buildah push: Publish an Image to a Registry
buildah push uploads a locally built image to a registry (or another transport like a directory or archive) without a Docker daemon.
After buildah bud or a commit, buildah push publishes the image. It shares skopeo transports, so it can push to a registry, a dir, or an OCI archive.
What it does
buildah push takes an image from local buildah storage and writes it to a destination. With no explicit transport the destination is a docker:// registry reference; you can also push to dir:, oci:, or docker-archive: targets.
Common usage
# push to a registry
buildah push ghcr.io/acme/app:1.4.0
# push with explicit credentials
buildah push --creds "$USER:$PASS" \
ghcr.io/acme/app:1.4.0 docker://ghcr.io/acme/app:1.4.0
# export to an OCI archive instead of a registry
buildah push ghcr.io/acme/app:1.4.0 oci-archive:app.tarOptions
| Flag | What it does |
|---|---|
| IMAGE [DEST] | Source image and optional destination transport |
| --creds user:pass | Registry credentials for the destination |
| --tls-verify=false | Skip TLS verification (insecure registry) |
| --format oci|v2s2 | Manifest format to push |
| --digestfile <path> | Write the pushed image digest to a file |
In CI
buildah push completes the daemonless build-and-publish loop. Use --digestfile to capture the pushed sha256:... and pin later stages to it. Authenticate with buildah login or --creds; a mounted docker config also works.
Common errors in CI
"unauthorized: authentication required" means run buildah login or pass --creds. "error pushing image ... x509: certificate signed by unknown authority" on an internal registry needs --tls-verify=false or a mounted CA. "image not known" means the source tag is not in buildah storage; check the tag from your bud/commit step.