Compare commits

..

1 Commits

Author SHA1 Message Date
dependabot[bot]
e5002eaab2
chore(deps): Bump undici from 5.28.3 to 5.28.4
Bumps [undici](https://github.com/nodejs/undici) from 5.28.3 to 5.28.4.
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](https://github.com/nodejs/undici/compare/v5.28.3...v5.28.4)

---
updated-dependencies:
- dependency-name: undici
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-04-04 17:26:50 +00:00
23 changed files with 149 additions and 2900 deletions

View File

@ -1274,9 +1274,10 @@ jobs:
uses: docker/setup-buildx-action@v3 uses: docker/setup-buildx-action@v3
with: with:
version: ${{ inputs.buildx-version || env.BUILDX_VERSION }} version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
# TODO: use buildx-stable-1 image when v0.13 promoted
driver-opts: | driver-opts: |
network=host network=host
image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }} image=moby/buildkit:v0.13.0
buildkitd-flags: --debug buildkitd-flags: --debug
- -
name: Build name: Build
@ -1323,9 +1324,10 @@ jobs:
uses: docker/setup-buildx-action@v3 uses: docker/setup-buildx-action@v3
with: with:
version: ${{ inputs.buildx-version || env.BUILDX_VERSION }} version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
# TODO: use buildx-stable-1 image when v0.13 promoted
driver-opts: | driver-opts: |
network=host network=host
image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }} image=moby/buildkit:v0.13.0
buildkitd-flags: --debug buildkitd-flags: --debug
- -
name: Build name: Build

View File

@ -31,9 +31,6 @@ ___
* [Named contexts](https://docs.docker.com/build/ci/github-actions/named-contexts/) * [Named contexts](https://docs.docker.com/build/ci/github-actions/named-contexts/)
* [Copy image between registries](https://docs.docker.com/build/ci/github-actions/copy-image-registries/) * [Copy image between registries](https://docs.docker.com/build/ci/github-actions/copy-image-registries/)
* [Update Docker Hub repo description](https://docs.docker.com/build/ci/github-actions/update-dockerhub-desc/) * [Update Docker Hub repo description](https://docs.docker.com/build/ci/github-actions/update-dockerhub-desc/)
* [SBOM and provenance attestations](https://docs.docker.com/build/ci/github-actions/attestations/)
* [Annotations](https://docs.docker.com/build/ci/github-actions/annotations/)
* [Reproducible builds](https://docs.docker.com/build/ci/github-actions/reproducible-builds/)
* [Customizing](#customizing) * [Customizing](#customizing)
* [inputs](#inputs) * [inputs](#inputs)
* [outputs](#outputs) * [outputs](#outputs)
@ -121,6 +118,14 @@ to the default Git context:
tags: user/app:latest tags: user/app:latest
``` ```
> **Warning**
>
> Subdirectory for Git context is available from [BuildKit v0.9.0](https://github.com/moby/buildkit/releases/tag/v0.9.0).
> If you're using the `docker` builder (default if `setup-buildx-action` not used),
> then BuildKit in Docker Engine will be used. As Docker Engine < v22.x.x embeds
> Buildkit 0.8.2 at the moment, it does not support this feature. It's therefore
> required to use the `setup-buildx-action` at the moment.
