git auth token support for private repos

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
2026-01-22 12:22:21 +01:00 · 2024-04-13 15:20:19 +02:00
parent b6cc37d5b9
commit 908c98f276
4 changed files with 53 additions and 17 deletions
--- a/README.md
+++ b/README.md
@@ -117,6 +117,26 @@ to the default Git context:
          push: true
 ```
 Building from the current repository automatically uses the `GITHUB_TOKEN`
 secret that GitHub [automatically creates for workflows](https://docs.github.com/en/actions/security-guides/automatic-token-authentication),
 so you don't need to pass that manually. If you want to authenticate against
 another private repository for remote definitions, you can set the
 [`BUILDX_BAKE_GIT_AUTH_TOKEN` environment variable](https://docs.docker.com/build/building/variables/#buildx_bake_git_auth_token).
 > [!NOTE]
 > Supported since Buildx 0.14.0
 ```yaml
      -
        name: Build and push
        uses: docker/bake-action@v4
        with:
          source: "${{ github.server_url }}/${{ github.repository }}.git#${{ github.ref }}"
          push: true
        env:
          BUILDX_BAKE_GIT_AUTH_TOKEN: ${{ secrets.MYTOKEN }}
 ```
 ## Customizing
 ### inputs
@@ -139,7 +159,7 @@ The following inputs can be used as `step.with` keys
 > ```
 | Name           | Type        | Description                                                                                                                                                        |
-|--------------|-------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------|
+|----------------|-------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | `builder`      | String      | Builder instance (see [setup-buildx](https://github.com/docker/setup-buildx-action) action)                                                                        |
 | `source`       | String      | Context to build from. Can be either local (`.`) or a [remote bake definition](https://docs.docker.com/build/customize/bake/file-definition/#remote-definition)    |
 | `files`        | List/CSV    | List of [bake definition files](https://docs.docker.com/build/customize/bake/file-definition/)                                                                     |
@@ -152,6 +172,7 @@ The following inputs can be used as `step.with` keys
 | `push`         | Bool        | Push is a shorthand for `--set=*.output=type=registry` (default `false`)                                                                                           |
 | `sbom`         | Bool/String | [SBOM](https://docs.docker.com/build/attestations/sbom/) is a shorthand for `--set=*.attest=type=sbom`                                                             |
 | `set`          | List        | List of [targets values to override](https://docs.docker.com/engine/reference/commandline/buildx_bake/#set) (eg: `targetpattern.key=value`)                        |
 | `github-token` | String      | API token used to authenticate to a Git repository for [remote definitions](https://docs.docker.com/build/bake/remote-definition/) (default `${{ github.token }}`) |
 ### outputs
--- a/action.yml
+++ b/action.yml
@@ -48,6 +48,10 @@ inputs:
  set:
    description: "List of targets values to override (eg. targetpattern.key=value)"
    required: false
  github-token:
    description: "API token used to authenticate to a Git repository for remote definitions"
    default: ${{ github.token }}
    required: false
 outputs:
  metadata:
--- a/src/context.ts
+++ b/src/context.ts
@@ -21,6 +21,7 @@ export interface Inputs {
  sbom: string;
  set: string[];
  source: string;
  githubToken: string;
 }
 export async function getInputs(): Promise<Inputs> {
@@ -36,7 +37,8 @@ export async function getInputs(): Promise<Inputs> {
    push: core.getBooleanInput('push'),
    sbom: core.getInput('sbom'),
    set: Util.getInputList('set', {ignoreComma: true, quote: false}),
-    source: getSourceInput('source')
+    source: getSourceInput('source'),
    githubToken: core.getInput('github-token')
  };
 }
--- a/src/main.ts
+++ b/src/main.ts
@@ -19,6 +19,7 @@ actionsToolkit.run(
  async () => {
    const inputs: context.Inputs = await context.getInputs();
    const toolkit = new Toolkit();
    const gitAuthToken = process.env.BUILDX_BAKE_GIT_AUTH_TOKEN ?? inputs.githubToken;
    await core.group(`GitHub Actions runtime token ACs`, async () => {
      try {
@@ -85,7 +86,8 @@ actionsToolkit.run(
          push: inputs.push,
          sbom: inputs.sbom,
          source: inputs.source,
-          targets: inputs.targets
+          targets: inputs.targets,
          githubToken: gitAuthToken
        },
        {
          cwd: inputs.workdir
@@ -98,15 +100,22 @@ actionsToolkit.run(
    const args: string[] = await context.getArgs(inputs, definition, toolkit);
    const buildCmd = await toolkit.buildx.getCommand(args);
    const buildEnv = Object.assign({}, process.env, {
      BUILDX_BAKE_GIT_AUTH_TOKEN: gitAuthToken
    }) as {
      [key: string]: string;
    };
    await core.group(`Bake definition`, async () => {
      await Exec.exec(buildCmd.command, [...buildCmd.args, '--print'], {
-        cwd: inputs.workdir
+        cwd: inputs.workdir,
        env: buildEnv
      });
    });
    await Exec.getExecOutput(buildCmd.command, buildCmd.args, {
      cwd: inputs.workdir,
      env: buildEnv,
      ignoreReturnCode: true
    }).then(res => {
      if (res.stderr.length > 0 && res.exitCode != 0) {