buildx "tag is needed when pushing to registry" / output requires push in CI
When buildx exports to a registry (via --push or --output type=registry), it must know the target reference. Without a -t/--tag, there is no repository to push to, so buildx stops before building.
What this error means
A build with --push but no tag fails with "ERROR: tag is needed when pushing to registry". The image was never built because the destination is unknown.
buildx
ERROR: tag is needed when pushing to registryCommon causes
Pushing without a -t/--tag
--push is shorthand for --output type=registry, which needs a full image reference to push to.
A templated tag resolved to empty
A tag built from an action output or variable that was empty leaves the build with no reference.
How to fix it
Provide a fully qualified tag
- Add
-t registry/owner/image:tagto the build. - Confirm any templated tag resolves to a non-empty value.
- Re-run the push.
.github/workflows/ci.yml
docker buildx build --push \
-t ghcr.io/acme/app:${{ github.sha }} .Use docker/metadata-action for tags
Generate consistent tags and feed them into the build so the reference is never empty.
.github/workflows/ci.yml
- id: meta
uses: docker/metadata-action@v5
with:
images: ghcr.io/acme/appHow to prevent it
- Always pair
--pushwith at least one-ttag. - Validate templated tag values are non-empty before building.
- Generate tags with metadata-action for consistency.
Related guides
buildx "docker exporter does not support exporting manifest lists" (--load multi-platform) in CIFix buildx "ERROR: docker exporter does not currently support exporting manifest lists" in CI - --load cannot…
buildx "Attestation is not supported for the docker driver" in CIFix buildx "ERROR: Attestation is not supported for the docker driver" in CI - SBOM and provenance attestatio…
buildx "failed to solve: failed to fetch anonymous token" pulling base image in CIFix buildx "failed to solve: failed to fetch oauth token / anonymous token" in CI - BuildKit could not authen…