Fixing Docker Build Arguments In GitHub Actions

Introduction

Hey guys! Today, we're diving deep into a tricky bug encountered in the qubership-workflow-hub, specifically concerning Docker Action build arguments. This issue, reported within the Netcracker ecosystem, highlights a common pitfall when working with GitHub Actions and Docker. We'll break down the problem, how to reproduce it, and more importantly, how to ensure your build arguments are correctly passed to your Docker builds. Let's get started!

Understanding the Bug: Boolean Evaluation of Build Arguments

The core of the issue lies in how the build-args input is being evaluated within the GitHub Actions workflow. The initial configuration uses a conditional expression: ${{ inputs.build-args != '' }}. Now, this expression evaluates to a boolean value (true or false) based on whether the inputs.build-args string is empty or not. While this might seem harmless at first glance, it has a significant consequence: instead of passing the actual build arguments to the Docker build process, it's passing a boolean value.

This means that even if you provide specific build arguments, they won't be forwarded to the Dockerfile during the build. Imagine you're trying to override a base image or set a specific version; the Docker build will simply ignore these instructions, potentially leading to unexpected behavior or build failures. It's like telling your chef to add ingredients but only specifying "yes" or "no" instead of the actual ingredients and quantities. This can happen with anyone using Netcracker or qubership-workflow-hub.

Why This Matters

Passing build arguments to Dockerfiles is a crucial aspect of modern containerization workflows. Build arguments allow you to:

• Customize your images without modifying the Dockerfile directly.
• Pass sensitive information (like API keys) securely during the build process.
• Create variations of your images based on different environments or configurations.

Failing to pass these arguments correctly can lead to:

• Inconsistent builds across different environments.
• Security vulnerabilities if sensitive information is hardcoded.
• Increased complexity in managing your Docker images.

Reproducing the Bug: A Step-by-Step Guide

To fully grasp the issue, let's walk through how to reproduce the bug. The provided example workflow snippet demonstrates a typical scenario where this problem can occur.

Workflow Configuration

The workflow uses the axcelblaze003/qubership-workflow-hub/actions/docker-action@main action to build a Docker image. Here's the relevant part of the configuration:

- name: Docker build
  uses: axcelblaze003/qubership-workflow-hub/actions/docker-action@main
  with:
    ref: release-${{ inputs.release }}
    download-artifact: false
    dry-run: false
    component: ${{ toJson(matrix.component) }}
    platforms: ${{ needs.load-docker-build-components-stage2.outputs.platforms }}
    tags: "${{ env.IMAGE_VERSION }},latest"
    build-args: |
      base_img=ghcr.io/axcelblaze003/qubership-spark-customized:${{ inputs.release }}
  env:
    GITHUB_TOKEN: ${{ github.token }}

The critical line here is the build-args section. It attempts to pass the base_img argument, which is intended to override the base image used in the Dockerfile. However, due to the boolean evaluation issue, this isn't happening as expected.

Steps to Reproduce

1. Set up a GitHub Repository: You'll need a GitHub repository with a Dockerfile. In this case, the example references https://github.com/AxcelBlaze003/qubership-spark-on-k8s/blob/5ba7c32840bde3311edf0f0407c273a105fe035b/spark-customized/py/Dockerfile. You can either use this repository or create your own.
2. Create a GitHub Actions Workflow: Create a workflow file (e.g., .github/workflows/docker-build.yml) in your repository and paste the configuration snippet above into it. Make sure to adjust the inputs.release value or any other relevant parameters to match your setup.
3. Run the Workflow: Trigger the workflow by pushing a commit or manually dispatching it in the GitHub Actions UI.
4. Inspect the Build Logs: Examine the build logs for the Docker build step. You'll notice that the base_img argument isn't being used to override the base image in the Dockerfile. The Dockerfile will likely use its default base image, which might not be what you intended.
5. Verify the Issue: To further confirm the issue, you can modify the Dockerfile to include a command that prints the value of the base_img argument. If the argument isn't being passed correctly, the output will either be empty or the default value defined in the Dockerfile.

Expected Result (ER)

The expected result, as mentioned in the bug report, is that the base_img in the Dockerfile should be replaced by the value provided in the job configuration. Specifically, the line FROM some-default-image in the Dockerfile should effectively be overridden by FROM ghcr.io/axcelblaze003/qubership-spark-customized:${{ inputs.release }}.

The Solution: Correctly Passing Build Arguments

Now that we understand the problem and how to reproduce it, let's talk about the solution. The key is to ensure that the build-args input receives the actual build arguments as a string, rather than a boolean value.

The Correct Approach

The corrected configuration should look like this:

- name: Docker build
  uses: axcelblaze003/qubership-workflow-hub/actions/docker-action@main
  with:
    ref: release-${{ inputs.release }}
    download-artifact: false
    dry-run: false
    component: ${{ toJson(matrix.component) }}
    platforms: ${{ needs.load-docker-build-components-stage2.outputs.platforms }}
    tags: "${{ env.IMAGE_VERSION }},latest"
    build-args: base_img=ghcr.io/axcelblaze003/qubership-spark-customized:${{ inputs.release }}
  env:
    GITHUB_TOKEN: ${{ github.token }}

The crucial change is in the build-args line. Instead of using a conditional expression, we directly assign the build argument string base_img=ghcr.io/axcelblaze003/qubership-spark-customized:${{ inputs.release }}. This ensures that the Docker build process receives the correct argument.

Explanation

The reason this works is that GitHub Actions will now interpret the value assigned to build-args as a string containing the build arguments. The Docker Action will then parse this string and pass the arguments to the docker build command. This is the standard and correct way to pass build arguments in GitHub Actions.

Best Practices for Build Arguments

To avoid similar issues in the future, consider these best practices when working with build arguments in GitHub Actions:

1. Always Pass Arguments as Strings: Ensure that your build-args input receives a string value. Avoid using boolean expressions or other data types.
2. Use Environment Variables: For sensitive information, use environment variables instead of hardcoding values in your workflow. You can access environment variables within your build arguments using the ${{ env.VARIABLE_NAME }} syntax.
3. Test Your Builds: Always test your Docker builds with different build arguments to ensure they behave as expected. This can help you catch issues early in the development process.
4. Document Your Arguments: Clearly document the build arguments used in your workflows and Dockerfiles. This makes it easier for others (and your future self) to understand and maintain your builds.

Additional Information and Context

The bug report didn't include specific version information or logs, but the solution provided here is generally applicable to any GitHub Actions workflow using the axcelblaze003/qubership-workflow-hub/actions/docker-action@main action or similar Docker build actions. The core issue is the incorrect evaluation of the build-args input, which can occur in various scenarios.

Conclusion

Troubleshooting build arguments in Docker Actions can be tricky, but understanding the underlying principles and potential pitfalls can save you a lot of time and frustration. By ensuring that you pass build arguments as strings and following best practices, you can create reliable and consistent Docker builds in your GitHub Actions workflows. Remember, it's all about providing the right instructions to the Docker build process, just like giving the chef the exact ingredients they need! This fix will help anyone working with qubership-workflow-hub.

If you encounter similar issues, always double-check how your build arguments are being evaluated and passed to the Docker build command. Happy building!