actions/build-push-action
1
0
Fork 0
mirror of https://github.com/docker/build-push-action.git synced 2026-06-29 18:01:41 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge 1e1dacf41c into 4c1b68d83a

Browse Source
This commit is contained in:
elias-lundgren 2023-10-05 08:02:10 +00:00 committed by GitHub
commit 6f674e8e36
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 70 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
.github/workflows/ci.yml vendored
View File

@ -393,6 +393,31 @@ jobs:
MYSECRET=foo MYSECRET=foo
INVALID_SECRET= INVALID_SECRET=
env-secret:
runs-on: ubuntu-latest
steps:
-
name: Checkout
uses: actions/checkout@v4
-
name: Set up Docker buildx
uses: docker/setup-buildx-action@v3
with:
version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
driver-opts: |
image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
-
name: Build
uses: ./
env:
ENV_SECRET: foo
with:
context: .
file: ./test/secret.Dockerfile
env-secrets: |
MYSECRET=ENV_SECRET
INVALID_SECRET=
network: network:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:

65
README.md
View File

@ -213,38 +213,39 @@ Following inputs can be used as `step.with` keys
> tags: name/app:latest,name/app:1.0.0 > tags: name/app:latest,name/app:1.0.0
> ``` > ```
| Name | Type | Description | | Name | Type | Description |
|--------------------|-------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| |--------------------|-------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `add-hosts` | List/CSV | List of [customs host-to-IP mapping](https://docs.docker.com/engine/reference/commandline/build/#add-entries-to-container-hosts-file---add-host) (e.g., `docker:10.180.0.1`) | | `add-hosts` | List/CSV | List of [customs host-to-IP mapping](https://docs.docker.com/engine/reference/commandline/build/#add-entries-to-container-hosts-file---add-host) (e.g., `docker:10.180.0.1`) |
| `allow` | List/CSV | List of [extra privileged entitlement](https://docs.docker.com/engine/reference/commandline/buildx_build/#allow) (e.g., `network.host,security.insecure`) | | `allow` | List/CSV | List of [extra privileged entitlement](https://docs.docker.com/engine/reference/commandline/buildx_build/#allow) (e.g., `network.host,security.insecure`) |
| `attests` | List | List of [attestation](https://docs.docker.com/build/attestations/) parameters (e.g., `type=sbom,generator=image`) | | `attests` | List | List of [attestation](https://docs.docker.com/build/attestations/) parameters (e.g., `type=sbom,generator=image`) |
| `builder` | String | Builder instance (see [setup-buildx](https://github.com/docker/setup-buildx-action) action) | | `builder` | String | Builder instance (see [setup-buildx](https://github.com/docker/setup-buildx-action) action) |
| `build-args` | List | List of [build-time variables](https://docs.docker.com/engine/reference/commandline/buildx_build/#build-arg) | | `build-args` | List | List of [build-time variables](https://docs.docker.com/engine/reference/commandline/buildx_build/#build-arg) |
| `build-contexts` | List | List of additional [build contexts](https://docs.docker.com/engine/reference/commandline/buildx_build/#build-context) (e.g., `name=path`) | | `build-contexts` | List | List of additional [build contexts](https://docs.docker.com/engine/reference/commandline/buildx_build/#build-context) (e.g., `name=path`) |
| `cache-from` | List | List of [external cache sources](https://docs.docker.com/engine/reference/commandline/buildx_build/#cache-from) (e.g., `type=local,src=path/to/dir`) | | `cache-from` | List | List of [external cache sources](https://docs.docker.com/engine/reference/commandline/buildx_build/#cache-from) (e.g., `type=local,src=path/to/dir`) |
| `cache-to` | List | List of [cache export destinations](https://docs.docker.com/engine/reference/commandline/buildx_build/#cache-to) (e.g., `type=local,dest=path/to/dir`) | | `cache-to` | List | List of [cache export destinations](https://docs.docker.com/engine/reference/commandline/buildx_build/#cache-to) (e.g., `type=local,dest=path/to/dir`) |
| `cgroup-parent` | String | Optional [parent cgroup](https://docs.docker.com/engine/reference/commandline/build/#use-a-custom-parent-cgroup---cgroup-parent) for the container used in the build | | `cgroup-parent` | String | Optional [parent cgroup](https://docs.docker.com/engine/reference/commandline/build/#use-a-custom-parent-cgroup---cgroup-parent) for the container used in the build |
| `context` | String | Build's context is the set of files located in the specified [`PATH` or `URL`](https://docs.docker.com/engine/reference/commandline/build/) (default [Git context](#git-context)) | | `context` | String | Build's context is the set of files located in the specified [`PATH` or `URL`](https://docs.docker.com/engine/reference/commandline/build/) (default [Git context](#git-context)) |
| `file` | String | Path to the Dockerfile. (default `{context}/Dockerfile`) | | `env-secrets` | List | List of [secrets](https://docs.docker.com/engine/reference/commandline/buildx_build/#secret) to expose to the build using environment variables from the GitHub runner (e.g., MY_SECRET=MY_ENV_VAR) |
