Docker image digest is different to the resulting digest once pushed to the Github Container Registry

1.8k views Asked by At

I have a CI pipeline on Github Actions that builds and pushes a docker image, then, I have a seperate repository that has an action that I trigget from the command line, that takes as an arg a docker image which then applies it to a Kustomize template

Here is an example of that CI

docker build . -t ghcr.io/myOrg/myApp:${{ commitSha }}
docker push ghcr.io/myOrg/myRepo:${{ commitSha }}

gh workflow run update_image.yml -R myOrg/myInfraRepo -f image=ghcr.io/myOrg/myRepo@$(docker images --no-trunc --quiet ghcr.io/myOrg/myApp:${{ commitSha }})

When testing, the whole flow works, and triggers the workflow with an image & digest, however, the digest doesn't seem to be correct

When I check the container via github packages, I can see the following manifest

{
  "digest": "sha256:9e32f9292cbe63d27374fd467ad5e530112cbfddf17c250ca90e087bdfcd436e",
  "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
  "size": 1998,
  "config": {
    "digest": "sha256:6f7e582643c22f4e41021be851bb0394c0e326e8fe06c7d3e890316d1a0234e9",
    "mediaType": "application/vnd.docker.container.image.v1+json",
    "size": 8755
  },
  "layers": [
...

Both digests are different, and the output of docker images --no-trunc --quiet was the digest under config.digest, not the top level digest. I don't understand why they're different, is this a registry digest? If so, how can I get that digest via the command line?

1

There are 1 answers

0
Wazbat On BEST ANSWER

Well, I managed to resolve this. I was using the wrong command to get the digest.

docker images --no-trunc --quiet ghcr.io/myOrg/myApp:${{ commitSha }}

It works, but that's only the local digest. I replaced it with this from here

docker inspect --format='{{index .RepoDigests 0}}' $IMAGE

which returns the full name and remote digest. So now my final command looks like this:

gh workflow run update_image.yml -R myOrg/myInfraRepo -f image=$(docker inspect --format='{{index .RepoDigests 0}}' ghcr.io/myOrg/myApp:${{ commitSha }})