Bug: InputDigest tagger fails with artifact dependency and COPY --from #9830

@lindsaygrace

Environment

Skaffold version: v2.16.0
OS: MacOS
Docker engine version: 28.2.2

Description

Since skaffold v2.14.0 (https://github.com/GoogleContainerTools/skaffold/releases/tag/v2.14.0), the inputDigest tagger is failing for images that copy from an artifact dependency. The described issue is not reproducible in v2.13.x.

It may have been caused by #9664 which was part of that release.

When the inputDigest tagger fails, skaffold falls back to the sha256 builder which results in the image being tagged as latest.

This seems to have been previously fixed by skaffold in #5507 but #9664 did a refactoring of the code, potentially re-introducing the bug.
Of note however is that reproducing the steps defined in #5498 did not result in the problem. It seems this current bug is localised to usage of COPY --from.

Usage of COPY --from where from is an image provided by a docker ARG requires the use of a named FROM due to --from not expanding variables (see moby/moby#34482).

The following is what the debug logs output when calculating the image tag.

DEBU[0013] generating tag: parsing ONBUILD instructions: retrieving image "image:latest": GET https://index.docker.io/v2/library/image/manifests/latest: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:library/image Type:repository]] subtask=app task=Build
DEBU[0013] Using a fall-back tagger subtask=app task=Build

Expected behavior

Generating tags...
 - app -> app:645bd86c539773a11acd886285d3e527e2cc439caf28a7812aa4c334c3a2b3e4
 - base -> base:f06ab6582db5b2f039bbfe557419b897c31a4161c69c6e7c7832f839b021a7e4
Checking cache...
 - app: Not found. Building
 - base: Not found. Building
Starting build...
Building [base]...
Sending build context to Docker daemon  3.072kB
...
Successfully built e7294fc7e8ea
Successfully tagged base:f06ab6582db5b2f039bbfe557419b897c31a4161c69c6e7c7832f839b021a7e4
Build [base] succeeded
Building [app]...
Sending build context to Docker daemon  4.608kB
...
Successfully built a8ac08d9dedf
Successfully tagged app:645bd86c539773a11acd886285d3e527e2cc439caf28a7812aa4c334c3a2b3e4
Build [app] succeeded

Actual behavior

Generating tags...
 - app -> app:latest
 - base -> base:f06ab6582db5b2f039bbfe557419b897c31a4161c69c6e7c7832f839b021a7e4
Some taggers failed. Rerun with -vdebug for errors.
Checking cache...
 - app: Not found. Building
 - base: Not found. Building
Starting build...
Building [base]...
Sending build context to Docker daemon  3.072kB
...
Successfully built e7294fc7e8ea
Successfully tagged base:f06ab6582db5b2f039bbfe557419b897c31a4161c69c6e7c7832f839b021a7e4
Build [base] succeeded
Building [app]...
Sending build context to Docker daemon  4.608kB
...
Successfully built a8ac08d9dedf
Successfully tagged app:latest
Build [app] succeeded

Steps to reproduce the behavior

  1. Go to examples/simple-artifact-dependency of the skaffold repository.
  2. Change skaffold.yaml to:

```yaml
apiVersion: skaffold/v4beta13
kind: Config
build:
  tagPolicy:
    inputDigest: {}
  artifacts:
  - image: app
    context: app
    requires:
    - image: base
      alias: BASE
  - image: base
    context: base
manifests:
  rawYaml:
  - app/k8s-pod.yaml
```

  3. Change app/Dockerfile to:

```dockerfile
ARG BASE
FROM $BASE AS base

FROM golang:1.18 AS builder
WORKDIR /code
COPY main.go .
COPY go.mod .
# `skaffold debug` sets SKAFFOLD_GO_GCFLAGS to disable compiler optimizations
ARG SKAFFOLD_GO_GCFLAGS
RUN go build -gcflags="${SKAFFOLD_GO_GCFLAGS}" -trimpath -o /app .

FROM scratch
# Define GOTRACEBACK to mark this container as using the Go language runtime
# for `skaffold debug` (https://skaffold.dev/docs/workflows/debug/).
ENV GOTRACEBACK=single
CMD ["./app"]
COPY --from=builder /app .
COPY --from=base hello.txt .
```

  4. skaffold build --push=false or skaffold build --dry-run
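Because the fall-back described above only surfaces as a warning while the build still succeeds, a pipeline can end up shipping a mutable `latest` tag unnoticed. The following is an added example, not part of the original issue or of Skaffold's code: a check that parses the "Generating tags..." section of `skaffold build` output and flags any artifact whose tag is not an input digest. The function names and the 64-hex-character tag pattern are assumptions based on the output shown in this issue.

```python
import re
import sys

# Constructed sample: the "Actual behavior" output from this issue, trimmed.
SAMPLE_OUTPUT = """\
Generating tags...
 - app -> app:latest
 - base -> base:f06ab6582db5b2f039bbfe557419b897c31a4161c69c6e7c7832f839b021a7e4
Some taggers failed. Rerun with -vdebug for errors.
Checking cache...
 - app: Not found. Building
"""

TAG_LINE = re.compile(r"^\s*-\s+(\S+)\s+->\s+(\S+)\s*$")
# Assumption: an inputDigest tag is 64 lowercase hex characters, as in the
# issue's "Expected behavior" output.
DIGEST_TAG = re.compile(r"^[0-9a-f]{64}$")


def tag_of(ref):
    """Tag of an image ref, or None; a registry port is not a tag."""
    last = ref.rsplit("/", 1)[-1]
    _, sep, tag = last.partition(":")
    return tag if sep else None


def find_fallback_tags(output):
    """Return (artifact, image_ref) pairs whose tag is not an input digest."""
    flagged, in_tags = [], False
    for line in output.splitlines():
        if line.startswith("Generating tags..."):
            in_tags = True
        elif in_tags and line.startswith("Checking cache..."):
            break
        elif in_tags and (m := TAG_LINE.match(line)):
            tag = tag_of(m.group(2))
            if tag is None or not DIGEST_TAG.match(tag):
                flagged.append((m.group(1), m.group(2)))
    return flagged


if __name__ == "__main__":
    # Pass a file containing captured build output, or run on the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    bad = find_fallback_tags(text)
    for artifact, ref in bad:
        print(f"{artifact}: tagger fell back to {ref}")
    sys.exit(1 if bad or "Some taggers failed." in text else 0)
```

Run against the sample, the script reports `app` and exits non-zero, so a CI job using it fails instead of building and deploying `app:latest`.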
