Merge pull request #453 from crazy-max/yarn-update

update yarn to 4.15.0
2026-06-04 17:28:40 +02:00 · 2026-05-28 18:41:14 +02:00 · 2026-05-28 15:11:47 +02:00 · 2026-05-28 10:40:54 +02:00 · 2026-05-28 08:18:46 +00:00 · 2026-05-28 08:17:51 +00:00
73 changed files with 15512 additions and 4688 deletions
@@ -1,2 +1,12 @@
 /coverage
-/node_modules
+
+# Dependency directories
+node_modules/
+jspm_packages/
+
+# yarn v2
+.yarn/cache
+.yarn/unplugged
+.yarn/build-state.yml
+.yarn/install-state.gz
+.pnp.*
@@ -1,23 +0,0 @@
-{
-  "env": {
-    "node": true,
-    "es2021": true,
-    "jest/globals": true
-  },
-  "extends": [
-    "eslint:recommended",
-    "plugin:@typescript-eslint/recommended",
-    "plugin:jest/recommended",
-    "plugin:prettier/recommended"
-  ],
-  "parser": "@typescript-eslint/parser",
-  "parserOptions": {
-    "ecmaVersion": "latest",
-    "sourceType": "module"
-  },
-  "plugins": [
-    "@typescript-eslint",
-    "jest",
-    "prettier"
-  ]
-}
@@ -1,2 +1,4 @@
+/.yarn/releases/** binary
+/.yarn/plugins/** binary
 /dist/** linguist-generated=true
 /lib/** linguist-generated=true
@@ -1 +0,0 @@
-*	@crazy-max
@@ -0,0 +1,3 @@
+# Code of conduct
+
+- [Moby community guidelines](https://github.com/moby/moby/blob/master/CONTRIBUTING.md#moby-community-guidelines)
@@ -0,0 +1,101 @@
+# https://docs.github.com/en/communities/using-templates-to-encourage-useful-issues-and-pull-requests/syntax-for-githubs-form-schema
+name: Bug Report
+description: Report a bug
+labels:
+  - status/triage
+
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thank you for taking the time to report a bug!
+        If this is a security issue please report it to the [Docker Security team](mailto:security@docker.com).
+
+  - type: checkboxes
+    attributes:
+      label: Contributing guidelines
+      description: >
+        Make sure you've read the contributing guidelines before proceeding.
+      options:
+        - label: I've read the [contributing guidelines](https://github.com/docker/bake-action/blob/master/.github/CONTRIBUTING.md) and wholeheartedly agree
+          required: true
+
+  - type: checkboxes
+    attributes:
+      label: "I've found a bug, and:"
+      description: |
+        Make sure that your request fulfills all of the following requirements.
+        If one requirement cannot be satisfied, explain in detail why.
+      options:
+        - label: The documentation does not mention anything about my problem
+        - label: There are no open or closed issues that are related to my problem
+
+  - type: textarea
+    attributes:
+      label: Description
+      description: >
+        Provide a brief description of the bug in 1-2 sentences.
+    validations:
+      required: true
+
+  - type: textarea
+    attributes:
+      label: Expected behaviour
+      description: >
+        Describe precisely what you'd expect to happen.
+    validations:
+      required: true
+
+  - type: textarea
+    attributes:
+      label: Actual behaviour
+      description: >
+        Describe precisely what is actually happening.
+    validations:
+      required: true
+
+  - type: input
+    attributes:
+      label: Repository URL
+      description: >
+        Enter the URL of the repository where you are experiencing the
+        issue. If your repository is private, provide a link to a minimal
+        repository that reproduces the issue.
+
+  - type: input
+    attributes:
+      label: Workflow run URL
+      description: >
+        Enter the URL of the GitHub Action workflow run if public (e.g.
+        `https://github.com/<user>/<repo>/actions/runs/<id>`)
+
+  - type: textarea
+    attributes:
+      label: YAML workflow
+      description: |
+        Provide the YAML of the workflow that's causing the issue.
