Untagged images produced for multi platform builds #894

Closed
daltonv opened this issue Jul 4, 2023 · 8 comments

@daltonv

daltonv commented Jul 4, 2023

Troubleshooting

Before submitting a bug report please read the Troubleshooting doc.

Behaviour

Multiplatform images produce untagged images for each platform built for.

Steps to reproduce this issue

  1. Build a multiplatform image & push to ghcr
  2. Observe multiple images being posted like so
    image
    image

Expected behaviour

I would hope there is at least an option to tag each platform's image with a special tag. In the example above perhaps pr-5-arm64 and pr-5-amd64.

Actual behaviour

Multiple untagged images

Configuration

name: CI

on:
  push:
    tags:
        - 'v*.*.*'

  pull_request:

jobs:
  docker:
    runs-on: ubuntu-latest

    strategy:
      matrix:
          include:
            - image_name: ${{ github.repository }}-ci
              docker_target: ci
            - image_name: ${{ github.repository }}
              docker_target: developer

    permissions:
      contents: read
      packages: write

    env:
      REGISTRY: ghcr.io
      IMAGE_NAME: ${{ matrix.image_name }}

    steps:
      - uses: actions/checkout@v3

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v2

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2

      - name: Log in to the Container registry
        uses: docker/login-action@v2
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Extract metadata (tags, labels) for Docker
        id: meta
        uses: docker/metadata-action@v4
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          tags: |
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=ref,event=pr
            type=sha

      # Crazy thing needed for the cache to work in the next step, as the
      # cache must be sent in lower case
      - name: downcase REPO
        run: |
          echo "REPO=${IMAGE_NAME,,}" >>${GITHUB_ENV}

      - name: Build and push Docker image
        uses: docker/build-push-action@v3
        with:
          context: .
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          target: ${{ matrix.docker_target }}
          provenance: false
          build-args: |
            JFROG_USER=${{ secrets.JFROG_USER }}
            JFROG_KEY=${{ secrets.JFROG_KEY }}
          cache-from: type=registry,ref=${{ env.REGISTRY }}/${{ env.REPO }}:latest
          cache-to: type=inline
          platforms: |
            linux/amd64
            linux/arm64
@saadbahir

I have the same problem without using multi-platforms

I am pushing images to two separate registries, including Github registry

      - name: Build and push
        id: docker_build
        uses: docker/build-push-action@v4
        with:
          context: .
          file: ${{ env.DOCKERFILE }}
          platforms: linux/amd64
          push: true
          tags: |
            ${{ needs.prepare.outputs.image_fly }}${{ env.IMAGE_SUFFIX }}
            ${{ needs.prepare.outputs.image_github }}${{ env.IMAGE_SUFFIX }}

In github registry, I end up with the correct version for example image-repo-name:1.0.0 and two untagged versions

#12 exporting to image
#12 exporting layers
#12 exporting layers 17.8s done
#12 exporting manifest sha256:b1ee819a2e3d5896b86d8d87e242cee35566f20afbb527441c46f7b0d1480a06 0.0s done
#12 exporting config sha256:9d265a628e53ff77b40026a825fb59758f08eb9935ad42ab9bb95170fbdbf3a3
#12 exporting config sha256:9d265a628e53ff77b40026a825fb59758f08eb9935ad42ab9bb95170fbdbf3a3 done
#12 exporting attestation manifest sha256:8f6eb2770bfada4f266d37985611558f866d281d366cc659486975817d602296 done
#12 exporting manifest list sha256:7264527bd66a26218825ead8b63be68931267f02b45d2bc76a7a2c2943b0d4a1 done
#12 pushing layers
#12 ...

In this case for example, I get two other images with tags

b1ee819a2e3d5896b86d8d87e242cee35566f20afbb527441c46f7b0d1480a06

and

8f6eb2770bfada4f266d37985611558f866d281d366cc659486975817d602296

Does anyone know what triggers this behavior?

@simonwep

Are there any updates to this? I'm having the same problem...

@mattkrick

Can you confirm that those aren't provenance attestations?
Try adding this to your GH action & seeing if it solves the problem:

        with:
          provenance: false

@TheoJammes

I confirm @mattkrick's solution fixed our issue and removed the untagged layers from the images 👍

@daltonv
Author

daltonv commented Oct 31, 2023

Can you confirm that those aren't provenance attestations?
Try adding this to your GH action & seeing if it solves the problem:

        with:
          provenance: false

So for me that is not the issue, as I already have that setting as false in the action I posted above. Although I do know that with that setting on single-platform builds I get the same result.

@crazy-max
Member

I would hope there is at least an option to tag each platform's image with a special tag. In the example above perhaps pr-5-arm64 and pr-5-amd64.

Why? This was true before, when manifest lists were not a thing, but now tools like Buildx/BuildKit create a manifest list that includes a manifest for each built platform if there is more than one, like ghcr.io/crazy-max/undock:0.3.0: https://github.com/crazy-max/undock/pkgs/container/undock/17739760?tag=0.3.0

$ docker buildx imagetools inspect ghcr.io/crazy-max/undock:0.3.0
Name:      ghcr.io/crazy-max/undock:0.3.0
MediaType: application/vnd.docker.distribution.manifest.list.v2+json
Digest:    sha256:84e9ae779070e61c8ae866c0d5873baf1d4580774c61dc76ee3c35335519d2dd

Manifests:
  Name:      ghcr.io/crazy-max/undock:0.3.0@sha256:5fc3dac5677c54697a55f9ba35c423269d0f2e89b5417f647bc5b388eca606ef
  MediaType: application/vnd.docker.distribution.manifest.v2+json
  Platform:  linux/amd64

  Name:      ghcr.io/crazy-max/undock:0.3.0@sha256:f8fec216d1c2797da68a10a2587f4e8b8891a5731e2d7be28d1e21db45515574
  MediaType: application/vnd.docker.distribution.manifest.v2+json
  Platform:  linux/arm/v6

  Name:      ghcr.io/crazy-max/undock:0.3.0@sha256:eff8d18996daea3ccfc3803f7f5dc1c8ddc1cdb6fca69ff0bd2296e4c72511a9
  MediaType: application/vnd.docker.distribution.manifest.v2+json
  Platform:  linux/arm/v7

  Name:      ghcr.io/crazy-max/undock:0.3.0@sha256:6cdc61722906c4d73450b40767dd9f034a0731837249b45703803e650ae93796
  MediaType: application/vnd.docker.distribution.manifest.v2+json
  Platform:  linux/arm64

  Name:      ghcr.io/crazy-max/undock:0.3.0@sha256:3e2d1cc6995e0d17daa1bf69ae1c6b9ba974029de041fee6ae755203740ec72e
  MediaType: application/vnd.docker.distribution.manifest.v2+json
  Platform:  linux/ppc64le

  Name:      ghcr.io/crazy-max/undock:0.3.0@sha256:d37a61625ba5bd8f89e6eb46fce5641149ca8b7245b56f20b254d959f14257ad
  MediaType: application/vnd.docker.distribution.manifest.v2+json
  Platform:  linux/s390x

This way a user doesn't need to bother choosing a specific tag matching the platform. They can just use this tag and the right image will be pulled based on the host specs.

More info: https://docs.docker.com/build/building/multi-platform/

@daltonv
Author

daltonv commented Nov 10, 2023

I want that so I can automatically delete all images associated with a tag. There currently is no way to do this in multi arch builds.
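
Added example, not part of the thread and not code from the docker/build-push-action project: a sketch of how the untagged versions relate to a tag, for anyone scripting registry cleanup. It classifies the children of an image index (per-platform manifests versus BuildKit attestation manifests, which carry the `vnd.docker.reference.type` annotation) and reports which untagged digests are not referenced by any tagged index. The index is a constructed sample with placeholder digests; the function names are hypothetical.

```python
"""Classify image-index children and find untagged versions nothing references."""

ATTESTATION = "attestation-manifest"  # BuildKit's marker on attestation manifests

# Constructed sample: the index behind one tag, in the shape printed by
# `docker buildx imagetools inspect --raw <ref>`. Digests are placeholders.
SAMPLE_INDEX = {
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {"digest": "sha256:PLACEHOLDER-amd64",
         "platform": {"os": "linux", "architecture": "amd64"}},
        {"digest": "sha256:PLACEHOLDER-arm64",
         "platform": {"os": "linux", "architecture": "arm64"}},
        {"digest": "sha256:PLACEHOLDER-att-amd64",
         "platform": {"os": "unknown", "architecture": "unknown"},
         "annotations": {"vnd.docker.reference.type": ATTESTATION,
                         "vnd.docker.reference.digest": "sha256:PLACEHOLDER-amd64"}},
    ],
}


def classify_children(index):
    """Map each child digest of an index to 'image <platform>' or 'attestation for <digest>'."""
    roles = {}
    # A plain single-platform manifest has no "manifests" key: no children.
    for child in index.get("manifests", []):
        notes = child.get("annotations") or {}
        if notes.get("vnd.docker.reference.type") == ATTESTATION:
            subject = notes.get("vnd.docker.reference.digest", "unknown")
            roles[child["digest"]] = f"attestation for {subject}"
        else:
            plat = child.get("platform") or {}
            parts = (plat.get("os"), plat.get("architecture"), plat.get("variant"))
            roles[child["digest"]] = "image " + "/".join(p for p in parts if p)
    return roles


def orphaned(untagged_digests, tagged_indexes):
    """Untagged digests that no tagged index references; only these are safe to prune."""
    referenced = set()
    for index in tagged_indexes:
        referenced.update(classify_children(index))
    return sorted(d for d in untagged_digests if d not in referenced)


if __name__ == "__main__":
    for digest, role in classify_children(SAMPLE_INDEX).items():
        print(digest, "->", role)
    print(orphaned(["sha256:PLACEHOLDER-arm64", "sha256:PLACEHOLDER-old"], [SAMPLE_INDEX]))
```

Deleting an untagged version that a tagged index still references breaks pulls for that platform, or strips the provenance record, so a cleanup job should remove only what `orphaned` returns.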

@Tomer20

Tomer20 commented Dec 1, 2023

Same issue here, and provenance: false does not solve the issue.
