Multi-platform build sometimes tags a platform-specific manifest instead of the multi-platform manifest list

[Merlin-Taylor]

Contributing guidelines

• I've read the contributing guidelines and wholeheartedly agree

I've found a bug and checked that ...

• ... the documentation does not mention anything about my problem
• ... there are no open or closed issues that are related to my problem

Description

When pushing a multi-platform image to ECR, buildx sometimes tags one of the platform-specific manifests instead of the multi-platform manifest list.

Expected behaviour

When pushing a multi-platform image to ECR, buildx pushes one manifest for each platform and a manifest list for the multi-platform image. The tags supplied on the command line are applied to the manifest list.

Actual behaviour

The tags supplied on the command line are sometimes applied to the manifest list, but sometimes to one of the manifests.

Buildx version

github.com/docker/buildx v0.20.1 245093b

Docker info

Client:
   Version:    27.5.1
   Context:    setup-docker-action
   Debug Mode: false
   Plugins:
    buildx: Docker Buildx (Docker Inc.)
      Version:  v0.20.1
      Path:     /usr/libexec/docker/cli-plugins/docker-buildx
    compose: Docker Compose (Docker Inc.)
      Version:  v2.27.1
      Path:     /usr/libexec/docker/cli-plugins/docker-compose
  
  Server:
   Containers: 0
    Running: 0
    Paused: 0
    Stopped: 0
   Images: 0
   Server Version: 27.5.1
   Storage Driver: overlayfs
    driver-type: io.containerd.snapshotter.v1
   Logging Driver: json-file
   Cgroup Driver: systemd
   Cgroup Version: 2
   Plugins:
    Volume: local
    Network: bridge host ipvlan macvlan null overlay
    Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
   Swarm: inactive
   Runtimes: io.containerd.runc.v2 runc
   Default Runtime: runc
   Init Binary: docker-init
   containerd version: bcc810d6b9066471b0b6fa75f557a15a1cbf31bb
   runc version: v1.2.4-0-g6c52b3f
   init version: de40ad0
   Security Options:
    apparmor
    seccomp
     Profile: builtin
    cgroupns
   Kernel Version: 6.8.0-1020-azure
   Operating System: Ubuntu 24.04.1 LTS
   OSType: linux
   Architecture: x86_64
   CPUs: 2
   Total Memory: 7.753GiB
   Name: fv-az1362-19
   ID: d1f55861-2f31-40fd-9475-87454d732bba
   Docker Root Dir: /home/runner/setup-docker-action-aaf157fb/data
   Debug Mode: true
    File Descriptors: 22
    Goroutines: 47
    System Time: 2025-01-29T16:16:43.066091615Z
    EventsListeners: 0
   Username: githubactions
   Experimental: false
   Insecure Registries:
    127.0.0.0/8
   Live Restore Enabled: false

Builders list

{
    "nodes": [
      {
        "name": "builder-903766bc-0c25-492a-a1fa-53948e7696ad0",
        "endpoint": "unix:///var/run/docker.sock",
        "status": "running",
        "buildkitd-flags": "--allow-insecure-entitlement security.insecure --allow-insecure-entitlement network.host",
        "buildkit": "v0.18.2",
        "platforms": "linux/amd64,linux/amd64/v2,linux/amd64/v3,linux/arm64,linux/riscv64,linux/ppc64le,linux/s390x,linux/386,linux/arm/v7,linux/arm/v6",
        "features": {
          "Automatically load images to the Docker Engine image store": true,
          "Cache export": true,
          "Docker exporter": true,
          "Multi-platform build": true,
          "OCI exporter": true
        },
        "labels": {
          "org.mobyproject.buildkit.worker.executor": "oci",
          "org.mobyproject.buildkit.worker.hostname": "6c37f66ab6e6",
          "org.mobyproject.buildkit.worker.network": "host",
          "org.mobyproject.buildkit.worker.oci.process-mode": "sandbox",
          "org.mobyproject.buildkit.worker.selinux.enabled": "false",
          "org.mobyproject.buildkit.worker.snapshotter": "overlayfs"
        },
        "gcPolicy": [
          {
            "all": false,
            "filter": [
              "type==source.local",
              "type==exec.cachemount",
              "type==source.git.checkout"
            ],
            "keepDuration": "48h0m0s"
          },
          {
            "all": false,
            "keepDuration": "1440h0m0s"
          },
          {
            "all": false
          },
          {
            "all": true
          }
        ]
      }
    ],
    "name": "builder-903766bc-0c25-492a-a1fa-53948e7696ad",
    "driver": "docker-container",
    "lastActivity": "2025-01-29T16:16:27.000Z"
  }

Configuration

N/A. The images are built correctly. Only the tagging is incorrect.

