Skip to main content
Version: 0.2.x


Implementation details for the push rule



Push an oci_image or oci_image_index to a remote registry.

Pushing and tagging are performed sequentially which MAY lead to non-atomic pushes if one the following events occur;

  • Remote registry rejects a tag due to various reasons. eg: forbidden characters, existing tags
  • Remote registry closes the connection during the tagging
  • Local network outages

In order to avoid incomplete pushes oci_push will push the image by its digest and then apply the default_tags sequentially at the remote registry.

Any failure during pushing or tagging will be reported with non-zero exit code cause remaining steps to be skipped.

Push an oci_image to docker registry with latest tag

oci_image(name = "image")

image = ":image",
repository = "<ORG>/image",
default_tags = ["latest"]

Push an oci_image_index to github container registry with a semver tag

oci_image(name = "app_linux_arm64")

oci_image(name = "app_linux_amd64")

oci_image(name = "app_windows_amd64")

name = "app_image",
images = [

image = ":app_image",
repository = "<OWNER>/image",
default_tags = ["0.0.0"]

Ideally the semver information is gathered from a vcs, like git, instead of being hardcoded to the BUILD files. However, due to nature of BUILD files being static, one has to use -t|--tag flag to pass the tag at runtime instead of using default_tags. eg. bazel run //target:push -- --tag $(git tag)

Similary, the repository attribute can be overridden at runtime with the -r|--repository flag. eg. bazel run //target:push -- --repository<ORG>/image

Example usage (generated):

load("@contrib_rules_oci//oci/private:push.bzl", "oci_push")

# A unique name for this target.
name = "",
# Repository URL where the image will be signed at, e.g.: `<user>/image`
repository = "",


Required name.

A unique name for this target.


Optional list of strings. Default: []

List of tags to apply to the image at remote registry.


Optional label. Default: None

Label to an oci_image or oci_image_index


Required string.

    Repository URL where the image will be signed at, e.g.: `<user>/image`.

Digests and tags are not allowed.