
Creation of a sha256.sig container/tag even if sha is false #510

Closed
3 tasks done
phrreakk opened this issue Mar 4, 2025 · 3 comments

Comments

@phrreakk

phrreakk commented Mar 4, 2025

Contributing guidelines

I've found a bug, and:

  • The documentation does not mention anything about my problem
  • There are no open or closed issues that are related to my problem

Description

I am using a mainly default flow from GitHub Actions Marketplace. My flow is a simple multi-stage build.

Expected behaviour

I expect a container to be tagged and uploaded to ghcr.io with the tags latest, 1.x.x, and 1.x. This works perfectly as of right now. Additionally, another container with a different sha256, but whose label matches the previous sha of the working container, shows in the list.

Actual behaviour

For every deployment, two containers are being created and I'm at a loss for why the second container is being created.

Repository URL

https://github.com/phrreakk/vwbackup

Workflow run URL

https://github.com/phrreakk/vwbackup/actions/runs/13650514649

YAML workflow

name: Docker

# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.

on:
  schedule:
    - cron: '15 4 * * *'
  push:
    # branches: [ "main" ]
    # Publish semver tags as releases.
    tags: [ 'v*' ]
  pull_request:
    # branches: [ "main" ]

env:
  # Use docker.io for Docker Hub if empty
  REGISTRY: ghcr.io
  # github.repository as <account>/<repo>
  IMAGE_NAME: ${{ github.repository }}


jobs:
  build:

    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
      # This is used to complete the identity challenge
      # with sigstore/fulcio when running outside of PRs.
      id-token: write

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      # Install the cosign tool except on PR
      # https://github.com/sigstore/cosign-installer
      - name: Install cosign
        if: github.event_name != 'pull_request'
        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
        with:
          cosign-release: 'v2.2.4'

      # Set up BuildKit Docker container builder to be able to build
      # multi-platform images and export cache
      # https://github.com/docker/setup-buildx-action
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0

      # Login against a Docker registry except on PR
      # https://github.com/docker/login-action
      - name: Log into registry ${{ env.REGISTRY }}
        if: github.event_name != 'pull_request'
        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Extract metadata (tags, labels) for Docker
      # https://github.com/docker/metadata-action
      - name: Extract Docker metadata
        id: meta
        uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          tags: |
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}

      # Build and push Docker image with Buildx (don't push on PR)
      # https://github.com/docker/build-push-action
      - name: Build and push Docker image
        id: build-and-push
        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
        with:
          context: .
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

      # Sign the resulting Docker image digest except on PRs.
      # This will only write to the public Rekor transparency log when the Docker
      # repository is public to avoid leaking data.  If you would like to publish
      # transparency data even for private images, pass --force to cosign below.
      # https://github.com/sigstore/cosign
      - name: Sign the published Docker image
        if: ${{ github.event_name != 'pull_request' }}
        env:
          # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
          TAGS: ${{ steps.meta.outputs.tags }}
          DIGEST: ${{ steps.build-and-push.outputs.digest }}
        # This step uses the identity token to provision an ephemeral certificate
        # against the sigstore community Fulcio instance.
        run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}

Workflow logs

No response

BuildKit logs


Additional info

Container 1: Perfect
sha256: sha256:e18c6f149c98c280f7c43417975603e16d22e3f67a707733b17d2361331307ca
Tags: latest, 1.1.5, 1.1

Container 2: Fails terribly on pull...and it is the default/first in the list
sha256: sha256:cdb4e2eaf6d79e83c2bc9059e2c22ccadeb4be4e3a21eb077837c2586f7645bb
Tags: sha256-e18c6f149c98c280f7c43417975603e16d22e3f67a707733b17d2361331307ca.sig

@crazy-max
Member

crazy-max commented Mar 4, 2025

For every deployment, two containers are being created and I'm at a loss for why the second container is being created.

Doesn't look related to metadata-action but to GHCR. This looks similar to docker/build-push-action#1323, and tag-less images stick around until you delete them on GHCR.

Let me close this one, but feel free to continue the convo in docker/build-push-action#1323.

@phrreakk
Author

phrreakk commented Mar 4, 2025

I think my issue is slightly different. I am not bothered by the "untagged" amount.

(screenshot attached)

The first tagged container doesn't work and I don't know why it was created in the first place. Every build creates the correct container and then creates a container that doesn't pull.

As you can see... the sha256s are weirdly aligned.

@crazy-max
Member

crazy-max commented Mar 4, 2025

I don't know why it was created in the first place.

It doesn't seem to be pushed by build-push-action: https://github.com/phrreakk/vwbackup/actions/runs/13650514649/job/38157784947#step:7:300

#28 exporting to image
#28 exporting manifest sha256:2bb254c4c0245215a1386da0b6d6d57ba8edc14e2d8f171c9b98373634e1eaeb done
#28 exporting config sha256:139d6597d3ae66e3c280b40d7d1fb19a15195a18d90fd494693ab370609375aa done
#28 exporting attestation manifest sha256:f49be5238576ce8d6d4a7a4f535af9a8ac3a7f537aee0951e9d35c104c5f9efe done
#28 exporting manifest list sha256:e18c6f149c98c280f7c43417975603e16d22e3f67a707733b17d2361331307ca done
#28 pushing layers
#28 pushing layers 1.3s done
#28 pushing manifest for ghcr.io/phrreakk/vwbackup:1.1.5@sha256:e18c6f149c98c280f7c43417975603e16d22e3f67a707733b17d2361331307ca
#28 pushing manifest for ghcr.io/phrreakk/vwbackup:1.1.5@sha256:e18c6f149c98c280f7c43417975603e16d22e3f67a707733b17d2361331307ca 1.0s done
#28 pushing layers 0.4s done
#28 pushing manifest for ghcr.io/phrreakk/vwbackup:1.1@sha256:e18c6f149c98c280f7c43417975603e16d22e3f67a707733b17d2361331307ca
#28 pushing manifest for ghcr.io/phrreakk/vwbackup:1.1@sha256:e18c6f149c98c280f7c43417975603e16d22e3f67a707733b17d2361331307ca 0.6s done
#28 pushing layers 0.4s done
#28 pushing manifest for ghcr.io/phrreakk/vwbackup:latest@sha256:e18c6f149c98c280f7c43417975603e16d22e3f67a707733b17d2361331307ca
#28 pushing manifest for ghcr.io/phrreakk/vwbackup:latest@sha256:e18c6f149c98c280f7c43417975603e16d22e3f67a707733b17d2361331307ca 0.7s done
#28 DONE 4.9s

#30 exporting to GitHub Actions Cache
#30 preparing build cache for export
#30 writing layer sha256:667daa1cd1f3bbdf060a15ca973e51df47505d6e650fca506e2f06f786e0d610
#30 writing layer sha256:667daa1cd1f3bbdf060a15ca973e51df47505d6e650fca506e2f06f786e0d610 0.1s done
#30 writing layer sha256:8ffcb813fbdfe1cc934191d166fd467880d6edec6ad0755f19619f5fa1951f0b 0.1s done
#30 writing layer sha256:c0ee35174313b07242dd78616f7216fc4b94cd8b580748106aad1ea8d45e6b70
#30 writing layer sha256:c0ee35174313b07242dd78616f7216fc4b94cd8b580748106aad1ea8d45e6b70 0.4s done
#30 preparing build cache for export 1.0s done
#30 DONE 1.0s

Maybe it is the "Sign the published Docker image" step that creates this tag, I'm not sure: https://github.com/phrreakk/vwbackup/actions/runs/13650514649/workflow#L88-L101
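The "weirdly aligned" digests in the issue's Additional info and the tag-naming question raised in the comment above can be checked mechanically. The script below is an added example, not code from the issue, from cosign or from the docker/* actions; it assumes cosign's documented default layout (COSIGN_REPOSITORY unset), in which `cosign sign REPO@sha256:HEX` pushes the signature to the same repository under the tag `sha256-HEX.sig`, so a registry UI lists it as a second entry. The function names are ours; the digest and tags are the ones quoted in the issue.

```shell
#!/bin/sh
# Added example; not code from the issue, from cosign or from the docker/* actions.
# Assumption stated here: cosign's documented default layout (COSIGN_REPOSITORY unset)
# stores the signature in the same repository as the signed image, under the tag
#   sha256-<hex digest of the signed manifest>.sig
# so GHCR lists that signature as a second entry. Function names are ours.
set -eu

# cosign_sig_ref REPO@sha256:HEX -> prints REPO:sha256-HEX.sig
# Accepts only a digest reference, which is what the workflow's
# "cosign sign --yes {}@${DIGEST}" step hands to cosign; fails otherwise.
cosign_sig_ref() {
  ref=$1
  case "$ref" in
    *@sha256:*) ;;
    *) echo "cosign_sig_ref: expected REPO@sha256:HEX, got '$ref'" >&2; return 1 ;;
  esac
  repo=${ref%%@*}
  hex=${ref##*@sha256:}
  # A sha256 digest is exactly 64 lowercase hex characters.
  [ "${#hex}" -eq 64 ] || { echo "cosign_sig_ref: bad digest length in '$ref'" >&2; return 1; }
  case "$hex" in
    *[!0-9a-f]*) echo "cosign_sig_ref: digest is not lowercase hex in '$ref'" >&2; return 1 ;;
  esac
  printf '%s:sha256-%s.sig\n' "$repo" "$hex"
}

# signed_subject_digest TAG -> prints sha256:HEX, the digest of the manifest that
# the signature stored under TAG covers. Returns 1 for any tag that does not
# follow cosign's signature naming (latest, 1.1.5, 1.1, ...).
signed_subject_digest() {
  tag=$1
  case "$tag" in
    sha256-*.sig) ;;
    *) return 1 ;;
  esac
  hex=${tag#sha256-}
  hex=${hex%.sig}
  [ "${#hex}" -eq 64 ] || return 1
  case "$hex" in
    *[!0-9a-f]*) return 1 ;;
  esac
  printf 'sha256:%s\n' "$hex"
}

# Values copied from the issue: the working image's digest (Container 1) and the
# tags GHCR lists for the two entries.
IMAGE_REPO=ghcr.io/phrreakk/vwbackup
IMAGE_DIGEST=sha256:e18c6f149c98c280f7c43417975603e16d22e3f67a707733b17d2361331307ca

echo "artifact that 'cosign sign $IMAGE_REPO@$IMAGE_DIGEST' pushes:"
echo "  $(cosign_sig_ref "$IMAGE_REPO@$IMAGE_DIGEST")"
echo
echo "what each tag in the GHCR listing is:"
for tag in latest 1.1.5 1.1 \
  sha256-e18c6f149c98c280f7c43417975603e16d22e3f67a707733b17d2361331307ca.sig
do
  if subject=$(signed_subject_digest "$tag"); then
    echo "  $tag -> cosign signature covering $subject, not a runnable image"
  else
    echo "  $tag -> image tag"
  fi
done
```

The tag on "Container 2" is exactly what `cosign_sig_ref` derives from the digest of "Container 1", which is why the two digests line up: the second entry is the signature artifact for the first, and its own digest (cdb4e2…) is the digest of that signature manifest rather than of anything meant to be pulled as an image. On a machine with cosign installed, `cosign triangulate ghcr.io/phrreakk/vwbackup@sha256:e18c6f149c98c280f7c43417975603e16d22e3f67a707733b17d2361331307ca` prints the same reference, and `cosign verify --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp '^https://github.com/phrreakk/vwbackup/' ghcr.io/phrreakk/vwbackup@sha256:e18c6f149c98c280f7c43417975603e16d22e3f67a707733b17d2361331307ca` checks the keyless signature the workflow produced. Deleting the `.sig` tag from GHCR removes the signature, so anyone who wants the image to stay verifiable should leave it in place; if it should not appear next to the image, cosign's COSIGN_REPOSITORY variable redirects signatures to a separate repository.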
