[Regression] Push to Harbor registry with S3 backend fails in v0.24.0, works in v0.23.2

[mnar-devo]

Contributing guidelines and issue reporting guide

• I've read the contributing guidelines and wholeheartedly agree. I've also read the issue reporting guide.

Well-formed report checklist

• I have found a bug that the documentation does not mention anything about my problem
• I have found a bug that there are no open or closed issues that are related to my problem
• I have provided version/information about my environment and done my best to provide a reproducer

Description of bug

Description

Since updating our build image from moby/buildkit:v0.23.2-rootless to moby/buildkit:v0.24.0-rootless, our GitLab CI jobs are failing when pushing images to our Harbor registry, which uses an AWS S3 backend for storage. The GitLab CI job fails with a misleading unauthorized error.

The same pipeline, pushing the same application to a different Harbor project, works perfectly fine with moby/buildkit:v0.24.0-rootless. The two Harbor projects appear to have the same configuration.

Steps to reproduce

1. Use moby/buildkit:v0.24.0-rootless as the build image in a GitLab CI job.
2. Build a Docker image.
3. Push the image to a Harbor registry that is configured with an AWS S3 storage backend.

Expected behavior

The push operation should succeed, as it does with moby/buildkit:v0.23.2-rootless.

Actual behavior

The GitLab CI job fails with an unauthorized error. However, the Harbor registry logs show that the authentication was successful, but the registry itself returned an HTTP 500 error. The detailed error message from the registry pod is:
s3aws: RequestCanceled: request context canceled

Logs

Harbor Registry Logs (Failing Harbor Project)
Here are the relevant logs from the harbor-registry pod when the push fails with moby/buildkit:v0.24.0-rootless. We can clearly see the HTTP 500 error caused by the S3 request cancellation:

time="2025-09-04T12:37:49.222Z" level=error msg="response completed with error" auth.user.name=harbor_registry_user err.code=unknown err.detail="s3aws: RequestCanceled: request context canceled\ncaused by: context canceled" err.message="unknown error" go.version=go1.23.7 http.request.host=harbor.example.com http.request.id=e8cbae5c-7ed2-4d2d-8899-fb477708fa15 http.request.method=HEAD http.request.remoteaddr=<REMOTE_IP_ADDRESS> http.request.uri="/v2/my-failing-project/my-app/blobs/sha256:cf466e9ba1cfaf9351b9b793d92033975eb18f8b2ffadf9b5720caea1fcb9f48" http.request.useragent=buildkit/v0.24 http.response.contenttype=application/json http.response.duration=205.279044ms http.response.status=500 http.response.written=147 instance.id=<INSTANCE_ID> service=registry vars.digest="sha256:cf466e9ba1cfaf9351b9b793d92033975eb18f8b2ffadf9b5720caea1fcb9f48" vars.name=my-failing-project/my-app version=3.0.0
<INTERNAL_IP> - - [04/Sep/2025:12:37:49 +0000] "HEAD /v2/my-failing-project/my-app/blobs/sha256:cf466e9ba1cfaf9351b9b793d92033975eb18f8b2ffadf9b5720caea1fcb9f48 HTTP/1.1" 500 147 "" "buildkit/v0.24"
time="2025-09-04T13:18:11.818Z" level=error msg="response completed with error" auth.user.name=harbor_registry_user err.code=unknown err.detail="s3aws: RequestCanceled: request context canceled\ncaused by: context canceled" err.message="unknown error" go.version=go1.23.7 http.request.host=harbor.example.com http.request.id=bafc8dea-1887-4e17-91a0-72c564fd6d5b http.request.method=HEAD http.request.remoteaddr=<REMOTE_IP_ADDRESS> http.request.uri="/v2/my-failing-project/my-app/blobs/sha256:36186c6d9540a596c2e2ab811d7de1bd3c0ff0ec96216cc82d504d049fab108e" http.request.useragent=buildkit/v0.24 http.response.contenttype=application/json http.response.duration=196.42082ms http.response.status=500 http.response.written=147 instance.id=<INSTANCE_ID> service=registry vars.digest="sha256:36186c6d9540a596c2e2ab811d7de1bd3c0ff0ec96216cc82d504d049fab108e" vars.name=my-failing-project/my-app version=3.0.0
<INTERNAL_IP> - - [04/Sep/2025:13:18:11 +0000] "HEAD /v2/my-failing-project/my-app/blobs/sha256:36186c6d9540a596c2e2ab811d7de1bd3c0ff0ec96216cc82d504d049fab108e HTTP/1.1" 500 147 "" "buildkit/v0.24"

