Compare commits

..

14 Commits

Author SHA1 Message Date
CrazyMax
b6ff9e5753
chore: update generated content
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
2024-04-26 13:06:55 +02:00
dependabot[bot]
929fba6cce
chore(deps): Bump undici from 5.28.3 to 5.28.4
Bumps [undici](https://github.com/nodejs/undici) from 5.28.3 to 5.28.4.
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](https://github.com/nodejs/undici/compare/v5.28.3...v5.28.4)

---
updated-dependencies:
- dependency-name: undici
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-04-26 10:59:25 +00:00
CrazyMax
7f1f43ba33
Merge pull request #1105 from docker/dependabot/npm_and_yarn/docker/actions-toolkit-0.22.0
chore(deps): Bump @docker/actions-toolkit from 0.20.0 to 0.22.0
2024-04-26 12:22:27 +02:00
CrazyMax
40d6a900e0
chore: update generated content
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
2024-04-26 11:54:16 +02:00
CrazyMax
d56be63626
Merge pull request #1106 from crazy-max/docs-rm-stubs
docs: remove stub files
2024-04-26 11:21:16 +02:00
CrazyMax
eb3cfeaf00
switch to new Build class
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
2024-04-26 11:20:49 +02:00
CrazyMax
d0fc12d8a4
docs: remove stub files
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
2024-04-26 11:12:45 +02:00
dependabot[bot]
68615d5b67
chore(deps): Bump @docker/actions-toolkit from 0.20.0 to 0.22.0
Bumps [@docker/actions-toolkit](https://github.com/docker/actions-toolkit) from 0.20.0 to 0.22.0.
- [Release notes](https://github.com/docker/actions-toolkit/releases)
- [Commits](https://github.com/docker/actions-toolkit/compare/v0.20.0...v0.22.0)

---
updated-dependencies:
- dependency-name: "@docker/actions-toolkit"
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-04-26 09:09:12 +00:00
CrazyMax
c3b570184c
Merge pull request #1086 from crazy-max/fix-attests-provenance-sbom
handle attests correctly with provenance and sbom inputs
2024-04-26 11:05:55 +02:00
CrazyMax
7e6f77677b
Merge pull request #1095 from crazy-max/ci-use-stable-1
ci: switch to stable buildkit image for load and push
2024-04-16 08:47:52 +02:00
CrazyMax
2ce6beaad4
readme: update following latest buildx/buildkit releases
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
2024-04-15 09:50:33 +02:00
CrazyMax
4c8d1e6826
ci: switch to stable buildkit image for load and push
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
2024-04-15 09:47:50 +02:00
CrazyMax
b0312962ef
chore: update generated content
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
2024-04-02 10:58:32 +02:00
CrazyMax
96acf63e4c
handle attests correctly with provenance and sbom inputs
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
2024-04-02 10:54:20 +02:00
23 changed files with 2900 additions and 149 deletions

View File

@ -1274,10 +1274,9 @@ jobs:
uses: docker/setup-buildx-action@v3 uses: docker/setup-buildx-action@v3
with: with:
version: ${{ inputs.buildx-version || env.BUILDX_VERSION }} version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
# TODO: use buildx-stable-1 image when v0.13 promoted
driver-opts: | driver-opts: |
network=host network=host
image=moby/buildkit:v0.13.0 image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
buildkitd-flags: --debug buildkitd-flags: --debug
- -
name: Build name: Build
@ -1324,10 +1323,9 @@ jobs:
uses: docker/setup-buildx-action@v3 uses: docker/setup-buildx-action@v3
with: with:
version: ${{ inputs.buildx-version || env.BUILDX_VERSION }} version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
# TODO: use buildx-stable-1 image when v0.13 promoted
driver-opts: | driver-opts: |
network=host network=host
image=moby/buildkit:v0.13.0 image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
buildkitd-flags: --debug buildkitd-flags: --debug
- -
name: Build name: Build

View File

@ -31,6 +31,9 @@ ___
