build-push-action: Not worked with ECR actions

I haven’t been able to get this to work for me. I’m trying to use ECR as the cache repo of my multi-stage docker build. I’m not doing a push to the repo in this step, that happens later (…although I could change that if it makes it easier). I’ve been trying to use snippets from this thread as a guide but with no luck. I tried the following:

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v1

      - name: Docker build using docker build layer cacheing
        uses: docker/build-push-action@v2
        env:
          DOCKER_BUILDKIT: 1
        with:
          registry: ${{ steps.login-ecr.outputs.registry }}
          repository: ${{ steps.login-ecr.outputs.registry }}/myproject-frontend
          context: .
          push: false
          build-args: |
            BUILD_APP_VERSION=${{ env.RELEASE_VERSION }}
          tags: |
            myproject-frontend:latest
            myproject-frontend:${{ env.RELEASE_VERSION }}
          cache-from: type=registry,ref=myproject-frontend:buildcache
          cache-to: type=registry,ref=myproject-frontend:buildcache,mode=max

This gave me the error Unexpected input(s) 'registry', 'repository', valid inputs are [<lotsofthings>] and ultimately a 401: authorization failed error.

Going by the error and since I couldn’t find mention of the registry or repository in the documentation for the docker/build-push-action@v2 action, I removed those inputs and tried moving them to the cache-to/from parameters instead, like so:

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v1

      - name: Docker build using docker build layer cacheing
        uses: docker/build-push-action@v2
        env:
          DOCKER_BUILDKIT: 1
        with:
          context: .
          push: false
          build-args: |
            BUILD_APP_VERSION=${{ env.RELEASE_VERSION }}
          tags: |
            myproject-frontend:latest
            myproject-frontend:${{ env.RELEASE_VERSION }}
          cache-from: type=registry,ref=${{ steps.login-ecr.outputs.registry }}/myproject-frontend:buildcache
          cache-to: type=registry,ref=${{ steps.login-ecr.outputs.registry }}/myproject-frontend:buildcache,mode=max

This gave me a 400 bad request error: buildx failed with: error: failed to solve: error writing manifest blob: failed commit on ref "sha256:66ce855480d97b26457d6639cd3542ee6d8b0959e81d372111829f3aedd31a6e": unexpected status: 400 Bad Request

I’ve not been able to find any other documentation/examples of how to use ECR for the build cache. Can someone point me to where I’m going wrong?

It’s my temporary solution.

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v1
      - name: Get ECR password (temporary)
        id: get-ecr-password
        run: echo "::set-output name=password::$(aws ecr get-login-password)"
      - name: Build & Push image
        uses: docker/build-push-action@v1
        with:
          registry: ${{ steps.login-ecr.outputs.registry }}
          repository: ${{ secrets.REGISTRY }}
          username: AWS  # temporary
          password: ${{ steps.get-ecr-password.outputs.password }}  # temporary
          add_git_labels: true
          tag_with_ref: true

@Surgo

        with:
          registry: ${{ steps.login-ecr.outputs.registry }}
          repository: ${{ steps.login-ecr.outputs.registry }}/${{ secrets.REGISTRY }}
          add_git_labels: true
          tag_with_ref: true

Be careful, inputs have changed in v2. See Usage section and also this workflow as an example.

Works fine for me

Great!

+1 on the issue - I’m having an analogous problem with digitalocean’s container registry: this configuration doesn’t work (nor variants with dummy credentials do):

jobs:
  build-publish-deploy:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
    - name: Install doctl
      uses: digitalocean/action-doctl@v2
      with:
        token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
    - name: login to registry
      run: doctl registry login
    - name: Push
      uses: docker/build-push-action@v1
      with:
        repository: my/test-registry
        registry: registry.digitalocean.com
        tag_with_ref: true
        tag_with_sha: true
        add_git_labels: true

login succeeds in its own step, then build-push-action doesn’t pick up the existing login. while, analogous to suggested workarounds, this works:

jobs:
  build-publish-deploy:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
    - name: Install doctl
      uses: digitalocean/action-doctl@v2
      with:
        token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
    - name: login to registry
      id: do-registry
      run: "echo \"::set-output name=password::$(doctl registry docker-config --read-write --expiry-seconds 3600 | jq -r '.auths[\"registry.digitalocean.com\"].auth' | base64 -d | cut -d: -f 1)\""
    - name: is jq even here
      run: echo '{"a":1}' | jq .
    - name: Push
      uses: docker/build-push-action@v1
      with:
        repository: my/test-registry
        registry: registry.digitalocean.com
        username: ${{ steps.do-registry.outputs.password }}
        password: ${{ steps.do-registry.outputs.password }}
        tag_with_ref: true
        tag_with_sha: true
        add_git_labels: true

yes, this has nothing do to with ECR - but to me it looks like the same underlying problem of not picking up existing logins. (ofc please lmk if I’m completely mistaken and this is out of place in this issue)

A full example with ECR would be great! I’ve tried both:

- name: Login to ECR
   uses: docker/login-action@v1
   with:
          registry: 000000000000.dkr.ecr.nn-nnnn-1.amazonaws.com
          username: ${{ secrets.AWS_ACCESS_KEY_ID }}
          password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

- name: Set up Docker Buildx
   uses: docker/setup-buildx-action@v1

- name: Cache Docker layers
   uses: actions/cache@v2
   with:
          path: /tmp/.buildx-cache
          key: ${{ runner.os }}-buildx-${{ github.sha }}
          restore-keys: |
            ${{ runner.os }}-buildx-

- name: Build & Push image
   uses: docker/build-push-action@v2
   env:
          DOCKER_BUILDKIT: 1
   with:
          context: .
          file: ./Dockerfile
          push: true
          cache-from: type=local,src=/tmp/.buildx-cache
          cache-to: type=local,dest=/tmp/.buildx-cache
          tags: |
            repo:${{ github.sha }}
            repo:latest

and

- name: Build & Push image
   uses: docker/build-push-action@v2
   env:
          DOCKER_BUILDKIT: 1
   with:
          context: .
          file: ./Dockerfile
          push: true
          cache-from: type=local,src=/tmp/.buildx-cache
          cache-to: type=local,dest=/tmp/.buildx-cache
          tags: |
            000000000000.dkr.ecr.nn-nnnn-1.amazonaws.com/repo:${{ github.sha }}
            000000000000.dkr.ecr.nn-nnnn-1.amazonaws.com/repo:latest

First gave me a 401 Unauthorized and the second gave me insufficient_scope: authorization failed at the end of the docker image building (all layers completed).

v2 released 🎉

@Surgo You should be able to use the ECR action with our future build-push-action v2 (#92). Can you try it? You can also use the login-action which works perfectly for ECR (both for AWS CLI v1 and v2 on the ubuntu-20.04 GitHub runner).

Here’s a slightly improved version of the workaround. It fixes:

• Avoid possible leaks of the key
• Fails the step if the login fails

- name: Login to ECR
  env:
    AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
    AWS_REGION: ${{ secrets.AWS_REGION }}
    AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
    AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
  id: get-ecr-password
  run: |
    aws ecr get-login-password \
    | {
      read PASSWORD
      echo "::add-mask::$PASSWORD"
      echo "::set-output name=password::$PASSWORD"
    }