Using GHA cache always leads to `Image` update
tlinhart opened this issue · comments
What happened?
We use GitHub Actions for CI/CD, so I would like to use the GHA cache for the Docker image build process. However, the `Image` resource always gets updated because the `cacheFrom` and `cacheTo` differ. As per the docs, when the `url` and `token` arguments are not provided for the GHA `cacheFrom` and `cacheTo`, they are taken from the environment variables `ACTIONS_RUNTIME_URL` and `ACTIONS_RUNTIME_TOKEN`. However, even though the runtime URL stays the same, the token is always different, as it is a JWT token related to the current workflow run and job (see e.g. here). I expect Pulumi not to trigger an update when `url` and `token` are not provided explicitly.
Example
This is the relevant part of the Pulumi program:
```python
import os

import pulumi
import pulumi_docker_build as docker_build

# `repository` and `auth_token` are defined elsewhere in the program (not shown
# in the issue); the attributes used below are assumed to come from an AWS ECR
# repository and an ECR authorization token.

image_name = pulumi.Output.concat(repository.repository_url, ":latest")

# In GitHub Actions, use the GHA cache backend. `url` and `token` are left
# unset so the provider reads ACTIONS_RUNTIME_URL / ACTIONS_RUNTIME_TOKEN.
if os.getenv("GITHUB_ACTIONS"):
    cache_from = docker_build.CacheFromArgs(
        gha=docker_build.CacheFromGitHubActionsArgs()
    )
    cache_to = docker_build.CacheToArgs(
        gha=docker_build.CacheToGitHubActionsArgs(
            mode=docker_build.CacheMode.MAX, ignore_error=True
        )
    )
else:
    # Outside CI, fall back to an inline cache stored with the image itself.
    cache_from = docker_build.CacheFromArgs(
        registry=docker_build.CacheFromRegistryArgs(ref=image_name)
    )
    cache_to = docker_build.CacheToArgs(
        inline=docker_build.CacheToInlineArgs()
    )

image = docker_build.Image(
    "xxx",
    context=docker_build.BuildContextArgs(location=".."),
    platforms=[docker_build.Platform.LINUX_AMD64],
    tags=[image_name],
    cache_from=[cache_from],
    cache_to=[cache_to],
    push=True,
    registries=[
        docker_build.RegistryArgs(
            address=repository.repository_url,
            username=auth_token.user_name,
            password=pulumi.Output.secret(auth_token.password),
        )
    ],
)
```
This is the relevant part of the GitHub Actions log from the `pulumi up` step:

```
~ docker-build:index:Image: (update)
    [id=sha256:xxx]
    [urn=urn:pulumi:xxx-test::xxx::docker-build:index:Image::xxx]
    [provider=urn:pulumi:xxx-test::xxx::pulumi:providers:docker-build::default_0_0_2::1c6deb57-2a3f-4817-8d97-752bb9f399d4]
  ~ cacheFrom: [
  ~     [0]: {
            disabled: false
          ~ gha     : {
              ~ token: "***" => ***
                url  : "https://pipelinesghubeus3.actions.githubusercontent.com/xxx"
            }
        }
    ]
  ~ cacheTo  : [
  ~     [0]: {
            disabled: false
          ~ gha     : {
                ignoreError: true
                mode       : "max"
              ~ token      : "***" => ***
                url        : "https://pipelinesghubeus3.actions.githubusercontent.com/xxx"
            }
        }
    ]
```
Output of pulumi about
```
CLI
Version      3.116.1
Go Version   go1.22.2
Go Compiler  gc

Host
OS       ubuntu
Version  24.04
Arch     x86_64

Backend
Name           xxx
URL            s3://xxx
User           xxx
Organizations
Token type     personal

Pulumi locates its logs in /tmp by default
```
Additional context
No response
Ah, great catch. We ignore changes to the registry's password for the same reason, we should do something similar for the GHA token.
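The approach the maintainer describes, as an added example that is not pulumi-docker-build's own code: a diff over the resource inputs that skips per-run credentials (the GHA `token`, and the registry `password` that is already treated this way) so that only meaningful changes, such as the cache `mode`, register as an update. The input dicts, the token strings and the ECR-style registry address are constructed to match the `pulumi up` output quoted above; how the provider actually stores and diffs these inputs internally is an assumption.

```python
"""Added example: diff resource inputs while ignoring per-run credentials.

Not the provider's code. The input shapes mirror the cacheFrom/cacheTo
output quoted in the issue; the property paths are an assumption.
"""
from __future__ import annotations

import re
from typing import Any

# Property paths whose values are re-minted on every CI run and therefore
# must not count as a change. The GHA token is a per-job JWT; the registry
# password is the short-lived ECR authorization token.
EPHEMERAL_PATHS = (
    re.compile(r"^cacheFrom\[\d+\]\.gha\.token$"),
    re.compile(r"^cacheTo\[\d+\]\.gha\.token$"),
    re.compile(r"^registries\[\d+\]\.password$"),
)


def is_ephemeral(path: str) -> bool:
    """True if `path` names a credential that changes on every run."""
    return any(p.match(path) for p in EPHEMERAL_PATHS)


def _flatten(value: Any, prefix: str = "") -> dict[str, Any]:
    """Flatten nested dicts/lists into {"cacheTo[0].gha.mode": "max", ...}."""
    out: dict[str, Any] = {}
    if isinstance(value, dict):
        for k, v in value.items():
            out.update(_flatten(v, f"{prefix}.{k}" if prefix else k))
    elif isinstance(value, list):
        for i, v in enumerate(value):
            out.update(_flatten(v, f"{prefix}[{i}]"))
    else:
        out[prefix] = value
    return out


def diff_inputs(old: dict, new: dict, ignore_ephemeral: bool = True) -> list[str]:
    """Return the sorted property paths whose value differs between old and new.

    With ignore_ephemeral=True the per-run credentials are skipped, so a
    token re-minted for the current job is not by itself a reason to update.
    """
    flat_old, flat_new = _flatten(old), _flatten(new)
    changed: list[str] = []
    for path in sorted(set(flat_old) | set(flat_new)):
        if ignore_ephemeral and is_ephemeral(path):
            continue
        if flat_old.get(path) != flat_new.get(path):
            changed.append(path)
    return changed


def gha_cache_inputs(token: str, ecr_password: str, mode: str = "max") -> dict:
    """Build inputs shaped like the issue's cacheFrom/cacheTo/registries.

    All values are constructed; the token strings stand in for real JWTs.
    """
    url = "https://pipelinesghubeus3.actions.githubusercontent.com/xxx"
    return {
        "cacheFrom": [{"disabled": False, "gha": {"token": token, "url": url}}],
        "cacheTo": [
            {
                "disabled": False,
                "gha": {"ignoreError": True, "mode": mode, "token": token, "url": url},
            }
        ],
        "registries": [
            {
                "address": "123456789012.dkr.ecr.us-east-1.amazonaws.com/xxx",  # constructed
                "username": "AWS",
                "password": ecr_password,
            }
        ],
    }


if __name__ == "__main__":
    run1 = gha_cache_inputs(token="gha-jwt-run-1", ecr_password="ecr-token-1")
    run2 = gha_cache_inputs(token="gha-jwt-run-2", ecr_password="ecr-token-2")
    # Naive diff: every run looks like an update because the credentials moved.
    print(diff_inputs(run1, run2, ignore_ephemeral=False))
    # Credential-aware diff: identical config, no update.
    print(diff_inputs(run1, run2))
    # A real change (cache mode) still shows up.
    run3 = gha_cache_inputs(token="gha-jwt-run-3", ecr_password="ecr-token-3", mode="min")
    print(diff_inputs(run1, run3))
```

Ignoring the field at diff time is preferable to dropping it from state entirely: the token still has to be passed to BuildKit for the current run, it just must not be compared against the previous run's value.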