* [Named contexts](https://docs.docker.com/build/ci/github-actions/named-contexts/) * [Named contexts](https://docs.docker.com/build/ci/github-actions/named-contexts/)
* [Copy image between registries](https://docs.docker.com/build/ci/github-actions/copy-image-registries/) * [Copy image between registries](https://docs.docker.com/build/ci/github-actions/copy-image-registries/)
* [Update Docker Hub repo description](https://docs.docker.com/build/ci/github-actions/update-dockerhub-desc/) * [Update Docker Hub repo description](https://docs.docker.com/build/ci/github-actions/update-dockerhub-desc/)
* [SBOM and provenance attestations](https://docs.docker.com/build/ci/github-actions/attestations/)
* [Annotations](https://docs.docker.com/build/ci/github-actions/annotations/)
* [Reproducible builds](https://docs.docker.com/build/ci/github-actions/reproducible-builds/)
* [Customizing](#customizing) * [Customizing](#customizing)
* [inputs](#inputs) * [inputs](#inputs)
* [outputs](#outputs) * [outputs](#outputs)
@ -118,14 +121,6 @@ to the default Git context:
tags: user/app:latest tags: user/app:latest
``` ```
> **Warning**
>
> Subdirectory for Git context is available from [BuildKit v0.9.0](https://github.com/moby/buildkit/releases/tag/v0.9.0).
> If you're using the `docker` builder (default if `setup-buildx-action` not used),
> then BuildKit in Docker Engine will be used. As Docker Engine < v22.x.x embeds
> Buildkit 0.8.2 at the moment, it does not support this feature. It's therefore
> required to use the `setup-buildx-action` at the moment.
Building from the current repository automatically uses the [GitHub Token](https://docs.github.com/en/actions/security-guides/automatic-token-authentication), Building from the current repository automatically uses the [GitHub Token](https://docs.github.com/en/actions/security-guides/automatic-token-authentication),
so it does not need to be passed. If you want to authenticate against another so it does not need to be passed. If you want to authenticate against another
private repository, you have to use a [secret](https://docs.docker.com/build/ci/github-actions/secrets) private repository, you have to use a [secret](https://docs.docker.com/build/ci/github-actions/secrets)
@ -194,6 +189,9 @@ jobs:
* [Named contexts](https://docs.docker.com/build/ci/github-actions/named-contexts/) * [Named contexts](https://docs.docker.com/build/ci/github-actions/named-contexts/)
* [Copy image between registries](https://docs.docker.com/build/ci/github-actions/copy-image-registries/) * [Copy image between registries](https://docs.docker.com/build/ci/github-actions/copy-image-registries/)
* [Update Docker Hub repo description](https://docs.docker.com/build/ci/github-actions/update-dockerhub-desc/) * [Update Docker Hub repo description](https://docs.docker.com/build/ci/github-actions/update-dockerhub-desc/)
* [SBOM and provenance attestations](https://docs.docker.com/build/ci/github-actions/attestations/)
* [Annotations](https://docs.docker.com/build/ci/github-actions/annotations/)
* [Reproducible builds](https://docs.docker.com/build/ci/github-actions/reproducible-builds/)
## Customizing ## Customizing
@ -232,7 +230,7 @@ Following inputs can be used as `step.with` keys
| `network` | String | Set the networking mode for the `RUN` instructions during build | | `network` | String | Set the networking mode for the `RUN` instructions during build |
| `no-cache` | Bool | Do not use cache when building the image (default `false`) | | `no-cache` | Bool | Do not use cache when building the image (default `false`) |
| `no-cache-filters` | List/CSV | Do not cache specified stages | | `no-cache-filters` | List/CSV | Do not cache specified stages |
