Publishing Resources
EMB can publish built resources (typically Docker images) to their registries. Publishing is opt-in per resource and is kept separate from building so you can safely run emb resources build in any context without accidentally pushing.
How Publishing Works
Section titled “How Publishing Works”The publish flow has three pieces:
- Resource opt-in — Mark resources you want to publish with
publish: truein their Embfile. - Destination config — Set the registry and optional publish-time tag in
defaults.docker.publish(or per-resource asparams.publish). - Publish command — Run
emb resources publishto push every publishable resource (or a subset).
emb resources publish never builds. Run emb resources build --publishable first (or emb resources build to build everything).
Marking Resources as Publishable
Section titled “Marking Resources as Publishable”In a component’s Embfile, add publish: true to any resource you want to ship:
resources: image: type: docker/image publish: true dependencies: - base:imageResources without publish: true are treated as internal — they can still be depended upon (for example, a base:image that other components build on top of), but emb resources publish will never push them.
List what’s marked as publishable:
emb resources --publishableConfiguring the Destination
Section titled “Configuring the Destination”Project Defaults
Section titled “Project Defaults”Set defaults.docker.publish in .emb.yml to control where images are pushed:
defaults: docker: tag: ${env:DOCKER_TAG:-latest} publish: registry: ghcr.io/myorg # Registry prefix to push to tag: ${env:VERSION} # Optional: retag at publish timeFields:
| Field | Description |
|---|---|
registry | Registry prefix prepended to the image name when pushing (e.g. ghcr.io/myorg) |
tag | Optional tag used only when publishing, overriding the build tag |
If publish.tag is set, EMB retags the locally built image before pushing — useful for shipping a semver tag at release time while keeping latest for local development.
Per-Resource Override
Section titled “Per-Resource Override”Any resource can override the defaults via its params.publish:
resources: image: type: docker/image publish: true params: publish: registry: internal-registry.example.com/platform tag: ${env:VERSION}Resource-level values win over project defaults.
Running a Publish
Section titled “Running a Publish”Publish every publishable resource:
emb resources publishPublish a specific resource:
emb resources publish api:imagePreview without pushing (prints the final image references EMB would push):
emb resources publish --dry-runApply a flavor (for example, to swap the registry for a production target):
emb resources publish --flavor productionTypical CI Workflow
Section titled “Typical CI Workflow”In a release pipeline, the common pattern is:
# 1. Build only what will be shipped (skips internal base images unless depended on)emb resources build --publishable --flavor production
# 2. Push everything marked publishable to the configured registryemb resources publish --flavor productionThe --publishable build flag trims the build graph to publishable resources and their transitive dependencies. Internal helpers that nothing publishable depends on are skipped, keeping CI fast.
Flavors and Publishing
Section titled “Flavors and Publishing”Flavors are the cleanest way to vary publish config by environment. Patch defaults.docker.publish in the flavor that should target a different registry or tag:
defaults: docker: publish: registry: ghcr.io/myorg tag: ${env:DOCKER_TAG:-latest}
flavors: production: patches: - op: replace path: /defaults/docker/publish/registry value: registry.prod.example.com/platform - op: replace path: /defaults/docker/publish/tag value: ${env:VERSION}Run with:
emb resources publish --flavor productionAuthentication
Section titled “Authentication”EMB does not manage registry credentials. Authenticate with the Docker CLI (or your CI’s registry login action) before running emb resources publish:
docker login ghcr.ioNon-Docker Resource Types
Section titled “Non-Docker Resource Types”Only resource types that implement publishing can be marked publish: true. Today this is docker/image. Setting publish: true on an unsupported type raises a PUBLISH_NOT_SUPPORTED error at publish time — either remove the flag or change the resource type.