+        Make sure to remove any sensitive information.
+      render: yaml
+    validations:
+      required: true
+
+  - type: textarea
+    attributes:
+      label: Workflow logs
+      description: >
+        [Attach](https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/attaching-files)
+        the [log file of your workflow run](https://docs.github.com/en/actions/managing-workflow-runs/using-workflow-run-logs#downloading-logs)
+        and make sure to remove any sensitive information.
+
+  - type: textarea
+    attributes:
+      label: BuildKit logs
+      description: >
+        If applicable, provide the [BuildKit container logs](https://docs.docker.com/build/ci/github-actions/configure-builder/#buildkit-container-logs)
+      render: text
+
+  - type: textarea
+    attributes:
+      label: Additional info
+      description: |
+        Provide any additional information that could be useful.
@@ -1,34 +0,0 @@
---
-name: Bug report
-about: Create a report to help us improve
---
-
-### Behaviour
-
-#### Steps to reproduce this issue
-
-1.
-2.
-3.
-
-#### Expected behaviour
-
-> Tell us what should happen
-
-#### Actual behaviour
-
-> Tell us what happens instead
-
-### Configuration
-
-* Repository URL (if public): 
-* Build URL (if public): 
-
-```yml
-# paste your YAML workflow file here and remove sensitive data
-```
-
-### Logs
-
-> Download the [log file of your build](https://docs.github.com/en/actions/managing-workflow-runs/using-workflow-run-logs#downloading-logs)
-> and [attach it](https://docs.github.com/en/github/managing-your-work-on-github/file-attachments-on-issues-and-pull-requests) to this issue.
@@ -0,0 +1,9 @@
+# https://docs.github.com/en/communities/using-templates-to-encourage-useful-issues-and-pull-requests/configuring-issue-templates-for-your-repository#configuring-the-template-chooser
+blank_issues_enabled: true
+contact_links:
+  - name: Questions and Discussions
+    url: https://github.com/docker/bake-action/discussions/new
+    about: Use Github Discussions to ask questions and/or open discussion topics.
+  - name: Documentation
+    url: https://docs.docker.com/build/ci/github-actions/
+    about: Read the documentation.
@@ -0,0 +1,15 @@
+# https://docs.github.com/en/communities/using-templates-to-encourage-useful-issues-and-pull-requests/syntax-for-githubs-form-schema
+name: Feature request
+description: Missing functionality? Come tell us about it!
+labels:
+  - kind/enhancement
+  - status/triage
+
+body:
+  - type: textarea
+    id: description
+    attributes:
+      label: Description
+      description: What is the feature you want to see?
+    validations:
+      required: true
@@ -0,0 +1,12 @@
+# Reporting security issues
+
+The project maintainers take security seriously. If you discover a security
+issue, please bring it to their attention right away!
+
+**Please _DO NOT_ file a public issue**, instead send your report privately to
+[security@docker.com](mailto:security@docker.com).
+
+Security reports are greatly appreciated, and we will publicly thank you for it.
+We also like to send gifts&mdash;if you'd like Docker swag, make sure to let
+us know. We currently do not offer a paid security bounty program, but are not
+ruling it out in the future.
@@ -1,31 +0,0 @@
-# Support [![](https://isitmaintained.com/badge/resolution/docker/bake-action.svg)](https://isitmaintained.com/project/docker/bake-action)
-
-First, [be a good guy](https://github.com/kossnocorp/etiquette/blob/master/README.md).
-
-## Reporting an issue
-
-Please do a search in [open issues](https://github.com/docker/bake-action/issues?utf8=%E2%9C%93&q=) to see if the issue or feature request has already been filed.
-
-If you find your issue already exists, make relevant comments and add your [reaction](https://github.com/blog/2119-add-reactions-to-pull-requests-issues-and-comments). Use a reaction in place of a "+1" comment.