Harbor Registry Logs (Working Harbor Project)
For comparison, here are the logs from a successful push to a different Harbor project, on the same Harbor instance (with the same S3 backend), also using buildkit/v0.24.0:

time="2025-09-04T12:15:28.275Z" level=info msg="response completed" auth.user.name=harbor_registry_user go.version=go1.23.7 http.request.contenttype=application/vnd.docker.distribution.manifest.v2+json http.request.host=harbor.example.com http.request.id=9c655e57-c30e-4f89-835c-d0ac5c46aac3 http.request.method=PUT http.request.remoteaddr=<REMOTE_IP_ADDRESS> http.request.uri=/v2/my-working-project/my-api/manifests/1.9.1-feat-snapshot http.request.useragent=buildkit/v0.24 http.response.duration=357.625689ms http.response.status=201 http.response.written=0 instance.id=<INSTANCE_ID> service=registry vars.name=my-working-project/my-api vars.reference=1.9.1-feat-snapshot version=3.0.0
<INTERNAL_IP> - - [04/Sep/2025:12:15:27 +0000] "PUT /v2/my-working-project/my-api/manifests/1.9.1-feat-snapshot HTTP/1.1" 201 0 "" "buildkit/v0.24"
time="2025-09-04T12:15:30.821Z" level=info msg="response completed" auth.user.name=harbor_registry_user go.version=go1.23.7 http.request.contenttype=application/vnd.oci.image.manifest.v1+json http.request.host=harbor.example.com http.request.id=ec4bc5f9-704c-4ab9-b71e-25c7cd256988 http.request.method=PUT http.request.remoteaddr=<REMOTE_IP_ADDRESS> http.request.uri=/v2/my-working-project/my-api/manifests/cache http.request.useragent=buildkit/v0.24 http.response.duration=252.61318ms http.response.status=201 http.response.written=0 instance.id=<INSTANCE_ID> service=registry vars.name=my-working-project/my-api vars.reference=cache version=3.0.0
<INTERNAL_IP> - - [04/Sep/2025:12:15:30 +0000] "PUT /v2/my-working-project/my-api/manifests/cache HTTP/1.1" 201 0 "" "buildkit/v0.24"

Additional information

• We have confirmed that the robot account credentials have the correct push/pull permissions on both Harbor projects.
• Clearing the GitLab runner cache does not solve the issue.
• The issue seems to be related to how moby/buildkit:v0.24.0-rootless performs requests, which might be causing timeouts or throttling issues on our S3 backend for one specific project.

Could there have been any changes in v0.24.0 regarding request parallelism, timeout handling, or the way HEAD requests are sent to the registry that could explain this behavior?

Thank you for your help!

[crazy-max]

Can you show the BuildKit logs?

Also just to check for repro on my side, what version of Harbor?

[mnar-devo]

Hi,

We are using version v2.12.2 of Harbor.

Here are the buildkit logs (failing):

