33 changes: 33 additions & 0 deletions .github/workflows/docker-build-images.yml
Expand Up @@ -93,6 +93,30 @@ on: # yamllint disable-line rule:truthy
default: "gha"
type: string
required: false
buildkitd-config-inline:
description: |
Inline BuildKit daemon configuration.
See https://github.com/docker/setup-buildx-action#inputs.
Example for insecure registry:
```ini
[registry."my-registry.local:5000"]
http = true
insecure = true
```
type: string
required: false
cache-registry:
description: |
Optional separate registry for Docker build cache.
Use this when cache is stored on a different registry than the final image.
type: string
required: false
cache-registry-username:
description: |
Username for the cache registry.
Required if cache-registry is set and requires authentication.
type: string
required: false
Comment on lines +108 to +119
Member
IMO we can provide a better way to define multiple registry auth using https://github.com/docker/login-action?tab=readme-ov-file#authenticate-to-multiple-registries
Instead of duplicating the three auth inputs/secrets, because we can add support to pull from other extra registries

I know the docs say it is not the recommended way, but even docker is using it in its own workflows

So we can imagine to improve oci-registry, oci-registry-username, oci-registry-password, accepting string or key:value

pull:ghcr.io
private-pull:acme.com
push:ghcr.io
cache:ghcr.io

What do you think?

Contributor Author

I'm a bit split on this. I agree the idea is interesting and could avoid duplicating the auth inputs/secrets, especially if we want to support more registries (pull, push, cache, etc.).

My main concern is the implementation complexity without introducing a breaking change. Today the inputs are simple strings, and supporting both the current format and a "key:value" style would make the parsing and validation more complex.

I'm also wondering how many real use cases we’d have beyond the main registry and the cache registry introduced in this PR.

sign:
description: |
Sign built images.
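Review bot: the `buildkitd-config-inline` example (`http = true` and `insecure = true` for `my-registry.local:5000`) turns off TLS and certificate verification for that registry host, and the description does not say so. Suggest adding a sentence that the example is meant for local or self-hosted development registries only and that the value is handed to BuildKit as given, so callers should not apply it to public hosts. Also, since `cache-registry-username` is a plain input here while the password lives under `secrets:` (see the second hunk), it would help to say in the description that the password must be passed as a secret by callers of the reusable workflow.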
Expand All @@ -116,6 +140,11 @@ on: # yamllint disable-line rule:truthy
GitHub App private key to generate GitHub token to be passed as build secret env.
See https://github.com/actions/create-github-app-token.
required: false
cache-registry-password:
description: |
Password for the cache registry.
Required if cache-registry is set and requires authentication.
required: false
outputs:
built-images:
description: |
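Review bot: `cache-registry-password` is described as "Required if cache-registry is set and requires authentication", but nothing in this diff enforces that pairing; a missing secret only surfaces later as a failed login step. Consider a validation step that fails early when `inputs.cache-registry` is set and the secret is empty, or reword the description to "Used when cache-registry is set" so it does not promise a check that does not exist.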
Expand Down Expand Up @@ -414,6 +443,10 @@ jobs:
secret-envs: ${{ steps.prepare-secret-envs.outputs.secret-envs }}
secrets: ${{ secrets.build-secrets }}
cache-type: ${{ inputs.cache-type }}
cache-registry: ${{ inputs.cache-registry }}
cache-registry-username: ${{ inputs.cache-registry-username }}
cache-registry-password: ${{ secrets.cache-registry-password }}
buildkitd-config-inline: ${{ inputs.buildkitd-config-inline }}
multi-platform: ${{ matrix.image.multi-platform }}

# FIXME: Set built images infos in file to be uploaded as artifacts, because github action does not handle job outputs for matrix
51 changes: 49 additions & 2 deletions actions/docker/build-image/action.yml
Expand Up @@ -87,6 +87,33 @@ inputs:
See https://docs.docker.com/build/cache/backends.
default: "gha"
required: false
cache-registry:
description: |
Optional separate registry for Docker build cache.
Use this when cache is stored on a different registry than the final image.
If not set, cache operations use the main oci-registry.
required: false
cache-registry-username:
description: |
Username for the cache registry.
Required if cache-registry is set and requires authentication.
required: false
cache-registry-password:
description: |
Password for the cache registry.
Required if cache-registry is set and requires authentication.
required: false
buildkitd-config-inline:
description: |
Inline BuildKit daemon configuration.
See https://github.com/docker/setup-buildx-action#inputs.
Example for insecure registry:
```ini
[registry."my-registry.local:5000"]
http = true
insecure = true
```
required: false
multi-platform:
description: |
Whether this build participates in a multi-platform image publication.
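Review bot: the `cache-registry` description in this action carries the fallback sentence "If not set, cache operations use the main oci-registry." that the matching workflow-level input in `.github/workflows/docker-build-images.yml` omits; keep the two descriptions identical so users of the reusable workflow and of the action see the same documented behaviour. Same remark as for the workflow on the `buildkitd-config-inline` example: `http = true` / `insecure = true` disables TLS for the named registry and should be marked as local or development use only in the description.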
Expand Down Expand Up @@ -174,11 +201,23 @@ runs:

const cacheType = `${{ inputs.cache-type }}`.trim();
const metadataImage = `${{ steps.metadata.outputs.image }}`;
const cacheImage = cacheType === 'registry' ? `${metadataImage}/cache` : metadataImage;
const cacheRegistry = `${{ inputs.cache-registry }}`.trim();

let cacheImage;
if (cacheRegistry) {
// Use separate cache registry: replace the registry part of the image
const imageParts = metadataImage.split('/');
// Remove the original registry (first part) and join with cache registry
imageParts.shift();
cacheImage = `${cacheRegistry}/${imageParts.join('/')}/cache`;
} else {
// Use main registry for cache
cacheImage = cacheType === 'registry' ? `${metadataImage}/cache` : metadataImage;
}
core.setOutput('cache-image', cacheImage);

try {
await exec.exec('command -v docker', { stdio: 'ignore' });
await io.which('docker', true);
core.setOutput('docker-exists', 'true');
} catch (error) {
// docker not available on runner
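Review bot: the new `cacheRegistry` branch always rewrites the image path and appends `/cache`, while the `else` branch only does so when `cacheType === 'registry'`; a caller that sets `cache-registry` together with `cache-type: gha` therefore gets a registry-style `cache-image` that the gha backend never uses. Suggest guarding the new branch with the same `cacheType === 'registry'` check, e.g. `if (cacheRegistry && cacheType === 'registry') {`. Separately, `imageParts.shift()` assumes the first path segment of `metadataImage` is a registry host; for a reference without an explicit registry such as `org/image` it drops the namespace instead, so check that the first segment contains a `.` or `:` before shifting, and consider trimming a trailing `/` from `cacheRegistry` to avoid a double slash. The switch from `exec.exec('command -v docker')` to `io.which('docker', true)` is correct, since `exec.exec` does not go through a shell and `command` is a shell builtin.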
Expand Down Expand Up @@ -248,6 +287,7 @@ runs:
# FIXME: upgrade version when available (https://hub.docker.com/r/moby/buildkit)
driver-opts: |
image=moby/buildkit:v0.27.0
buildkitd-config-inline: ${{ inputs.buildkitd-config-inline }}

# Caching setup
- id: cache-arguments
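Review bot: `buildkitd-config-inline` is forwarded to `docker/setup-buildx-action` unchanged, and when the input is unset the expression resolves to an empty string; please confirm the action treats an empty value as "no inline config" rather than writing an empty buildkitd configuration. Because the documented example disables TLS for a registry, a short comment on this line saying that the input can weaken transport security for the configured registry would help reviewers of downstream callers understand what they are passing through.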
Expand Down Expand Up @@ -278,6 +318,13 @@ runs:
registry: ${{ inputs.oci-registry }}
username: ${{ inputs.oci-registry-username }}
password: ${{ inputs.oci-registry-password }}

- uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
if: inputs.cache-registry
with:
registry: ${{ inputs.cache-registry }}
username: ${{ inputs.cache-registry-username }}
password: ${{ inputs.cache-registry-password }}
# jscpd:ignore-end

- id: build
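Review bot: `if: inputs.cache-registry` runs the login step whenever a cache registry is set, but the input descriptions say credentials are only required when that registry needs authentication; for an anonymous cache registry the step runs with empty `username` and `password` and fails. Suggest `if: inputs.cache-registry != '' && inputs.cache-registry-username != ''`, or change the descriptions to state that credentials are mandatory whenever `cache-registry` is set. Placing the block inside the existing `jscpd:ignore` region alongside the main registry login matches the current pattern for the duplicated login steps.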