Building from the current repository automatically uses the [GitHub Token](https://docs.github.com/en/actions/security-guides/automatic-token-authentication), Building from the current repository automatically uses the [GitHub Token](https://docs.github.com/en/actions/security-guides/automatic-token-authentication),
so it does not need to be passed. If you want to authenticate against another so it does not need to be passed. If you want to authenticate against another
private repository, you have to use a [secret](https://docs.docker.com/build/ci/github-actions/secrets) private repository, you have to use a [secret](https://docs.docker.com/build/ci/github-actions/secrets)
@ -189,9 +194,6 @@ jobs:
* [Named contexts](https://docs.docker.com/build/ci/github-actions/named-contexts/) * [Named contexts](https://docs.docker.com/build/ci/github-actions/named-contexts/)
* [Copy image between registries](https://docs.docker.com/build/ci/github-actions/copy-image-registries/) * [Copy image between registries](https://docs.docker.com/build/ci/github-actions/copy-image-registries/)
* [Update Docker Hub repo description](https://docs.docker.com/build/ci/github-actions/update-dockerhub-desc/) * [Update Docker Hub repo description](https://docs.docker.com/build/ci/github-actions/update-dockerhub-desc/)
* [SBOM and provenance attestations](https://docs.docker.com/build/ci/github-actions/attestations/)
* [Annotations](https://docs.docker.com/build/ci/github-actions/annotations/)
* [Reproducible builds](https://docs.docker.com/build/ci/github-actions/reproducible-builds/)
## Customizing ## Customizing
@ -230,7 +232,7 @@ Following inputs can be used as `step.with` keys
| `network` | String | Set the networking mode for the `RUN` instructions during build | | `network` | String | Set the networking mode for the `RUN` instructions during build |
| `no-cache` | Bool | Do not use cache when building the image (default `false`) | | `no-cache` | Bool | Do not use cache when building the image (default `false`) |
| `no-cache-filters` | List/CSV | Do not cache specified stages | | `no-cache-filters` | List/CSV | Do not cache specified stages |
| `outputs` | List | List of [output destinations](https://docs.docker.com/engine/reference/commandline/buildx_build/#output) (format: `type=local,dest=path`) | | `outputs`¹ | List | List of [output destinations](https://docs.docker.com/engine/reference/commandline/buildx_build/#output) (format: `type=local,dest=path`) |
| `platforms` | List/CSV | List of [target platforms](https://docs.docker.com/engine/reference/commandline/buildx_build/#platform) for build | | `platforms` | List/CSV | List of [target platforms](https://docs.docker.com/engine/reference/commandline/buildx_build/#platform) for build |
| `provenance` | Bool/String | Generate [provenance](https://docs.docker.com/build/attestations/slsa-provenance/) attestation for the build (shorthand for `--attest=type=provenance`) | | `provenance` | Bool/String | Generate [provenance](https://docs.docker.com/build/attestations/slsa-provenance/) attestation for the build (shorthand for `--attest=type=provenance`) |
| `pull` | Bool | Always attempt to pull all referenced images (default `false`) | | `pull` | Bool | Always attempt to pull all referenced images (default `false`) |
@ -246,6 +248,10 @@ Following inputs can be used as `step.with` keys
| `ulimit` | List | [Ulimit](https://docs.docker.com/engine/reference/commandline/buildx_build/#ulimit) options (e.g., `nofile=1024:1024`) | | `ulimit` | List | [Ulimit](https://docs.docker.com/engine/reference/commandline/buildx_build/#ulimit) options (e.g., `nofile=1024:1024`) |
| `github-token` | String | GitHub Token used to authenticate against a repository for [Git context](#git-context) (default `${{ github.token }}`) | | `github-token` | String | GitHub Token used to authenticate against a repository for [Git context](#git-context) (default `${{ github.token }}`) |
> **Note**
>
> * ¹ multiple `outputs` are [not yet supported](https://github.com/moby/buildkit/issues/1555)
### outputs ### outputs
The following outputs are available: The following outputs are available:

View File

@ -481,7 +481,7 @@ nproc=3`],
[ [
'build', 'build',
'--iidfile', path.join(tmpDir, 'iidfile'), '--iidfile', path.join(tmpDir, 'iidfile'),
'--attest', `type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`, "--provenance", `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`,
'--metadata-file', path.join(tmpDir, 'metadata-file'), '--metadata-file', path.join(tmpDir, 'metadata-file'),
'.' '.'
] ]
@ -500,7 +500,7 @@ nproc=3`],
[ [
'build', 'build',
'--iidfile', path.join(tmpDir, 'iidfile'), '--iidfile', path.join(tmpDir, 'iidfile'),
'--attest', `type=provenance,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`, "--provenance", `builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`,
'--metadata-file', path.join(tmpDir, 'metadata-file'), '--metadata-file', path.join(tmpDir, 'metadata-file'),
'.' '.'
] ]
@ -519,7 +519,7 @@ nproc=3`],
[ [
'build', 'build',
'--iidfile', path.join(tmpDir, 'iidfile'), '--iidfile', path.join(tmpDir, 'iidfile'),
'--attest', `type=provenance,mode=max,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`, "--provenance", `mode=max,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`,
'--metadata-file', path.join(tmpDir, 'metadata-file'), '--metadata-file', path.join(tmpDir, 'metadata-file'),
'.' '.'