Using Kubernetes executor with image moby/buildkit:v0.24.0-rootless ...
...
$ mkdir -p ~/.docker
$ echo "{\"auths\":{\"${HARBOR_DOMAIN}\":{\"username\":\"${HARBOR_PUBLISHER_USERNAME}\",\"password\":\"${HARBOR_PUBLISHER_TOKEN}\"}}}" > ~/.docker/config.json
$ ( # collapsed multi-line command
+ buildctl-daemonless.sh build --frontend dockerfile.v0 --local 'context=.' --local 'dockerfile=.' --opt 'filename=Dockerfile' --output 'type=image,"name=harbor.example.com/my-project/my-app:1.2.0-RC29",push=true'
#1 [internal] load build definition from Dockerfile
#1 transferring dockerfile: 556B done
#1 DONE 0.0s
#2 [internal] load metadata for docker.io/library/eclipse-temurin:21-jre-alpine
#2 DONE 1.1s
#3 [internal] load .dockerignore
#3 transferring context: 2B done
#3 DONE 0.0s
#4 [1/5] FROM docker.io/library/eclipse-temurin:21-jre-alpine@sha256:4ca7eff3ab0ef9b41f5fefa35efaeda9ed8d26e161e1192473b24b3a6c348aef
#4 resolve docker.io/library/eclipse-temurin:21-jre-alpine@sha256:4ca7eff3ab0ef9b41f5fefa35efaeda9ed8d26e161e1192473b24b3a6c348aef 0.0s done
#4 DONE 0.2s
#5 [internal] load build context
#5 transferring context: 20.75MB 0.2s done
#5 DONE 0.3s
#4 [1/5] FROM docker.io/library/eclipse-temurin:21-jre-alpine@sha256:4ca7eff3ab0ef9b41f5fefa35efaeda9ed8d26e161e1192473b24b3a6c348aef
#4 sha256:fb760d495f93020b467e7edca17a273394c877a25c14ce0d90a9a039e90bcb08 0B / 2.28kB 0.2s
#4 sha256:fb760d495f93020b467e7edca17a273394c877a25c14ce0d90a9a039e90bcb08 2.28kB / 2.28kB 0.3s done
#4 sha256:cf466e9ba1cfaf9351b9b793d92033975eb18f8b2ffadf9b5720caea1fcb9f48 0B / 127B 0.2s
#4 sha256:57f9d657519484ce2f35f23c98dec4ef4411ffbb8df53ae594b3563de635b94c 0B / 53.14MB 0.2s
#4 sha256:6a46580b98941ec4960dce678993b8f83a0b4d2d146c9d4e59e3aa6e788c13e2 0B / 16.28MB 0.2s
#4 sha256:cf466e9ba1cfaf9351b9b793d92033975eb18f8b2ffadf9b5720caea1fcb9f48 127B / 127B 0.3s done
#4 sha256:9824c27679d3b27c5e1cb00a73adb6f4f8d556994111c12db3c5d61a0c843df8 0B / 3.80MB 0.2s
#4 sha256:6a46580b98941ec4960dce678993b8f83a0b4d2d146c9d4e59e3aa6e788c13e2 2.10MB / 16.28MB 0.5s
#4 sha256:57f9d657519484ce2f35f23c98dec4ef4411ffbb8df53ae594b3563de635b94c 8.39MB / 53.14MB 0.6s
#4 sha256:6a46580b98941ec4960dce678993b8f83a0b4d2d146c9d4e59e3aa6e788c13e2 11.53MB / 16.28MB 0.6s
#4 sha256:9824c27679d3b27c5e1cb00a73adb6f4f8d556994111c12db3c5d61a0c843df8 3.80MB / 3.80MB 0.4s done
#4 sha256:57f9d657519484ce2f35f23c98dec4ef4411ffbb8df53ae594b3563de635b94c 12.58MB / 53.14MB 0.8s
#4 sha256:6a46580b98941ec4960dce678993b8f83a0b4d2d146c9d4e59e3aa6e788c13e2 16.28MB / 16.28MB 0.7s done
#4 extracting sha256:9824c27679d3b27c5e1cb00a73adb6f4f8d556994111c12db3c5d61a0c843df8
#4 sha256:57f9d657519484ce2f35f23c98dec4ef4411ffbb8df53ae594b3563de635b94c 16.78MB / 53.14MB 0.9s
#4 extracting sha256:9824c27679d3b27c5e1cb00a73adb6f4f8d556994111c12db3c5d61a0c843df8 0.1s done
#4 extracting sha256:6a46580b98941ec4960dce678993b8f83a0b4d2d146c9d4e59e3aa6e788c13e2
