[BUG] Docker build cache overwrites published GHCR image manifest causing Azure ContainerCreateFailure #723

@davehorsfall

Is there an existing issue for this?

  • I have searched the existing issues

Describe the bug

Deployments to Azure App Service began failing with:

Container start up failed with reason: ContainerCreateFailure

The container image could be pulled successfully from GHCR, but Azure failed during container creation before the application process started.

Inspection of the published image manifest showed that the image config media type had been overwritten with a BuildKit cache manifest:

"mediaType": "application/vnd.buildkit.cacheconfig.v0"

instead of a valid runnable image config such as:

"mediaType": "application/vnd.docker.container.image.v1+json"

This appears to be caused by the GitHub Actions workflow exporting the BuildKit registry cache to the same tag as the published application image.

Current workflow:

cache-to: ${{ case(inputs.publish == 'true', format('type=registry,ref={0}', steps.meta.outputs.tags), 'type=gha,mode=max') }}

When publishing, this resolves to something similar to:

cache-to: type=registry,ref=ghcr.io/<repo>:latest

which overwrites the image manifest with cache metadata.

Expected Behavior

Published container tags should remain valid runnable OCI/Docker images and should not be overwritten by BuildKit cache artifacts.

Azure App Service deployments should successfully start containers from GHCR images.

Steps To Reproduce

  1. Configure the workflow with:
     cache-to: type=registry,ref=<published-image-tag>
  2. Build and push using docker/build-push-action@v6
  3. Deploy the resulting image to Azure App Service
  4. Observe startup failure:
     ContainerCreateFailure
  5. Inspect the manifest:
     docker manifest inspect ghcr.io/<repo>:latest
  6. Observe invalid config type:
     "mediaType": "application/vnd.buildkit.cacheconfig.v0"

Environment

OS: Ubuntu Linux
Docker Buildx: via docker/build-push-action@v6
Registry: GitHub Container Registry (GHCR)
Deployment target: Azure App Service (Linux Containers)
Software versions:
docker/build-push-action@v6
docker/setup-buildx-action@v4

Anything else?

A manual rebuild and push using:

docker buildx build \
  --platform linux/amd64 \
  --provenance=false \
  -t ghcr.io/<repo>:v0.4.1 \
  --push .

produced a valid deployable image.

Proposed fix:

Use a dedicated cache tag instead of the application image tag.

Example:

cache-from: |
  type=gha
  type=registry,ref=ghcr.io/${{ github.repository }}:buildcache

cache-to: type=registry,ref=ghcr.io/${{ github.repository }}:buildcache,mode=max

Also recommended:

platforms: linux/amd64

to avoid Azure App Service architecture incompatibilities.
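
Added example (not part of the original issue or the project's workflow): a release-gate check that classifies the JSON printed by `docker manifest inspect` and flags a `cache-to` value that points at a published tag. The function names, the `ghcr.io/example/app` repository and the sample manifests are constructed for illustration, and also checking index entries for the cache media type is an assumption beyond what the issue shows.

```python
import json

CACHE_TYPE = "application/vnd.buildkit.cacheconfig.v0"
RUNNABLE_CONFIG_TYPES = {
    "application/vnd.docker.container.image.v1+json",
    "application/vnd.oci.image.config.v1+json",
}

def classify_manifest(raw):
    """Classify manifest JSON as 'buildkit-cache', 'index', 'image' or 'unknown'."""
    doc = json.loads(raw)
    entries = doc.get("manifests") or []
    config_type = (doc.get("config") or {}).get("mediaType")
    # Cache marker as the image config (as in the issue) or as an index entry (assumed).
    if config_type == CACHE_TYPE or any(e.get("mediaType") == CACHE_TYPE for e in entries):
        return "buildkit-cache"
    if entries:
        return "index"  # multi-platform index; each referenced manifest needs its own check
    if config_type in RUNNABLE_CONFIG_TYPES:
        return "image"
    return "unknown"

def registry_cache_ref(cache_to):
    """Return the ref= field of a 'type=registry,...' cache-to value, else None."""
    fields = dict(p.split("=", 1) for p in cache_to.split(",") if "=" in p)
    return fields.get("ref") if fields.get("type") == "registry" else None

def cache_collides(cache_to, published_tags):
    """True when the registry cache would be exported to a published image tag."""
    ref = registry_cache_ref(cache_to)
    return ref is not None and ref in set(published_tags)

# Constructed sample manifests (not captured from a real registry).
BROKEN = json.dumps({"schemaVersion": 2, "config": {"mediaType": CACHE_TYPE}})
VALID = json.dumps({"schemaVersion": 2, "config": {
    "mediaType": "application/vnd.docker.container.image.v1+json"}})

if __name__ == "__main__":
    tags = ["ghcr.io/example/app:latest"]  # placeholder repository name
    print(classify_manifest(BROKEN), classify_manifest(VALID))
    print(cache_collides("type=registry,ref=ghcr.io/example/app:latest", tags))
    print(cache_collides("type=registry,ref=ghcr.io/example/app:buildcache,mode=max", tags))
```

Failing the job when `classify_manifest` returns anything other than `image` or `index` for a published tag catches the overwrite before the image reaches Azure App Service.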
