Tags: docker, github-actions, buildx

Github action uploads all intermediary steps using docker/build-push-action using buildx


Background

I have an npm monorepo using turborepo. Now I want to build this for production using GitHub Actions.

The problem

The docker/build-push-action GitHub action pushes all my intermediary images, for a total of three images pushed to my artifact repository. Only one is tagged correctly.

Expected

Only my one final image (runner) pushed to artifact repo

My Dockerfile

FROM node:alpine AS builder
RUN apk add --no-cache libc6-compat
RUN apk update
# Set working directory
WORKDIR /app
RUN npm install turbo --global
COPY . .
RUN turbo prune --scope=admin --docker
 
# Add lockfile and package.json's of isolated subworkspace
FROM node:alpine AS installer
RUN apk add --no-cache libc6-compat
RUN apk update
WORKDIR /app
 
# First install the dependencies (as they change less often)
COPY .gitignore .gitignore
COPY --from=builder /app/out/json/ .
COPY --from=builder /app/out/package-lock.json ./package-lock.json
RUN npm ci
 
# Build the project
ARG MONOLITH_DOMAIN
ENV MONOLITH_DOMAIN=$MONOLITH_DOMAIN

COPY --from=builder /app/out/full/ .
COPY turbo.json turbo.json

RUN npx turbo run build --filter=admin
 
FROM node:alpine AS runner
WORKDIR /app
 
# Don't run production as root
RUN addgroup --system --gid 1001 nodejs
RUN adduser --system --uid 1001 nextjs
USER nextjs
 
COPY --from=installer /app/apps/admin/next.config.js .
COPY --from=installer /app/apps/admin/package.json .
 
# Automatically leverage output traces to reduce image size
# https://nextjs.org/docs/advanced-features/output-file-tracing
COPY --from=installer --chown=nextjs:nodejs /app/apps/admin/.next/standalone ./
COPY --from=installer --chown=nextjs:nodejs /app/apps/admin/.next/static ./apps/admin/.next/static
COPY --from=installer --chown=nextjs:nodejs /app/apps/admin/public ./apps/admin/public
 
CMD node apps/admin/server.js

As recommended by https://turbo.build/repo/docs/handbook/deploying-with-docker

My github action

name: Build and Push Docker Image

on:
  workflow_call:
    inputs:
      environment:
        required: true
        type: string
      tag:
        required: true
        type: string
      monolith_domain:
        required: true
        type: string
    secrets:
      GOOGLE_CLOUD_SERVICE_ACCOUNT_JSON_TOKEN:
        required: true

jobs:
  build-and-push:
    runs-on: ubuntu-latest

    steps:
    - name: Check out code
      uses: actions/checkout@v3

    - name: Set up Docker Buildx
      uses: docker/setup-buildx-action@v2

    - id: auth
      name: Authenticate to Google Cloud
      uses: google-github-actions/auth@v1
      with:
        token_format: access_token
        credentials_json: ${{ secrets.GOOGLE_CLOUD_SERVICE_ACCOUNT_JSON_TOKEN }}

    - uses: 'docker/login-action@v2'
      with:
        registry: europe-west1-docker.pkg.dev
        username: oauth2accesstoken
        password: ${{ steps.auth.outputs.access_token }}

    - name: Build and push Docker image
      uses: docker/build-push-action@v4
      with:
        context: .
        file: ./apps/admin/Dockerfile
        push: true
        tags: europe-west1-docker.pkg.dev/xxxx/frontend/admin-frontend:${{ inputs.tag }}
        build-args: |
          MONOLITH_DOMAIN=${{ inputs.monolith_domain }}

Solution

  • I've just encountered this, a bit late to the party, but here is what resolved it for me. Add the provenance: false flag to the action's build step.

          - name: Build and push Docker image
            uses: docker/build-push-action@v5
            with:
              provenance: false
    

    Basically, the default value of provenance has been changed from false to true, which intentionally results in this behaviour. To disable it, we can set it to false. Check this GitHub issue for further information.
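The "three images" the question describes are one OCI image index plus the two manifests it references: the real linux/amd64 image and an attestation manifest (platform unknown/unknown, annotated with vnd.docker.reference.type: attestation-manifest) that carries the SLSA provenance buildx now generates by default. A registry UI that does not group attestations under their subject lists all three, with only the index carrying the tag. Setting provenance: false makes the listing tidy again, but it also discards the provenance record a consumer could later verify, so it is worth knowing exactly what is being dropped. The script below is an added example, not code from the question or the answer: it parses a constructed sample of such an index (placeholder digests), separates runnable images from attestation manifests, and checks that every attestation points at an image that is actually in the index.

```python
import json

# Constructed sample of the OCI image index buildx pushes for a
# single-platform build with provenance enabled. Digests are placeholders.
IMAGE_DIGEST = "sha256:" + "11" * 32
ATTESTATION_DIGEST = "sha256:" + "22" * 32

SAMPLE_INDEX = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {
            # The image you actually run: this is what the tag should point at.
            "mediaType": "application/vnd.oci.image.manifest.v1+json",
            "digest": IMAGE_DIGEST,
            "size": 1234,
            "platform": {"architecture": "amd64", "os": "linux"},
        },
        {
            # The SLSA provenance attestation: not runnable, platform unknown/unknown,
            # linked back to its subject image through the reference annotations.
            "mediaType": "application/vnd.oci.image.manifest.v1+json",
            "digest": ATTESTATION_DIGEST,
            "size": 567,
            "annotations": {
                "vnd.docker.reference.digest": IMAGE_DIGEST,
                "vnd.docker.reference.type": "attestation-manifest",
            },
            "platform": {"architecture": "unknown", "os": "unknown"},
        },
    ],
})

REF_TYPE = "vnd.docker.reference.type"
REF_DIGEST = "vnd.docker.reference.digest"
ATTESTATION_TYPE = "attestation-manifest"


def classify_manifests(index_json: str) -> dict:
    """Split an image index into runnable images and attestation manifests.

    Returns {"images": [digest, ...],
             "attestations": [(attestation_digest, subject_digest), ...]}.
    """
    index = json.loads(index_json)
    images, attestations = [], []
    for manifest in index.get("manifests", []):
        annotations = manifest.get("annotations", {})
        if annotations.get(REF_TYPE) == ATTESTATION_TYPE:
            attestations.append((manifest["digest"], annotations.get(REF_DIGEST)))
        else:
            images.append(manifest["digest"])
    return {"images": images, "attestations": attestations}


def pushed_manifest_count(index_json: str) -> int:
    """How many manifests a flat registry listing shows for one pushed tag:
    the index itself plus every manifest it references."""
    return 1 + len(json.loads(index_json).get("manifests", []))


def orphaned_attestations(index_json: str) -> list:
    """Attestation manifests whose subject digest is not an image in the index.

    A non-empty result means the attestation cannot be tied to anything that
    was pushed, so it should not be trusted as provenance for this tag.
    """
    parts = classify_manifests(index_json)
    known = set(parts["images"])
    return [att for att, subject in parts["attestations"] if subject not in known]


if __name__ == "__main__":
    parts = classify_manifests(SAMPLE_INDEX)
    print("runnable images:   ", parts["images"])
    print("attestations:      ", parts["attestations"])
    print("manifests listed:  ", pushed_manifest_count(SAMPLE_INDEX))
    print("orphaned attestations:", orphaned_attestations(SAMPLE_INDEX))
```

Run against a real index (for example the output of docker buildx imagetools inspect --raw on the pushed tag) the same classification tells you whether the "extra images" are attestations that belong to your tagged build or genuinely stray manifests. If you keep provenance enabled, the attestation manifest is the artefact a deployment gate can verify; if you disable it as the answer suggests, expect pushed_manifest_count-style listings to shrink to the bare image and plan for provenance some other way.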