Incorrect value for 'digest' output (same as 'imageid' for some reason)

[spinningarrow]

Troubleshooting

Before submitting a bug report please read the Troubleshooting doc.

Behaviour

Steps to reproduce this issue

1. Use the action to build and push a docker image
2. Inspect the value of the "outputs" shown in the console output in github actions

Expected behaviour

ImageID should be the ID of the docker image
Digest should be the digest of manifest

Actual behaviour

Digest is the same as the ImageID

Configuration

• Repository URL (if public):
• Build URL (if public):

# paste your YAML workflow file here and remove sensitive data

Logs

2022-03-26T14:37:51.9712149Z #13 DONE 4.4s
2022-03-26T14:37:51.9828664Z ##[group]ImageID
2022-03-26T14:37:51.9829520Z sha256:911746252f615a3a30e37f10d8f34824a441210b82ce7cb01404752879db6f14
2022-03-26T14:37:51.9876893Z ##[endgroup]
2022-03-26T14:37:51.9877499Z ##[group]Digest
2022-03-26T14:37:51.9878026Z sha256:911746252f615a3a30e37f10d8f34824a441210b82ce7cb01404752879db6f14
2022-03-26T14:37:51.9879226Z ##[endgroup]
2022-03-26T14:37:51.9879802Z ##[group]Metadata
2022-03-26T14:37:51.9880101Z {
2022-03-26T14:37:51.9880535Z   "containerimage.digest": "sha256:911746252f615a3a30e37f10d8f34824a441210b82ce7cb01404752879db6f14"
2022-03-26T14:37:51.9880942Z }

[crazy-max]

@spinningarrow Can you give a link to your repo or post your workflow please?

[spinningarrow]

@crazy-max unfortunately the repo is private. Here's the workflow:

name: pipeline

on:
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]

env:
  USER_NAME: spinningarrow
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}
  WORKING_DIR_GCP: infrastructure/gcp/

jobs:
  build:
    runs-on: ubuntu-20.04
    outputs: 
      image_sha: ${{ steps.buildDocker.outputs.digest }}
    steps:
    - uses: actions/checkout@v2

    - name: Set up Go
      uses: actions/setup-go@v2
      with:
        go-version: 1.17.2

    - name: Run golangci-lint
      uses: golangci/golangci-lint-action@v2
      with:
        version: v1.43

    - name: Test
      run: go test -race -cover ./...

    - name: Build binary
      run: env CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -v ./cmd/...

    - name: Log in to container registry
      uses: docker/login-action@v1
      with:
          registry: ${{ env.REGISTRY }}
          username: ${{ env.USER_NAME }}
          password: ${{ secrets.USER_PAT }}

    - name: Extract metadata (tags, labels) for Docker
      id: meta
      uses: docker/metadata-action@v3
      with:
        images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}

    - name: Build and push Docker image
      id: buildDocker
      uses: docker/build-push-action@v2
      with:
        context: .
        file: ./build/Dockerfile
        push: true
        tags: ${{ steps.meta.outputs.tags }}
        cache-from: type=registry,ref=${{ steps.meta.outputs.tags }}
        cache-to: type=inline
        labels: ${{ steps.meta.outputs.labels }}

  terraform-staging:
    needs: build
    name: 'terraform'
    runs-on: ubuntu-20.04
    env:
      GOOGLE_CREDENTIALS: ${{ secrets.GOOGLE_CREDENTIALS }}
      TF_WORKSPACE: staging
      TF_VAR_ghcr_token_config: ${{ secrets.GHCR_TOKEN }}
      TF_VAR_worker_image_sha: ${{ needs.build.outputs.image_sha }}

    defaults:
      run:
        shell: bash
        working-directory: ${{ env.WORKING_DIR_GCP }}
  
    steps:
    - name: Checkout
      uses: actions/checkout@v2

    - name: Setup Terraform
      uses: hashicorp/setup-terraform@v1

    - name: Terraform Init
      run: terraform init

    - name: Terraform Format
      run: terraform fmt -check

    - name: Terraform Validate
      run: terraform validate

    - name: Terraform Plan
      run: terraform plan

    - name: Terraform Apply
      if: github.ref == 'refs/heads/master' && github.event_name == 'push'
      run: terraform apply -auto-approve

