  uses: docker/build-push-action@v6
  with:
    push: ${{ github.event_name != 'pull_request' }}
    tags: ${{ steps.meta.outputs.tags }}
    annotations: ${{ steps.meta.outputs.annotations }}
```
In this configuration:
- `push: ${{ github.event_name != 'pull_request' }}` ensures that images are
only pushed when the event is not a pull request. This way, the workflow
builds and tests images for pull requests but only pushes images for commits
to the main branch.
- `tags` and `annotations` use the outputs from the metadata action to apply
consistent tags and [annotations](/manuals/build/metadata/annotations.md) to
the image automatically.
## Attestations
SBOM (Software Bill of Materials) and provenance attestations improve security
and traceability, ensuring your images meet modern software supply chain
requirements.
With a small amount of additional configuration, you can configure
`docker/build-push-action` to generate Software Bill of Materials (SBOM) and
provenance attestations for the image at build time.
To generate this additional metadata, you need to make two changes to your
workflow:
- Before the build step, add a step that uses `docker/setup-buildx-action`.
This action configures your Docker build client with additional capabilities
that the default client doesn't support.
- Then, update the **Build and push Docker image** step to also enable SBOM and
provenance attestations.
Here's the updated snippet:
```yaml
- name: Set up Docker Buildx
  uses: docker/setup-buildx-action@v3

- name: Build and push Docker image
  uses: docker/build-push-action@v6
  with:
    push: ${{ github.event_name != 'pull_request' }}
    tags: ${{ steps.meta.outputs.tags }}
    annotations: ${{ steps.meta.outputs.annotations }}
    provenance: true
    sbom: true
```
For more details about attestations, refer to
[the documentation](/manuals/build/metadata/attestations/_index.md).
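Enabling `provenance: true` and `sbom: true` attaches in-toto statements to the pushed image, but the attestations only pay off if something downstream reads them. The following is an added example, not part of the Docker documentation or of any Docker project code: a small policy check that a deployment pipeline could run over the attestation JSON (for instance the output of `docker buildx imagetools inspect`). The embedded statements are constructed, trimmed-down samples shaped like BuildKit's SLSA v0.2 provenance and SPDX SBOM predicates; the builder id, repository URL, digests and package list are assumptions for illustration, not captured from a real build.

```python
"""Policy check over image attestations (added example, not Docker's own code).

The SAMPLE_ATTESTATIONS below are constructed: they approximate the shape of
the provenance and SBOM statements BuildKit attaches when `provenance: true`
and `sbom: true` are set. Real statements carry many more fields.
"""
import json

PROVENANCE_TYPE = "https://slsa.dev/provenance/v0.2"
SBOM_TYPE = "https://spdx.dev/Document"

# Constructed sample input (assumed values; not output from a real build).
SAMPLE_ATTESTATIONS = [
    {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": PROVENANCE_TYPE,
        "subject": [{"name": "docker.io/example/my-image", "digest": {"sha256": "a" * 64}}],
        "predicate": {
            "builder": {"id": "https://github.com/example/my-image/actions/runs/1"},
            "invocation": {
                "configSource": {"uri": "https://github.com/example/my-image.git#refs/heads/main"}
            },
            "materials": [
                {"uri": "pkg:docker/docker/dockerfile@1", "digest": {"sha256": "b" * 64}},
                {"uri": "pkg:docker/alpine@3.20?platform=linux%2Famd64", "digest": {"sha256": "c" * 64}},
            ],
        },
    },
    {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": SBOM_TYPE,
        "subject": [{"name": "docker.io/example/my-image", "digest": {"sha256": "a" * 64}}],
        "predicate": {
            "spdxVersion": "SPDX-2.3",
            "packages": [
                {"name": "openssl", "versionInfo": "3.3.1-r0"},
                {"name": "busybox", "versionInfo": "1.36.1-r29"},
            ],
        },
    },
]


def load_statements(text):
    """Parse attestation JSON; accept a single statement or a list of them."""
    data = json.loads(text)
    return data if isinstance(data, list) else [data]


def check_attestations(statements, expected_repo, allowed_image_prefixes):
    """Return policy findings for an image's attestations (empty list = pass).

    expected_repo: the source repository URL the provenance must point at.
    allowed_image_prefixes: purl prefixes of base images/frontends the build
    is allowed to pull (any other pkg:docker material is a finding).
    """
    findings = []
    by_type = {s.get("predicateType"): s for s in statements}

    prov = by_type.get(PROVENANCE_TYPE)
    if prov is None:
        findings.append("missing provenance attestation")
    else:
        pred = prov.get("predicate", {})
        source = pred.get("invocation", {}).get("configSource", {}).get("uri", "")
        if not source.startswith(expected_repo):
            findings.append(f"provenance source {source!r} is not {expected_repo!r}")
        for material in pred.get("materials", []):
            uri = material.get("uri", "")
            if uri.startswith("pkg:docker/") and not any(
                uri.startswith(p) for p in allowed_image_prefixes
            ):
                findings.append(f"unexpected image material {uri!r}")
            if not material.get("digest"):
                findings.append(f"material {uri!r} is not pinned by digest")

    sbom = by_type.get(SBOM_TYPE)
    if sbom is None:
        findings.append("missing SBOM attestation")
    elif not sbom.get("predicate", {}).get("packages"):
        findings.append("SBOM lists no packages")

    return findings


def sbom_packages(statements):
    """Map package name -> version from the SBOM attestation ({} if absent)."""
    for s in statements:
        if s.get("predicateType") == SBOM_TYPE:
            return {p["name"]: p.get("versionInfo", "") for p in s["predicate"].get("packages", [])}
    return {}


if __name__ == "__main__":
    allowed = ["pkg:docker/docker/dockerfile", "pkg:docker/alpine"]
    print(check_attestations(SAMPLE_ATTESTATIONS, "https://github.com/example/my-image", allowed))
    print(sbom_packages(SAMPLE_ATTESTATIONS))
```

The check fails closed: a missing attestation, a provenance that does not point at the expected repository, an unpinned material, or a base image outside the allowed list each produces a finding, so the pipeline can refuse to deploy rather than silently accepting an image whose origin it cannot establish.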
## Conclusion
With all the steps outlined in the previous section, here's the full workflow
configuration:
```yaml
name: Build and Push Docker Image

on:
  push:
    branches:
      - main
  pull_request:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Extract Docker image metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ vars.DOCKER_USERNAME }}/my-image

      - name: Log in to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ vars.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Build and push Docker image
        uses: docker/build-push-action@v6
        with:
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          annotations: ${{ steps.meta.outputs.annotations }}
          provenance: true
          sbom: true
```
This workflow implements best practices for building and pushing Docker images
using GitHub Actions. This configuration can be used as-is or extended with
additional features based on your project's needs, such as
[multi-platform builds](/manuals/build/building/multi-platform.md).
### Further reading
- Learn more about advanced configurations and examples in the [Docker Build GitHub Actions](/manuals/build/ci/github-actions/_index.md) section.
- For more complex build setups, you may want to consider [Bake](/manuals/build/bake/_index.md). (See also the [Mastering Buildx Bake guide](/guides/bake/index.md).)
- To learn about Docker's managed build service, designed for faster, multi-platform builds, see [Docker Build Cloud](/guides/docker-build-cloud/_index.md).