メニュー
Use Docker in CI/CD pipelines with GitHub Actions, multi-platform builds, registry push, and layer caching strategies.
Debug running containers with log analysis, shell access, state inspection, and network diagnostics.
Multi-stage pipelines, sidecar patterns, healthchecks, init containers, signal handling, and graceful shutdown.
Write, debug, and optimize docker-compose.yml files with service definitions, networking, volumes, and healthchecks.
Manage Docker contexts for multi-host and remote Docker engine workflows
Set up development environments with Docker including hot reload, dev containers, bind mounts, and database containers.
Docker Content Trust - image signing, verification, key management, and CI/CD signing pipelines
| name | docker-ci-cd |
| description | Use Docker in CI/CD pipelines with GitHub Actions, multi-platform builds, registry push, and layer caching strategies. |
| standards-version | 1.10.0 |
Use this skill when:
docker/metadata-action or equivalent.docker/build-push-action or docker buildx build --push.User: Set up a GitHub Actions workflow to build and push a Docker image to GHCR.
Agent: Here's a complete workflow with multi-platform builds, caching, and tagging:
# .github/workflows/docker.yml
name: Build and Push Docker Image
on:
push:
branches: [main]
tags: ["v*"]
pull_request:
branches: [main]
env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
jobs:
build:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Log in to GHCR
if: github.event_name != 'pull_request'
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=sha,prefix=
type=ref,event=branch
type=raw,value=latest,enable={{is_default_branch}}
- name: Build and push
uses: docker/build-push-action@v6
with:
context: .
platforms: linux/amd64,linux/arm64
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
User: How do I add vulnerability scanning to that pipeline?
Agent: Add a scan step after the build:
- name: Scan for vulnerabilities
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}
format: table
exit-code: 1
severity: CRITICAL,HIGH
ignore-unfixed: true
Or use Docker Scout if you prefer the built-in option:
- name: Docker Scout scan
uses: docker/scout-action@v1
with:
command: cves
image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}
only-severities: critical,high
exit-code: true
User: What about GitLab CI?
Agent: Here's the GitLab equivalent using Docker-in-Docker:
# .gitlab-ci.yml
stages:
- build
variables:
DOCKER_TLS_CERTDIR: "/certs"
IMAGE_TAG: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA
build:
stage: build
image: docker:27
services:
- docker:27-dind
before_script:
- docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
script:
- docker build
--cache-from $CI_REGISTRY_IMAGE:latest
--build-arg BUILDKIT_INLINE_CACHE=1
-t $IMAGE_TAG
-t $CI_REGISTRY_IMAGE:latest
.
- docker push $IMAGE_TAG
- docker push $CI_REGISTRY_IMAGE:latest
rules:
- if: $CI_COMMIT_BRANCH == "main"
User: What caching strategies are available?
Agent: Three main options, each with tradeoffs:
# 1. GitHub Actions cache (gha) - fast, 10GB limit per repo
cache-from: type=gha
cache-to: type=gha,mode=max
# 2. Registry cache - unlimited size, stored alongside your image
cache-from: type=registry,ref=ghcr.io/myorg/myapp:buildcache
cache-to: type=registry,ref=ghcr.io/myorg/myapp:buildcache,mode=max
# 3. Local cache - useful for self-hosted runners
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max
The mode=max flag caches all layers, not just the final image layers. This is critical for multi-stage builds where intermediate layers would otherwise be uncached.
User: How do I pass build args from CI secrets?
Agent:
- name: Build with secrets
uses: docker/build-push-action@v6
with:
context: .
push: true
tags: ${{ steps.meta.outputs.tags }}
build-args: |
APP_VERSION=${{ github.ref_name }}
NODE_ENV=production
secrets: |
npmrc=${{ secrets.NPM_TOKEN }}
In the Dockerfile, consume the secret (not the build arg) for sensitive values:
RUN --mount=type=secret,id=npmrc,target=/root/.npmrc npm ci
Build args are fine for non-sensitive values like version strings. Never pass passwords or tokens as build args.
| Tool | Purpose |
|---|---|
docker_listImages | Verify built images exist locally and check their sizes |
docker_inspectImage | Check labels, architecture, and layers of a built image |
docker_searchHub | Find official base images and their tags for CI pipelines |
docker_systemInfo | Verify buildx and multi-platform support is available |
docker_diskUsage | Monitor build cache size on self-hosted runners |
docker_listContainers | Check test containers spawned during CI smoke tests |
Verifying a CI-built image locally:
1. docker_listImages - find the built image and check its size
2. docker_inspectImage - verify:
- Architecture matches target platforms
- Labels include version and commit SHA
- Config.User is not root
- No secrets in Config.Env
3. docker_listContainers - after smoke test, verify test containers ran
Checking build cache usage on runners:
Call docker_diskUsage to see how much space the build cache
consumes. If it's growing unbounded on self-hosted runners,
add a cache cleanup step to the pipeline.
mode=max to cache all stages.latest on every push - latest should only point to the most recent stable release. Tag PRs with the branch name or SHA, not latest.docker history. Use --mount=type=secret for anything sensitive./var/run/docker.sock in CI gives the build container full control over the host's Docker daemon. Use Docker-in-Docker (dind) with TLS for better isolation.@master for GitHub Actions can break workflows. Pin to a specific version tag or SHA.FROM --platform=$BUILDPLATFORM is needed for cross-compilation stages. Without it, intermediate stages run under emulation.cache-from carefully and consider read-only cache for PR builds.--progress=plain to find slow layers and optimize.