] ]
@ -538,7 +538,7 @@ nproc=3`],
[ [
'build', 'build',
'--iidfile', path.join(tmpDir, 'iidfile'), '--iidfile', path.join(tmpDir, 'iidfile'),
'--attest', 'type=provenance,disabled=true', "--provenance", 'false',
'--metadata-file', path.join(tmpDir, 'metadata-file'), '--metadata-file', path.join(tmpDir, 'metadata-file'),
'.' '.'
] ]
@ -557,7 +557,7 @@ nproc=3`],
[ [
'build', 'build',
'--iidfile', path.join(tmpDir, 'iidfile'), '--iidfile', path.join(tmpDir, 'iidfile'),
'--attest', 'type=provenance,builder-id=foo', "--provenance", 'builder-id=foo',
'--metadata-file', path.join(tmpDir, 'metadata-file'), '--metadata-file', path.join(tmpDir, 'metadata-file'),
'.' '.'
] ]
@ -620,7 +620,7 @@ nproc=3`],
] ]
], ],
[ [
26, 25,
'0.10.0', '0.10.0',
new Map<string, string>([ new Map<string, string>([
['context', '.'], ['context', '.'],
@ -642,7 +642,7 @@ ANOTHER_SECRET=ANOTHER_SECRET_ENV`]
] ]
], ],
[ [
27, 26,
'0.10.0', '0.10.0',
new Map<string, string>([ new Map<string, string>([
['context', '.'], ['context', '.'],
@ -663,7 +663,7 @@ ANOTHER_SECRET=ANOTHER_SECRET_ENV`]
] ]
], ],
[ [
28, 27,
'0.11.0', '0.11.0',
new Map<string, string>([ new Map<string, string>([
['context', '.'], ['context', '.'],
@ -677,13 +677,13 @@ ANOTHER_SECRET=ANOTHER_SECRET_ENV`]
[ [
'build', 'build',
'--output', 'type=local,dest=./release-out', '--output', 'type=local,dest=./release-out',
'--attest', `type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`, "--provenance", `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`,
'--metadata-file', path.join(tmpDir, 'metadata-file'), '--metadata-file', path.join(tmpDir, 'metadata-file'),
'.' '.'
] ]
], ],
[ [
29, 28,
'0.12.0', '0.12.0',
new Map<string, string>([ new Map<string, string>([
['context', '.'], ['context', '.'],
@ -701,13 +701,13 @@ ANOTHER_SECRET=ANOTHER_SECRET_ENV`]
'--annotation', 'manifest:example3=yyy', '--annotation', 'manifest:example3=yyy',
'--annotation', 'manifest-descriptor[linux/amd64]:example4=zzz', '--annotation', 'manifest-descriptor[linux/amd64]:example4=zzz',
'--output', 'type=local,dest=./release-out', '--output', 'type=local,dest=./release-out',
'--attest', `type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`, "--provenance", `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`,
'--metadata-file', path.join(tmpDir, 'metadata-file'), '--metadata-file', path.join(tmpDir, 'metadata-file'),
'.' '.'
] ]
], ],
[ [
30, 29,
'0.12.0', '0.12.0',
new Map<string, string>([ new Map<string, string>([
['context', '.'], ['context', '.'],
@ -721,71 +721,11 @@ ANOTHER_SECRET=ANOTHER_SECRET_ENV`]
'build', 'build',
'--iidfile', path.join(tmpDir, 'iidfile'), '--iidfile', path.join(tmpDir, 'iidfile'),
"--output", `type=image,"name=localhost:5000/name/app:latest,localhost:5000/name/app:foo",push-by-digest=true,name-canonical=true,push=true`, "--output", `type=image,"name=localhost:5000/name/app:latest,localhost:5000/name/app:foo",push-by-digest=true,name-canonical=true,push=true`,
'--attest', `type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`, "--provenance", `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`,
'--metadata-file', path.join(tmpDir, 'metadata-file'), '--metadata-file', path.join(tmpDir, 'metadata-file'),
'.' '.'