| `outputs`¹ | List | List of [output destinations](https://docs.docker.com/engine/reference/commandline/buildx_build/#output) (format: `type=local,dest=path`) | | `outputs` | List | List of [output destinations](https://docs.docker.com/engine/reference/commandline/buildx_build/#output) (format: `type=local,dest=path`) |
| `platforms` | List/CSV | List of [target platforms](https://docs.docker.com/engine/reference/commandline/buildx_build/#platform) for build | | `platforms` | List/CSV | List of [target platforms](https://docs.docker.com/engine/reference/commandline/buildx_build/#platform) for build |
| `provenance` | Bool/String | Generate [provenance](https://docs.docker.com/build/attestations/slsa-provenance/) attestation for the build (shorthand for `--attest=type=provenance`) | | `provenance` | Bool/String | Generate [provenance](https://docs.docker.com/build/attestations/slsa-provenance/) attestation for the build (shorthand for `--attest=type=provenance`) |
| `pull` | Bool | Always attempt to pull all referenced images (default `false`) | | `pull` | Bool | Always attempt to pull all referenced images (default `false`) |
@ -248,10 +246,6 @@ Following inputs can be used as `step.with` keys
| `ulimit` | List | [Ulimit](https://docs.docker.com/engine/reference/commandline/buildx_build/#ulimit) options (e.g., `nofile=1024:1024`) | | `ulimit` | List | [Ulimit](https://docs.docker.com/engine/reference/commandline/buildx_build/#ulimit) options (e.g., `nofile=1024:1024`) |
| `github-token` | String | GitHub Token used to authenticate against a repository for [Git context](#git-context) (default `${{ github.token }}`) | | `github-token` | String | GitHub Token used to authenticate against a repository for [Git context](#git-context) (default `${{ github.token }}`) |
> **Note**
>
> * ¹ multiple `outputs` are [not yet supported](https://github.com/moby/buildkit/issues/1555)
### outputs ### outputs
The following outputs are available: The following outputs are available:

View File

@ -481,7 +481,7 @@ nproc=3`],
[ [
'build', 'build',
'--iidfile', path.join(tmpDir, 'iidfile'), '--iidfile', path.join(tmpDir, 'iidfile'),
"--provenance", `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`, '--attest', `type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`,
'--metadata-file', path.join(tmpDir, 'metadata-file'), '--metadata-file', path.join(tmpDir, 'metadata-file'),
'.' '.'
] ]
@ -500,7 +500,7 @@ nproc=3`],
[ [
'build', 'build',
'--iidfile', path.join(tmpDir, 'iidfile'), '--iidfile', path.join(tmpDir, 'iidfile'),
"--provenance", `builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`, '--attest', `type=provenance,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`,
'--metadata-file', path.join(tmpDir, 'metadata-file'), '--metadata-file', path.join(tmpDir, 'metadata-file'),
'.' '.'
] ]
@ -519,7 +519,7 @@ nproc=3`],
[ [
'build', 'build',
'--iidfile', path.join(tmpDir, 'iidfile'), '--iidfile', path.join(tmpDir, 'iidfile'),
"--provenance", `mode=max,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`, '--attest', `type=provenance,mode=max,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`,
'--metadata-file', path.join(tmpDir, 'metadata-file'), '--metadata-file', path.join(tmpDir, 'metadata-file'),
'.' '.'
] ]
@ -538,7 +538,7 @@ nproc=3`],
[ [
'build', 'build',
'--iidfile', path.join(tmpDir, 'iidfile'), '--iidfile', path.join(tmpDir, 'iidfile'),
"--provenance", 'false', '--attest', 'type=provenance,disabled=true',
'--metadata-file', path.join(tmpDir, 'metadata-file'), '--metadata-file', path.join(tmpDir, 'metadata-file'),
'.' '.'
] ]
@ -557,7 +557,7 @@ nproc=3`],
[ [
'build', 'build',
'--iidfile', path.join(tmpDir, 'iidfile'), '--iidfile', path.join(tmpDir, 'iidfile'),
"--provenance", 'builder-id=foo', '--attest', 'type=provenance,builder-id=foo',
'--metadata-file', path.join(tmpDir, 'metadata-file'), '--metadata-file', path.join(tmpDir, 'metadata-file'),
'.' '.'
