Portal Community
  No data copy: Tagging does not duplicate image layers. The new tag is simply an alias pointing to the same underlying image ID. This operation is instantaneous and uses no additional disk space.

When to Use

Configuration

Connection

FieldTypeDefaultDescription
dockerHoststringunix:///var/run/docker.sockDocker daemon socket path or TCP endpoint.
connectionTypestringunixsocketOne of: unixsocket, tcp, tcptls.
tlsCertPathstringTLS certificate directory. Required for tcptls. optional
timeoutSecondsint30Operation timeout in seconds. optional

Operation Fields

FieldTypeBadgeDescription
SourceImagestringrequiredExisting image name:tag or image ID to tag from (e.g., myapp:v2.1.0).
TargetImagestringrequiredNew tag to apply to the image (e.g., registry.mycompany.com/myapp:production).

Sample Configuration

{
  "resource": "image",
  "operation": "tag",
  "connection": {
    "dockerHost": "unix:///var/run/docker.sock",
    "connectionType": "unixsocket"
  },
  "SourceImage": "myapp:v2.1.0",
  "TargetImage": "registry.mycompany.com/myapp:production"
}

Validation Errors

Error CodeConditionResolution
MISSING_INPUTSourceImage or TargetImage is empty.Provide both the source and target image references.
NOT_FOUNDSourceImage does not exist on the host.Run image/pull first or verify the source image name.
CONFIG_ERRORConnection settings malformed.Check dockerHost and connectionType.
DOCKER_API_ERRORInvalid tag format (e.g., uppercase letters in repository name).Ensure tag conforms to Docker tag naming rules: lowercase, alphanumeric, hyphens, underscores.

Output

Success Port

FieldTypeDescription
statusstring"ok" when the tag is created successfully.
resourcestring"image"
operationstring"tag"
sourceImagestringThe source image reference.
targetImagestringThe new tag that was created.

Error Port

Fires when tagging fails. Output contains status: "error", errorCode, and errorMessage.

Sample Output

{
  "status": "ok",
  "resource": "image",
  "operation": "tag",
  "sourceImage": "myapp:v2.1.0",
  "targetImage": "registry.mycompany.com/myapp:production"
}

Expression Reference

ExpressionReturns
{{ $output.status }}"ok" — gate the subsequent push step on this value.
{{ $output.targetImage }}The newly created tag — pass to a registry push step or audit log.
{{ $output.sourceImage }}The original image reference — include in deployment audit trail.

Node Policies & GuardRails

PolicyEnforcement
Never expose Docker daemon TCP without TLSUse tcptls for remote connections. Plain tcp is blocked in production GuardRail profiles.
Store TLS certificates in Credentials ManagerReference tlsCertPath via {{ $credentials.dockerTlsCertPath }}.
Never interpolate user input into SourceImage or TargetImageTag names must come from trusted workflow variables or release manifests, not raw user input.
Validate tag format before taggingTags must be lowercase, alphanumeric with hyphens/underscores only. Invalid formats will produce DOCKER_API_ERROR.
Always handle the error portA NOT_FOUND error means the source image is missing — wire the error port to a pull-and-retry branch.
Restrict container/exec to approved commandsArbitrary exec access is root-equivalent. GuardRail exec policies restrict allowed command prefixes.

Examples

Example 1 — Promotion: Staging to Production Tag

After a staging deployment passes all automated tests and an approval gate, tag the staging image with the production registry reference so it can be pushed without re-pulling.

// After approval node success:
{
  "resource": "image",
  "operation": "tag",
  "SourceImage": "{{ $vars.stagingImage }}",
  "TargetImage": "registry.mycompany.com/app:production"
}
// Then call registry push via HTTP Request node using Docker API /images/push

Example 2 — Semantic Version Aliases

When releasing v2.1.0, create v2.1 and v2 alias tags in sequence for consumers that pin to minor or major versions.

// Tag 1: full semver → minor alias
{ "SourceImage": "myapp:v2.1.0", "TargetImage": "myapp:v2.1" }

// Tag 2: full semver → major alias
{ "SourceImage": "myapp:v2.1.0", "TargetImage": "myapp:v2" }

// Tag 3: full semver → latest
{ "SourceImage": "myapp:v2.1.0", "TargetImage": "myapp:latest" }

Example 3 — Rollback Preparation Before Upgrade

Before pulling the new release, tag the currently running production image as :previous to ensure a fast local rollback is always available.

// Step 1 — inspect current production container to get its image
{
  "resource": "container",
  "operation": "inspect",
  "ContainerId": "app-production"
}

// Step 2 — tag that image as :previous
{
  "resource": "image",
  "operation": "tag",
  "SourceImage": "{{ $node['container-inspect'].output.containerInfo.Config.Image }}",
  "TargetImage": "myapp:previous"
}

// Step 3 — now safe to pull the new version