| `labels` | List | List of metadata for an image | | `file` | String | Path to the Dockerfile. (default `{context}/Dockerfile`) |
| `load` | Bool | [Load](https://docs.docker.com/engine/reference/commandline/buildx_build/#load) is a shorthand for `--output=type=docker` (default `false`) | | `labels` | List | List of metadata for an image |
| `network` | String | Set the networking mode for the `RUN` instructions during build | | `load` | Bool | [Load](https://docs.docker.com/engine/reference/commandline/buildx_build/#load) is a shorthand for `--output=type=docker` (default `false`) |
| `no-cache` | Bool | Do not use cache when building the image (default `false`) | | `network` | String | Set the networking mode for the `RUN` instructions during build |
| `no-cache-filters` | List/CSV | Do not cache specified stages | | `no-cache` | Bool | Do not use cache when building the image (default `false`) |
| `outputs`¹ | List | List of [output destinations](https://docs.docker.com/engine/reference/commandline/buildx_build/#output) (format: `type=local,dest=path`) | | `no-cache-filters` | List/CSV | Do not cache specified stages |
| `platforms` | List/CSV | List of [target platforms](https://docs.docker.com/engine/reference/commandline/buildx_build/#platform) for build | | `outputs`¹ | List | List of [output destinations](https://docs.docker.com/engine/reference/commandline/buildx_build/#output) (format: `type=local,dest=path`) |
| `provenance` | Bool/String | Generate [provenance](https://docs.docker.com/build/attestations/slsa-provenance/) attestation for the build (shorthand for `--attest=type=provenance`) | | `platforms` | List/CSV | List of [target platforms](https://docs.docker.com/engine/reference/commandline/buildx_build/#platform) for build |
| `pull` | Bool | Always attempt to pull all referenced images (default `false`) | | `provenance` | Bool/String | Generate [provenance](https://docs.docker.com/build/attestations/slsa-provenance/) attestation for the build (shorthand for `--attest=type=provenance`) |
| `push` | Bool | [Push](https://docs.docker.com/engine/reference/commandline/buildx_build/#push) is a shorthand for `--output=type=registry` (default `false`) | | `pull` | Bool | Always attempt to pull all referenced images (default `false`) |
| `sbom` | Bool/String | Generate [SBOM](https://docs.docker.com/build/attestations/sbom/) attestation for the build (shorthand for `--attest=type=sbom`) | | `push` | Bool | [Push](https://docs.docker.com/engine/reference/commandline/buildx_build/#push) is a shorthand for `--output=type=registry` (default `false`) |
| `secrets` | List | List of [secrets](https://docs.docker.com/engine/reference/commandline/buildx_build/#secret) to expose to the build (e.g., `key=string`, `GIT_AUTH_TOKEN=mytoken`) | | `sbom` | Bool/String | Generate [SBOM](https://docs.docker.com/build/attestations/sbom/) attestation for the build (shorthand for `--attest=type=sbom`) |
| `secret-files` | List | List of [secret files](https://docs.docker.com/engine/reference/commandline/buildx_build/#secret) to expose to the build (e.g., `key=filename`, `MY_SECRET=./secret.txt`) | | `secrets` | List | List of [secrets](https://docs.docker.com/engine/reference/commandline/buildx_build/#secret) to expose to the build (e.g., `key=string`, `GIT_AUTH_TOKEN=mytoken`) |
| `shm-size` | String | Size of [`/dev/shm`](https://docs.docker.com/engine/reference/commandline/buildx_build/#shm-size) (e.g., `2g`) | | `secret-files` | List | List of [secret files](https://docs.docker.com/engine/reference/commandline/buildx_build/#secret) to expose to the build (e.g., `key=filename`, `MY_SECRET=./secret.txt`) |
| `ssh` | List | List of [SSH agent socket or keys](https://docs.docker.com/engine/reference/commandline/buildx_build/#ssh) to expose to the build | | `shm-size` | String | Size of [`/dev/shm`](https://docs.docker.com/engine/reference/commandline/buildx_build/#shm-size) (e.g., `2g`) |
| `tags` | List/CSV | List of tags | | `ssh` | List | List of [SSH agent socket or keys](https://docs.docker.com/engine/reference/commandline/buildx_build/#ssh) to expose to the build |
| `target` | String | Sets the target stage to build | | `tags` | List/CSV | List of tags |
| `ulimit` | List | [Ulimit](https://docs.docker.com/engine/reference/commandline/buildx_build/#ulimit) options (e.g., `nofile=1024:1024`) | | `target` | String | Sets the target stage to build |
| `github-token` | String | GitHub Token used to authenticate against a repository for [Git context](#git-context) (default `${{ github.token }}`) | | `ulimit` | List | [Ulimit](https://docs.docker.com/engine/reference/commandline/buildx_build/#ulimit) options (e.g., `nofile=1024:1024`) |
| `github-token` | String | GitHub Token used to authenticate against a repository for [Git context](#git-context) (default `${{ github.token }}`) |
> **Note** > **Note**
> >

