build-push-action: Cannot push docker image to Google Artifact Registry

Hi,

I’ve got quite a simple workflow using build-push-action v2, but unfortunately I am unable to push the image successfully to Google Artifact Registry.

Here is the workflow:


name: CI

on:
  push:
    tags:
      - 'v*.*.*'

env:
  REGISTRY: europe-west4-docker.pkg.dev
  PROJECT_ID: xxx
  REPOSITORY_ID: appconfig

jobs:
  docker:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2

      - name: Prepare
        id: prepare
        run: |
          DOCKER_IMAGE="${REGISTRY}/${PROJECT_ID}/${REPOSITORY_ID}"
          VERSION=${GITHUB_REF#refs/tags/}
          TAGS="${DOCKER_IMAGE}:${VERSION}"
          if [[ $VERSION =~ ^v[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
            MINOR=${VERSION%.*}
            MAJOR=${MINOR%.*}
            TAGS="$TAGS,${DOCKER_IMAGE}:${MINOR},${DOCKER_IMAGE}:${MAJOR},${DOCKER_IMAGE}:latest"
          elif [ "${{ github.event_name }}" = "push" ]; then
            TAGS="$TAGS,${DOCKER_IMAGE}:sha-${GITHUB_SHA::8}"
          fi
          echo ::set-output name=version::${VERSION}
          echo ::set-output name=tags::${TAGS}
          echo ::set-output name=created::$(date -u +'%Y-%m-%dT%H:%M:%SZ')
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v1
        with:
          buildkitd-flags: --debug

      - name: Login to GCR
        uses: docker/login-action@v1
        with:
          registry: ${{ env.REGISTRY }}
          username: _json_key
          password: ${{ secrets.GCP_SA_KEY }}

      - name: Build and push
        id: docker-build
        uses: docker/build-push-action@v2
        with:
          context: .
          file: ./Dockerfile
          target: bin
          push: true
          tags: ${{ steps.prepare.outputs.tags }}

It is failing with:

#10 pushing layers
#10 pushing layers 3.2s done
#10 pushing manifest for europe-west4-docker.pkg.dev/xxx/appconfig:v0.1.0
#10 pushing manifest for europe-west4-docker.pkg.dev/xxx/appconfig:v0.1.0 0.4s done
#10 ERROR: failed commit on ref "manifest-sha256:39c07bc2a80624b0ae6bb3c7a616b31a4ea846f8d679aca8835702328c57dccb": unexpected status: 400 Bad Request
------
 > exporting to image:
------
failed to solve: rpc error: code = Unknown desc = failed commit on ref "manifest-sha256:39c07bc2a80624b0ae6bb3c7a616b31a4ea846f8d679aca8835702328c57dccb": unexpected status: 400 Bad Request

I tried to debug it using a troubleshooting note, but it seems that ctr accepts only docker login and password, but not GCP’s service account JSON file.

Here is a full log of workflow: 1_docker.txt.zip

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 18 (8 by maintainers)

Most upvoted comments

@jacek-jablonski I believe you need a third path component:

europe-west4-docker.pkg.dev/xxx/node:14.13.1-2

e.g. europe-west4-docker.pkg.dev/xxx/something-else/node:14.13.1-2

For anyone coming along in 2022+ looking to get this working in Google Artifact Registry, here’s one that will work if you have the appropriate secrets defined (GCP_PROJECT_ID for your Google Cloud project ID and GCP_SA_KEY with the base64-encoded service account JSON):

name: CI

on:
  push:
    branches:
      - main
  pull_request:

env:
  # Google Artifact Registry host
  REGISTRY: us-docker.pkg.dev
  REGISTRY_PATH: ${{ secrets.GCP_PROJECT_ID }}/YOUR_GAR_REGISTRY_NAME
  GCP_REGION: us-central1
  SERVICE_NAME: YOUR_SERVICE_NAME

jobs:
  build:

    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
      # This is used to complete the identity challenge
      # with sigstore/fulcio when running outside of PRs.
      id-token: write

    steps:
      - name: Checkout repository
        uses: actions/checkout@v2

      - name: Setup Docker buildx
        uses: docker/setup-buildx-action@v1

      # Login against a Docker registry except on PR
      - name: Log into registry Google Artifact Registry
        if: github.event_name != 'pull_request'
        uses: docker/login-action@v1
        with:
          registry: ${{ env.REGISTRY }}
          username: _json_key_base64
          password: ${{ secrets.GCP_SA_KEY }}

      # Extract metadata (tags, labels) for Docker
      # https://github.com/docker/metadata-action
      - name: Extract Docker metadata
        id: meta
        uses: docker/metadata-action@v3
        with:
          images: ${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/${{ env.SERVICE_NAME }}

      # Build and push Docker image with Buildx (don't push on PR)
      # https://github.com/docker/build-push-action
      - name: Build and push Docker image
        id: build-and-push
        uses: docker/build-push-action@v2
        with:
          context: .
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}

@crazy-max I can confirm that it was due to missing repository_id from the path. After adding a new segment, everything works as expected.
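
The missing path component identified in this thread can be caught in the workflow before the push step runs. The following is an added example, not part of the original thread or of any Docker action: a POSIX shell check that each tag follows LOCATION-docker.pkg.dev/PROJECT/REPOSITORY/IMAGE. The function names `check_gar_ref` and `check_gar_tags` are assumptions made for this example.

```sh
# Added example: pre-flight check for Artifact Registry image references.
# Expected shape: LOCATION-docker.pkg.dev/PROJECT/REPOSITORY/IMAGE[:TAG]
# check_gar_ref REF: 0 if REF has at least project, repository and image
# components (or is not an Artifact Registry reference); otherwise 1.
check_gar_ref() {
  ref="$1"
  host="${ref%%/*}"
  case "$host" in
    *-docker.pkg.dev) ;;
    *) return 0 ;;                 # other registries are out of scope here
  esac
  case "$ref" in
    */*) path="${ref#*/}" ;;
    *)   path="" ;;
  esac
  name="${path%%@*}"               # drop an @sha256:... digest, if present
  name="${name%%:*}"               # drop the :tag (host is already removed)
  case "/$name/" in
    *//*) echo "malformed reference: $ref" >&2; return 1 ;;
  esac
  n=0; rest="$name"                # count '/'-separated components
  while [ -n "$rest" ]; do
    n=$((n + 1))
    case "$rest" in
      */*) rest="${rest#*/}" ;;
      *)   rest="" ;;
    esac
  done
  if [ "$n" -lt 3 ]; then
    echo "$ref: $n path components, want PROJECT/REPOSITORY/IMAGE" >&2
    return 1
  fi
}
# check_gar_tags "REF1,REF2,...": checks a comma-separated tag list such as
# the one the Prepare step builds; returns 1 if any reference fails.
check_gar_tags() {
  bad=0; list="$1"
  while [ -n "$list" ]; do
    check_gar_ref "${list%%,*}" || bad=1
    case "$list" in
      *,*) list="${list#*,}" ;;
      *)   list="" ;;
    esac
  done
  return "$bad"
}
# Constructed sample: the tag from the failing run on this page.
check_gar_tags "europe-west4-docker.pkg.dev/xxx/appconfig:v0.1.0" ||
  echo "refusing to push: fix the image path first" >&2
```

Called at the end of the Prepare step with `check_gar_tags "$TAGS" || exit 1`, it stops the job before any layers are uploaded.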

@jacek-jablonski

Looks like the same issue as docker/setup-buildx-action#29. Can you try my suggestion?

cc. @tonistiigi