-
-:+1: - upvote
-
-:-1: - downvote
-
-If you cannot find an existing issue that describes your bug or feature, submit an issue using the guidelines below.
-
-## Writing good bug reports and feature requests
-
-File a single issue per problem and feature request.
-
-* Do not enumerate multiple bugs or feature requests in the same issue.
-* Do not add your issue as a comment to an existing issue unless it's for the identical input. Many issues look similar, but have different causes.
-
-The more information you can provide, the more likely someone will be successful reproducing the issue and finding a fix.
-
-You are now ready to [create a new issue](https://github.com/docker/bake-action/issues/new/choose)!
-
-## Closure policy
-
-* Issues that don't have the information requested above (when applicable) will be closed immediately and the poster directed to the support guidelines.
-* Issues that go a week without a response from original poster are subject to closure at our discretion.
@@ -1,9 +1,17 @@
 version: 2
 updates:
  - package-ecosystem: "github-actions"
-    directory: "/"
+    directories:
+      - "/"
+      - "/subaction/matrix"
    schedule:
      interval: "daily"
+    cooldown:
+      default-days: 2
+    groups:
+      crazy-max-dot-github:
+        patterns:
+          - "crazy-max/.github/*"
    labels:
      - "dependencies"
      - "bot"
@@ -11,6 +19,11 @@ updates:
    directory: "/"
    schedule:
      interval: "daily"
+    cooldown:
+      default-days: 2
+      exclude:
+        - "@docker/actions-toolkit"
+    versioning-strategy: "increase"
    allow:
      - dependency-type: "production"
    labels:
@@ -0,0 +1,89 @@
+name: ci-subaction
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 10 * * *'
+  push:
+    branches:
+      - 'master'
+      - 'releases/v*'
+    tags:
+      - 'v*'
+    paths:
+      - '.github/workflows/ci-subaction.yml'
+      - 'subaction/**'
+      - 'test/**'
+  pull_request:
+    paths:
+      - '.github/workflows/ci-subaction.yml'
+      - 'subaction/**'
+      - 'test/**'
+
+jobs:
+  matrix:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          -
+            testdir: group
+            expected: >
+              [{"target":"t1"},{"target":"t2"}]
+          -
+            testdir: group-matrix
+            target: validate
+            expected: >
+              [{"target":"lint-default"},{"target":"lint-labs"},{"target":"lint-nydus"},{"target":"lint-proto"},{"target":"lint-yaml"},{"target":"validate-doctoc"},{"target":"validate-vendor"}]
+          -
+            testdir: group-with-platform
+            target: validate
+            expected: >
+              [{"target":"lint"},{"target":"lint-gopls"},{"target":"validate-docs"},{"target":"validate-vendor"}]
+          -
+            testdir: group-with-platform
+            target: validate
+            fields: platforms
+            expected: >
+              [{"target":"lint","platforms":"darwin/amd64"},{"target":"lint","platforms":"darwin/arm64"},{"target":"lint","platforms":"linux/amd64"},{"target":"lint","platforms":"linux/arm64"},{"target":"lint","platforms":"linux/s390x"},{"target":"lint","platforms":"linux/ppc64le"},{"target":"lint","platforms":"linux/riscv64"},{"target":"lint","platforms":"windows/amd64"},{"target":"lint","platforms":"windows/arm64"},{"target":"lint-gopls","platforms":"darwin/amd64"},{"target":"lint-gopls","platforms":"darwin/arm64"},{"target":"lint-gopls","platforms":"linux/amd64"},{"target":"lint-gopls","platforms":"linux/arm64"},{"target":"lint-gopls","platforms":"linux/s390x"},{"target":"lint-gopls","platforms":"linux/ppc64le"},{"target":"lint-gopls","platforms":"linux/riscv64"},{"target":"lint-gopls","platforms":"windows/amd64"},{"target":"lint-gopls","platforms":"windows/arm64"},{"target":"validate-docs"},{"target":"validate-vendor"}]
+          -
+            testdir: group-with-platform
+            target: validate
+            fields: platforms,dockerfile
+            expected: >
