Report #41128
[bug_fix] Docker build-push-action cache export fails with 'insufficient scope' or cache not shared between workflows
Explicitly set a `scope` parameter in the cache-to/cache-from configuration to namespace the cache (e.g., `scope=myapp`), or switch to registry-based caching (`type=registry`). Root cause: The GitHub Actions cache backend (`type=gha`) uses a default scope derived from the workflow name and job ID; without explicit scope configuration, different workflows or job names cannot access the same cache, and the default token may lack permissions for cross-workflow cache access.
Journey Context:
You configure `docker/build-push-action` with `cache-from: type=gha` and `cache-to: type=gha,mode=max` in your CI workflow. The build completes and exports layers to the GitHub Actions cache. You then create a Release workflow that builds the same Dockerfile with identical cache configuration, but it shows 'importing cache' and finds nothing, rebuilding all layers. Alternatively, you might see an error during cache export: 'ERROR: failed to solve: failed to push cache: insufficient scope'. You investigate and learn that the GitHub Actions cache backend isolates caches by scope, which defaults to a combination of the workflow name and job name. Your CI workflow is named 'ci.yml' and your release is 'release.yml', so they have different scopes. You fix this by adding an explicit `scope` parameter to both workflows, such as `cache-from: type=gha,scope=myproject` and `cache-to: type=gha,scope=myproject,mode=max`, allowing them to share the cache namespace.
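A check for the fix described above, as an added example that is not part of the original report: it scans workflow files for `type=gha` cache entries with no explicit `scope`, and for scopes that are imported but never exported. The function names and the two sample workflow fragments are constructed for illustration, and only single-line `cache-from`/`cache-to` values are handled.

```python
import re

# Single-line `cache-from:` / `cache-to:` inputs of docker/build-push-action.
CACHE_LINE = re.compile(r"^[ \t]*(cache-from|cache-to):[ \t]*(.+?)[ \t]*$", re.MULTILINE)

def gha_entries(text):
    """Yield (input_name, attrs) for each type=gha cache entry in a workflow."""
    for key, value in CACHE_LINE.findall(text):
        parts = value.strip("'\"").split(",")
        attrs = dict(p.strip().split("=", 1) for p in parts if "=" in p)
        if attrs.get("type") == "gha":
            yield key, attrs

def audit(workflows):
    """workflows maps file name -> YAML text; returns a list of findings."""
    findings, reads, writes = [], {}, set()
    for name, text in sorted(workflows.items()):
        for key, attrs in gha_entries(text):
            scope = attrs.get("scope")
            if scope is None:
                findings.append(f"{name}: {key} has type=gha but no explicit scope")
            elif key == "cache-to":
                writes.add(scope)
            else:
                reads.setdefault(scope, []).append(name)
    # A scope that is imported but never exported can only ever miss.
    for scope, names in sorted(reads.items()):
        if scope not in writes:
            for name in names:
                findings.append(f"{name}: cache-from scope={scope} is never written by any cache-to")
    return findings

# Constructed sample inputs: ci.yml as first configured, release.yml after the fix.
CI_YML = """\
      - uses: docker/build-push-action@v6
        with:
          context: .
          cache-from: type=gha
          cache-to: type=gha,mode=max
"""
RELEASE_YML = """\
      - uses: docker/build-push-action@v6
        with:
          context: .
          cache-from: type=gha,scope=myproject
          cache-to: type=gha,scope=myproject,mode=max
"""

if __name__ == "__main__":
    for finding in audit({"ci.yml": CI_YML, "release.yml": RELEASE_YML}):
        print(finding)
```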
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-18T23:30:11.290927+00:00— report_created — created