13.1.1.5 Pipeline Image Push
A focused guide to Pipeline Image Push, connecting core concepts with practical Docker and container operations.
Pipeline image push publishes a built, tested, and scanned image to a registry as part of the CI/CD pipeline. It is the step that makes the image available for subsequent deployment, and it is gated so that only images that have passed every preceding check are ever published.
A Properly Gated Push Step
The push step runs only after build, test, and scan steps have all succeeded.
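jobs:
  build-test-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: docker build -t myapp:${{ github.sha }} .
      - run: docker run --rm myapp:${{ github.sha }} npm test
      - run: docker scout cves myapp:${{ github.sha }} --exit-code --only-severity critical
      # Hand the exact image that was tested and scanned to the push job
      - run: docker save myapp:${{ github.sha }} -o image.tar
      - uses: actions/upload-artifact@v4
        with: { name: image, path: image.tar }
  push:
    needs: build-test-scan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with: { name: image }
      - run: docker load -i image.tar
      - run: docker tag myapp:${{ github.sha }} registry.example.com/myapp:${{ github.sha }}
      - run: echo "${{ secrets.REGISTRY_TOKEN }}" | docker login registry.example.com -u "${{ secrets.REGISTRY_USER }}" --password-stdin
      - run: docker push registry.example.com/myapp:${{ github.sha }}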
The explicit needs dependency ensures this push only runs once every preceding stage has actually succeeded.
Why Authentication Credentials Should Come From the Pipeline's Secret Store
Registry credentials needed for this push step should be sourced from the CI platform's own secret management, never hardcoded directly into the pipeline configuration.
- run: echo "${{ secrets.REGISTRY_TOKEN }}" | docker login registry.example.com -u "${{ secrets.REGISTRY_USER }}" --password-stdin
Restricting Which Branches or Events Trigger an Actual Push
A push to a registry is often restricted to specific branches (like main) or specific event types, avoiding publishing an image for every feature branch's build.
  push:
    if: github.ref == 'refs/heads/main'
Verifying a Push Actually Succeeded
Confirming the pushed image is genuinely available in the registry validates this step completed correctly.
docker pull registry.example.com/myapp:${{ github.sha }}
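A pull by tag shows that some image answers to that tag; comparing digests shows it is the image this pipeline pushed. The script below is an added example, not part of the original guide: it pushes, pulls the tag back, and fails unless both digests match. The function names are hypothetical, and the reference is assumed to end in `:tag`.

```shell
#!/bin/sh
# Added example (not from the original guide). Function names are hypothetical.
# Assumes the docker CLI is logged in and the reference ends in ":tag".

# Read `docker push` or `docker pull` output on stdin and print the last
# sha256 manifest digest found in it (push prints "digest:", pull "Digest:").
extract_digest() {
  sed -n 's/.*[Dd]igest: \(sha256:[0-9a-f]\{64\}\).*/\1/p' | tail -n 1
}

# Push REF, ask the registry for the same tag again, and succeed only when
# the digest the registry serves equals the digest that was just pushed.
push_and_verify() {
  ref="$1"
  push_out=$(docker push "$ref") || { echo "push failed: $ref" >&2; return 1; }
  pushed=$(printf '%s\n' "$push_out" | extract_digest)
  pull_out=$(docker pull "$ref") || { echo "pull failed: $ref" >&2; return 1; }
  served=$(printf '%s\n' "$pull_out" | extract_digest)
  if [ -z "$pushed" ] || [ "$pushed" != "$served" ]; then
    echo "digest mismatch for $ref: pushed=$pushed served=$served" >&2
    return 1
  fi
  # Print an immutable repo@digest reference for later deploy steps.
  printf '%s@%s\n' "${ref%:*}" "$pushed"
}

# Workflow usage: push_and_verify "registry.example.com/myapp:$GITHUB_SHA"
```

Deploy steps that consume the printed `repo@sha256:...` reference keep pointing at the scanned image even if the tag is later overwritten.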
Why Pipeline Image Push Matters
A properly gated, securely authenticated push step is what makes a verified, tested image available for deployment. Running it only after every preceding quality and security check has passed is essential to maintaining a trustworthy registry of deployable images.