Background
I have an npm monorepo using Turborepo. Now I want to build this for production using GitHub Actions.
The problem
The docker/build-push-action GitHub action pushes all my intermediary images, for a total of three images pushed to my artifact repository. Only one is tagged correctly.
Expected
Only my one final image (runner) pushed to artifact repo
My Dockerfile
FROM node:alpine AS builder
RUN apk add --no-cache libc6-compat
RUN apk update
# Set working directory
WORKDIR /app
RUN npm install turbo --global
COPY . .
RUN turbo prune --scope=admin --docker
# Add lockfile and package.json's of isolated subworkspace
FROM node:alpine AS installer
RUN apk add --no-cache libc6-compat
RUN apk update
WORKDIR /app
# First install the dependencies (as they change less often)
COPY .gitignore .gitignore
COPY --from=builder /app/out/json/ .
COPY --from=builder /app/out/package-lock.json ./package-lock.json
RUN npm ci
# Build the project
ARG MONOLITH_DOMAIN
ENV MONOLITH_DOMAIN=$MONOLITH_DOMAIN
COPY --from=builder /app/out/full/ .
COPY turbo.json turbo.json
RUN npx turbo run build --filter=admin
FROM node:alpine AS runner
WORKDIR /app
# Don't run production as root
RUN addgroup --system --gid 1001 nodejs
RUN adduser --system --uid 1001 nextjs
USER nextjs
COPY --from=installer /app/apps/admin/next.config.js .
COPY --from=installer /app/apps/admin/package.json .
# Automatically leverage output traces to reduce image size
# https://nextjs.org/docs/advanced-features/output-file-tracing
COPY --from=installer --chown=nextjs:nodejs /app/apps/admin/.next/standalone ./
COPY --from=installer --chown=nextjs:nodejs /app/apps/admin/.next/static ./apps/admin/.next/static
COPY --from=installer --chown=nextjs:nodejs /app/apps/admin/public ./apps/admin/public
CMD node apps/admin/server.js
As recommended by https://turbo.build/repo/docs/handbook/deploying-with-docker
My github action
name: Build and Push Docker Image
on:
  workflow_call:
    inputs:
      environment:
        required: true
        type: string
      tag:
        required: true
        type: string
      monolith_domain:
        required: true
        type: string
    secrets:
      GOOGLE_CLOUD_SERVICE_ACCOUNT_JSON_TOKEN:
        required: true
jobs:
  build-and-push:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
        uses: actions/checkout@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
      - id: auth
        name: Authenticate to Google Cloud
        uses: google-github-actions/auth@v1
        with:
          token_format: access_token
          credentials_json: ${{ secrets.GOOGLE_CLOUD_SERVICE_ACCOUNT_JSON_TOKEN }}
      - uses: 'docker/login-action@v2'
        with:
          registry: europe-west1-docker.pkg.dev
          username: oauth2accesstoken
          password: ${{ steps.auth.outputs.access_token }}
      - name: Build and push Docker image
        uses: docker/build-push-action@v4
        with:
          context: .
          file: ./apps/admin/Dockerfile
          push: true
          tags: europe-west1-docker.pkg.dev/xxxx/frontend/admin-frontend:${{ inputs.tag }}
          build-args: |
            MONOLITH_DOMAIN=${{ inputs.monolith_domain }}
I've just encountered this, a bit late to the party, but here is what has resolved it for me. Add the provenance: false flag to the action's build step.
- name: Build and push Docker image
  uses: docker/build-push-action@v5
  with:
    provenance: false
Basically, provenance's default value has been changed from false to true, which intentionally results in this behaviour. To disable it, we can set it to false. Check this github issue for further information.
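Added example (not part of the original answer or of any project's code): with provenance enabled, BuildKit pushes an image index that references the image manifest plus an attestation manifest, and registries list these as extra untagged entries. The Python sketch below classifies the entries of such an index, as returned by docker buildx imagetools inspect --raw, so you can confirm the extra entries are attestations and not pushed build stages. The names classify_index and SAMPLE_INDEX are hypothetical and the digests are constructed placeholders.

```python
import json

# Constructed sample of an OCI image index, shaped like the output of
# `docker buildx imagetools inspect --raw <image>:<tag>` for a single-platform
# build with provenance enabled. Digests are placeholders, not real values.
SAMPLE_INDEX = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {
            "mediaType": "application/vnd.oci.image.manifest.v1+json",
            "digest": "sha256:" + "a" * 64,
            "platform": {"architecture": "amd64", "os": "linux"},
        },
        {
            "mediaType": "application/vnd.oci.image.manifest.v1+json",
            "digest": "sha256:" + "b" * 64,
            "platform": {"architecture": "unknown", "os": "unknown"},
            "annotations": {
                "vnd.docker.reference.type": "attestation-manifest",
                "vnd.docker.reference.digest": "sha256:" + "a" * 64,
            },
        },
    ],
})

def classify_index(raw):
    """Split index entries into runnable images and attestation manifests."""
    index = json.loads(raw)
    if "manifests" not in index:
        # A plain image manifest (typical with provenance: false) has no child entries.
        return {"images": [], "attestations": [], "orphans": []}
    images, attestations = [], []
    for m in index["manifests"]:
        ann = m.get("annotations", {})
        if ann.get("vnd.docker.reference.type") == "attestation-manifest":
            attestations.append((m["digest"], ann.get("vnd.docker.reference.digest")))
        else:
            p = m.get("platform", {})
            images.append((m["digest"], f'{p.get("os")}/{p.get("architecture")}'))
    known = {digest for digest, _ in images}
    # An attestation whose subject is not an image in this index deserves a closer look.
    orphans = [digest for digest, subject in attestations if subject not in known]
    return {"images": images, "attestations": attestations, "orphans": orphans}

if __name__ == "__main__":
    print(classify_index(SAMPLE_INDEX))
```

If every extra entry classifies as an attestation, the untagged items are build metadata for the final image rather than the builder or installer stages. Setting provenance: false removes them along with the provenance record itself.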