] ]
@ -620,7 +620,7 @@ nproc=3`],
] ]
], ],
[ [
25, 26,
'0.10.0', '0.10.0',
new Map<string, string>([ new Map<string, string>([
['context', '.'], ['context', '.'],
@ -642,7 +642,7 @@ ANOTHER_SECRET=ANOTHER_SECRET_ENV`]
] ]
], ],
[ [
26, 27,
'0.10.0', '0.10.0',
new Map<string, string>([ new Map<string, string>([
['context', '.'], ['context', '.'],
@ -663,7 +663,7 @@ ANOTHER_SECRET=ANOTHER_SECRET_ENV`]
] ]
], ],
[ [
27, 28,
'0.11.0', '0.11.0',
new Map<string, string>([ new Map<string, string>([
['context', '.'], ['context', '.'],
@ -677,13 +677,13 @@ ANOTHER_SECRET=ANOTHER_SECRET_ENV`]
[ [
'build', 'build',
'--output', 'type=local,dest=./release-out', '--output', 'type=local,dest=./release-out',
"--provenance", `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`, '--attest', `type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`,
'--metadata-file', path.join(tmpDir, 'metadata-file'), '--metadata-file', path.join(tmpDir, 'metadata-file'),
'.' '.'
] ]
], ],
[ [
28, 29,
'0.12.0', '0.12.0',
new Map<string, string>([ new Map<string, string>([
['context', '.'], ['context', '.'],
@ -701,13 +701,13 @@ ANOTHER_SECRET=ANOTHER_SECRET_ENV`]
'--annotation', 'manifest:example3=yyy', '--annotation', 'manifest:example3=yyy',
'--annotation', 'manifest-descriptor[linux/amd64]:example4=zzz', '--annotation', 'manifest-descriptor[linux/amd64]:example4=zzz',
'--output', 'type=local,dest=./release-out', '--output', 'type=local,dest=./release-out',
"--provenance", `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`, '--attest', `type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`,
'--metadata-file', path.join(tmpDir, 'metadata-file'), '--metadata-file', path.join(tmpDir, 'metadata-file'),
'.' '.'
] ]
], ],
[ [
29, 30,
'0.12.0', '0.12.0',
new Map<string, string>([ new Map<string, string>([
['context', '.'], ['context', '.'],
@ -721,11 +721,71 @@ ANOTHER_SECRET=ANOTHER_SECRET_ENV`]
'build', 'build',
'--iidfile', path.join(tmpDir, 'iidfile'), '--iidfile', path.join(tmpDir, 'iidfile'),
"--output", `type=image,"name=localhost:5000/name/app:latest,localhost:5000/name/app:foo",push-by-digest=true,name-canonical=true,push=true`, "--output", `type=image,"name=localhost:5000/name/app:latest,localhost:5000/name/app:foo",push-by-digest=true,name-canonical=true,push=true`,
"--provenance", `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`, '--attest', `type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`,
'--metadata-file', path.join(tmpDir, 'metadata-file'), '--metadata-file', path.join(tmpDir, 'metadata-file'),
'.' '.'
] ]
] ],
[
31,
'0.13.1',
new Map<string, string>([
['context', '.'],
['load', 'false'],
['no-cache', 'false'],
['push', 'false'],
['pull', 'false'],
['provenance', 'mode=max'],
['sbom', 'true'],
]),
[
'build',
'--iidfile', path.join(tmpDir, 'iidfile'),
'--attest', `type=provenance,mode=max,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`,
'--attest', `type=sbom,disabled=false`,
'--metadata-file', path.join(tmpDir, 'metadata-file'),
'.'
]
],
[
32,
'0.13.1',
new Map<string, string>([
['context', '.'],
['load', 'false'],
['no-cache', 'false'],
['push', 'false'],
['pull', 'false'],
['attests', 'type=provenance,mode=min'],
['provenance', 'mode=max'],
]),
[
'build',
'--iidfile', path.join(tmpDir, 'iidfile'),
'--attest', `type=provenance,mode=max,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`,
'--metadata-file', path.join(tmpDir, 'metadata-file'),
'.'
