|
| 1 | +# Fix Workflow Image Tag Mismatch |
| 2 | + |
| 3 | +**Date:** 2025-10-09 |
| 4 | +**Issue:** GitHub Actions workflow failing when building Playwright variant image |
| 5 | + |
| 6 | +## Problem Statement |
| 7 | + |
| 8 | +The GitHub Actions workflow was failing at step 11 "Build and push Playwright image" with the following error: |
| 9 | + |
| 10 | +``` |
| 11 | +ERROR: failed to build: failed to solve: ghcr.io/gordonbeeming/copilot_here:sha-e4cc1c4dd89220fe053bcfe51911f93319c044f8: failed to resolve source metadata for ghcr.io/gordonbeeming/copilot_here:sha-e4cc1c4dd89220fe053bcfe51911f93319c044f8: ghcr.io/gordonbeeming/copilot_here:sha-e4cc1c4dd89220fe053bcfe51911f93319c044f8: not found |
| 12 | +``` |
| 13 | + |
| 14 | +**Workflow Run:** https://github.com/GordonBeeming/copilot_here/actions/runs/18372997964/job/52340446791 |
| 15 | + |
| 16 | +## Root Cause Analysis |
| 17 | + |
| 18 | +The issue was a mismatch between the Docker image tag formats: |
| 19 | + |
| 20 | +1. **Base Image Tags:** The `docker/metadata-action@v5` with `type=sha` creates tags with SHORT SHA format: |
| 21 | + - `main` |
| 22 | + - `latest` |
| 23 | + - `sha-e4cc1c4` (7-character short SHA) |
| 24 | + |
| 25 | +2. **Playwright Build Reference:** The workflow tried to build the Playwright image using: |
| 26 | + - `BASE_IMAGE_TAG=sha-${{ github.sha }}` |
| 27 | + - This expands to the FULL SHA: `sha-e4cc1c4dd89220fe053bcfe51911f93319c044f8` (40 characters) |
| 28 | + |
| 29 | +3. **Result:** The Playwright build step looked for a base image tag that didn't exist, causing the build to fail. |
| 30 | + |
| 31 | +## Solution Evolution |
| 32 | + |
| 33 | +### Initial Fix (Commits 8381311, 7158aee) |
| 34 | +Changed the variant image builds to use stable tags (`latest`, `playwright`) instead of SHA-based references. This worked but didn't address the need for unique tags during concurrent workflow runs. |
| 35 | + |
| 36 | +### Final Solution (Commit 8377015) |
| 37 | +Based on user feedback, updated the workflow to use SHA-based tags to prevent conflicts during concurrent runs: |
| 38 | + |
| 39 | +**Step 9 - Push base image with full SHA tag:** |
| 40 | +```yaml |
| 41 | +- name: Push image to registry |
| 42 | + if: steps.push_decision.outputs.push_needed == 'true' |
| 43 | + run: | |
| 44 | + docker push --all-tags ghcr.io/${{ steps.repo.outputs.name }} |
| 45 | + # Tag with full SHA for variant builds to reference |
| 46 | + docker tag ghcr.io/${{ steps.repo.outputs.name }}:latest ghcr.io/${{ steps.repo.outputs.name }}:sha-${{ github.sha }} |
| 47 | + docker push ghcr.io/${{ steps.repo.outputs.name }}:sha-${{ github.sha }} |
| 48 | +``` |
| 49 | +
|
| 50 | +**Step 10 - Playwright image references full SHA:** |
| 51 | +```yaml |
| 52 | +build-args: | |
| 53 | + BASE_IMAGE_TAG=sha-${{ github.sha }} # Now this tag exists! |
| 54 | +``` |
| 55 | +
|
| 56 | +**Step 11 - .NET image references Playwright's full SHA:** |
| 57 | +```yaml |
| 58 | +build-args: | |
| 59 | + PLAYWRIGHT_IMAGE_TAG=playwright-sha-${{ github.sha }} # References the variant's SHA tag |
| 60 | +``` |
| 61 | +
|
| 62 | +## Changes Made |
| 63 | +
|
| 64 | +**File:** `.github/workflows/publish.yml` |
| 65 | + |
| 66 | +### Initial Fix (Commits 8381311, 7158aee): |
| 67 | +- Line 121: Changed `BASE_IMAGE_TAG=sha-${{ github.sha }}` → `BASE_IMAGE_TAG=latest` |
| 68 | +- Line 138: Changed `PLAYWRIGHT_IMAGE_TAG=playwright-sha-${{ github.sha }}` → `PLAYWRIGHT_IMAGE_TAG=playwright` |
| 69 | + |
| 70 | +### Final Update (Commit 8377015): |
| 71 | +- Line 111-115: Added multi-line run command to tag and push base image with full SHA |
| 72 | +- Line 126: Changed `BASE_IMAGE_TAG=latest` → `BASE_IMAGE_TAG=sha-${{ github.sha }}` |
| 73 | +- Line 143: Changed `PLAYWRIGHT_IMAGE_TAG=playwright` → `PLAYWRIGHT_IMAGE_TAG=playwright-sha-${{ github.sha }}` |
| 74 | + |
| 75 | +## Why This Works |
| 76 | + |
| 77 | +1. **Full SHA Tag Created:** After pushing the base image with metadata tags, we explicitly tag it with the full SHA and push that tag |
| 78 | +2. **Unique References:** Each workflow run uses its own commit SHA, ensuring no conflicts between concurrent runs |
| 79 | +3. **Sequential Dependencies:** Variant images reference the SHA-specific tags from previous steps |
| 80 | +4. **Traceability:** All images maintain commit-specific tags for full traceability |
| 81 | + |
| 82 | +## Benefits of This Approach |
| 83 | + |
| 84 | +- ✅ **Concurrent-Safe:** Multiple workflow runs can execute simultaneously without tag conflicts |
| 85 | +- ✅ **Traceable:** Every image variant is tagged with its source commit SHA |
| 86 | +- ✅ **Reliable:** Tags are created immediately before they're needed |
| 87 | +- ✅ **No Format Issues:** Uses full SHA consistently across all build steps |
| 88 | + |
| 89 | +## Testing |
| 90 | + |
| 91 | +The fix was validated by: |
| 92 | +- Reviewing the workflow logic to ensure tags are created before being referenced |
| 93 | +- Verifying that each SHA-based tag is unique to the workflow run |
| 94 | +- Confirming sequential dependency chain works correctly |
| 95 | + |
| 96 | +## Follow-up |
| 97 | + |
| 98 | +None required. The fix is complete and addresses both the original issue and the concurrent execution requirement. |
0 commit comments