] ]
], ]
[
31,
'0.13.1',
new Map<string, string>([
['context', '.'],
['load', 'false'],
['no-cache', 'false'],
['push', 'false'],
['pull', 'false'],
['provenance', 'mode=max'],
['sbom', 'true'],
]),
[
'build',
'--iidfile', path.join(tmpDir, 'iidfile'),
'--attest', `type=provenance,mode=max,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`,
'--attest', `type=sbom,disabled=false`,
'--metadata-file', path.join(tmpDir, 'metadata-file'),
'.'
]
],
[
32,
'0.13.1',
new Map<string, string>([
['context', '.'],
['load', 'false'],
['no-cache', 'false'],
['push', 'false'],
['pull', 'false'],
['attests', 'type=provenance,mode=min'],
['provenance', 'mode=max'],
]),
[
'build',
'--iidfile', path.join(tmpDir, 'iidfile'),
'--attest', `type=provenance,mode=max,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`,
'--metadata-file', path.join(tmpDir, 'metadata-file'),
'.'
]
],
[
33,
'0.13.1',
new Map<string, string>([
['context', '.'],
['load', 'false'],
['no-cache', 'false'],
['push', 'false'],
['pull', 'false'],
['attests', 'type=provenance,mode=min'],
]),
[
'build',
'--iidfile', path.join(tmpDir, 'iidfile'),
'--attest', `type=provenance,mode=min,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`,
'--metadata-file', path.join(tmpDir, 'metadata-file'),
'.'
]
],
])( ])(
'[%d] given %p with %p as inputs, returns %p', '[%d] given %p with %p as inputs, returns %p',
async (num: number, buildxVersion: string, inputs: Map<string, string>, expected: Array<string>) => { async (num: number, buildxVersion: string, inputs: Map<string, string>, expected: Array<string>) => {

86
dist/index.js generated vendored

File diff suppressed because one or more lines are too long

2
dist/index.js.map generated vendored

File diff suppressed because one or more lines are too long

1941
dist/licenses.txt generated vendored

File diff suppressed because it is too large Load Diff

3
docs/advanced/cache.md Normal file
View File

@ -0,0 +1,3 @@
# Cache
This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/cache/)

View File

@ -0,0 +1,3 @@
# Copy images between registries
This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/copy-image-registries/)

View File

@ -0,0 +1,3 @@
# Update Docker Hub repo description
This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/update-dockerhub-desc/)

View File

@ -0,0 +1,3 @@
# Export image to Docker
This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/export-docker/)

View File

@ -0,0 +1,3 @@
# Isolated builders
This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/configure-builder/#isolated-builders)

View File

@ -0,0 +1,3 @@
# Local registry
This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/local-registry/)

View File

@ -0,0 +1,3 @@
# Multi-platform image
This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/multi-platform/)

View File

@ -0,0 +1,3 @@
# Named contexts
This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/named-contexts/)

View File

@ -0,0 +1,3 @@
# Push to multi-registries
This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/push-multi-registries/)

3
docs/advanced/secrets.md Normal file
View File

@ -0,0 +1,3 @@
# Secrets
This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/secrets/)

View File

@ -0,0 +1,3 @@
# Share built image between jobs
This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/share-image-jobs/)

View File

@ -0,0 +1,3 @@
# Handle tags and labels
This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/manage-tags-labels/)

View File

@ -0,0 +1,3 @@
# Test your image before pushing it
This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/test-before-push/)

View File

@ -27,7 +27,7 @@
"license": "Apache-2.0", "license": "Apache-2.0",
"dependencies": { "dependencies": {
"@actions/core": "^1.10.1", "@actions/core": "^1.10.1",
"@docker/actions-toolkit": "0.22.0", "@docker/actions-toolkit": "0.20.0",
"handlebars": "^4.7.7" "handlebars": "^4.7.7"
}, },
"devDependencies": { "devDependencies": {

View File

@ -1,9 +1,8 @@
import * as core from '@actions/core'; import * as core from '@actions/core';
import * as handlebars from 'handlebars'; import * as handlebars from 'handlebars';
import {Build} from '@docker/actions-toolkit/lib/buildx/build';
import {Context} from '@docker/actions-toolkit/lib/context'; import {Context} from '@docker/actions-toolkit/lib/context';
