Using Cache (GHA [gha] / AWS ECR [registry]) Requires BuildX, which fails in GitHub Actions Workflows. #1024

Open
alper-t opened this issue Jan 16, 2025 · 0 comments
Labels: help wanted, needs-investigation

Hi everyone,

I'm building my CDK Stack using GitHub Actions workflow, and building my containers with the ECRDeployment class using the Python SDK.

I would like to use BuildX specifically to leverage caching, as it's essential for speeding up subsequent builds.
GitHub Actions Cache

(Sub-question: I would also really like the Prebuild Lambda to be cached, but I have no idea how)

When I try to run the ECRDeployment step after the BuildX step, I receive an error that prevents the image from being pushed to the ECR registry.

Example Workflow:

steps:

  - uses: actions/checkout@v4

  - uses: actions/setup-python@v5
    id: setup-python
    with:
      python-version: 3.12

  - uses: actions/setup-node@v4
    with:
      node-version: 20

  - name: Configure AWS Credentials
    uses: aws-actions/configure-aws-credentials@master
    with:
      role-to-assume: ${{ env.AWS_ROLE }}
      aws-region: ${{ env.AWS_REGION }}

  - name: Install CDK
    shell: bash
    run: |
      sudo npm install -g aws-cdk

  - name: Login to Amazon ECR
    id: login-ecr
    uses: aws-actions/amazon-ecr-login@v2

  - name: Set up Docker Buildx
    uses: docker/setup-buildx-action@v3
    with:
      install: true
      use: true

  - name: Adding required env vars for caching Docker build
    uses: actions/github-script@v7
    env:
      github-token: ${{ secrets.GITHUB_TOKEN }}
    with:
      script: |
        core.exportVariable('ACTIONS_CACHE_URL', process.env['ACTIONS_CACHE_URL'])
        core.exportVariable('ACTIONS_RUNTIME_TOKEN', process.env['ACTIONS_RUNTIME_TOKEN'])
        core.exportVariable('ACTIONS_RUNTIME_URL', process.env['ACTIONS_RUNTIME_URL'])

  - name: Echo required env vars
    shell: bash
    run: |
      echo "ACTIONS_CACHE_URL: $ACTIONS_CACHE_URL"
      echo "ACTIONS_RUNTIME_TOKEN: $ACTIONS_RUNTIME_TOKEN"
      echo "ACTIONS_RUNTIME_URL: $ACTIONS_RUNTIME_URL"

  - name: CDK Deploy
    env:
      AWS_ENV: aws://${{ env.AWS_ACCOUNT }}/${{ env.AWS_REGION }}
      ENV: ${{ env.ENV }}
      ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
      AWS_REGION: ${{ env.AWS_REGION }}
    shell: bash
    run: |
      cdk deploy --app "poetry run python -m main" --all --require-approval never

The error I get:

--> STDERR:  Unable to find image 'cdk-1...:latest' locally
             Error response from daemon: pull access denied for cdk-1..., repository does not exist or may require 'docker login': denied: requested access to the resource is denied

I have also added the step:

    - name: Login to ECR
      uses: docker/login-action@v3
      with:
        registry: ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ env.AWS_REGION }}.amazonaws.com
        username: ${{ secrets.AWS_ACCESS_KEY_ID }}
        password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

This didn't help either.

What I suspect: It seems like the image that gets built by Buildx might not be properly tagged or not available for ECRDeployment to pick up. Or perhaps there's a mismatch in the way the image is being built vs how it's referenced in the ECRDeployment step.

Has anyone else experienced this issue or have suggestions for a fix?

Thanks in advance for any help or pointers!

mrgrain added the help wanted and needs-investigation labels on Jan 17, 2025
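
One way to test the suspicion above that the Buildx-built image is not available to the later step. This is an added example, not part of the original issue or the project's code: it parses `docker buildx inspect` output (a constructed sample here) and reports whether a build under that driver ends up in the local image store. The helper names `buildx_driver` and `image_lands_locally`, the builder name and the tag are hypothetical.

```shell
#!/bin/sh
# Added example, not from the issue. All sample text below is constructed.

# Constructed sample of `docker buildx inspect` output for a builder such as
# the one docker/setup-buildx-action creates (names are placeholders).
SAMPLE_INSPECT='Name:          builder-example
Driver:        docker-container

Nodes:
Name:      builder-example0
Endpoint:  unix:///var/run/docker.sock
Status:    running'

# Read `docker buildx inspect` output on stdin and print the driver name.
buildx_driver() {
  awk '$1 == "Driver:" { print $2; exit }'
}

# image_lands_locally DRIVER [build args...]
# Returns 0 when the build result ends up in the daemon's local image store,
# where a later `docker tag` or `docker run` can find it.
# Simplified model (assumption): the "docker" driver stores results locally
# by default; any other driver only does so with --load or an output of
# type=docker. With --push the image goes to the registry, not the local store.
image_lands_locally() {
  ill_driver=$1; shift
  [ "$ill_driver" = "docker" ] && return 0
  ill_prev=
  for ill_arg in "$@"; do
    case "$ill_arg" in
      --load|--output=type=docker*) return 0 ;;
      type=docker*)
        case "$ill_prev" in --output|-o) return 0 ;; esac ;;
    esac
    ill_prev=$ill_arg
  done
  return 1
}

# Demo on the constructed sample; in a real job, pipe the actual
# `docker buildx inspect` output into buildx_driver instead.
driver=$(printf '%s\n' "$SAMPLE_INSPECT" | buildx_driver)
if image_lands_locally "$driver" -t cdk-asset-example .; then
  echo "driver=$driver: image will be in the local image store"
else
  echo "driver=$driver: image stays in the build cache unless --load is used"
fi
```
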