Wrong digest Output after pushing to GCP Artifact

[NikitaSemenovAiforia]

What happened?

I set registries to GCP Artifact URL. The image was pushed. But digest Output is set to docker.io/library/sha256:.
There are no other registries or exports except GitHub cache.

Example

repo_url = pulumi.Output.concat(
    f"{region}-docker.pkg.dev",
    "/",
    project_id,
    "/",
    migrator_repository_id,
)
image_name = repo_url.apply(
    lambda ru: f"{ru}/transport-layer-migrator:{github_sha}",
)
tl_migrator_image = docker_build.Image(
    resource_name="transport-layer-migrator-image",
    tags=[
        image_name,
        repo_url.apply(
            lambda ru: f"{ru}/transport-layer-migrator:{github_ref_name}",
        ),
    ],
    context=docker_build.BuildContextArgs(location="../"),
    target="migration",
    cache_from=[
        docker_build.CacheFromArgs(
            gha=docker_build.CacheFromGitHubActionsArgs(
                scope="transport-layer-migrator",
            ),
        ),
        docker_build.CacheFromArgs(
            registry=docker_build.CacheFromRegistryArgs(
                ref=repo_url.apply(
                    lambda ru: f"{ru}/transport-layer-migrator:cache",
                ),
            ),
        ),
        docker_build.CacheFromArgs(
            registry=docker_build.CacheFromRegistryArgs(
                ref=repo_url.apply(
                    lambda ru: f"{ru}/transport-layer-migrator:{github_ref_name}",
                ),
            ),
        ),
    ],
    cache_to=[
        docker_build.CacheToArgs(
            gha=docker_build.CacheToGitHubActionsArgs(
                mode=docker_build.CacheMode.MAX,
                scope="transport-layer-migrator",
            ),
        ),
        docker_build.CacheToArgs(
            registry=docker_build.CacheToRegistryArgs(
                ref=repo_url.apply(
                    lambda ru: f"{ru}/transport-layer-migrator:cache",
                ),
                mode=docker_build.CacheMode.MAX,
            ),
        ),
        docker_build.CacheToArgs(
            registry=docker_build.CacheToRegistryArgs(
                ref=repo_url.apply(
                    lambda ru: f"{ru}/transport-layer-migrator:{github_ref_name}",
                ),
            ),
        ),
    ],
    push=True,
    registries=[
        docker_build.RegistryArgs(
            address=repo_url,
            username="oauth2accesstoken",
            password=google_access_token,
        ),
    ],
)

Output of pulumi about

CLI
Version 3.126.0
Go Version go1.22.5
Go Compiler gc

Plugins
KIND NAME VERSION
resource docker-build 0.0.6
resource gcp 7.38.0
language python unknown

Host
OS ubuntu
Version 22.04
Arch x86_64

This project is written in python: python' version='3.12.1'

Dependencies:
NAME VERSION
pip 24.2
pulumi_docker_build 0.0.6
pulumi_gcp 7.38.0
pyright 1.1.378
setuptools 74.0.0
wheel 0.44.0

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

[blampe]

Hi @NikitaSemenovAiforia, a few clarifying questions.

• Can you confirm the digest you're talking about is tl_migrator_image.digest?
• What is the output of docker version?
• Did you already have something cached when you built the image with Pulumi?

[NikitaSemenovAiforia]

Hi @NikitaSemenovAiforia, a few clarifying questions.

* Can you confirm the digest you're talking about is `tl_migrator_image.digest`?

Confirmed.

* What is the output of `docker version`?

Client: Docker Engine - Community
Version: 26.1.3
API version: 1.45
Go version: go1.21.10
Git commit: b72abbb
Built: Thu May 16 08:33:29 2024
OS/Arch: linux/amd64
Context: default

buildx v0.16.2

* Did you already have something cached when you built the image with Pulumi?

Yes. The old script for this job was running simultaneously. Here is the step:

- id: build_and_push
  name: Build and push
  uses: docker/build-push-action@v6
  with:
     push: true
     tags: ${{ vars.BASE_DOCKER_HUB_URL }}/${{ vars.PROJECT_NAME }}/docker-repository/transport-layer-migrator:k8s
     target: 'migration'
     cache-from: type=registry,ref=${{ vars.BASE_DOCKER_HUB_URL }}/${{ vars.PROJECT_NAME }}/docker-repository/transport-layer-migrator:k8s
     cache-to: type=inline

[blampe]

Super helpful context, thank you @NikitaSemenovAiforia!

I haven't been able to reproduce this yet -- the digest we use should be returned by the daemon whenever we export something to the registry. One thing you might try is changing this cache-to entry:

docker_build.CacheToArgs(
            registry=docker_build.CacheToRegistryArgs(
                ref=repo_url.apply(
                    lambda ru: f"{ru}/transport-layer-migrator:{github_ref_name}",
                ),
            ),
        ),

to an inline cache (inline=docker_build.CacheToInlineArgs()). Your code currently pushes an image tag and a cache manifest to transport-layer-migrator:{github_ref_name} and I suspect GCP might not be handling that well. Using an inline cache is the "right" way to use one tag for an image as well as a cache-from source.