image/tag
Create a new tag for an existing image without pulling or pushing — a purely local metadata operation.
No data copy: Tagging does not duplicate image layers. The new tag is simply an alias pointing to the same underlying image ID. This operation is instantaneous and uses no additional disk space.
When to Use
- Promotion tagging: After a staging image passes all validation gates in an approval workflow, tag it with a production-registry reference before pushing — without re-pulling.
- Latest alias: After pulling a specific versioned image, tag it as
:latestso tooling that defaults to:latestpicks up the correct version. - Registry migration: Retag an image with a new registry hostname (e.g., from
docker.io/app:v1toregistry.mycompany.com/app:v1) before pushing to the new registry. - Semantic version aliasing: Tag
v2.1.0as bothv2.1andv2to maintain major and minor version aliases alongside the full semver tag. - Rollback preparation: Tag the current production image as
:previousbefore pulling the upgrade, providing a fast local rollback reference.
Configuration
Connection
| Field | Type | Default | Description |
|---|---|---|---|
dockerHost | string | unix:///var/run/docker.sock | Docker daemon socket path or TCP endpoint. |
connectionType | string | unixsocket | One of: unixsocket, tcp, tcptls. |
tlsCertPath | string | — | TLS certificate directory. Required for tcptls. optional |
timeoutSeconds | int | 30 | Operation timeout in seconds. optional |
Operation Fields
| Field | Type | Badge | Description |
|---|---|---|---|
SourceImage | string | required | Existing image name:tag or image ID to tag from (e.g., myapp:v2.1.0). |
TargetImage | string | required | New tag to apply to the image (e.g., registry.mycompany.com/myapp:production). |
Sample Configuration
{
"resource": "image",
"operation": "tag",
"connection": {
"dockerHost": "unix:///var/run/docker.sock",
"connectionType": "unixsocket"
},
"SourceImage": "myapp:v2.1.0",
"TargetImage": "registry.mycompany.com/myapp:production"
}
Validation Errors
| Error Code | Condition | Resolution |
|---|---|---|
MISSING_INPUT | SourceImage or TargetImage is empty. | Provide both the source and target image references. |
NOT_FOUND | SourceImage does not exist on the host. | Run image/pull first or verify the source image name. |
CONFIG_ERROR | Connection settings malformed. | Check dockerHost and connectionType. |
DOCKER_API_ERROR | Invalid tag format (e.g., uppercase letters in repository name). | Ensure tag conforms to Docker tag naming rules: lowercase, alphanumeric, hyphens, underscores. |
Output
Success Port
| Field | Type | Description |
|---|---|---|
status | string | "ok" when the tag is created successfully. |
resource | string | "image" |
operation | string | "tag" |
sourceImage | string | The source image reference. |
targetImage | string | The new tag that was created. |
Error Port
Fires when tagging fails. Output contains status: "error", errorCode, and errorMessage.
Sample Output
{
"status": "ok",
"resource": "image",
"operation": "tag",
"sourceImage": "myapp:v2.1.0",
"targetImage": "registry.mycompany.com/myapp:production"
}
Expression Reference
| Expression | Returns |
|---|---|
{{ $output.status }} | "ok" — gate the subsequent push step on this value. |
{{ $output.targetImage }} | The newly created tag — pass to a registry push step or audit log. |
{{ $output.sourceImage }} | The original image reference — include in deployment audit trail. |
Node Policies & GuardRails
| Policy | Enforcement |
|---|---|
| Never expose Docker daemon TCP without TLS | Use tcptls for remote connections. Plain tcp is blocked in production GuardRail profiles. |
| Store TLS certificates in Credentials Manager | Reference tlsCertPath via {{ $credentials.dockerTlsCertPath }}. |
| Never interpolate user input into SourceImage or TargetImage | Tag names must come from trusted workflow variables or release manifests, not raw user input. |
| Validate tag format before tagging | Tags must be lowercase, alphanumeric with hyphens/underscores only. Invalid formats will produce DOCKER_API_ERROR. |
| Always handle the error port | A NOT_FOUND error means the source image is missing — wire the error port to a pull-and-retry branch. |
| Restrict container/exec to approved commands | Arbitrary exec access is root-equivalent. GuardRail exec policies restrict allowed command prefixes. |
Examples
Example 1 — Promotion: Staging to Production Tag
After a staging deployment passes all automated tests and an approval gate, tag the staging image with the production registry reference so it can be pushed without re-pulling.
// After approval node success:
{
"resource": "image",
"operation": "tag",
"SourceImage": "{{ $vars.stagingImage }}",
"TargetImage": "registry.mycompany.com/app:production"
}
// Then call registry push via HTTP Request node using Docker API /images/push
Example 2 — Semantic Version Aliases
When releasing v2.1.0, create v2.1 and v2 alias tags in sequence for consumers that pin to minor or major versions.
// Tag 1: full semver → minor alias
{ "SourceImage": "myapp:v2.1.0", "TargetImage": "myapp:v2.1" }
// Tag 2: full semver → major alias
{ "SourceImage": "myapp:v2.1.0", "TargetImage": "myapp:v2" }
// Tag 3: full semver → latest
{ "SourceImage": "myapp:v2.1.0", "TargetImage": "myapp:latest" }
Example 3 — Rollback Preparation Before Upgrade
Before pulling the new release, tag the currently running production image as :previous to ensure a fast local rollback is always available.
// Step 1 — inspect current production container to get its image
{
"resource": "container",
"operation": "inspect",
"ContainerId": "app-production"
}
// Step 2 — tag that image as :previous
{
"resource": "image",
"operation": "tag",
"SourceImage": "{{ $node['container-inspect'].output.containerInfo.Config.Image }}",
"TargetImage": "myapp:previous"
}
// Step 3 — now safe to pull the new version