#4 sha256:57f9d657519484ce2f35f23c98dec4ef4411ffbb8df53ae594b3563de635b94c 19.92MB / 53.14MB 1.1s
#4 sha256:57f9d657519484ce2f35f23c98dec4ef4411ffbb8df53ae594b3563de635b94c 23.07MB / 53.14MB 1.2s
#4 extracting sha256:6a46580b98941ec4960dce678993b8f83a0b4d2d146c9d4e59e3aa6e788c13e2 0.5s done
#4 sha256:57f9d657519484ce2f35f23c98dec4ef4411ffbb8df53ae594b3563de635b94c 26.21MB / 53.14MB 1.4s
#4 sha256:57f9d657519484ce2f35f23c98dec4ef4411ffbb8df53ae594b3563de635b94c 30.41MB / 53.14MB 1.5s
#4 sha256:57f9d657519484ce2f35f23c98dec4ef4411ffbb8df53ae594b3563de635b94c 34.60MB / 53.14MB 1.8s
#4 sha256:57f9d657519484ce2f35f23c98dec4ef4411ffbb8df53ae594b3563de635b94c 39.85MB / 53.14MB 2.0s
#4 sha256:57f9d657519484ce2f35f23c98dec4ef4411ffbb8df53ae594b3563de635b94c 44.04MB / 53.14MB 2.1s
#4 sha256:57f9d657519484ce2f35f23c98dec4ef4411ffbb8df53ae594b3563de635b94c 50.33MB / 53.14MB 2.4s
#4 sha256:57f9d657519484ce2f35f23c98dec4ef4411ffbb8df53ae594b3563de635b94c 53.14MB / 53.14MB 2.5s done
#4 extracting sha256:57f9d657519484ce2f35f23c98dec4ef4411ffbb8df53ae594b3563de635b94c
#4 extracting sha256:57f9d657519484ce2f35f23c98dec4ef4411ffbb8df53ae594b3563de635b94c 1.4s done
#4 DONE 4.2s
#4 [1/5] FROM docker.io/library/eclipse-temurin:21-jre-alpine@sha256:4ca7eff3ab0ef9b41f5fefa35efaeda9ed8d26e161e1192473b24b3a6c348aef
#4 extracting sha256:cf466e9ba1cfaf9351b9b793d92033975eb18f8b2ffadf9b5720caea1fcb9f48 done
#4 extracting sha256:fb760d495f93020b467e7edca17a273394c877a25c14ce0d90a9a039e90bcb08 done
#4 DONE 4.2s
#6 [2/5] RUN addgroup -S springapp && adduser -S springapp -G springapp
#6 DONE 0.1s
#7 [3/5] RUN apk add --no-cache tzdata=2025b-r0
#7 0.047 fetch https://dl-cdn.alpinelinux.org/alpine/v3.22/main/x86_64/APKINDEX.tar.gz
#7 0.111 fetch https://dl-cdn.alpinelinux.org/alpine/v3.22/community/x86_64/APKINDEX.tar.gz
#7 0.371 OK: 39 MiB in 72 packages
#7 DONE 0.4s
#8 [4/5] COPY target/springapp-*.jar springapp.jar
#8 DONE 0.0s
#9 exporting to image
#9 exporting layers
#9 exporting layers 0.4s done
#9 exporting manifest sha256:9c6ccfab4836ca442da4ccc8040f076777015a3ec48dc13cad910ae4d266440b done
#9 exporting config sha256:be9860e934fd0cff73b5bede66064e5c0aed59aa3bb2e36dc0ed6970bac29382 done
#9 pushing layers 0.2s done
#9 ERROR: failed to push harbor.example.com/my-project/my-app:1.2.0-RC29: unauthorized: unauthorized to access repository: my-project/my-app, action: push: unauthorized to access repository: my-project/my-app, action: push
#10 [auth] my-project/my-app:pull,push token for harbor.example.com
#10 DONE 0.0s
#11 [auth] sharing credentials for harbor.example.com
#11 DONE 0.0s
------
 > exporting to image:
------
error: failed to solve: failed to push harbor.example.com/my-project/my-app:1.2.0-RC29: unauthorized: unauthorized to access repository: my-project/my-app, action: push: unauthorized to access repository: my-project/my-app, action: push