]
],
[
33,
'0.13.1',
new Map<string, string>([
['context', '.'],
['load', 'false'],
['no-cache', 'false'],
['push', 'false'],
['pull', 'false'],
['attests', 'type=provenance,mode=min'],
]),
[
'build',
'--iidfile', path.join(tmpDir, 'iidfile'),
'--attest', `type=provenance,mode=min,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`,
'--metadata-file', path.join(tmpDir, 'metadata-file'),
'.'
]
],
])( ])(
'[%d] given %p with %p as inputs, returns %p', '[%d] given %p with %p as inputs, returns %p',
async (num: number, buildxVersion: string, inputs: Map<string, string>, expected: Array<string>) => { async (num: number, buildxVersion: string, inputs: Map<string, string>, expected: Array<string>) => {

86
dist/index.js generated vendored

File diff suppressed because one or more lines are too long

2
dist/index.js.map generated vendored

File diff suppressed because one or more lines are too long

1941
dist/licenses.txt generated vendored

File diff suppressed because it is too large Load Diff

View File

@ -1,3 +0,0 @@
# Cache
This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/cache/)

View File

@ -1,3 +0,0 @@
# Copy images between registries
This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/copy-image-registries/)

View File

@ -1,3 +0,0 @@
# Update Docker Hub repo description
This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/update-dockerhub-desc/)

View File

@ -1,3 +0,0 @@
# Export image to Docker
This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/export-docker/)

View File

@ -1,3 +0,0 @@
# Isolated builders
This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/configure-builder/#isolated-builders)

View File

@ -1,3 +0,0 @@
# Local registry
This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/local-registry/)

View File

@ -1,3 +0,0 @@
# Multi-platform image
This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/multi-platform/)

View File

@ -1,3 +0,0 @@
# Named contexts
This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/named-contexts/)

View File

@ -1,3 +0,0 @@
# Push to multi-registries
This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/push-multi-registries/)

View File

@ -1,3 +0,0 @@
# Secrets
This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/secrets/)

View File

@ -1,3 +0,0 @@
# Share built image between jobs
This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/share-image-jobs/)

View File

@ -1,3 +0,0 @@
# Handle tags and labels
This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/manage-tags-labels/)

View File

@ -1,3 +0,0 @@
# Test your image before pushing it
This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/test-before-push/)

View File

@ -27,7 +27,7 @@
"license": "Apache-2.0", "license": "Apache-2.0",
"dependencies": { "dependencies": {
"@actions/core": "^1.10.1", "@actions/core": "^1.10.1",
"@docker/actions-toolkit": "0.20.0", "@docker/actions-toolkit": "0.22.0",
"handlebars": "^4.7.7" "handlebars": "^4.7.7"
}, },
"devDependencies": { "devDependencies": {

View File

@ -1,8 +1,9 @@
import * as core from '@actions/core'; import * as core from '@actions/core';
import * as handlebars from 'handlebars'; import * as handlebars from 'handlebars';
import {Build} from '@docker/actions-toolkit/lib/buildx/build';
import {Context} from '@docker/actions-toolkit/lib/context'; import {Context} from '@docker/actions-toolkit/lib/context';
import {GitHub} from '@docker/actions-toolkit/lib/github'; import {GitHub} from '@docker/actions-toolkit/lib/github';
import {Inputs as BuildxInputs} from '@docker/actions-toolkit/lib/buildx/inputs';
import {Toolkit} from '@docker/actions-toolkit/lib/toolkit'; import {Toolkit} from '@docker/actions-toolkit/lib/toolkit';
import {Util} from '@docker/actions-toolkit/lib/util'; import {Util} from '@docker/actions-toolkit/lib/util';
