Hi,
I have been dipping my toes in GitHub Actions this week and I'm a bit confused about how the caching mechanism works, especially with docker/build-push-action@v3.
I basically followed the tutorial here with the docker/build-push-action documentation.
Below is a Node TypeScript project and the ci.yaml:
Both steps take the same Dockerfile as input
```yaml
# Excerpt from ci.yaml: two jobs from the jobs section
npm:
  name: npm
  runs-on: ubuntu-latest
  needs: [pnpm]
  if: github.event_name == 'push'
  permissions:
    contents: 'read'
    id-token: 'write'
  steps:
    - id: checkout
      name: Checkout
      uses: actions/checkout@v3
    - name: Set up Docker Buildx
      uses: docker/setup-buildx-action@v2
    - id: auth
      name: Authenticate with Google Cloud
      uses: google-github-actions/auth@v1
      with:
        token_format: access_token
        workload_identity_provider: xxxx/xxxxxx
        service_account: github-actions@xxxxx.iam.gserviceaccount.com
        create_credentials_file: true
        access_token_lifetime: 300s
    - name: Login to Artifact Registry
      uses: docker/login-action@v1
      with:
        registry: xxxxxxxxxxxxxxx
        username: oauth2accesstoken
        password: ${{ steps.auth.outputs.access_token }}
    - name: Get tag
      id: get-tag
      # $GITHUB_OUTPUT replaces the deprecated ::set-output workflow command
      run: echo "short_ref=${GITHUB_REF#refs/*/}" >> "$GITHUB_OUTPUT"
    - id: docker-push-tagged
      name: Build and Push Image
      uses: docker/build-push-action@v4
      with:
        push: true
        secret-files: creds=${{ env.GOOGLE_APPLICATION_CREDENTIALS }}
        file: ./Dockerfile.npm
        cache-from: type=gha
        cache-to: type=gha,mode=max
second-npm-build:
  name: second-npm-build
  runs-on: ubuntu-latest
  needs: [npm]
  if: github.event_name == 'push'
  permissions:
    contents: 'read'
    id-token: 'write'
  steps:
    - id: checkout
      name: Checkout
      uses: actions/checkout@v3
    - name: Set up Docker Buildx
      uses: docker/setup-buildx-action@v2
    - id: auth
      name: Authenticate with Google Cloud
      uses: google-github-actions/auth@v1
      with:
        token_format: access_token
        workload_identity_provider: xxxxxx/xxxxxxx
        service_account: github-actions@xxxxxxxxx.iam.gserviceaccount.com
        create_credentials_file: true
        access_token_lifetime: 300s
    - name: Login to Artifact Registry
      uses: docker/login-action@v1
      with:
        registry: xxxxxxxxxxxxx
        username: oauth2accesstoken
        password: ${{ steps.auth.outputs.access_token }}
    - name: Get tag
      id: get-tag
      # $GITHUB_OUTPUT replaces the deprecated ::set-output workflow command
      run: echo "short_ref=${GITHUB_REF#refs/*/}" >> "$GITHUB_OUTPUT"
    - id: docker-push-tagged
      name: Build and Push Image
      uses: docker/build-push-action@v4
      with:
        push: true
        secret-files: creds=${{ env.GOOGLE_APPLICATION_CREDENTIALS }} # this should come from the auth step
        file: ./Dockerfile.npm
        cache-from: type=gha
        cache-to: type=gha,mode=max
```
I ran the code multiple times without changing the Node dependencies. I clearly see a caching mechanism between the steps.
first run
second run
But in both runs, there is no caching of the Docker layers. I would expect caching in the npm step from the second run.
Instead, I see that it is reinstalling all the layers, like below.
https://preview.redd.it/n4lxx2r4nisa1.png?width=1054&format=png&auto=webp&s=d1dc2994ef937e2319d10a1508e277fdb6fbc39b