Cannot push docker image to Google Artifact Registry

Hi,

I’ve got quite a simple workflow using build-push-action v2, but I am unfortunately unable to push image successfully to Google Artifact Registry.

Here is the workflow:


name: CI

on:
  push:
    tags:
      - 'v*.*.*'

env:
  REGISTRY: europe-west4-docker.pkg.dev
  PROJECT_ID: xxx
  REPOSITORY_ID: appconfig

jobs:
  docker:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2

      - name: Prepare
        id: prepare
        run: |
          DOCKER_IMAGE="${REGISTRY}/${PROJECT_ID}/${REPOSITORY_ID}"
          VERSION=${GITHUB_REF#refs/tags/}
          TAGS="${DOCKER_IMAGE}:${VERSION}"
          if [[ $VERSION =~ ^v[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
            MINOR=${VERSION%.*}
            MAJOR=${MINOR%.*}
            TAGS="$TAGS,${DOCKER_IMAGE}:${MINOR},${DOCKER_IMAGE}:${MAJOR},${DOCKER_IMAGE}:latest"
          elif [ "${{ github.event_name }}" = "push" ]; then
            TAGS="$TAGS,${DOCKER_IMAGE}:sha-${GITHUB_SHA::8}"
          fi
          echo ::set-output name=version::${VERSION}
          echo ::set-output name=tags::${TAGS}
          echo ::set-output name=created::$(date -u +'%Y-%m-%dT%H:%M:%SZ')
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v1
        with:
          buildkitd-flags: --debug

      - name: Login to GCR
        uses: docker/login-action@v1
        with:
          registry: ${{ env.REGISTRY }}
          username: _json_key
          password: ${{ secrets.GCP_SA_KEY }}

      - name: Build and push
        id: docker-build
        uses: docker/build-push-action@v2
        with:
          context: .
          file: ./Dockerfile
          target: bin
          push: true
          tags: ${{ steps.prepare.outputs.tags }}

It is failing with:

#10 pushing layers
#10 pushing layers 3.2s done
#10 pushing manifest for europe-west4-docker.pkg.dev/xxx/appconfig:v0.1.0
#10 pushing manifest for europe-west4-docker.pkg.dev/xxx/appconfig:v0.1.0 0.4s done
#10 ERROR: failed commit on ref "manifest-sha256:39c07bc2a80624b0ae6bb3c7a616b31a4ea846f8d679aca8835702328c57dccb": unexpected status: 400 Bad Request
------
 > exporting to image:
------
failed to solve: rpc error: code = Unknown desc = failed commit on ref "manifest-sha256:39c07bc2a80624b0ae6bb3c7a616b31a4ea846f8d679aca8835702328c57dccb": unexpected status: 400 Bad Request

I tried to debug it using a troubleshooting note, but it seems that ctr accepts only docker login and password, but not GCP’s service account JSON file.

Here is a full log of workflow: 1_docker.txt.zip

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 18 (8 by maintainers)

Top GitHub Comments

4 reactions
jonjohnsonjr commented, Oct 22, 2020

@jacek-jablonski I believe you need a third path component:

europe-west4-docker.pkg.dev/xxx/node:14.13.1-2

e.g. europe-west4-docker.pkg.dev/xxx/something-else/node:14.13.1-2
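
A pre-push check for the path rule described in the comment above, added here as an example and not part of the original thread or of any Docker action. The function names `check_ar_ref` and `check_tag_list` are hypothetical, and the list format matches the comma-separated `tags` output of the workflow's Prepare step.

```sh
#!/bin/sh
# Added example: pre-push check for Artifact Registry image references.
# Rule from the thread: on *-docker.pkg.dev hosts the reference must be
# HOST/PROJECT/REPOSITORY/IMAGE[:TAG], so at least three path components.

# check_ar_ref REF: returns 0 if REF is acceptable, 1 if the path is too short.
check_ar_ref() {
  ref=$1
  host=${ref%%/*}
  case $host in
    *-docker.pkg.dev) ;;   # Artifact Registry Docker host: apply the rule
    *) return 0 ;;         # other registries are out of scope for this check
  esac
  [ "$host" != "$ref" ] || return 1   # host only, no path at all
  path=${ref#*/}
  path=${path%%@*}   # drop an @sha256:... digest, if any
  path=${path%%:*}   # drop the :tag, if any
  case $path in ''|/*|*/|*//*) return 1 ;; esac   # empty path component
  n=0
  rest=$path
  while [ -n "$rest" ]; do   # count the '/'-separated components
    n=$((n + 1))
    case $rest in
      */*) rest=${rest#*/} ;;
      *)   rest= ;;
    esac
  done
  [ "$n" -ge 3 ]
}

# check_tag_list "ref1,ref2,...": returns 0 only if every reference passes.
check_tag_list() {
  list=$1
  bad=0
  while [ -n "$list" ]; do
    item=${list%%,*}
    case $list in
      *,*) list=${list#*,} ;;
      *)   list= ;;
    esac
    if ! check_ar_ref "$item"; then
      echo "too few path components for Artifact Registry: $item" >&2
      bad=$((bad + 1))
    fi
  done
  [ "$bad" -eq 0 ]
}

# Demo with the reference from the failing log in the question.
check_tag_list "europe-west4-docker.pkg.dev/xxx/appconfig:v0.1.0" \
  || echo "fix the image path before pushing"
```

Run as a step before the build, this turns the registry's opaque `400 Bad Request` into a named, early failure.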

1 reaction
calvinf commented, Jan 8, 2022

For anyone coming along in 2022+ looking to get this working in Google Artifact Registry, here’s one that will work if you have the appropriate secrets defined (GCP_PROJECT_ID for your Google Cloud project ID and GCP_SA_KEY with the base64 encoded service account JSON):

name: CI

on:
  push:
    branches:
      - main
  pull_request:

env:
  # Google Artifact Registry host
  REGISTRY: us-docker.pkg.dev
  REGISTRY_PATH: ${{ secrets.GCP_PROJECT_ID }}/YOUR_GAR_REGISTRY_NAME
  GCP_REGION: us-central1
  SERVICE_NAME: YOUR_SERVICE_NAME

jobs:
  build:

    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
      # This is used to complete the identity challenge
      # with sigstore/fulcio when running outside of PRs.
      id-token: write

    steps:
      - name: Checkout repository
        uses: actions/checkout@v2

      - name: Setup Docker buildx
        uses: docker/setup-buildx-action@v1

      # Login against a Docker registry except on PR
      - name: Log into registry Google Artifact Registry
        if: github.event_name != 'pull_request'
        uses: docker/login-action@v1
        with:
          registry: ${{ env.REGISTRY }}
          username: _json_key_base64
          password: ${{ secrets.GCP_SA_KEY }}

      # Extract metadata (tags, labels) for Docker
      # https://github.com/docker/metadata-action
      - name: Extract Docker metadata
        id: meta
        uses: docker/metadata-action@v3
        with:
          images: ${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/${{ env.SERVICE_NAME }}

      # Build and push Docker image with Buildx (don't push on PR)
      # https://github.com/docker/build-push-action
      - name: Build and push Docker image
        id: build-and-push
        uses: docker/build-push-action@v2
        with:
          context: .
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}