@ -62,7 +63,7 @@ export async function getInputs(): Promise<Inputs> {
noCacheFilters: Util.getInputList('no-cache-filters'), noCacheFilters: Util.getInputList('no-cache-filters'),
outputs: Util.getInputList('outputs', {ignoreComma: true, quote: false}), outputs: Util.getInputList('outputs', {ignoreComma: true, quote: false}),
platforms: Util.getInputList('platforms'), platforms: Util.getInputList('platforms'),
provenance: BuildxInputs.getProvenanceInput('provenance'), provenance: Build.getProvenanceInput('provenance'),
pull: core.getBooleanInput('pull'), pull: core.getBooleanInput('pull'),
push: core.getBooleanInput('push'), push: core.getBooleanInput('push'),
sbom: core.getInput('sbom'), sbom: core.getInput('sbom'),
@ -98,13 +99,6 @@ async function getBuildArgs(inputs: Inputs, context: string, toolkit: Toolkit):
if (inputs.allow.length > 0) { if (inputs.allow.length > 0) {
args.push('--allow', inputs.allow.join(',')); args.push('--allow', inputs.allow.join(','));
} }
if (await toolkit.buildx.versionSatisfies('>=0.10.0')) {
await Util.asyncForEach(inputs.attests, async attest => {
args.push('--attest', attest);
});
} else if (inputs.attests.length > 0) {
core.warning("Attestations are only supported by buildx >= 0.10.0; the input 'attests' is ignored.");
}
if (await toolkit.buildx.versionSatisfies('>=0.12.0')) { if (await toolkit.buildx.versionSatisfies('>=0.12.0')) {
await Util.asyncForEach(inputs.annotations, async annotation => { await Util.asyncForEach(inputs.annotations, async annotation => {
args.push('--annotation', annotation); args.push('--annotation', annotation);
@ -133,7 +127,7 @@ async function getBuildArgs(inputs: Inputs, context: string, toolkit: Toolkit):
} }
await Util.asyncForEach(inputs.secretEnvs, async secretEnv => { await Util.asyncForEach(inputs.secretEnvs, async secretEnv => {
try { try {
args.push('--secret', BuildxInputs.resolveBuildSecretEnv(secretEnv)); args.push('--secret', Build.resolveSecretEnv(secretEnv));
} catch (err) { } catch (err) {
core.warning(err.message); core.warning(err.message);
} }
@ -141,8 +135,8 @@ async function getBuildArgs(inputs: Inputs, context: string, toolkit: Toolkit):
if (inputs.file) { if (inputs.file) {
args.push('--file', inputs.file); args.push('--file', inputs.file);
} }
if (!BuildxInputs.hasLocalExporter(inputs.outputs) && !BuildxInputs.hasTarExporter(inputs.outputs) && (inputs.platforms.length == 0 || (await toolkit.buildx.versionSatisfies('>=0.4.2')))) { if (!Build.hasLocalExporter(inputs.outputs) && !Build.hasTarExporter(inputs.outputs) && (inputs.platforms.length == 0 || (await toolkit.buildx.versionSatisfies('>=0.4.2')))) {
args.push('--iidfile', BuildxInputs.getBuildImageIDFilePath()); args.push('--iidfile', Build.getImageIDFilePath());
} }
await Util.asyncForEach(inputs.labels, async label => { await Util.asyncForEach(inputs.labels, async label => {
args.push('--label', label); args.push('--label', label);
@ -157,43 +151,26 @@ async function getBuildArgs(inputs: Inputs, context: string, toolkit: Toolkit):
args.push('--platform', inputs.platforms.join(',')); args.push('--platform', inputs.platforms.join(','));
} }
if (await toolkit.buildx.versionSatisfies('>=0.10.0')) { if (await toolkit.buildx.versionSatisfies('>=0.10.0')) {
if (inputs.provenance) { args.push(...(await getAttestArgs(inputs, toolkit)));
args.push('--provenance', inputs.provenance); } else {
} else if ((await toolkit.buildkit.versionSatisfies(inputs.builder, '>=0.11.0')) && !BuildxInputs.hasDockerExporter(inputs.outputs, inputs.load)) { core.warning("Attestations are only supported by buildx >= 0.10.0; the inputs 'attests', 'provenance' and 'sbom' are ignored.");
// if provenance not specified and BuildKit version compatible for
// attestation, set default provenance. Also needs to make sure user
// doesn't want to explicitly load the image to docker.