Build logs

docker buildx build --file ./images/ruby.dockerfile --iidfile /home/runner/work/_temp/docker-actions-toolkit-lJtHbh/build-iidfile-e9294aeb23.txt --platform linux/amd64,linux/arm64 --attest type=provenance,disabled=true --tag REDACTED.dkr.ecr.eu-west-1.amazonaws.com/REDACTED --metadata-file /home/runner/work/_temp/docker-actions-toolkit-lJtHbh/build-metadata-f4f0d42dea.json --push .
...

#16 exporting to image
#16 exporting layers
#16 exporting layers 58.6s done
#16 exporting manifest sha256:a7e3164c493fa320e663a16c1240219699aabadae2e1740d82f85035e87356dc done
#16 exporting config sha256:451e62abbda1c46efc6b40867aae797f2d45019f9ba72849700d0c16441389dd done
#16 exporting manifest sha256:998e8db38c6a5837d7f628d27c2e2911b1ee6c751e3df7fafbfee141dedbdaa0 done
#16 exporting config sha256:a6db1cd7230ffa76632f587cf009cd7a465fbe78877af8479f73dc3e335161e9 done
#16 exporting manifest list sha256:6fdfc137ade2425449bbdb25b78e2937ee5a8b0b8df9139ce6860fc8b9397394 done
#16 naming to *.dkr.ecr.eu-west-1.amazonaws.com/MY_IMAGE:MY_TAG done
#16 unpacking to *.dkr.ecr.eu-west-1.amazonaws.com/MY_IMAGE:MY_TAG
#16 unpacking to *.dkr.ecr.eu-west-1.amazonaws.com/MY_IMAGE:MY_TAG 9.2s done
#16 pushing layers
#16 ...

#17 [auth] sharing credentials for *.dkr.ecr.eu-west-1.amazonaws.com
#17 DONE 0.0s

#16 exporting to image
#16 pushing layers 13.0s done
#16 pushing manifest for *.dkr.ecr.eu-west-1.amazonaws.com/MY_IMAGE:MY_TAG@sha256:6fdfc137ade2425449bbdb25b78e2937ee5a8b0b8df9139ce6860fc8b9397394
#16 pushing manifest for *.dkr.ecr.eu-west-1.amazonaws.com/MY_IMAGE:MY_TAG@sha256:6fdfc137ade2425449bbdb25b78e2937ee5a8b0b8df9139ce6860fc8b9397394 1.2s done
#16 DONE 82.0s

#18 resolving provenance for metadata file
#18 DONE 0.0s

#19 pushing *.dkr.ecr.eu-west-1.amazonaws.com/MY_IMAGE:MY_TAG with docker
#19 pushing layer 6a5e414c44ce
#19 pushing layer 12d3b3adbe3f 0.1s
#19 pushing layer 75bacdba830c 0.1s
#19 pushing layer d02eac194484 0.1s
#19 pushing layer 6414378b6477 0.1s
#19 pushing layer 8ebf507145cd 0.1s
#19 pushing layer a186900671ab 0.1s
#19 pushing layer 85f81d6ca549 0.1s
#19 pushing layer ede020e7cef2 0.1s
#19 pushing layer 34e7954c9598
#19 pushing layer 6a5e414c44ce 0.9s done
#19 pushing layer 12d3b3adbe3f 0.9s done
#19 pushing layer 75bacdba830c 0.9s done
#19 pushing layer d02eac194484 0.9s done
#19 pushing layer 6414378b6477 0.9s done
#19 pushing layer 8ebf507145cd 0.9s done
#19 pushing layer a186900671ab 0.9s done
#19 pushing layer 85f81d6ca549 0.9s done
#19 pushing layer ede020e7cef2 0.9s done
#19 pushing layer 34e7954c9598 0.9s done
#19 DONE 1.0s
ImageID
  sha256:6fdfc137ade2425449bbdb25b78e2937ee5a8b0b8df9139ce6860fc8b9397394
Digest
  sha256:6fdfc137ade2425449bbdb25b78e2937ee5a8b0b8df9139ce6860fc8b9397394
Metadata
  {
    "buildx.build.ref": "setup-docker-action/setup-docker-action/m4rx5v33u2n82azjbm6fm4qp8",
    "containerimage.config.digest": "sha256:6fdfc137ade2425449bbdb25b78e2937ee5a8b0b8df9139ce6860fc8b9397394",
    "containerimage.descriptor": {
      "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
      "digest": "sha256:6fdfc137ade2425449bbdb25b78e2937ee5a8b0b8df9139ce6860fc8b9397394",
      "size": 685
    },
    "containerimage.digest": "sha256:6fdfc137ade2425449bbdb25b78e2937ee5a8b0b8df9139ce6860fc8b9397394",
    "image.name": "*.dkr.ecr.eu-west-1.amazonaws.com/MY_IMAGE:MY_TAG"
  }

Additional info

I'm running buildx from a GitHub Actions workflow, using docker/build-push-action@v6.

My ECR repository is mutable. This is the behaviour I would expect if buildx tags both the manifests and the manifest lists. The last one to be tagged "wins".