Merge pull request #239 from cisagov/bug/push_after_building

mcdonnnj · web-flow · commit b2d3c00ba88d · 2025-07-09T13:53:03.000Z
Build and push Docker images as separate steps
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -342,6 +342,8 @@ jobs:
           # documentation:
           # https://docs.docker.com/build/ci/github-actions/cache/#cache-backend-api
           cache-to: type=gha,mode=max
+          # For a list of pre-defined annotation keys and value types see:
+          # https://github.com/opencontainers/image-spec/blob/master/annotations.md
           labels: ${{ needs.prepare.outputs.labels }}
           outputs: type=docker,dest=dist/image.tar
           # Uncomment the following option if you are building an image for use
@@ -350,8 +352,6 @@ jobs:
           # information: https://github.com/docker/buildx/issues/1533
           # provenance: false
           tags: ${{ needs.repo-metadata.outputs.image-name }}:latest  # not to be pushed
-          # For a list of pre-defined annotation keys and value types see:
-          # https://github.com/opencontainers/image-spec/blob/master/annotations.md
       - name: Compress image
         run: gzip dist/image.tar
       - name: Upload artifacts
@@ -500,7 +500,17 @@ jobs:
         uses: docker/setup-qemu-action@v3
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
-      - name: Build and push platform images to registries
+      # We only build to ensure that the image layers are cached to push later. This is
+      # because if the build takes over 10 minutes the token acquired to push to the
+      # GitHub Container Registry will have expired. This results in errors like:
+      #
+      # <AuthenticationErrorDetail>Signature not valid in the specified time frame:
+      # Start [Tue, 08 Jul 2025 06:05:02 GMT] - Expiry [Tue, 08 Jul 2025 06:15:07 GMT]
+      # - Current [Tue, 08 Jul 2025 06:16:10 GMT]</AuthenticationErrorDetail>
+      #
+      # Please see https://github.com/docker/build-push-action/issues/1371 for more
+      # information.
+      - name: Build platform images
         id: docker_build
         uses: docker/build-push-action@v6
         with:
@@ -511,17 +521,40 @@ jobs:
           # documentation:
           # https://docs.docker.com/build/ci/github-actions/cache/#cache-backend-api
           cache-to: type=gha,mode=max
+          # For a list of pre-defined annotation keys and value types see:
+          # https://github.com/opencontainers/image-spec/blob/master/annotations.md
           labels: ${{ needs.prepare.outputs.labels }}
           platforms: ${{ join(fromJSON(needs.repo-metadata.outputs.image-platforms)) }}
           # Uncomment the following option if you are building an image for use
           # on Google Cloud Run or AWS Lambda. The current default image output
           # is unable to run on either. Please see the following issue for more
           # information: https://github.com/docker/buildx/issues/1533
           # provenance: false
-          push: true
           tags: ${{ needs.prepare.outputs.tags }}
+      # Now that the image layers should be available from the cache we can push to the
+      # registries.
+      - name: Push platform images to registries
+        id: docker_push
+        uses: docker/build-push-action@v6
+        with:
+          cache-from: type=gha
+          # We use the max mode to cache all layers which includes ones from
+          # intermediate steps. This will provide us the potential for more cache hits
+          # and thus better build times. It is also the suggested setting per the
+          # documentation:
+          # https://docs.docker.com/build/ci/github-actions/cache/#cache-backend-api
+          cache-to: type=gha,mode=max
           # For a list of pre-defined annotation keys and value types see:
           # https://github.com/opencontainers/image-spec/blob/master/annotations.md
+          labels: ${{ needs.prepare.outputs.labels }}
+          platforms: ${{ join(fromJSON(needs.repo-metadata.outputs.image-platforms)) }}
+          # Uncomment the following option if you are building an image for use
+          # on Google Cloud Run or AWS Lambda. The current default image output
+          # is unable to run on either. Please see the following issue for more
+          # information: https://github.com/docker/buildx/issues/1533
+          # provenance: false
+          push: true
+          tags: ${{ needs.prepare.outputs.tags }}
       - name: Setup tmate debug session
         uses: mxschmitt/action-tmate@v3
         if: env.RUN_TMATE
