[英]Tagging and pushing Docker image changes digest
Pulling, tagging, and then pushing a Docker image we produce in a Github actions flow is causing a new image with a new digest to be pushed, rather than simply tagging the existing image.拉取、标记然后推送我们在 Github 操作流中生成的 Docker 图像会导致推送带有新摘要的新图像,而不是简单地标记现有图像。
First, we build the image using the newish v2 of the Docker build-push action ( https://github.com/docker/build-push-action )首先,我们使用 Docker build-push 操作的新 v2 构建映像( https://github.com/docker/build-push-action )
jobs:
build-push:
name: Build and push docker image
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Set up QEMU
uses: docker/setup-qemu-action@v1
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1
- name: Login to GCR
uses: docker/login-action@v1
with:
registry: gcr.io
username: _json_key
password: ${{ secrets.GOOGLE_APPLICATION_CREDENTIALS }}
- id: docker_build
uses: docker/build-push-action@v2
with:
tags: gcr.io/our-project/foo:initial-tag
push: true
target: build
build-args: |
NPM_TOKEN=${{ secrets.NPM_TOKEN }}
Then, in a separate workflow later we pull that image ( gcr.io/our-project/foo:initial-tag
) down and add new tags.然后,在稍后的单独工作流程中,我们将该图像 (
gcr.io/our-project/foo:initial-tag
) 拉下来并添加新标签。
jobs:
tag-image:
name: Tag image
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Login to GCR
uses: docker/login-action@v1
with:
registry: gcr.io
username: _json_key
password: ${{ secrets.GOOGLE_APPLICATION_CREDENTIALS }}
- run: |
docker pull gcr.io/our-project/foo:initial-tag
docker tag gcr.io/our-project/foo:initial-tag gcr.io/our-project/foo:new-tag
docker push gcr.io/our-project/foo:new-tag
After pushing up new-tag
, I would expect our registry to contain one image digest with the initial-tag
and new-tag
on it.在推送
new-tag
之后,我希望我们的注册表包含一个带有initial-tag
和new-tag
的图像摘要。 Instead, this creates a new image digest with just new-tag
on it.相反,这会创建一个新的图像摘要,上面只有
new-tag
。
Digest: sha256:abc123
Tags: gcr.io/our-project/foo:initial-tag
Digest: sha256:def456
Tags: gcr.io/our-project/foo:new-tag
In addition, if we now pull and add a tag (say latest
) to new-tag
, it will NOT create a new image digest此外,如果我们现在将标签(比如
latest
)添加到new-tag
,它不会创建新的图像摘要
Digest: sha256:abc123
Tags: gcr.io/our-project/foo:initial-tag
Digest: sha256:def456
Tags: gcr.io/our-project/foo:new-tag, gcr.io/our-project/foo:latest
As a workaround, we have found that pushing the image name without tags correctly assigns the tag to the existing digest.作为一种解决方法,我们发现推送不带标签的图像名称会正确地将标签分配给现有的摘要。
docker pull gcr.io/our-project/foo:initial-tag
docker tag gcr.io/our-project/foo:initial-tag gcr.io/our-project/foo:new-tag
docker push gcr.io/our-project/foo
crane cp
will copy images efficiently and retaining the digest value crane cp
将有效地复制图像并保留摘要值
https://github.com/google/go-containerregistry/blob/main/cmd/crane/doc/crane_copy.md https://github.com/google/go-containerregistry/blob/main/cmd/crane/doc/crane_copy.md
you can export docker image and push like this.您可以导出 docker 图像并像这样推送。 then docker image digest does not change whenever you tag more.
然后 docker 图像摘要不会在您标记更多时更改。
- name: build docker image
uses: docker/build-push-action@v3
with:
context: .
file: 'Dockerfile'
load: true
tags: |
${{ steps.tag-container-image.outputs.TAG_A }}
${{ steps.tag-container-image.outputs.TAG_B }}
${{ steps.tag-container-image.outputs.LATEST }}
- name: push docker image
run: |
docker push ${{ steps.tag-container-image.outputs.TAG_A }}
docker push ${{ steps.tag-container-image.outputs.TAG_B }}
docker push ${{ steps.tag-container-image.outputs.LATEST }}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.