A Buildkite plugin for caching Docker images across builds using various registry providers (ECR, GAR, and Buildkite Packages currently supported).
This plugin speeds up your Docker builds by caching images between pipeline runs. Instead of rebuilding the same Docker image every time, it stores built images in ECR, Google Artifact Registry, or Buildkite Packages and reuses them when nothing has changed.
The plugin will check if a cached version of your image already exists. If it does, it pulls that instead of rebuilding. If not, it builds the image and saves it for next time. It automatically creates the necessary repositories in your registry if they don't exist (ECR and GAR only - Buildkite Packages registries are managed through the UI).
Cache keys are generated based on your Dockerfile content and build context, so the cache automatically invalidates when you make changes to your code or build configuration.
Also see the Docker Buildkite Plugin for running pipeline steps in Docker containers.
The following pipeline will cache Docker builds in Amazon ECR.
steps:
- label: "π³ Build with ECR cache"
command: "echo 'Building with cache'"
plugins:
- docker-cache#v1.0.0:
provider: ecr
image: my-app
ecr:
region: us-east-1
account-id: "123456789012"The following pipeline will cache Docker builds in Google Artifact Registry:
steps:
- label: "π³ Build with GAR cache"
command: "echo 'Building with cache'"
plugins:
- docker-cache#v1.0.0:
provider: gar
image: my-app
gar:
project: my-gcp-project
region: usThe following pipeline will cache Docker builds in Buildkite Packages Container Registry:
steps:
- label: "π³ Build with Buildkite Packages cache"
command: "echo 'Building with cache'"
plugins:
- docker-cache#v1.0.0:
provider: buildkite
image: my-app
buildkite:
org-slug: my-orgsteps:
- label: "π³ Build with Buildkite Packages cache (OIDC)"
command: "echo 'Building with cache'"
plugins:
- docker-cache#v1.0.0:
provider: buildkite
image: my-app
buildkite:
org-slug: my-org
auth-method: oidcYou can control how the cache is used with different strategies:
Pulls the complete cached image if available, builds from scratch if not:
steps:
- label: "π³ Artifact strategy"
plugins:
- docker-cache#v1.0.0:
provider: ecr
image: my-app
strategy: artifact
ecr:
region: us-east-1
account-id: "123456789012"Uses layer caching during the build process:
steps:
- label: "π³ Build strategy"
plugins:
- docker-cache#v1.0.0:
provider: ecr
image: my-app
strategy: build
ecr:
region: us-east-1
account-id: "123456789012"Tries artifact strategy first, falls back to build strategy if pull fails:
steps:
- label: "π³ Hybrid strategy"
plugins:
- docker-cache#v1.0.0:
provider: ecr
image: my-app
strategy: hybrid
ecr:
region: us-east-1
account-id: "123456789012"For multi-stage Dockerfiles, you can specify the target stage:
steps:
- label: "π³ Multi-stage build"
plugins:
- docker-cache#v1.0.0:
provider: ecr
image: my-app
target: production
ecr:
region: us-east-1
account-id: "123456789012"You can pass build arguments to Docker:
steps:
- label: "π³ Build with args"
plugins:
- docker-cache#v1.0.0:
provider: ecr
image: my-app
build-args:
- NODE_ENV=production
- API_URL=https://api.example.com
ecr:
region: us-east-1
account-id: "123456789012"These are all the options available to configure this plugin's behaviour.
Which registry provider to use for caching. Supported values: ecr, gar, buildkite.
Name of your Docker image.
Example: my-app
How to use the cache:
artifact: Pull complete cached image if available, build from scratch if notbuild: Use layer caching during build processhybrid: Try artifact strategy first, fall back to build strategy if pull fails
Path to your Dockerfile.
Inline Dockerfile content instead of reading from a file.
Docker build context path.
Target stage for multi-stage builds.
Build arguments to pass to Docker.
Example: ["NODE_ENV=production", "VERSION=1.0.0"]
Additional docker build arguments as a single string.
Example: "--network=host --build-arg CUSTOM_ARG=value"
Build secrets to pass to Docker (requires BuildKit).
Example: ["id=mysecret,src=/local/secret", "id=mypassword"]
Additional cache sources for Docker build.
Example: ["my-base-image:latest"]
Skip pulling from cache (useful for testing).
Whether to save cache after build.
Whether to restore cache before build.
Maximum age in days for cached images.
Custom cache key. If not provided, automatically generated from Dockerfile content and build context.
Example: ["my-key", "v1.0"] or "custom-key"
Environment variable name for exporting the final image reference.