The same job with version v0.23.2 works very well:

Using Kubernetes executor with image moby/buildkit:v0.23.2-rootless ...
...
$ mkdir -p ~/.docker
$ echo "{\"auths\":{\"${HARBOR_DOMAIN}\":{\"username\":\"${HARBOR_PUBLISHER_USERNAME}\",\"password\":\"${HARBOR_PUBLISHER_TOKEN}\"}}}" > ~/.docker/config.json
$ ( # collapsed multi-line command
+ buildctl-daemonless.sh build --frontend dockerfile.v0 --local 'context=.' --local 'dockerfile=.' --opt 'filename=Dockerfile' --output 'type=image,"name=harbor.example.com/my-project/my-app:1.2.0-RC28",push=true'
#1 [internal] load build definition from Dockerfile
#1 transferring dockerfile: 558B done
#1 DONE 0.0s
#2 [internal] load metadata for docker.io/library/eclipse-temurin:21-jre-alpine
#2 DONE 1.1s
#3 [internal] load .dockerignore
#3 transferring context: 2B done
#3 DONE 0.0s
#4 [1/5] FROM docker.io/library/eclipse-temurin:21-jre-alpine@sha256:4ca7eff3ab0ef9b41f5fefa35efaeda9ed8d26e161e1192473b24b3a6c348aef
#4 resolve docker.io/library/eclipse-temurin:21-jre-alpine@sha256:4ca7eff3ab0ef9b41f5fefa35efaeda9ed8d26e161e1192473b24b3a6c348aef 0.0s done
#4 ...
#5 [internal] load build context
#5 transferring context: 20.75MB 0.2s done
#5 DONE 0.3s
#4 [1/5] FROM docker.io/library/eclipse-temurin:21-jre-alpine@sha256:4ca7eff3ab0ef9b41f5fefa35efaeda9ed8d26e161e1192473b24b3a6c348aef
#4 sha256:fb760d495f93020b467e7edca17a273394c877a25c14ce0d90a9a039e90bcb08 0B / 2.28kB 0.2s
#4 sha256:fb760d495f93020b467e7edca17a273394c877a25c14ce0d90a9a039e90bcb08 2.28kB / 2.28kB 0.3s done
#4 sha256:cf466e9ba1cfaf9351b9b793d92033975eb18f8b2ffadf9b5720caea1fcb9f48 0B / 127B 0.2s
#4 sha256:57f9d657519484ce2f35f23c98dec4ef4411ffbb8df53ae594b3563de635b94c 0B / 53.14MB 0.2s
#4 sha256:6a46580b98941ec4960dce678993b8f83a0b4d2d146c9d4e59e3aa6e788c13e2 0B / 16.28MB 0.2s
#4 sha256:cf466e9ba1cfaf9351b9b793d92033975eb18f8b2ffadf9b5720caea1fcb9f48 127B / 127B 0.3s done
#4 sha256:9824c27679d3b27c5e1cb00a73adb6f4f8d556994111c12db3c5d61a0c843df8 0B / 3.80MB 0.2s
#4 sha256:57f9d657519484ce2f35f23c98dec4ef4411ffbb8df53ae594b3563de635b94c 7.34MB / 53.14MB 0.5s
#4 sha256:6a46580b98941ec4960dce678993b8f83a0b4d2d146c9d4e59e3aa6e788c13e2 1.05MB / 16.28MB 0.5s
#4 sha256:9824c27679d3b27c5e1cb00a73adb6f4f8d556994111c12db3c5d61a0c843df8 3.80MB / 3.80MB 0.3s done
#4 sha256:57f9d657519484ce2f35f23c98dec4ef4411ffbb8df53ae594b3563de635b94c 17.83MB / 53.14MB 0.6s
#4 sha256:6a46580b98941ec4960dce678993b8f83a0b4d2d146c9d4e59e3aa6e788c13e2 5.24MB / 16.28MB 0.6s
#4 extracting sha256:9824c27679d3b27c5e1cb00a73adb6f4f8d556994111c12db3c5d61a0c843df8 0.1s done
#4 sha256:57f9d657519484ce2f35f23c98dec4ef4411ffbb8df53ae594b3563de635b94c 36.70MB / 53.14MB 0.9s
#4 sha256:6a46580b98941ec4960dce678993b8f83a0b4d2d146c9d4e59e3aa6e788c13e2 8.39MB / 16.28MB 0.8s
#4 sha256:57f9d657519484ce2f35f23c98dec4ef4411ffbb8df53ae594b3563de635b94c 46.14MB / 53.14MB 1.1s
#4 sha256:6a46580b98941ec4960dce678993b8f83a0b4d2d146c9d4e59e3aa6e788c13e2 11.53MB / 16.28MB 0.9s
#4 sha256:57f9d657519484ce2f35f23c98dec4ef4411ffbb8df53ae594b3563de635b94c 53.14MB / 53.14MB 1.2s
#4 sha256:6a46580b98941ec4960dce678993b8f83a0b4d2d146c9d4e59e3aa6e788c13e2 13.63MB / 16.28MB 1.1s
#4 sha256:57f9d657519484ce2f35f23c98dec4ef4411ffbb8df53ae594b3563de635b94c 53.14MB / 53.14MB 1.2s done
#4 sha256:6a46580b98941ec4960dce678993b8f83a0b4d2d146c9d4e59e3aa6e788c13e2 16.28MB / 16.28MB 1.2s done
#4 extracting sha256:6a46580b98941ec4960dce678993b8f83a0b4d2d146c9d4e59e3aa6e788c13e2
#4 extracting sha256:6a46580b98941ec4960dce678993b8f83a0b4d2d146c9d4e59e3aa6e788c13e2 0.5s done
#4 DONE 1.9s
#4 [1/5] FROM docker.io/library/eclipse-temurin:21-jre-alpine@sha256:4ca7eff3ab0ef9b41f5fefa35efaeda9ed8d26e161e1192473b24b3a6c348aef
#4 extracting sha256:57f9d657519484ce2f35f23c98dec4ef4411ffbb8df53ae594b3563de635b94c
#4 extracting sha256:57f9d657519484ce2f35f23c98dec4ef4411ffbb8df53ae594b3563de635b94c 1.5s done
#4 DONE 3.4s
#4 [1/5] FROM docker.io/library/eclipse-temurin:21-jre-alpine@sha256:4ca7eff3ab0ef9b41f5fefa35efaeda9ed8d26e161e1192473b24b3a6c348aef
#4 extracting sha256:cf466e9ba1cfaf9351b9b793d92033975eb18f8b2ffadf9b5720caea1fcb9f48 done
#4 extracting sha256:fb760d495f93020b467e7edca17a273394c877a25c14ce0d90a9a039e90bcb08 done
#4 DONE 3.4s
#6 [2/5] RUN addgroup -S springapp && adduser -S springapp -G springapp
#6 DONE 0.1s
#7 [3/5] RUN apk add --no-cache tzdata=2025b-r0
#7 0.046 fetch https://dl-cdn.alpinelinux.org/alpine/v3.22/main/x86_64/APKINDEX.tar.gz
#7 0.323 fetch https://dl-cdn.alpinelinux.org/alpine/v3.22/community/x86_64/APKINDEX.tar.gz
#7 0.578 OK: 39 MiB in 72 packages
#7 DONE 0.6s
#8 [4/5] COPY target/springapp-*.jar springapp.jar
#8 DONE 0.0s
#9 exporting to image
#9 exporting layers
#9 exporting layers 0.4s done
#9 ...
#10 [auth] my-project/my-app:pull,push token for harbor.example.com
#10 DONE 0.0s
#9 exporting to image
#9 exporting manifest sha256:8d769481fe8b0b365e8065d418d139d446ca5a213ca5add7c54a1a0060cd5766 done
#9 exporting config sha256:d85d02db97a2e6c466f28e43f460667317c82e561f01b9003a37b8b2356dda41 done
#9 pushing layers
#9 pushing layers 2.0s done
#9 pushing manifest for harbor.example.com/my-project/my-app:1.2.0-RC28@sha256:8d769481fe8b0b365e8065d418d139d446ca5a213ca5add7c54a1a0060cd5766
#9 pushing manifest for harbor.example.com/my-project/my-app:1.2.0-RC28@sha256:8d769481fe8b0b365e8065d418d139d446ca5a213ca5add7c54a1a0060cd5766 0.6s done
#9 DONE 3.0s

