This GitHub Action is for building and pushing Docker images with Depot. The action implements the same inputs and outputs as the docker/build-push-action, but uses the depot CLI to execute the build.
Depot allows you to build Docker images 5-20x faster on GitHub Actions through optimized build compute and a Docker cache that’s persisted between builds on SSDs.
Depot also supports native multi-architecture builds.
The depot CLI will need to be available in your workflow, you can use the depot/setup-action to install it:
steps:
- uses: depot/setup-action@v1This action implements the same inputs and outputs as the docker/build-push-action. You will need to supply your project ID and Depot authentication information, although both can be inferred from the environment. See below for more details.
This action needs a Depot API token to communicate with your project's builders. You can supply this one of three ways. The third, using OICD, is the preferred method, but you can also supply a token directly.
-
You can supply a user or project API token via the
tokeninput:steps: - uses: depot/build-push-action@v1 with: token: ${{ secrets.DEPOT_TOKEN }}
-
You can supply a user or project API token via the
DEPOT_TOKENenvironment variable:steps: - uses: depot/build-push-action@v1 env: DEPOT_TOKEN: ${{ secrets.DEPOT_TOKEN }}
-
Depot supports GitHub's OpenID Connect tokens via a trust relationship, so your Actions builds can securely authenticate with your Depot projects without any static access tokens. To configure the trust relationship, visit your Depot project settings, then add your repository and desired workflow config to
Trust Relationships. Then in your workflow, enable theid-token: writepermission:permissions: # allow issuing OIDC tokens for this workflow run id-token: write # allow at least reading the repo contents, add other permissions if necessary contents: read steps: # no need to provide a DEPOT_TOKEN - uses: depot/build-push-action@v1
-
Authentication — this action needs to authenticate with a Depot API token to communicate with your project's builders (see above).
-
If you have not configured a
depot.jsonfile withdepot init, you can explicitly specify your project ID via theprojectinput:steps: - uses: depot/build-push-action@v1 with: project: abc123xyz
-
The
builderinput is not supported - this action always runs builds using Depot's hosted builders, if you need to route builds to a local buildx builder, you should use thedocker/build-push-action. -
Depending on how you are using
cache-from/cache-to, you may be able to remove those options. Depot's builders launch with persistent local SSD cache, so unless you wish to push your cache to a registry for other reasons, you can remove them:steps: - - uses: docker/build-push-action@v1 + uses: depot/build-push-action@v1 with: - cache-from: type=gha - cache-to: type=gha,mode=max
| Name | Type | Description |
|---|---|---|
project |
String | Depot project ID to route the image build to your projects builders (default: the depot.json file at the root of your repo) |
token |
String | You must authenticate with the Depot API to communicate with your projects builders (see Authentication above) |
build-platform |
String | The platform to use for the build ( linux/amd64 or linux/arm64) |
buildx-fallback |
Boolean | If true, this action will fallback to using docker buildx build if depot build is unable to acquire a builder connection. This requires installing buildx with docker/setup-buildx-action (default: false) |
lint |
Boolean | Lint dockerfiles and fail build if any issues are of error severity. (default false) |
lint-fail-on |
String | Severity of linter issue to cause the build to fail. (error, warn, info, none) |
save |
Boolean | Save the image to the Depot ephemeral registry (for use with the depot/pull-action) |
The following inputs can be used as step.with keys and match the inputs from docker/build-push-action:
| Name | Type | Description |
|---|---|---|
add-hosts |
List/CSV | List of customs host-to-IP mapping (e.g., docker:10.180.0.1) |
allow |
List/CSV | List of extra privileged entitlement (e.g., network.host,security.insecure) |
attests |
List | List of attestation parameters (e.g., type=sbom,generator=image) |
build-args |
List | List of build-time variables |
build-contexts |
List | List of additional build contexts (e.g., name=path) |
cache-from |
List | List of external cache sources (e.g., type=local,src=path/to/dir) |
cache-to |
List | List of cache export destinations (e.g., type=local,dest=path/to/dir) |
cgroup-parent |
