Home

Awesome

GitHub release GitHub marketplace CI workflow Test workflow Codecov

About

GitHub Action to build and push Docker images with Buildx with full support of the features provided by Moby BuildKit builder toolkit. This includes multi-platform build, secrets, remote cache, etc. and different builder deployment/namespacing options.

Screenshot


Usage

In the examples below we are also using 3 other actions:

Git context

By default, this action uses the Git context, so you don't need to use the actions/checkout action to check out the repository as this will be done directly by BuildKit.

The git reference will be based on the event that triggered your workflow and will result in the following context: https://github.com/<owner>/<repo>.git#<ref>.

name: ci

on:
  push:

jobs:
  docker:
    runs-on: ubuntu-latest
    steps:
      -
        name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ vars.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      -
        name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      -
        name: Build and push
        uses: docker/build-push-action@v6
        with:
          push: true
          tags: user/app:latest

Be careful because any file mutation in the steps that precede the build step will be ignored, including processing of the .dockerignore file since the context is based on the Git reference. However, you can use the Path context using the context input alongside the actions/checkout action to remove this restriction.

Default Git context can also be provided using the Handlebars template expression {{defaultContext}}. Here we can use it to provide a subdirectory to the default Git context:

      -
        name: Build and push
        uses: docker/build-push-action@v6
        with:
          context: "{{defaultContext}}:mysubdir"
          push: true
          tags: user/app:latest

Building from the current repository automatically uses the GitHub Token, so it does not need to be passed. If you want to authenticate against another private repository, you have to use a secret named GIT_AUTH_TOKEN to be able to authenticate against it with Buildx:

      -
        name: Build and push
        uses: docker/build-push-action@v6
        with:
          push: true
          tags: user/app:latest
          secrets: |
            GIT_AUTH_TOKEN=${{ secrets.MYTOKEN }}

Path context

name: ci

on:
  push:

jobs:
  docker:
    runs-on: ubuntu-latest
    steps:
      -
        name: Checkout
        uses: actions/checkout@v4
      -
        name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ vars.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      -
        name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      -
        name: Build and push
        uses: docker/build-push-action@v6
        with:
          context: .
          push: true
          tags: user/app:latest

Examples

Summaries

This action generates a job summary that provides a detailed overview of the build execution. The summary shows an overview of all the steps executed during the build, including the build inputs and eventual errors.

build-push-action job summary

The summary also includes a link for downloading the build record with additional details about the build, including build stats, logs, outputs, and more. The build record can be imported to Docker Desktop for inspecting the build in greater detail.

Summaries are enabled by default, but can be disabled with the DOCKER_BUILD_SUMMARY environment variable.

For more information about summaries, refer to the documentation.

Customizing

inputs

The following inputs can be used as step.with keys:

List type is a newline-delimited string

cache-from: |
  user/app:cache
  type=local,src=path/to/dir

CSV type is a comma-delimited string

tags: name/app:latest,name/app:1.0.0
NameTypeDescription
add-hostsList/CSVList of customs host-to-IP mapping (e.g., docker:10.180.0.1)
allowList/CSVList of extra privileged entitlement (e.g., network.host,security.insecure)
annotationsListList of annotation to set to the image
attestsListList of attestation parameters (e.g., type=sbom,generator=image)
builderStringBuilder instance (see setup-buildx action)
build-argsListList of build-time variables
build-contextsListList of additional build contexts (e.g., name=path)
cache-fromListList of external cache sources (e.g., type=local,src=path/to/dir)
cache-toListList of cache export destinations (e.g., type=local,dest=path/to/dir)
callStringSet method for evaluating build (e.g., check)
cgroup-parentStringOptional parent cgroup for the container used in the build
contextStringBuild's context is the set of files located in the specified PATH or URL (default Git context)
fileStringPath to the Dockerfile. (default {context}/Dockerfile)
labelsListList of metadata for an image
loadBoolLoad is a shorthand for --output=type=docker (default false)
networkStringSet the networking mode for the RUN instructions during build
no-cacheBoolDo not use cache when building the image (default false)
no-cache-filtersList/CSVDo not cache specified stages
outputsListList of output destinations (format: type=local,dest=path)
platformsList/CSVList of target platforms for build
provenanceBool/StringGenerate provenance attestation for the build (shorthand for --attest=type=provenance)
pullBoolAlways attempt to pull all referenced images (default false)
pushBoolPush is a shorthand for --output=type=registry (default false)
sbomBool/StringGenerate SBOM attestation for the build (shorthand for --attest=type=sbom)
secretsListList of secrets to expose to the build (e.g., key=string, GIT_AUTH_TOKEN=mytoken)
secret-envsList/CSVList of secret env vars to expose to the build (e.g., key=envname, MY_SECRET=MY_ENV_VAR)
secret-filesListList of secret files to expose to the build (e.g., key=filename, MY_SECRET=./secret.txt)
shm-sizeStringSize of /dev/shm (e.g., 2g)
sshListList of SSH agent socket or keys to expose to the build
tagsList/CSVList of tags
targetStringSets the target stage to build
ulimitListUlimit options (e.g., nofile=1024:1024)
github-tokenStringGitHub Token used to authenticate against a repository for Git context (default ${{ github.token }})

outputs

The following outputs are available:

NameTypeDescription
imageidStringImage ID
digestStringImage digest
metadataJSONBuild result metadata

environment variables

NameTypeDefaultDescription
DOCKER_BUILD_CHECKS_ANNOTATIONSBooltrueIf false, GitHub annotations are not generated for build checks
DOCKER_BUILD_SUMMARYBooltrueIf false, build summary generation is disabled
DOCKER_BUILD_RECORD_UPLOADBooltrueIf false, build record upload as GitHub artifact is disabled
DOCKER_BUILD_RECORD_RETENTION_DAYSNumberDuration after which build record artifact will expire in days. Defaults to repository/org retention settings if unset or 0

Troubleshooting

See TROUBLESHOOTING.md

Contributing

Want to contribute? Awesome! You can find information about contributing to this project in the CONTRIBUTING.md