For your information, the GitLab job looks like this:

docker:build:
  image: moby/buildkit:v0.24.0-rootless
  stage: package-build-push
  variables:
    BUILDKITD_FLAGS: --oci-worker-no-process-sandbox
  before_script:
    - mkdir -p ~/.docker
    - echo "{\"auths\":{\"${HARBOR_DOMAIN}\":{\"username\":\"${HARBOR_PUBLISHER_USERNAME}\",\"password\":\"${HARBOR_PUBLISHER_TOKEN}\"}}}" > ~/.docker/config.json
  script:
    - |
      (
        set -x

        buildctl-daemonless.sh build \
          --frontend dockerfile.v0 \
          --local context=. \
          --local dockerfile=. \
          --opt filename=Dockerfile \
          --output type=image,\"name=${HARBOR_DOMAIN}/${HARBOR_DOCKER_PROJECTNAME}/${PROJECT_NAME}:${PROJECT_VERSION}\",push=true
      )

[crazy-max]

Hum wonder if this relates to docker/cli#6156. Do you have DOCKER_AUTH_CONFIG set in your GitLab Runner?

[mnar-devo]

Thank you very much for the feedback. The issue does indeed stem from the DOCKER_AUTH_CONFIG variable (with a read-only account), which now takes precedence as mentioned in the issue.

I resolved the issue by adding unset DOCKER_AUTH_CONFIG to my GitLab job.

I am unsure whether this can be considered a bug in the buildkit project.

[crazy-max]

I was looking at docker/cli#6163 that warns if DOCKER_AUTH_CONFIG takes precedence when running docker login but looking at your before_script, I guess the runner doesn't have the docker cli available?

I also see this draft PR docker/cli#6171 that could help.

[mnar-devo]

Indeed, the runner does not have the Docker CLI interface.

My question is whether I should leave this issue open, or is it considered closed?

[tonistiigi]

I think we can close this and continue tracking in the linked issues in docker/cli repo.