can run the build.
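The pre-check described in the last comment, written out as an added example (not code from this thread or from build-push-action). It keeps tag immutability enabled and skips the build when the content-hash tag is already in the registry. The function names, the `DOCKER_BIN` override and the error phrases matched for a missing tag are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: decide whether to build while ECR tag immutability stays on.
# DOCKER_BIN is a hypothetical override so the check can be exercised offline.
DOCKER_BIN="${DOCKER_BIN:-docker}"

# tag_state IMAGE_REF -> prints "exists", "missing" or "error"
tag_state() {
  local ref="$1" err
  # Capture stderr only; the manifest JSON on stdout is not needed.
  if err="$("$DOCKER_BIN" manifest inspect "$ref" 2>&1 >/dev/null)"; then
    echo exists
    return 0
  fi
  # Assumption: a missing tag is reported with one of these phrases.
  # Any other failure (expired login, network error) is not proof of
  # absence, so it is reported as "error" instead of "missing".
  case "$err" in
    *"no such manifest"*|*"manifest unknown"*|*"not found"*) echo missing ;;
    *) echo error ;;
  esac
}

# decide_build IMAGE_REF -> prints true|false and appends build=<value> to
# $GITHUB_OUTPUT when set; returns non-zero if the registry state is unknown.
decide_build() {
  local ref="$1" state build
  state="$(tag_state "$ref")"
  case "$state" in
    exists)  build=false ;;  # immutable tag already pushed: skip build and push
    missing) build=true ;;
    *)       echo "cannot determine registry state for $ref" >&2; return 1 ;;
  esac
  echo "build=$build" >> "${GITHUB_OUTPUT:-/dev/null}"
  echo "$build"
}
```

Run `decide_build` with the full image reference in a step after the ECR login, then gate the build-push-action step on that step's `build` output being `true`.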