+               [{"target":"lint","dockerfile":"./hack/dockerfiles/lint.Dockerfile"},{"target":"lint","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"darwin/amd64"},{"target":"lint","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"darwin/arm64"},{"target":"lint","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"linux/amd64"},{"target":"lint","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"linux/arm64"},{"target":"lint","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"linux/s390x"},{"target":"lint","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"linux/ppc64le"},{"target":"lint","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"linux/riscv64"},{"target":"lint","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"windows/amd64"},{"target":"lint","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"windows/arm64"},{"target":"lint-gopls","dockerfile":"./hack/dockerfiles/lint.Dockerfile"},{"target":"lint-gopls","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"darwin/amd64"},{"target":"lint-gopls","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"darwin/arm64"},{"target":"lint-gopls","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"linux/amd64"},{"target":"lint-gopls","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"linux/arm64"},{"target":"lint-gopls","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"linux/s390x"},{"target":"lint-gopls","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"linux/ppc64le"},{"target":"lint-gopls","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"linux/riscv64"},{"target":"lint-gopls","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"windows/amd64"},{"target":"lint-gopls","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"windows/arm64"},{"target":"validate-docs","dockerfile":"./hack/dockerfiles/docs.Dockerfile"},{"target":"validate-vendor","dockerfile":"./hack/dockerfiles/vendor.Dockerfile"}]
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Matrix gen
+        id: gen
+        uses: ./subaction/matrix
+        with:
+          workdir: ./test/${{ matrix.testdir }}
+          target: ${{ matrix.target }}
+          fields: ${{ matrix.fields }}
+      -
+        name: Check output
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        env:
+          INPUT_MATRIX: ${{ steps.gen.outputs.matrix }}
+          INPUT_EXPECTED: ${{ matrix.expected }}
+        with:
+          script: |
+            const matrix = JSON.stringify(JSON.parse(core.getInput('matrix')));
+            const expected = JSON.stringify(JSON.parse(core.getInput('expected')));
+            if (matrix !== expected) {
+              throw new Error(`Matrix do not match expected values: ${matrix} != ${expected}`);
+            } else {
+              core.info(`✅`);
+            }
@@ -1,18 +1,42 @@
 name: ci

+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 on:
+  workflow_dispatch:
+    inputs:
+      buildx-version:
+        description: 'Buildx version or Git context'
+        default: 'latest'
+        required: false
+      buildkit-image:
+        description: 'BuildKit image'
+        default: 'moby/buildkit:buildx-stable-1'
+        required: false
  schedule:
-    - cron: '0 10 * * *' # everyday at 10am
+    - cron: '0 10 * * *'
  push:
    branches:
      - 'master'
      - 'releases/v*'
    tags:
      - 'v*'
+    paths-ignore:
+      - '.github/workflows/ci-subaction.yml'
+      - 'subaction/**'
  pull_request:
-    branches:
-      - 'master'
-      - 'releases/v*'
+    paths-ignore:
+      - '.github/workflows/ci-subaction.yml'
+      - 'subaction/**'
+
+env:
+  BUILDX_VERSION: edge
+  BUILDKIT_IMAGE: moby/buildkit:latest

 jobs:
  bake:
@@ -25,26 +49,30 @@ jobs:
          - release
    services:
      registry:
-        image: registry:2
+        image: registry:2.8.3@sha256:a3d8aaa63ed8681a604f1dea0aa03f100d5895b6a58ace528858a7b332415373
        ports:
          - 5000:5000
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
      -
        name: Set up Docker Buildx
        id: buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
        with:
-          driver-opts: network=host
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+            network=host
      -
        name: Build and push
        uses: ./
        with:
+          source: .