if (GitHub.context.payload.repository?.private ?? false) {
// if this is a private repository, we set the default provenance
// attributes being set in buildx: https://github.com/docker/buildx/blob/fb27e3f919dcbf614d7126b10c2bc2d0b1927eb6/build/build.go#L603
args.push('--provenance', BuildxInputs.resolveProvenanceAttrs(`mode=min,inline-only=true`));
} else {
// for a public repository, we set max provenance mode.
args.push('--provenance', BuildxInputs.resolveProvenanceAttrs(`mode=max`));
}
}
if (inputs.sbom) {
args.push('--sbom', inputs.sbom);
}
} else if (inputs.provenance || inputs.sbom) {
core.warning("Attestations are only supported by buildx >= 0.10.0; the inputs 'provenance' and 'sbom' are ignored.");
} }
await Util.asyncForEach(inputs.secrets, async secret => { await Util.asyncForEach(inputs.secrets, async secret => {
try { try {
args.push('--secret', BuildxInputs.resolveBuildSecretString(secret)); args.push('--secret', Build.resolveSecretString(secret));
} catch (err) { } catch (err) {
core.warning(err.message); core.warning(err.message);
} }
}); });
await Util.asyncForEach(inputs.secretFiles, async secretFile => { await Util.asyncForEach(inputs.secretFiles, async secretFile => {
try { try {
args.push('--secret', BuildxInputs.resolveBuildSecretFile(secretFile)); args.push('--secret', Build.resolveSecretFile(secretFile));
} catch (err) { } catch (err) {
core.warning(err.message); core.warning(err.message);
} }
}); });
if (inputs.githubToken && !BuildxInputs.hasGitAuthTokenSecret(inputs.secrets) && context.startsWith(Context.gitContext())) { if (inputs.githubToken && !Build.hasGitAuthTokenSecret(inputs.secrets) && context.startsWith(Context.gitContext())) {
args.push('--secret', BuildxInputs.resolveBuildSecretString(`GIT_AUTH_TOKEN=${inputs.githubToken}`)); args.push('--secret', Build.resolveSecretString(`GIT_AUTH_TOKEN=${inputs.githubToken}`));
} }
if (inputs.shmSize) { if (inputs.shmSize) {
args.push('--shm-size', inputs.shmSize); args.push('--shm-size', inputs.shmSize);
@ -222,7 +199,7 @@ async function getCommonArgs(inputs: Inputs, toolkit: Toolkit): Promise<Array<st
args.push('--load'); args.push('--load');
} }
if (await toolkit.buildx.versionSatisfies('>=0.6.0')) { if (await toolkit.buildx.versionSatisfies('>=0.6.0')) {
args.push('--metadata-file', BuildxInputs.getBuildMetadataFilePath()); args.push('--metadata-file', Build.getMetadataFilePath());
} }
if (inputs.network) { if (inputs.network) {
args.push('--network', inputs.network); args.push('--network', inputs.network);
@ -238,3 +215,52 @@ async function getCommonArgs(inputs: Inputs, toolkit: Toolkit): Promise<Array<st
} }
return args; return args;
} }
async function getAttestArgs(inputs: Inputs, toolkit: Toolkit): Promise<Array<string>> {
const args: Array<string> = [];
// check if provenance attestation is set in attests input
let hasAttestProvenance = false;
await Util.asyncForEach(inputs.attests, async (attest: string) => {
if (Build.hasAttestationType('provenance', attest)) {
hasAttestProvenance = true;
}
});
let provenanceSet = false;
let sbomSet = false;
if (inputs.provenance) {
args.push('--attest', Build.resolveAttestationAttrs(`type=provenance,${inputs.provenance}`));
provenanceSet = true;
} else if (!hasAttestProvenance && (await toolkit.buildkit.versionSatisfies(inputs.builder, '>=0.11.0')) && !Build.hasDockerExporter(inputs.outputs, inputs.load)) {
// if provenance not specified in provenance or attests inputs and BuildKit
// version compatible for attestation, set default provenance. Also needs
// to make sure user doesn't want to explicitly load the image to docker.
