Build and push Docker images
GitHub Action to build and push Docker images with Buildx with full support of the features provided by Moby BuildKit builder toolkit. This includes multi-platform build, secrets, remote cache, etc. and different builder deployment/namespacing options.
In the examples below we are also using 3 other actions:
- `setup-buildx` action will create and boot a builder using by default the `docker-container` driver. Using it is not required but recommended, to be able to build multi-platform images, export cache, etc.
- `setup-qemu` action can be useful if you want to add emulation support with QEMU to be able to build against more platforms.
- `login` action will take care to log in against a Docker registry.
By default, this action uses the Git context, so you don't need to use the `actions/checkout` action to check out the repository as this will be done directly by BuildKit.
The git reference will be based on the event that triggered your workflow and will result in the following context: `https://github.com/<owner>/<repo>.git#<ref>`.

```yaml
name: ci

on:
  push:

jobs:
  docker:
    runs-on: ubuntu-latest
    steps:
      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ vars.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Build and push
        uses: docker/build-push-action@v6
        with:
          push: true
          tags: user/app:latest
```
Be careful because any file mutation in the steps that precede the build step will be ignored, including processing of the `.dockerignore` file since the context is based on the Git reference. However, you can use the Path context using the `context` input alongside the `actions/checkout` action to remove this restriction.
Default Git context can also be provided using the Handlebars template expression `{{defaultContext}}`. Here we can use it to provide a subdirectory to the default Git context:

```yaml
      - name: Build and push
        uses: docker/build-push-action@v6
        with:
          context: "{{defaultContext}}:mysubdir"
          push: true
          tags: user/app:latest
```
Building from the current repository automatically uses the GitHub Token, so it does not need to be passed. If you want to authenticate against another private repository, you have to use a secret named `GIT_AUTH_TOKEN` to be able to authenticate against it with Buildx:

```yaml
      - name: Build and push
        uses: docker/build-push-action@v6
        with:
          push: true
          tags: user/app:latest
          secrets: |
            GIT_AUTH_TOKEN=${{ secrets.MYTOKEN }}
```

```yaml
name: ci

on:
  push:

jobs:
  docker:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v5
      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ vars.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Build and push
        uses: docker/build-push-action@v6
        with:
          context: .
          push: true
          tags: user/app:latest
```
- Multi-platform image
- Secrets
- Push to multi-registries
- Manage tags and labels
- Cache management
- Export to Docker
- Test before push
- Validating build configuration
- Local registry
- Share built image between jobs
- Named contexts
- Copy image between registries
- Update Docker Hub repo description
- SBOM and provenance attestations
- Annotations
- Reproducible builds
This action generates a job summary that provides a detailed overview of the build execution. The summary shows an overview of all the steps executed during the build, including the build inputs and eventual errors.
The summary also includes a link for downloading the build record with additional details about the build, including build stats, logs, outputs, and more. The build record can be imported to Docker Desktop for inspecting the build in greater detail.
Warning
If you're using the `actions/download-artifact` action in your workflow, you need to ignore the build record artifacts if `name` and `pattern` inputs are not specified (defaults to download all artifacts of the workflow), otherwise the action will fail:

```yaml
- uses: actions/download-artifact@v4
  with:
    pattern: "!*.dockerbuild"
```

More info: actions/toolkit#1874
Summaries are enabled by default, but can be disabled with the `DOCKER_BUILD_SUMMARY` environment variable.
For more information about summaries, refer to the documentation.
The following inputs can be used as `step.with` keys:

`List` type is a newline-delimited string

```yaml
cache-from: |
  user/app:cache
  type=local,src=path/to/dir
```

`CSV` type is a comma-delimited string

```yaml
tags: name/app:latest,name/app:1.0.0
```

| Name | Type | Description |
|---|---|---|
| `add-hosts` | List/CSV | List of custom host-to-IP mappings (e.g., `docker:10.180.0.1`) |
| `allow` | List/CSV | List of extra privileged entitlement (e.g., `network.host,security.insecure`) |
| `annotations` | List | List of annotation to set to the image |
| `attests` | List | List of attestation parameters (e.g., `type=sbom,generator=image`) |
| `builder` | String | Builder instance (see setup-buildx action) |
| `build-args` | List | List of build-time variables |
| `build-contexts` | List | List of additional build contexts (e.g., `name=path`) |
| `cache-from` | List | List of external cache sources (e.g., `type=local,src=path/to/dir`) |
| `cache-to` | List | List of cache export destinations (e.g., `type=local,dest=path/to/dir`) |
| `call` | String | Set method for evaluating build (e.g., `check`) |
| `cgroup-parent` | String | Optional parent cgroup for the container used in the build |
| `context` | String | Build's context is the set of files located in the specified `PATH` or `URL` (default Git context) |
| `file` | String | Path to the Dockerfile. (default `{context}/Dockerfile`) |
| `labels` | List | List of metadata for an image |
| `load` | Bool | Load is a shorthand for `--output=type=docker` (default `false`) |
| `network` | String | Set the networking mode for the `RUN` instructions during build |
| `no-cache` | Bool | Do not use cache when building the image (default `false`) |
| `no-cache-filters` | List/CSV | Do not cache specified stages |
| `outputs` | List | List of output destinations (format: `type=local,dest=path`) |
| `platforms` | List/CSV | List of target platforms for build |
| `provenance` | Bool/String | Generate provenance attestation for the build (shorthand for `--attest=type=provenance`) |
| `pull` | Bool | Always attempt to pull all referenced images (default `false`) |
| `push` | Bool | Push is a shorthand for `--output=type=registry` (default `false`) |
| `sbom` | Bool/String | Generate SBOM attestation for the build (shorthand for `--attest=type=sbom`) |
| `secrets` | List | List of secrets to expose to the build (e.g., `key=string`, `GIT_AUTH_TOKEN=mytoken`) |
| `secret-envs` | List/CSV | List of secret env vars to expose to the build (e.g., `key=envname`, `MY_SECRET=MY_ENV_VAR`) |
| `secret-files` | List | List of secret files to expose to the build (e.g., `key=filename`, `MY_SECRET=./secret.txt`) |
| `shm-size` | String | Size of `/dev/shm` (e.g., `2g`) |
| `ssh` | List | List of SSH agent socket or keys to expose to the build |
| `tags` | List/CSV | List of tags |
| `target` | String | Sets the target stage to build |
| `ulimit` | List | Ulimit options (e.g., `nofile=1024:1024`) |
| `github-token` | String | GitHub Token used to authenticate against a repository for Git context (default `${{ github.token }}`) |
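
How the `secrets` and `secret-envs` inputs from the table reach a build, as an added example that is not part of the action's README. The secret ids (`npm_token`, `api_key`), the repository secrets `NPM_TOKEN` and `API_KEY`, the env name `API_KEY_ENV` and the Dockerfile lines in the trailing comment are assumptions for illustration.

```yaml
name: ci

on:
  push:

jobs:
  docker:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v5
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Build
        uses: docker/build-push-action@v6
        env:
          # secret-envs reads the value from this step's environment
          API_KEY_ENV: ${{ secrets.API_KEY }}
        with:
          context: .
          tags: user/app:latest
          # secrets: key=string (value taken from the expression)
          secrets: |
            npm_token=${{ secrets.NPM_TOKEN }}
          # secret-envs: key=envname (value taken from the named env var)
          secret-envs: |
            api_key=API_KEY_ENV

# Dockerfile side (constructed for this example). The key on the left of each
# entry above is the secret id. A secret mount exists only for the RUN
# instruction that requests it and is not written into the image layers:
#
#   RUN --mount=type=secret,id=npm_token \
#       NPM_TOKEN="$(cat /run/secrets/npm_token)" npm ci
#   RUN --mount=type=secret,id=api_key \
#       ./fetch-assets.sh "$(cat /run/secrets/api_key)"
```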
The following outputs are available:
| Name | Type | Description |
|---|---|---|
| `imageid` | String | Image ID |
| `digest` | String | Image digest |
| `metadata` | JSON | Build result metadata |
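
Using the `digest` output together with the `provenance` and `sbom` inputs, as an added example that is not part of the action's README: the image is pushed with attestations, and a later step inspects what was pushed by digest rather than by the mutable `latest` tag. The step id `build`, the `DIGEST` variable name and the `user/app` image are assumptions.

```yaml
name: ci

on:
  push:

jobs:
  docker:
    runs-on: ubuntu-latest
    steps:
      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ vars.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Build and push
        id: build                      # needed to read outputs below
        uses: docker/build-push-action@v6
        with:
          push: true
          tags: user/app:latest
          provenance: mode=max         # String form of the Bool/String input
          sbom: true
      - name: Inspect the pushed image by digest
        env:
          # Pass the output through env instead of interpolating it
          # into the script text.
          DIGEST: ${{ steps.build.outputs.digest }}
        run: |
          # Fail early if the build step produced no digest
          test -n "$DIGEST"
          # Show the provenance attestation attached to that exact digest
          docker buildx imagetools inspect "user/app@${DIGEST}" \
            --format '{{ json .Provenance }}'
```
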
| Name | Type | Default | Description |
|---|---|---|---|
| `DOCKER_BUILD_CHECKS_ANNOTATIONS` | Bool | `true` | If `false`, GitHub annotations are not generated for build checks |
| `DOCKER_BUILD_SUMMARY` | Bool | `true` | If `false`, build summary generation is disabled |
| `DOCKER_BUILD_RECORD_UPLOAD` | Bool | `true` | If `false`, build record upload as GitHub artifact is disabled |
| `DOCKER_BUILD_RECORD_RETENTION_DAYS` | Number | | Duration after which build record artifact will expire in days. Defaults to repository/org retention settings if unset or `0` |
| `DOCKER_BUILD_EXPORT_LEGACY` | Bool | `false` | If `true`, exports build using legacy export-build tool instead of `buildx history export` command |
Want to contribute? Awesome! You can find information about contributing to this project in the CONTRIBUTING.md
Build and push Docker images is not certified by GitHub. It is provided by a third-party and is governed by separate terms of service, privacy policy, and support documentation.