[spinningarrow]

I created a public repo to demonstrate this bug: https://github.com/spinningarrow/docker-action-test

You can see it in the workflow output here: https://github.com/spinningarrow/docker-action-test/runs/5758955970?check_suite_focus=true#step:5:239

Here's the excerpt from the log:

2022-03-30T17:51:02.1325354Z ##[group]ImageID
2022-03-30T17:51:02.1329977Z sha256:6c2ac97e0808d20653054d5f7a877757368a6da6c8886bba438861f7b1de614a
2022-03-30T17:51:02.1338748Z ##[endgroup]
2022-03-30T17:51:02.1340387Z ##[group]Digest
2022-03-30T17:51:02.1346396Z sha256:6c2ac97e0808d20653054d5f7a877757368a6da6c8886bba438861f7b1de614a
2022-03-30T17:51:02.1347496Z ##[endgroup]
2022-03-30T17:51:02.1347912Z ##[group]Metadata
2022-03-30T17:51:02.1348113Z {
2022-03-30T17:51:02.1348471Z   "containerimage.digest": "sha256:6c2ac97e0808d20653054d5f7a877757368a6da6c8886bba438861f7b1de614a"
2022-03-30T17:51:02.1348810Z }

The ImageID is the same as the digest, which already indicates a problem.

Doing a docker pull with the "digest" above gives the following error output:

docker pull ghcr.io/spinningarrow/docker-action-test@sha256:6c2ac97e0808d20653054d5f7a877757368a6da6c8886bba438861f7b1de614a
Error response from daemon: manifest unknown

When doing a docker pull with the main tag which corresponds to the ImageID above, it succeeds:

docker pull ghcr.io/spinningarrow/docker-action-test:main
main: Pulling from spinningarrow/docker-action-test
Digest: sha256:f3b960e43f1d568eda25060463b2c69ccd6e30debf2de3e8da7ca35b86fef427
Status: Image is up to date for ghcr.io/spinningarrow/docker-action-test:main
ghcr.io/spinningarrow/docker-action-test:main

Above we have the actual digest of this image, which can be seen in further detail with docker inspect:

docker inspect ghcr.io/spinningarrow/docker-action-test:main | head
[
    {
        "Id": "sha256:6c2ac97e0808d20653054d5f7a877757368a6da6c8886bba438861f7b1de614a",
        "RepoTags": [
            "ghcr.io/spinningarrow/docker-action-test:main"
        ],
        "RepoDigests": [
            "ghcr.io/spinningarrow/docker-action-test@sha256:f3b960e43f1d568eda25060463b2c69ccd6e30debf2de3e8da7ca35b86fef427"
        ],
        "Parent": "",

It looks like the action is somehow using the Id for both the ImageID and the digest.

[spinningarrow]

You can also see the correct digest on the GitHub packages page for this docker image: https://github.com/spinningarrow/docker-action-test/pkgs/container/docker-action-test/versions

[ethan-gallant]

I can confirm we're seeing the same issue within one of our private repos.

[crazy-max]

@spinningarrow imageid and digest are the same because your GitHub Runner is still on buildx 0.7.1: https://github.com/spinningarrow/docker-action-test/runs/5758955970?check_suite_focus=true#step:5:59.

As you don't have the setup-buildx-action step in your workflow, it will use the docker driver. Support for remote digest is in place since docker/buildx#989 (buildx v0.8.0) for this driver.

Suggest to add the setup-buildx-action step to solve your issue while waiting for GitHub Runners to have the latest buildx in place:

      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v1
        with:
          version: v0.8.2

[spinningarrow]

@crazy-max thanks, that did the trick!

However, this is definitely not obvious from the documentation - can you add a note about that somewhere? Right now the usage section in the readme says that setup-buildx is "not required but recommended". If not having it causes these kinds of hard-to-debug issues then it should be always required imho.

[nicorikken]

I encountered the same behavior where the digest output was actually the image ID. After installing Buildx I no longer get those outputs nor a digest returned in the JSON metadata output. I have decided to give up on digests with this action for now.