          builder: ${{ steps.buildx.outputs.name }}
          files: |
            ./test/config.hcl
@@ -57,12 +85,13 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Build
        continue-on-error: true
        uses: ./
        with:
+          source: .
          files: |
            ./test/config.hcl
          set: |
@@ -73,23 +102,44 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Stop docker
        run: |
-          sudo systemctl stop docker
+          sudo systemctl stop docker docker.socket
      -
        name: Build
        id: bake
        continue-on-error: true
        uses: ./
        with:
+          source: .
          files: |
            ./test/config.hcl
      -
        name: Check
        run: |
-          echo "${{ toJson(steps.bake) }}"
+          if [ "${{ steps.bake.outcome }}" != "failure" ] || [ "${{ steps.bake.conclusion }}" != "success" ]; then
+            echo "::error::Should have failed"
+            exit 1
+          fi
+
+  error-source:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Build
+        id: bake
+        continue-on-error: true
+        uses: ./
+        with:
+          source: ./does-not-exist
+      -
+        name: Check
+        run: |
          if [ "${{ steps.bake.outcome }}" != "failure" ] || [ "${{ steps.bake.conclusion }}" != "success" ]; then
            echo "::error::Should have failed"
            exit 1
@@ -100,14 +150,298 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
-        name: Uninstall moby cli
+        name: Uninstall docker cli
        run: |
-          sudo apt-get purge -y moby-cli moby-buildx
+          if dpkg -s "docker-ce" >/dev/null 2>&1; then
+            sudo dpkg -r --force-depends docker-ce-cli docker-buildx-plugin
+          else
+            sudo apt-get purge -y moby-cli moby-buildx
+          fi
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          source: .
+          files: |
+            ./test/config.hcl
+
+  remote:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Build
+        uses: ./
+        with:
+          source: https://github.com/docker/buildx.git#v0.8.2
+          targets: update-docs
+
+  provenance:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        attrs:
+          - ''
+          - mode=max
+          - builder-id=foo
+          - false
+          - true
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            network=host
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          source: ./test/go
+          targets: binary
+          provenance: ${{ matrix.attrs }}
+          set: |
+            *.output=type=oci,dest=/tmp/build.tar
+            *.cache-from=type=gha,scope=provenance
+            *.cache-to=type=gha,scope=provenance,mode=max
+
+  sbom:
+    runs-on: ubuntu-latest
+    env:
+      DESTDIR: /tmp/bake-build
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - target: image
+            output: type=image,name=localhost:5000/name/app:latest,push=true
+          - target: binary
+            output: /tmp/bake-build
+    services:
+      registry:
+        image: registry:2.8.3@sha256:a3d8aaa63ed8681a604f1dea0aa03f100d5895b6a58ace528858a7b332415373
+        ports:
+          - 5000:5000
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            network=host
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          source: ./test/go
+          targets: ${{ matrix.target }}
+          sbom: true
+          set: |
+            *.output=${{ matrix.output }}
+            *.cache-from=type=gha,scope=attests-${{ matrix.target }}
+            *.cache-to=type=gha,scope=attests-${{ matrix.target }},mode=max
+      -
+        name: Inspect image
+        if: matrix.target == 'image'
+        run: |
+          docker buildx imagetools inspect localhost:5000/name/app:latest --format '{{json .}}'
+      -
+        name: Check output folder
+        if: matrix.target == 'binary'
+        working-directory: ${{ env.DESTDIR }}
+        run: |
+          tree .
