GitHub Actions cache
Restricted
This is an experimental feature. The interface and behavior are unstable and may change in future releases.
The GitHub Actions cache utilizes the GitHub-provided Action's cache or other cache services supporting the GitHub Actions cache protocol. This is the recommended cache to use inside your GitHub Actions workflows, as long as your use case falls within the size and usage limits set by GitHub.
This cache storage backend is not supported with the default docker
driver.
To use this feature, create a new builder using a different driver. See
Build drivers for more information.
Synopsis
$ docker buildx build --push -t <registry>/<image> \
--cache-to type=gha[,parameters...] \
--cache-from type=gha[,parameters...] .
The following table describes the available CSV parameters that you can pass to
--cache-to
and --cache-from
.
Name | Option | Type | Default | Description |
---|---|---|---|---|
url |
cache-to ,cache-from |
String | $ACTIONS_CACHE_URL |
Cache server URL, see authentication. |
token |
cache-to ,cache-from |
String | $ACTIONS_RUNTIME_TOKEN |
Access token, see authentication. |
scope |
cache-to ,cache-from |
String | buildkit |
Which scope cache object belongs to, see scope |
mode |
cache-to |
min ,max |
min |
Cache layers to export, see cache mode. |
ignore-error |
cache-to |
Boolean | false |
Ignore errors caused by failed cache exports. |
timeout |
cache-to ,cache-from |
String | 10m |
Max duration for importing or exporting cache before it's timed out. |
repository |
cache-to |
String | GitHub repository used for cache storage. | |
ghtoken |
cache-to |
String | GitHub token required for accessing the GitHub API. |
Authentication
If the url
or token
parameters are left unspecified, the gha
cache backend
will fall back to using environment variables. If you invoke the docker buildx
command manually from an inline step, then the variables must be manually
exposed. Consider using the
crazy-max/ghaction-github-runtime
,
GitHub Action as a helper for exposing the variables.
Scope
Scope is a key used to identify the cache object. By default, it is set to
buildkit
. If you build multiple images, each build will overwrite the cache
of the previous, leaving only the final cache.
To preserve the cache for multiple builds, you can specify this scope attribute with a specific name. In the following example, the cache is set to the image name, to ensure each image gets its own cache:
$ docker buildx build --push -t <registry>/<image> \
--cache-to type=gha,url=...,token=...,scope=image \
--cache-from type=gha,url=...,token=...,scope=image .
$ docker buildx build --push -t <registry>/<image2> \
--cache-to type=gha,url=...,token=...,scope=image2 \
--cache-from type=gha,url=...,token=...,scope=image2 .
GitHub's cache access restrictions, still apply. Only the cache for the current branch, the base branch and the default branch is accessible by a workflow.
Using docker/build-push-action
When using the
docker/build-push-action
, the
url
and token
parameters are automatically populated. No need to manually
specify them, or include any additional workarounds.
For example:
- name: Build and push
uses: docker/build-push-action@v6
with:
context: .
push: true
tags: "<registry>/<image>:latest"
cache-from: type=gha
cache-to: type=gha,mode=max
Avoid GitHub Actions cache API throttling
GitHub's
usage limits and eviction policy
causes stale cache entries to be removed after a certain period of time. By
default, the gha
cache backend uses the GitHub Actions cache API to check the
status of cache entries.
The GitHub Actions cache API is subject to rate limiting if you make too many
requests in a short period of time, which may happen as a result of cache
lookups during a build using the gha
cache backend.
#31 exporting to GitHub Actions Cache
#31 preparing build cache for export
#31 preparing build cache for export 600.3s done
#31 ERROR: maximum timeout reached
------
> exporting to GitHub Actions Cache:
------
ERROR: failed to solve: maximum timeout reached
make: *** [Makefile:35: release] Error 1
Error: Process completed with exit code 2.
To mitigate this issue, you can supply a GitHub token to BuildKit. This lets BuildKit utilize the standard GitHub API for checking cache keys, thereby reducing the number of requests made to the cache API.
To provide a GitHub token, you can use the ghtoken
parameter, and a
repository
parameter to specify the repository to use for cache storage. The
ghtoken
parameter is a GitHub token with the repo
scope, which is required
to access the GitHub Actions cache API.
The ghtoken
parameter is automatically set to the value of
secrets.GITHUB_TOKEN
when you build with the docker/build-push-action
action. You can also set the ghtoken
parameter manually using the
github-token
input, as shown in the following example:
- name: Build and push
uses: docker/build-push-action@v6
with:
context: .
push: true
tags: "<registry>/<image>:latest"
cache-from: type=gha
cache-to: type=gha,mode=max
github-token: ${{ secrets.MY_CUSTOM_TOKEN }}
Further reading
For an introduction to caching see Docker build cache.
For more information on the gha
cache backend, see the
BuildKit README.
For more information about using GitHub Actions with Docker, see Introduction to GitHub Actions