Using GHA cache always leads to Image update #75

Open
tlinhart opened this issue May 23, 2024 · 1 comment

What happened?

We use GitHub Actions for CI/CD so I would like to use GHA cache for the Docker image build process. However, the Image resource always gets updated because the cacheFrom and cacheTo differ. As per the docs, when url and token arguments are not provided for the GHA cacheFrom and cacheTo, they are taken from the environment variables ACTIONS_RUNTIME_URL and ACTIONS_RUNTIME_TOKEN. However, even though the runtime URL stays the same, the token is always different as it is a JWT token related to the current workflow run and job (see e.g. here). I expect Pulumi not to trigger an update when url and token are not provided explicitly.

Example

This is the relevant part of the Pulumi program:

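import os

import pulumi
import pulumi_docker_build as docker_build

# `repository` and `auth_token` are defined elsewhere in the program.
image_name = pulumi.Output.concat(repository.repository_url, ":latest")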
if os.getenv("GITHUB_ACTIONS"):
    cache_from = docker_build.CacheFromArgs(
        gha=docker_build.CacheFromGitHubActionsArgs()
    )
    cache_to = docker_build.CacheToArgs(
        gha=docker_build.CacheToGitHubActionsArgs(
            mode=docker_build.CacheMode.MAX, ignore_error=True
        )
    )
else:
    cache_from = docker_build.CacheFromArgs(
        registry=docker_build.CacheFromRegistryArgs(ref=image_name)
    )
    cache_to = docker_build.CacheToArgs(
        inline=docker_build.CacheToInlineArgs()
    )
image = docker_build.Image(
    "xxx",
    context=docker_build.BuildContextArgs(location=".."),
    platforms=[docker_build.Platform.LINUX_AMD64],
    tags=[image_name],
    cache_from=[cache_from],
    cache_to=[cache_to],
    push=True,
    registries=[
        docker_build.RegistryArgs(
            address=repository.repository_url,
            username=auth_token.user_name,
            password=pulumi.Output.secret(auth_token.password),
        )
    ],
)

This is the relevant part of the GitHub Actions log from the pulumi up step:

    ~ docker-build:index:Image: (update)
          [id=sha256:xxx]
          [urn=urn:pulumi:xxx-test::xxx::docker-build:index:Image::xxx]
          [provider=urn:pulumi:xxx-test::xxx::pulumi:providers:docker-build::default_0_0_2::1c6deb57-2a3f-4817-8d97-752bb9f399d4]
        ~ cacheFrom  : [
            ~ [0]: {
                      disabled: false
                    ~ gha     : {
                        ~ token: "***" => ***
                          url  : "https://pipelinesghubeus3.actions.githubusercontent.com/xxx"
                      }
                  }
          ]
        ~ cacheTo    : [
            ~ [0]: {
                      disabled: false
                    ~ gha     : {
                          ignoreError: true
                          mode       : "max"
                        ~ token      : "***" => ***
                          url        : "https://pipelinesghubeus3.actions.githubusercontent.com/xxx"
                      }
                  }
          ]

Output of pulumi about

CLI          
Version      3.116.1
Go Version   go1.22.2
Go Compiler  gc

Host     
OS       ubuntu
Version  24.04
Arch     x86_64

Backend        
Name           xxx
URL            s3://xxx
User           xxx
Organizations  
Token type     personal

Pulumi locates its logs in /tmp by default


@tlinhart tlinhart added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels May 23, 2024
Contributor

blampe commented May 28, 2024

Ah, great catch. We ignore changes to the registry's password for the same reason; we should do something similar for the GHA token.

@blampe blampe added size/S Estimated effort to complete (1-2 days). and removed needs-triage Needs attention from the triage team labels May 28, 2024
@blampe blampe self-assigned this May 28, 2024
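
The behaviour discussed in this thread, as an added example that is not code from the pulumi-docker-build provider: a diff over the resource inputs that skips per-run credential fields, so a rotated GHA token alone produces no update while a real change (here the cache mode) is still reported. The function names, the ignore list and the sample values are assumptions made for illustration; the property names come from the log above.

```python
# Added illustration; not code from the pulumi-docker-build provider.
# Paths treated as per-run credentials (assumed list, built from the fields
# named in this issue). "*" matches any list index.
EPHEMERAL_PATHS = (
    ("cacheFrom", "*", "gha", "token"),
    ("cacheTo", "*", "gha", "token"),
    ("registries", "*", "password"),
)
_MISSING = object()


def _ignored(path, patterns):
    return any(
        len(p) == len(path) and all(a == "*" or a == b for a, b in zip(p, path))
        for p in patterns
    )


def changed_paths(old, new, ignore=EPHEMERAL_PATHS, path=()):
    """Return the property paths that differ between two input maps."""
    if _ignored(path, ignore):
        return []
    if isinstance(old, dict) and isinstance(new, dict):
        keys = sorted(old.keys() | new.keys())
        pairs = [(k, old.get(k, _MISSING), new.get(k, _MISSING)) for k in keys]
    elif isinstance(old, list) and isinstance(new, list):
        n = max(len(old), len(new))
        pad = lambda xs: xs + [_MISSING] * (n - len(xs))
        pairs = list(zip(range(n), pad(old), pad(new)))
    else:
        return [] if old == new else [path]
    return [p for k, o, nw in pairs for p in changed_paths(o, nw, ignore, path + (k,))]


def inputs(token, mode="max"):
    """Constructed sample inputs shaped like the diff in the log above."""
    gha = {"url": "https://cache.example.invalid/xxx", "token": token}
    return {
        "cacheFrom": [{"disabled": False, "gha": dict(gha)}],
        "cacheTo": [{"disabled": False,
                     "gha": dict(gha, mode=mode, ignoreError=True)}],
    }


PREVIOUS = inputs("token-from-previous-run")  # placeholder values
CURRENT = inputs("token-from-current-run")

if __name__ == "__main__":
    print("plain diff:      ", changed_paths(PREVIOUS, CURRENT, ignore=()))
    print("credential-aware:", changed_paths(PREVIOUS, CURRENT))
```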