depot-container-builds

Configures and runs Depot remote container builds using `depot build` and `depot bake`. Use when building Docker images, creating Dockerfiles with Depot, pushing images to registries, building multi-platform/multi-arch images (linux/amd64, linux/arm64), debugging container build failures, optimizing Dockerfile layer caching, using docker-bake.hcl or docker-compose builds, or migrating from `docker build` / `docker buildx build` to Depot. Also use when the user mentions depot build, depot bake, container builds, image builds, or asks about Depot's build cache, build parallelism, or ephemeral registry.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "depot-container-builds" with this command: npx skills add depot/skills/depot-skills-depot-container-builds

Depot Container Builds

Depot runs Docker image builds on remote high-performance builders (16 CPU, 32 GB RAM, NVMe SSD cache). depot build is a drop-in replacement for docker build / docker buildx build. depot bake replaces docker buildx bake.

Key Concepts

  • Builds run remotely on ephemeral EC2 instances — images stay in remote cache by default
  • Use --load to download to local Docker, --push to push to a registry, --save to store in Depot's ephemeral registry
  • Cache is fully automatic on persistent NVMe SSDs — no manual cache config needed
  • Multi-platform builds use native CPU builders (no QEMU emulation) for amd64 and arm64 simultaneously
  • All team members on a project share the same layer cache

depot build — Essential Patterns

# Build remotely (image stays in remote cache)
depot build -t repo/image:tag .

# Build + download to local Docker daemon
depot build -t repo/image:tag . --load

# Build + push directly to registry (fast — doesn't route through local network)
depot build -t repo/image:tag . --push

# Multi-platform build (native CPUs, no emulation)
depot build --platform linux/amd64,linux/arm64 -t repo/image:tag . --push

# Save to Depot ephemeral registry (default 7-day retention)
depot build --save .
depot build --save --save-tag my-tag .

# Suppress provenance metadata (fixes "unknown/unknown" platform in registries)
depot build -t repo/image:tag --push --provenance=false .

# Lint Dockerfile before building
depot build -t repo/image:tag . --lint

# Build with secrets
depot build --secret id=mysecret,src=./secret.txt -t repo/image:tag .

# Build with SSH forwarding
depot build --ssh default -t repo/image:tag .

# Specify a Depot project explicitly
depot build --project <project-id> -t repo/image:tag .

Key Flags

FlagDescription
--loadDownload image to local Docker daemon
--pushPush to registry
--saveSave to Depot ephemeral registry
--save-tagCustom tag for Depot Registry
--platformTarget platforms (linux/amd64, linux/arm64, or both)
--build-platformForce build to run on specific arch (dynamic default)
--projectDepot project ID
--tokenDepot API token
--lintLint Dockerfile before build
--provenanceControl provenance attestation (set false to fix unknown/unknown)
--no-cacheDisable cache for this build
-f / --filePath to Dockerfile
-t / --tagImage name and tag
--targetBuild specific stage
--build-argSet build-time variables
--secretExpose secrets (id=name[,src=path])
--sshExpose SSH agent
--output / -oCustom output (type=local,dest=path)

depot bake — Multi-Image Builds

Drop-in replacement for docker buildx bake. Builds multiple images in parallel.

depot bake                                    # Default file lookup
depot bake -f docker-bake.hcl                 # Specific HCL file
depot bake -f docker-compose.yml --load       # Build compose services + load locally
depot bake --save --save-tag myrepo/app:v1    # Save to Depot Registry
depot bake --print                            # Print resolved config without building

Default file lookup order: compose.yaml → compose.yml → docker-compose.yml → docker-compose.yaml → docker-bake.json → docker-bake.override.json → docker-bake.hcl → docker-bake.override.hcl

HCL Bake File Example

variable "TAG" {
  default = "latest"
}

group "default" {
  targets = ["app", "worker"]
}

target "app" {
  dockerfile = "Dockerfile"
  platforms  = ["linux/amd64", "linux/arm64"]
  tags       = ["myrepo/app:${TAG}"]
  args = { NODE_VERSION = "20" }
}

target "worker" {
  dockerfile = "Dockerfile.worker"
  tags       = ["myrepo/worker:${TAG}"]
  contexts   = { app = "target:app" }  # Share base between targets
}

Override variables: TAG=v2.0 depot bake

Docker Compose with Per-Service Project IDs

services:
  api:
    build:
      dockerfile: ./Dockerfile.api
      x-depot:
        project-id: abc123
  web:
    build:
      dockerfile: ./Dockerfile.web
      x-depot:
        project-id: def456

Docker Compose Integration

# Preferred: build all services in parallel, then load
depot bake -f docker-compose.yml --load
docker compose up

# Alternative: zero code change (less efficient, each service = separate build)
depot configure-docker
docker compose build

Migration from Docker

# docker build → depot build (same flags, one-line swap)
depot build -t my-image .

# docker buildx bake → depot bake
depot bake -f docker-bake.hcl

# Zero code change via Docker plugin
depot configure-docker
docker build .  # Routes through Depot (look for [depot] prefix in logs)

When migrating, remove these flags — Depot handles caching automatically:

  • --cache-from type=gha — causes "services aren't available" errors
  • --cache-to type=gha — same issue
  • Any manual BuildKit cache configuration

Common Mistakes

MistakeFix
Using --cache-from type=gha or --cache-to type=ghaRemove them. Depot caches automatically on NVMe SSDs.
Multi-platform image shows unknown/unknown platformAdd --provenance=false
Expecting image locally after depot buildAdd --load to download, or --push to push to registry
.git directory missing in build contextAdd --build-arg BUILDKIT_CONTEXT_KEEP_GIT_DIR=1
Build hangs or "failed to mount" errorsReset cache in project settings or via depot cache reset
"401 Unauthorized" pulling base imagesDocker Hub rate limit — authenticate with docker login or use public.ecr.aws/docker/library/ mirror
"Keep alive ping failed" / OOMScale up builder size in project settings or enable autoscaling

Builder Sizes

SizeCPUsRAMPer-MinutePlans
Default1632 GB$0.004All
Large3264 GB$0.008Startup+
Extra Large64128 GB$0.016Startup+

Billed per-second. Bake counts as one build regardless of target count.

Depot Registry

# Save image to Depot Registry
depot build --save -t myapp .

# Pull a saved image
depot pull --project <id> <build-id>

# Push saved image to another registry
depot push --project <id> -t registry/image:tag <build-id>

# Docker auth for Depot Registry
docker login registry.depot.dev -u x-token -p <depot-token>
# Registry URL: registry.depot.dev/<project-id>:<tag>

Special Output Formats

# estargz (lazy-pulling for faster container startup)
depot build --output "type=image,name=repo/image:tag,push=true,compression=estargz,oci-mediatypes=true,force-compression=true" .

# zstd compression (faster Fargate/K8s startup)
depot build --output type=image,name=repo/image:tag,oci-mediatypes=true,compression=zstd,compression-level=3,force-compression=true,push=true .

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

General

depot-general

No summary provided by upstream source.

Repository SourceNeeds Review
46-depot
General

depot-ci

No summary provided by upstream source.

Repository SourceNeeds Review
43-depot
Coding

depot-github-runners

No summary provided by upstream source.

Repository SourceNeeds Review
45-depot
General

OpenClaw Skill Growth

Make OpenClaw Skills observable, diagnosable, and safely improvable over time. Use this when the user wants to maintain many SKILL.md files, inspect repeated...

Registry SourceRecently Updated
171Profile unavailable