if (GitHub.context.payload.repository?.private ?? false) {
// if this is a private repository, we set the default provenance
// attributes being set in buildx: https://github.com/docker/buildx/blob/fb27e3f919dcbf614d7126b10c2bc2d0b1927eb6/build/build.go#L603
args.push('--attest', `type=provenance,${Build.resolveProvenanceAttrs(`mode=min,inline-only=true`)}`);
} else {
// for a public repository, we set max provenance mode.
args.push('--attest', `type=provenance,${Build.resolveProvenanceAttrs(`mode=max`)}`);
}
}
if (inputs.sbom) {
args.push('--attest', Build.resolveAttestationAttrs(`type=sbom,${inputs.sbom}`));
sbomSet = true;
}
// set attests but check if provenance or sbom types already set as
// provenance and sbom inputs take precedence over attests input.
await Util.asyncForEach(inputs.attests, async (attest: string) => {
if (!Build.hasAttestationType('provenance', attest) && !Build.hasAttestationType('sbom', attest)) {
args.push('--attest', Build.resolveAttestationAttrs(attest));
} else if (!provenanceSet && Build.hasAttestationType('provenance', attest)) {
args.push('--attest', Build.resolveProvenanceAttrs(attest));
} else if (!sbomSet && Build.hasAttestationType('sbom', attest)) {
args.push('--attest', attest);
}
});
return args;
}

View File

@ -3,12 +3,14 @@ import * as path from 'path';
import * as stateHelper from './state-helper'; import * as stateHelper from './state-helper';
import * as core from '@actions/core'; import * as core from '@actions/core';
import * as actionsToolkit from '@docker/actions-toolkit'; import * as actionsToolkit from '@docker/actions-toolkit';
import {Build} from '@docker/actions-toolkit/lib/buildx/build';
import {Context} from '@docker/actions-toolkit/lib/context'; import {Context} from '@docker/actions-toolkit/lib/context';
import {Docker} from '@docker/actions-toolkit/lib/docker/docker'; import {Docker} from '@docker/actions-toolkit/lib/docker/docker';
import {Exec} from '@docker/actions-toolkit/lib/exec'; import {Exec} from '@docker/actions-toolkit/lib/exec';
import {GitHub} from '@docker/actions-toolkit/lib/github'; import {GitHub} from '@docker/actions-toolkit/lib/github';
import {Inputs as BuildxInputs} from '@docker/actions-toolkit/lib/buildx/inputs';
import {Toolkit} from '@docker/actions-toolkit/lib/toolkit'; import {Toolkit} from '@docker/actions-toolkit/lib/toolkit';
import {ConfigFile} from '@docker/actions-toolkit/lib/types/docker'; import {ConfigFile} from '@docker/actions-toolkit/lib/types/docker';
import * as context from './context'; import * as context from './context';
@ -89,9 +91,9 @@ actionsToolkit.run(
} }
}); });
const imageID = BuildxInputs.resolveBuildImageID(); const imageID = Build.resolveImageID();
const metadata = BuildxInputs.resolveBuildMetadata(); const metadata = Build.resolveMetadata();
const digest = BuildxInputs.resolveDigest(); const digest = Build.resolveDigest();
if (imageID) { if (imageID) {
await core.group(`ImageID`, async () => { await core.group(`ImageID`, async () => {
@ -107,8 +109,9 @@ actionsToolkit.run(
} }
if (metadata) { if (metadata) {
await core.group(`Metadata`, async () => { await core.group(`Metadata`, async () => {
core.info(metadata); const metadatadt = JSON.stringify(metadata, null, 2);
core.setOutput('metadata', metadata); core.info(metadatadt);
core.setOutput('metadata', metadatadt);
}); });
} }
}, },

750
yarn.lock

File diff suppressed because it is too large Load Diff