3
action.yml
View File

@ -37,6 +37,9 @@ inputs:
context: context:
description: "Build's context is the set of files located in the specified PATH or URL" description: "Build's context is the set of files located in the specified PATH or URL"
required: false required: false
env-secrets:
description: "List of secrets to expose to the build using environment variables from the GitHub runner (e.g., MY_SECRET=MY_ENV_VAR)"
required: false
file: file:
description: "Path to the Dockerfile" description: "Path to the Dockerfile"
required: false required: false

9
src/context.ts
View File

@ -17,6 +17,7 @@ export interface Inputs {
cacheTo: string[]; cacheTo: string[];
cgroupParent: string; cgroupParent: string;
context: string; context: string;
envSecrets: string[];
file: string; file: string;
labels: string[]; labels: string[];
load: boolean; load: boolean;
@ -51,6 +52,7 @@ export async function getInputs(): Promise<Inputs> {
cacheTo: Util.getInputList('cache-to', {ignoreComma: true}), cacheTo: Util.getInputList('cache-to', {ignoreComma: true}),
cgroupParent: core.getInput('cgroup-parent'), cgroupParent: core.getInput('cgroup-parent'),
context: core.getInput('context') || Context.gitContext(), context: core.getInput('context') || Context.gitContext(),
envSecrets: Util.getInputList('env-secrets', {ignoreComma: true}),
file: core.getInput('file'), file: core.getInput('file'),
labels: Util.getInputList('labels', {ignoreComma: true}), labels: Util.getInputList('labels', {ignoreComma: true}),
load: core.getBooleanInput('load'), load: core.getBooleanInput('load'),
@ -116,6 +118,13 @@ async function getBuildArgs(inputs: Inputs, context: string, toolkit: Toolkit):
if (inputs.cgroupParent) { if (inputs.cgroupParent) {
args.push('--cgroup-parent', inputs.cgroupParent); args.push('--cgroup-parent', inputs.cgroupParent);
} }
await Util.asyncForEach(inputs.envSecrets, async envSecret => {
try {
args.push('--secret', BuildxInputs.resolveBuildSecretEnv(envSecret));
} catch (err) {
core.warning(err.message);
}
});
if (inputs.file) { if (inputs.file) {
args.push('--file', inputs.file); args.push('--file', inputs.file);
} }