import {GitHub} from '@docker/actions-toolkit/lib/github'; import {GitHub} from '@docker/actions-toolkit/lib/github';
import {Inputs as BuildxInputs} from '@docker/actions-toolkit/lib/buildx/inputs';
import {Toolkit} from '@docker/actions-toolkit/lib/toolkit'; import {Toolkit} from '@docker/actions-toolkit/lib/toolkit';
import {Util} from '@docker/actions-toolkit/lib/util'; import {Util} from '@docker/actions-toolkit/lib/util';
@ -63,7 +62,7 @@ export async function getInputs(): Promise<Inputs> {
noCacheFilters: Util.getInputList('no-cache-filters'), noCacheFilters: Util.getInputList('no-cache-filters'),
outputs: Util.getInputList('outputs', {ignoreComma: true, quote: false}), outputs: Util.getInputList('outputs', {ignoreComma: true, quote: false}),
platforms: Util.getInputList('platforms'), platforms: Util.getInputList('platforms'),
provenance: Build.getProvenanceInput('provenance'), provenance: BuildxInputs.getProvenanceInput('provenance'),
pull: core.getBooleanInput('pull'), pull: core.getBooleanInput('pull'),
push: core.getBooleanInput('push'), push: core.getBooleanInput('push'),
sbom: core.getInput('sbom'), sbom: core.getInput('sbom'),
@ -99,6 +98,13 @@ async function getBuildArgs(inputs: Inputs, context: string, toolkit: Toolkit):
if (inputs.allow.length > 0) { if (inputs.allow.length > 0) {
args.push('--allow', inputs.allow.join(',')); args.push('--allow', inputs.allow.join(','));
} }
if (await toolkit.buildx.versionSatisfies('>=0.10.0')) {
await Util.asyncForEach(inputs.attests, async attest => {
args.push('--attest', attest);
});
} else if (inputs.attests.length > 0) {
core.warning("Attestations are only supported by buildx >= 0.10.0; the input 'attests' is ignored.");
}
if (await toolkit.buildx.versionSatisfies('>=0.12.0')) { if (await toolkit.buildx.versionSatisfies('>=0.12.0')) {
await Util.asyncForEach(inputs.annotations, async annotation => { await Util.asyncForEach(inputs.annotations, async annotation => {
args.push('--annotation', annotation); args.push('--annotation', annotation);
@ -127,7 +133,7 @@ async function getBuildArgs(inputs: Inputs, context: string, toolkit: Toolkit):
} }
await Util.asyncForEach(inputs.secretEnvs, async secretEnv => { await Util.asyncForEach(inputs.secretEnvs, async secretEnv => {
try { try {
args.push('--secret', Build.resolveSecretEnv(secretEnv)); args.push('--secret', BuildxInputs.resolveBuildSecretEnv(secretEnv));
} catch (err) { } catch (err) {
core.warning(err.message); core.warning(err.message);
} }
@ -135,8 +141,8 @@ async function getBuildArgs(inputs: Inputs, context: string, toolkit: Toolkit):
if (inputs.file) { if (inputs.file) {
args.push('--file', inputs.file); args.push('--file', inputs.file);
} }
if (!Build.hasLocalExporter(inputs.outputs) && !Build.hasTarExporter(inputs.outputs) && (inputs.platforms.length == 0 || (await toolkit.buildx.versionSatisfies('>=0.4.2')))) { if (!BuildxInputs.hasLocalExporter(inputs.outputs) && !BuildxInputs.hasTarExporter(inputs.outputs) && (inputs.platforms.length == 0 || (await toolkit.buildx.versionSatisfies('>=0.4.2')))) {
args.push('--iidfile', Build.getImageIDFilePath()); args.push('--iidfile', BuildxInputs.getBuildImageIDFilePath());
} }
await Util.asyncForEach(inputs.labels, async label => { await Util.asyncForEach(inputs.labels, async label => {
args.push('--label', label); args.push('--label', label);
@ -151,26 +157,43 @@ async function getBuildArgs(inputs: Inputs, context: string, toolkit: Toolkit):
args.push('--platform', inputs.platforms.join(',')); args.push('--platform', inputs.platforms.join(','));
} }
if (await toolkit.buildx.versionSatisfies('>=0.10.0')) { if (await toolkit.buildx.versionSatisfies('>=0.10.0')) {
args.push(...(await getAttestArgs(inputs, toolkit))); if (inputs.provenance) {
} else { args.push('--provenance', inputs.provenance);
core.warning("Attestations are only supported by buildx >= 0.10.0; the inputs 'attests', 'provenance' and 'sbom' are ignored."); } else if ((await toolkit.buildkit.versionSatisfies(inputs.builder, '>=0.11.0')) && !BuildxInputs.hasDockerExporter(inputs.outputs, inputs.load)) {
// if provenance not specified and BuildKit version compatible for
// attestation, set default provenance. Also needs to make sure user
// doesn't want to explicitly load the image to docker.