Enable verbose logging.
Custom tag for the cached image. If not provided, generated from git commit or pipeline context.
When using provider: ecr, these options are available:
AWS region for ECR registry. If not provided, will be auto-detected from AWS configuration.
Example: us-east-1
AWS account ID (12 digits). If not provided, will be auto-detected from AWS credentials.
Example: 123456789012
Custom ECR registry URL. If not provided, will be constructed from account ID and region.
Example: 123456789012.dkr.ecr.us-east-1.amazonaws.com
Note: Authentication is handled by the gcloud CLI. Ensure your Buildkite agent has authenticated with Google Cloud before running this plugin (e.g., using a service account key or Workload Identity Federation).
When using provider: gar, these options are available:
Google Cloud project ID.
Example: my-gcp-project
GAR region.
Valid values: us, europe, asia, or specific regional endpoints like us-central1-docker.pkg.dev
Example: us
Artifact Registry repository name. If not provided, defaults to the image name.
Example: docker (for repository name, results in full path like us-docker.pkg.dev/project/docker/image)
Note: Authentication requires either a Buildkite API token with Read Packages and Write Packages scopes, or OIDC authentication using buildkite-agent (available in Buildkite pipeline jobs).
When using provider: buildkite, these options are available:
Buildkite organization slug. If omitted, it will use the BUILDKITE_ORGANIZATION_SLUG environment variable.
Example: my-org
Container registry slug. If omitted, it defaults to the image name.
Example: docker-images
Authentication method to use. Supported values: api-token, oidc.
api-token: Uses theapi-tokenparameter or falls back toBUILDKITE_API_TOKENenvironment variableoidc: Usesbuildkite-agent oidc request-tokencommand (available in pipeline jobs)
Buildkite API token with Read Packages and Write Packages scopes. Required when auth-method is api-token. Can also be provided via the BUILDKITE_API_TOKEN environment variable for backward compatibility.
The plugin handles ECR authentication automatically using your existing AWS credentials. Make sure your build environment has AWS credentials configured through:
- IAM roles (recommended for EC2/ECS)
- AWS credentials file
- Environment variables (
AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY)
Required permissions:
sts:GetCallerIdentityecr:GetAuthorizationTokenecr:DescribeRepositoriesecr:CreateRepositoryecr:BatchGetImageecr:GetDownloadUrlForLayerecr:BatchCheckLayerAvailabilityecr:PutImageecr:InitiateLayerUploadecr:UploadLayerPartecr:CompleteLayerUpload
The plugin uses gcloud for GAR authentication with your existing Google Cloud credentials. Make sure your build environment has Google Cloud credentials configured through:
- Service account keys
- Workload Identity (recommended for GKE)
- Application Default Credentials
Required permissions:
artifactregistry.repositories.getartifactregistry.repositories.createartifactregistry.docker.images.getartifactregistry.docker.images.pushartifactregistry.docker.images.pull
The plugin supports two authentication methods for Buildkite Packages:
Uses a Buildkite API token with Read Packages and Write Packages scopes:
plugins:
- docker-cache#v1.0.0:
provider: buildkite
image: my-app
buildkite:
org-slug: my-org
api-token: $BUILDKITE_API_TOKENOr set the BUILDKITE_API_TOKEN environment variable in your build environment.
Required token scopes:
read_packages- To pull cached imageswrite_packages- To push new cache images
Uses buildkite-agent OIDC tokens for passwordless authentication:
plugins:
- docker-cache#v1.0.0:
provider: buildkite
image: my-app
buildkite:
org-slug: my-org
auth-method: oidcOIDC authentication requires:
- buildkite-agent v3.38.0 or later
- Proper OIDC policy configuration in your Buildkite organization
- Pipeline access to the target registry
Cache keys are automatically generated from:
- Dockerfile content hash (primary)
- Build context hash (if different from Dockerfile location)
- Build arguments
- Target stage (for multi-stage builds)
This ensures the cache is invalidated whenever anything that affects the build changes.
| Elastic Stack | Agent Stack K8s | Hosted (Mac) | Hosted (Linux) | Notes |
|---|---|---|---|---|
| β | β | β | β | ECR β Requires awscliGAR β Requires gcloudHosted (Mac) β Docker engine not available |
- β Fully supported (all combinations of attributes have been tested to pass)
β οΈ Partially supported (some combinations cause errors/issues)- β Not supported
To run tests, you can use the docker Plugin Tester:
docker run --rm -ti -v "${PWD}":/plugin buildkite/plugin-tester:latestMIT (see LICENSE)