Use docker actions for buildx caching and secure login #43
Merged
baelter merged 7 commits into heroku-container-workflow from Mar 11, 2026
Conversation

dentarg (Contributor) commented Mar 11, 2026:
Replace raw docker login with docker/login-action for secure secret handling, add docker/setup-buildx-action for BuildKit with GHA layer caching, and switch to docker buildx build --push with cache flags. Removes the standalone --target build warmup step since the GHA cache handles shared layer reuse across targets.
Single docker buildx build with multiple -t flags instead of building per target. Rename targets input to process-types to reflect what they actually are (Heroku process types, not Dockerfile targets).
Construct build-args as a multiline step output instead of mixing expressions with YAML block scalars. Add context: . to use the local checkout instead of git context.
Compare: 0d97cb9 to 9276d6a
Heroku's container registry doesn't support OCI manifest lists that buildx creates when provenance attestations are enabled.
baelter approved these changes Mar 11, 2026
dentarg (Contributor, Author) commented:
@baelter I am actively (well, I have to go very soon) testing this :) I haven't gotten a successful deploy yet
baelter pushed a commit that referenced this pull request, Mar 17, 2026:
* Use docker actions for buildx caching and secure login
  Replace raw docker login with docker/login-action for secure secret handling, add docker/setup-buildx-action for BuildKit with GHA layer caching, and switch to docker buildx build --push with cache flags. Removes the standalone --target build warmup step since the GHA cache handles shared layer reuse across targets.
* Build once and push to all process types
  Single docker buildx build with multiple -t flags instead of building per target. Rename targets input to process-types to reflect what they actually are (Heroku process types, not Dockerfile targets).
* Pass RUBY_VERSION build arg from .ruby-version file if present
* Bump actions so Node.js 24 is used
  https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/
* Use docker/build-push-action instead of shell docker buildx build
* Fix build-args passing and add context to build-push-action
  Construct build-args as a multiline step output instead of mixing expressions with YAML block scalars. Add context: . to use the local checkout instead of git context.
* Disable provenance attestation for Heroku registry compatibility
  Heroku's container registry doesn't support OCI manifest lists that buildx creates when provenance attestations are enabled.
baelter added a commit that referenced this pull request, Mar 17, 2026:
* Add shared workflow for Heroku container deploys
  Builds Docker images in CI and pushes to Heroku's container registry. Companion to heroku.yml (git-push) for repos using container stack.
  Inputs: heroku-app, branch, targets (Dockerfile build targets)
  Secrets: heroku-key, build-args (for private dependency auth)
* Use docker actions for buildx caching and secure login (#43)
  * Use docker actions for buildx caching and secure login
    Replace raw docker login with docker/login-action for secure secret handling, add docker/setup-buildx-action for BuildKit with GHA layer caching, and switch to docker buildx build --push with cache flags. Removes the standalone --target build warmup step since the GHA cache handles shared layer reuse across targets.
  * Build once and push to all process types
    Single docker buildx build with multiple -t flags instead of building per target. Rename targets input to process-types to reflect what they actually are (Heroku process types, not Dockerfile targets).
  * Pass RUBY_VERSION build arg from .ruby-version file if present
  * Bump actions so Node.js 24 is used
    https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/
  * Use docker/build-push-action instead of shell docker buildx build
  * Fix build-args passing and add context to build-push-action
    Construct build-args as a multiline step output instead of mixing expressions with YAML block scalars. Add context: . to use the local checkout instead of git context.
  * Disable provenance attestation for Heroku registry compatibility
    Heroku's container registry doesn't support OCI manifest lists that buildx creates when provenance attestations are enabled.
  * Build per process type to get correct CMD per image
    Single-build-multiple-tag pushed the same image (same CMD) to all process types, causing e.g. worker to start Puma instead of its own command. Build with --target per process type so each image gets the CMD from its Dockerfile stage.
* Remove Ruby-specific RUBY_VERSION logic from shared workflow
  The shared workflow should be language-agnostic. Repos that need RUBY_VERSION can pass it via build-args in their own deploy workflow.
* Add standalone deploy script for when GitHub Actions is unavailable
  Same build logic as the workflow but without GHA-specific bits (layer caching, login-action). Run from a developer machine with docker, heroku CLI, and HEROKU_API_KEY.
* Auto-detect .*-version files as build args
  Scans for .*-version files (e.g. .ruby-version, .node-version) after checkout and passes them as --build-arg flags. This lets Dockerfiles use ARG RUBY_VERSION (or similar) without callers having to explicitly pass the version.
* Harden workflow security and fix shell quoting
  - Pin actions to SHA hashes (checkout, login-action, setup-buildx)
  - Fix template injection: move inputs/context to env vars
  - Use jq --arg for safe JSON construction
  - Convert build_arg_flags from string to bash array
  - Map cancelled job status to error for deployment API
  - Guard deployment status step on DEPLOYMENT_ID existence
  - Add persist-credentials: false to checkout
  ---------
  Co-authored-by: Patrik Ragnarsson <patrik@starkast.net>
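The following reusable workflow is an added illustration of the pattern these commits describe (login-action instead of a shell `docker login`, buildx with GHA layer caching, per-process-type `--target`, `.*-version` files turned into a multiline `build-args` output, inputs reaching `run:` only through `env:`, `persist-credentials: false`, `provenance: false`); it is not the repository's own workflow. It assumes Heroku's registry accepts `_` as username with the API key as password and image names of the form registry.heroku.com/<app>/<process-type>, uses a single `process-type` input rather than the page's `process-types`, omits the release step, and uses an obvious placeholder where the commit SHA pin would go.

```yaml
name: heroku-container-deploy (added example)
on:
  workflow_call:
    inputs:
      heroku-app:   { required: true, type: string }
      process-type: { required: true, type: string }   # e.g. web, worker
    secrets:
      heroku-key:   { required: true }

jobs:
  build-push:
    runs-on: ubuntu-latest
    env:
      # Inputs reach shell steps only as env vars, never as ${{ }} inside run:,
      # so a crafted input value cannot be spliced into the script text.
      HEROKU_APP: ${{ inputs.heroku-app }}
      PROCESS_TYPE: ${{ inputs.process-type }}
    steps:
      - uses: actions/checkout@PIN_TO_AUDITED_COMMIT_SHA   # placeholder, not a real ref
        with:
          persist-credentials: false   # keep GITHUB_TOKEN out of .git/config for later steps
      - name: Turn .*-version files into build args (multiline step output)
        id: args
        run: |
          {
            echo "build-args<<EOF"
            for f in .*-version; do
              [ -f "$f" ] || continue
              name=${f#.}; name=${name%-version}; name=${name^^}_VERSION   # .ruby-version -> RUBY_VERSION
              echo "${name}=$(tr -d '[:space:]' < "$f")"
            done
            echo "EOF"
          } >> "$GITHUB_OUTPUT"
      - uses: docker/login-action@PIN_TO_AUDITED_COMMIT_SHA   # placeholder
        with:
          registry: registry.heroku.com
          username: _                              # assumption: Heroku's fixed registry username
          password: ${{ secrets.heroku-key }}      # passed to the action, never echoed through a shell
      - uses: docker/setup-buildx-action@PIN_TO_AUDITED_COMMIT_SHA   # placeholder
      - uses: docker/build-push-action@PIN_TO_AUDITED_COMMIT_SHA     # placeholder
        with:
          context: .                                # local checkout, not git context
          target: ${{ inputs.process-type }}        # one build per process type => correct CMD
          push: true
          tags: registry.heroku.com/${{ inputs.heroku-app }}/${{ inputs.process-type }}
          build-args: ${{ steps.args.outputs.build-args }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          provenance: false   # attestations yield an OCI manifest list Heroku's registry rejects
```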