if (GitHub.context.payload.repository?.private ?? false) {
// if this is a private repository, we set the default provenance
// attributes being set in buildx: https://github.com/docker/buildx/blob/fb27e3f919dcbf614d7126b10c2bc2d0b1927eb6/build/build.go#L603
args.push('--provenance', BuildxInputs.resolveProvenanceAttrs(`mode=min,inline-only=true`));
} else {
// for a public repository, we set max provenance mode.
args.push('--provenance', BuildxInputs.resolveProvenanceAttrs(`mode=max`));
}
}
if (inputs.sbom) {
args.push('--sbom', inputs.sbom);
}
} else if (inputs.provenance || inputs.sbom) {
core.warning("Attestations are only supported by buildx >= 0.10.0; the inputs 'provenance' and 'sbom' are ignored.");
} }
await Util.asyncForEach(inputs.secrets, async secret => { await Util.asyncForEach(inputs.secrets, async secret => {
try { try {
args.push('--secret', Build.resolveSecretString(secret)); args.push('--secret', BuildxInputs.resolveBuildSecretString(secret));
} catch (err) { } catch (err) {
core.warning(err.message); core.warning(err.message);
} }
}); });
await Util.asyncForEach(inputs.secretFiles, async secretFile => { await Util.asyncForEach(inputs.secretFiles, async secretFile => {
try { try {
args.push('--secret', Build.resolveSecretFile(secretFile)); args.push('--secret', BuildxInputs.resolveBuildSecretFile(secretFile));
} catch (err) { } catch (err) {
core.warning(err.message); core.warning(err.message);
} }
}); });
if (inputs.githubToken && !Build.hasGitAuthTokenSecret(inputs.secrets) && context.startsWith(Context.gitContext())) { if (inputs.githubToken && !BuildxInputs.hasGitAuthTokenSecret(inputs.secrets) && context.startsWith(Context.gitContext())) {
args.push('--secret', Build.resolveSecretString(`GIT_AUTH_TOKEN=${inputs.githubToken}`)); args.push('--secret', BuildxInputs.resolveBuildSecretString(`GIT_AUTH_TOKEN=${inputs.githubToken}`));
} }
if (inputs.shmSize) { if (inputs.shmSize) {
args.push('--shm-size', inputs.shmSize); args.push('--shm-size', inputs.shmSize);
@ -199,7 +222,7 @@ async function getCommonArgs(inputs: Inputs, toolkit: Toolkit): Promise<Array<st
args.push('--load'); args.push('--load');
} }
if (await toolkit.buildx.versionSatisfies('>=0.6.0')) { if (await toolkit.buildx.versionSatisfies('>=0.6.0')) {
args.push('--metadata-file', Build.getMetadataFilePath()); args.push('--metadata-file', BuildxInputs.getBuildMetadataFilePath());
} }
if (inputs.network) { if (inputs.network) {
args.push('--network', inputs.network); args.push('--network', inputs.network);
@ -215,52 +238,3 @@ async function getCommonArgs(inputs: Inputs, toolkit: Toolkit): Promise<Array<st
} }
return args; return args;
} }
async function getAttestArgs(inputs: Inputs, toolkit: Toolkit): Promise<Array<string>> {
const args: Array<string> = [];
// check if provenance attestation is set in attests input
let hasAttestProvenance = false;
await Util.asyncForEach(inputs.attests, async (attest: string) => {
if (Build.hasAttestationType('provenance', attest)) {
hasAttestProvenance = true;
}
});
let provenanceSet = false;
let sbomSet = false;
if (inputs.provenance) {
args.push('--attest', Build.resolveAttestationAttrs(`type=provenance,${inputs.provenance}`));
provenanceSet = true;
} else if (!hasAttestProvenance && (await toolkit.buildkit.versionSatisfies(inputs.builder, '>=0.11.0')) && !Build.hasDockerExporter(inputs.outputs, inputs.load)) {
// if provenance not specified in provenance or attests inputs and BuildKit
// version compatible for attestation, set default provenance. Also needs
// to make sure user doesn't want to explicitly load the image to docker.
