10/22/2021, 10:16 AM
I’m wondering about something to improve our CI build and deploy speeds. Right now we are building a bunch of docker images (outside of pulumi) and tagging them with both the branch name and the sha of the git repo. By using registry caching in buildx this is as optimal as it can be. But we can also only build the containers that are changed, which is much faster, but then I have a deployment (with pulumi) problem. I now pass in an env var with the current SHA and use that throughout the deploy, updating the deployments on k8s. Using the branch name this would not do anything since the cluster already has the image. So I’m looking for a way to get the latest sha in the github container registry for a branch tagged container in pulumi to use that instead of the git sha. Using the docker provider’s getRegistryImage I thought I was going to get there, but I can’t get it to be authenticated to ghcr. Has anyone done something like this before?


10/22/2021, 11:34 AM
@proud-pizza-80589 we create images using reverse date notation (
) as the image tag and add git metadata as image annotations: We then push the reverse date image tag to our delivery pipelines. I deliberately stay away from a floating tag (like your branch tag) for tracking purposes. We then use this image tag for our observability (


10/22/2021, 4:47 PM
We do something similar: 1. Images are tagged with the git SHA when built. 2. Release candidates are re-tagged "{SHA}-RC". 3. At deploy time, for each image, we walk back through git history until we find a "{SHA}-RC" tag for that image in the registry. Steps 1 & 2 don't happen for images that haven't changed (per your problem statement), so the search backwards finds the last RC build. The only issue here is that you actually need the full git history. This works for us because our Pulumi program is in the same repository that builds our images - but you could apply a similar scheme, like a global build counter you decremented to search.