String | Optional parent cgroup for the container used in the build |
context |
String | Build's context is the set of files located in the specified PATH or URL (default Git context) |
file |
String | Path to the Dockerfile. (default {context}/Dockerfile) |
labels |
List | List of metadata for an image |
load |
Bool | Load is a shorthand for --output=type=docker (default false) |
network |
String | Set the networking mode for the RUN instructions during build |
no-cache |
Bool | Do not use cache when building the image (default false) |
no-cache-filters |
List/CSV | Do not cache specified stages |
outputs |
List | List of output destinations (format: type=local,dest=path) |
platforms |
List/CSV | List of target platforms for build |
provenance |
Bool/String | Generate provenance attestation for the build (shorthand for --attest=type=provenance) |
pull |
Bool | Always attempt to pull all referenced images (default false) |
push |
Bool | Push is a shorthand for --output=type=registry (default false) |
sbom |
Bool/String | Generate SBOM attestation for the build (shorthand for --attest=type=sbom) |
sbom-dir |
String | Save all image SBOM to this output directory |
secrets |
List | List of secrets to expose to the build (e.g., key=string, GIT_AUTH_TOKEN=mytoken) |
secret-files |
List | List of secret files to expose to the build (e.g., key=filename, MY_SECRET=./secret.txt) |
shm-size |
String | Size of /dev/shm (e.g., 2g) |
ssh |
List | List of SSH agent socket or keys to expose to the build |
tags |
List/CSV | List of tags |
target |
String | Sets the target stage to build |
ulimit |
List | Ulimit options (e.g., nofile=1024:1024) |
github-token |
String | GitHub Token used to authenticate against a repository for Git context (default ${{ github.token }}) |
| Name | Type | Description |
|---|---|---|
imageid |
String | Image ID |
digest |
String | Image digest |
metadata |
JSON | Build result metadata |
project-id |
String | Depot Project ID |
build-id |
String | Depot Build ID |
Below are examples of how to use depot/build-push-action to build your Docker images using Depot builders. For all examples, it is assumed that you are either specifying the Depot project ID via the project or input, environment variable, or using a depot.json file.
See our trust relationship documentation for details on configuring this exchange.
name: Build image
on:
push:
branches:
- main
jobs:
docker-image:
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
steps:
- name: Checkout repo
uses: actions/checkout@v3
- name: Set up Depot CLI
uses: depot/setup-action@v1
- name: Login to DockerHub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Build and push
uses: depot/build-push-action@v1
with:
# if no depot.json file is at the root of your repo, you must specify the project id
project: <your-depot-project-id>
push: true
tags: user/app:latestYou can use either Depot project tokens or user tokens in the token input.
Note: Project tokens are the recommendation if OIDC tokens are not an option.
name: Build image
on:
push:
branches:
- main
jobs:
docker-image:
runs-on: ubuntu-latest
steps:
- name: Checkout repo
uses: actions/checkout@v3
- name: Set up Depot CLI
uses: depot/setup-action@v1
- name: Login to DockerHub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Build and push
uses: depot/build-push-action@v1
with:
# if no depot.json file is at the root of your repo, you must specify the project id
project: <your-depot-project-id>
token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
push: true
tags: user/app:latest
build-args: |
FOO=barDepot supports building truly native multi-platform images, no emulation needed.
name: Build image
on:
push:
branches:
- main
jobs:
docker-image:
runs-on: ubuntu-latest
steps:
- name: Checkout repo
uses: actions/checkout@v3
- name: Set up Depot CLI
uses: depot/setup-action@v1
- name: Login to DockerHub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Build and push
uses: depot/build-push-action@v1
with:
# if no depot.json file is at the root of your repo, you must specify the project id
project: <your-depot-project-id>
token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
platforms: linux/amd64,linux/arm64
push: true
tags: user/app:latest- Build and push image to Amazon ECR
- Build and push image to GCP Artifact Registry
- Build and push to multiple registries
- Export image to Docker
- Lint and Build image
- Build image with Software Bill of Materials (SBOM)
MIT License, see LICENSE.
Code derived from docker/build-push-action copyright 2013-2018 Docker, Inc., Apache License, Version 2.0.