if (GitHub.context.payload.repository?.private ?? false) {
// if this is a private repository, we set the default provenance
// attributes being set in buildx: https://github.com/docker/buildx/blob/fb27e3f919dcbf614d7126b10c2bc2d0b1927eb6/build/build.go#L603
args.push('--attest', `type=provenance,${Build.resolveProvenanceAttrs(`mode=min,inline-only=true`)}`);
} else {
// for a public repository, we set max provenance mode.
args.push('--attest', `type=provenance,${Build.resolveProvenanceAttrs(`mode=max`)}`);
}
}
if (inputs.sbom) {
args.push('--attest', Build.resolveAttestationAttrs(`type=sbom,${inputs.sbom}`));
sbomSet = true;
}
// set attests but check if provenance or sbom types already set as
// provenance and sbom inputs take precedence over attests input.
await Util.asyncForEach(inputs.attests, async (attest: string) => {
if (!Build.hasAttestationType('provenance', attest) && !Build.hasAttestationType('sbom', attest)) {
args.push('--attest', Build.resolveAttestationAttrs(attest));
} else if (!provenanceSet && Build.hasAttestationType('provenance', attest)) {
args.push('--attest', Build.resolveProvenanceAttrs(attest));
} else if (!sbomSet && Build.hasAttestationType('sbom', attest)) {
args.push('--attest', attest);
}
});
return args;
}

View File

@ -3,14 +3,12 @@ import * as path from 'path';
import * as stateHelper from './state-helper'; import * as stateHelper from './state-helper';
import * as core from '@actions/core'; import * as core from '@actions/core';
import * as actionsToolkit from '@docker/actions-toolkit'; import * as actionsToolkit from '@docker/actions-toolkit';
import {Build} from '@docker/actions-toolkit/lib/buildx/build';
import {Context} from '@docker/actions-toolkit/lib/context'; import {Context} from '@docker/actions-toolkit/lib/context';
import {Docker} from '@docker/actions-toolkit/lib/docker/docker'; import {Docker} from '@docker/actions-toolkit/lib/docker/docker';
import {Exec} from '@docker/actions-toolkit/lib/exec'; import {Exec} from '@docker/actions-toolkit/lib/exec';
import {GitHub} from '@docker/actions-toolkit/lib/github'; import {GitHub} from '@docker/actions-toolkit/lib/github';
import {Inputs as BuildxInputs} from '@docker/actions-toolkit/lib/buildx/inputs';
import {Toolkit} from '@docker/actions-toolkit/lib/toolkit'; import {Toolkit} from '@docker/actions-toolkit/lib/toolkit';
import {ConfigFile} from '@docker/actions-toolkit/lib/types/docker'; import {ConfigFile} from '@docker/actions-toolkit/lib/types/docker';
import * as context from './context'; import * as context from './context';
@ -91,9 +89,9 @@ actionsToolkit.run(
} }
}); });
const imageID = Build.resolveImageID(); const imageID = BuildxInputs.resolveBuildImageID();
const metadata = Build.resolveMetadata(); const metadata = BuildxInputs.resolveBuildMetadata();
const digest = Build.resolveDigest(); const digest = BuildxInputs.resolveDigest();
if (imageID) { if (imageID) {
await core.group(`ImageID`, async () => { await core.group(`ImageID`, async () => {
@ -109,9 +107,8 @@ actionsToolkit.run(
} }
if (metadata) { if (metadata) {
await core.group(`Metadata`, async () => { await core.group(`Metadata`, async () => {
const metadatadt = JSON.stringify(metadata, null, 2); core.info(metadata);
core.info(metadatadt); core.setOutput('metadata', metadata);
core.setOutput('metadata', metadatadt);
}); });
} }
}, },

750
yarn.lock

File diff suppressed because it is too large Load Diff