Skip to content
Latchkey

buildah push: Publish an Image to a Registry

buildah push uploads a locally built image to a registry (or another transport like a directory or archive) without a Docker daemon.

After buildah bud or a commit, buildah push publishes the image. It shares skopeo transports, so it can push to a registry, a dir, or an OCI archive.

What it does

buildah push takes an image from local buildah storage and writes it to a destination. With no explicit transport the destination is a docker:// registry reference; you can also push to dir:, oci:, or docker-archive: targets.

Common usage

Terminal
# push to a registry
buildah push ghcr.io/acme/app:1.4.0

# push with explicit credentials
buildah push --creds "$USER:$PASS" \
  ghcr.io/acme/app:1.4.0 docker://ghcr.io/acme/app:1.4.0

# export to an OCI archive instead of a registry
buildah push ghcr.io/acme/app:1.4.0 oci-archive:app.tar

Options

FlagWhat it does
IMAGE [DEST]Source image and optional destination transport
--creds user:passRegistry credentials for the destination
--tls-verify=falseSkip TLS verification (insecure registry)
--format oci|v2s2Manifest format to push
--digestfile <path>Write the pushed image digest to a file

In CI

buildah push completes the daemonless build-and-publish loop. Use --digestfile to capture the pushed sha256:... and pin later stages to it. Authenticate with buildah login or --creds; a mounted docker config also works.

Common errors in CI

"unauthorized: authentication required" means run buildah login or pass --creds. "error pushing image ... x509: certificate signed by unknown authority" on an internal registry needs --tls-verify=false or a mounted CA. "image not known" means the source tag is not in buildah storage; check the tag from your bud/commit step.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →