Merged
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -59,3 +59,4 @@ Before setting up build workflows, note the following:
- If your project needs different images for dev and prod (e.g. statically replaced variables, build-time validation that requires environment-specific values), use a [matrix strategy](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/running-variations-of-jobs-in-a-workflow) so dev and prod builds run in parallel.
- If you have a **monorepo**, use separate jobs per image so they build concurrently on tag push.
- **Validate your Dockerfile layer caching.** Check each layer for cache-busting pitfalls: changing commit SHAs baked into build args, rotating secrets passed as build args instead of `--mount=type=secret`, non-deterministic package installs (missing lockfiles), timestamps in generated files, and `COPY . .` placed before dependency installation layers.
- **Only enable `push-cache` for images you intend to push to ECR.** The build action reads from the registry cache by default, but only writes back to it when `push-cache: "true"` is set. Enable this on builds that will be pushed so the cache stays up to date; leave it off for local-only or throwaway builds to avoid polluting the cache.
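Review bot: the new `push-cache` bullet should state the default and the behaviour change for existing callers. `push-cache` defaults to `"false"` in the action, so workflows that relied on the action always writing `cache-to` will silently stop refreshing the registry cache until they add `push-cache: "true"`; a sentence such as "this is opt-in; previously the cache was always pushed" belongs here. The monorepo bullet above still says images "build concurrently on tag push", but the action now derives the image tag from the commit SHA rather than the git ref, so that wording and the tag-based workflow examples should be reconciled in the same change.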
18 changes: 6 additions & 12 deletions build/action.yml
Expand Up @@ -30,14 +30,13 @@ inputs:
description: "Newline-separated list of Docker build secrets (id=value)"
required: false
default: ""
image-tag:
description: "Image tag override (defaults to tag from git ref)"
push-cache:
description: "Push layer cache to registry (set to 'true' to enable)"
required: false
default: ""

default: "false"
outputs:
image-tag:
description: "Resolved image tag"
description: "Resolved image tag (first 6 chars of commit SHA)"
value: ${{ steps.resolve-tag.outputs.image-tag }}

runs:
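Review bot: dropping the `image-tag` input is a breaking change for every caller that passed an override, and nothing in the hunk deprecates it or errors on the stale input (composite actions ignore unknown `with:` keys, so callers get a different tag than they asked for without warning). Either keep `image-tag` as an optional override that wins over the SHA default, or bump the action's major version and call the removal out. On the output, `description: "Resolved image tag (first 6 chars of commit SHA)"` documents a 6-hex-character tag; that is shorter than git's default 7-character abbreviation and makes two commits sharing a prefix overwrite each other's image, so consider documenting a longer prefix. `push-cache` should also say that only the literal string `true` enables pushing, since the expression below compares with `== 'true'`.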
Expand All @@ -47,12 +46,7 @@ runs:
id: resolve-tag
shell: bash
run: |
if [[ -n "${{ inputs.image-tag }}" ]]; then
IMAGE_TAG="${{ inputs.image-tag }}"
else
TAG_NAME=${GITHUB_REF##*/}
IMAGE_TAG=$(echo $TAG_NAME | sed 's/^v//')
fi
IMAGE_TAG="${GITHUB_SHA:0:6}"
echo "IMAGE_TAG=$IMAGE_TAG" >> $GITHUB_ENV
echo "image-tag=$IMAGE_TAG" >> $GITHUB_OUTPUT

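Review bot: `IMAGE_TAG="${GITHUB_SHA:0:6}"` makes image tags mutable in practice: 24 bits of SHA is small enough that prefix collisions within a busy repository are realistic, and the later push will replace the earlier image under the same tag in ECR. Use a longer prefix (`${GITHUB_SHA:0:12}`) or the full SHA, or push the full SHA as an additional tag. Two further points worth a comment in the step: on `pull_request` events `GITHUB_SHA` is the synthetic merge commit, not the PR head, so the tag will not match the commit a developer sees locally; and the old branch also stripped a leading `v` from release tags, so callers that expected `1.2.3`-style tags lose semantic versions entirely with this change. A guard such as `[[ -n "$GITHUB_SHA" ]] || { echo "GITHUB_SHA unset" >&2; exit 1; }` would also avoid pushing an image tagged with an empty string if the variable is ever missing.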
Expand Down Expand Up @@ -85,4 +79,4 @@ runs:
build-args: ${{ inputs.build-args }}
secrets: ${{ inputs.secrets }}
cache-from: type=registry,ref=${{ env.IMAGE_REGISTRY }}/${{ inputs.image-repo }}:cache
cache-to: type=registry,ref=${{ env.IMAGE_REGISTRY }}/${{ inputs.image-repo }}:cache,mode=max
cache-to: ${{ inputs.push-cache == 'true' && format('type=registry,ref={0}/{1}:cache,mode=max', env.IMAGE_REGISTRY, inputs.image-repo) || '' }}
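Review bot: the conditional `cache-to` has two consequences the hunk should address. First, `mode=max` exports every intermediate layer to the `:cache` ref, so anything passed through `build-args` (the README warns against secrets there) becomes readable by anyone with pull access to the registry; enforcing or at least noting `--mount=type=secret` next to this line is warranted. Second, `cache-from` still reads the single shared `${image-repo}:cache` ref unconditionally while every job that opts in writes to that same ref; with the README's parallel matrix and monorepo jobs, concurrent `mode=max` writers overwrite one another's cache manifest, so a per-variant ref (for example `:cache-${{ matrix.env }}`) would keep dev and prod from thrashing each other. Minor: `inputs.push-cache == 'true'` is a string comparison, so `True`, `yes` or a boolean from `fromJSON` silently fall through to the empty branch; either document that only the literal `true` is accepted or normalise with `fromJSON(inputs.push-cache)`. Please also confirm the empty-string branch is treated as "no cache export" by the build action rather than as a malformed exporter.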