+      -
+        name: Print provenance
+        if: matrix.target == 'binary'
+        working-directory: ${{ env.DESTDIR }}
+        run: |
+          cat provenance.json | jq
+      -
+        name: Print SBOM
+        if: matrix.target == 'binary'
+        working-directory: ${{ env.DESTDIR }}
+        run: |
+          cat sbom.spdx.json | jq
+
+  set:
+    runs-on: ubuntu-latest
+    services:
+      registry:
+        image: registry:2.8.3@sha256:a3d8aaa63ed8681a604f1dea0aa03f100d5895b6a58ace528858a7b332415373
+        ports:
+          - 5000:5000
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Build
+        uses: ./
+        with:
+          source: ./test/go
+          set: |
+            *.platform=linux/amd64
+            *.output=type=image,"name=localhost:5000/name/app:v1.0.0,localhost:5000/name/app:latest",push=true
+            *.tags=
+
+  group:
+    runs-on: ubuntu-latest
+    services:
+      registry:
+        image: registry:2.8.3@sha256:a3d8aaa63ed8681a604f1dea0aa03f100d5895b6a58ace528858a7b332415373
+        ports:
+          - 5000:5000
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+            network=host
+      -
+        name: Build and push
+        uses: ./
+        with:
+          source: ./test/group
+          push: true
+          set: |
+            t1.tags=localhost:5000/name/app:t1
+            t2.tags=localhost:5000/name/app:t2
+
+  docker-config-malformed:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Set malformed docker config
+        run: |
+          mkdir -p ~/.docker
+          echo 'foo_bar' >> ~/.docker/config.json
+      -
+        name: Build
+        uses: ./
+        with:
+          source: .
+          files: |
+            ./test/config.hcl
+
+  proxy-docker-config:
+    runs-on: ubuntu-latest
+    services:
+      squid-proxy:
+        image: ubuntu/squid:latest@sha256:6a097f68bae708cedbabd6188d68c7e2e7a38cedd05a176e1cc0ba29e3bbe029
+        ports:
+          - 3128:3128
+    steps:
+      -
+        name: Check proxy
+        run: |
+          netstat -aptn
+          curl --retry 5 --retry-all-errors --retry-delay 0 --connect-timeout 5 --proxy http://127.0.0.1:3128 -v --insecure --head https://www.google.com
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Set proxy config
+        run: |
+          mkdir -p ~/.docker
+          echo '{"proxies":{"default":{"httpProxy":"http://127.0.0.1:3128","httpsProxy":"http://127.0.0.1:3128"}}}' > ~/.docker/config.json
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+            network=host
+          buildkitd-flags: --debug
+      -
+        name: Build
+        uses: ./
+        with:
+          source: .
+          files: |
+            ./test/config.hcl
+          targets: app-proxy
+
+  proxy-buildkitd:
+    runs-on: ubuntu-latest
+    services:
+      squid-proxy:
+        image: ubuntu/squid:latest@sha256:6a097f68bae708cedbabd6188d68c7e2e7a38cedd05a176e1cc0ba29e3bbe029
+        ports:
+          - 3128:3128
+    steps:
+      -
+        name: Check proxy
+        run: |
+          netstat -aptn
+          curl --retry 5 --retry-all-errors --retry-delay 0 --connect-timeout 5 --proxy http://127.0.0.1:3128 -v --insecure --head https://www.google.com
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+            network=host
+            env.http_proxy=http://127.0.0.1:3128
+            env.https_proxy=http://127.0.0.1:3128
+          buildkitd-flags: --debug
+      -
+        name: Build
+        uses: ./
+        with:
+          source: .
+          files: |
+            ./test/config.hcl
+
+  git-context:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
      -
        name: Build
        uses: ./
@@ -115,15 +449,454 @@ jobs:
          files: |
            ./test/config.hcl

-  source:
+  git-context-query:
    runs-on: ubuntu-latest
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
+        with:
+          version: v0.33.0
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
      -
        name: Build
        uses: ./
        with:
-          source: https://github.com/docker/buildx.git#v0.8.2
-          targets: update-docs
+          files: |
+            ./test/config.hcl
+        env:
+          BUILDX_SEND_GIT_QUERY_AS_INPUT: true
+
+  git-context-and-local:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Docker meta
+        id: meta
+        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
+      -
+        name: Build
+        uses: ./
+        with:
+          files: |
+            ./test/config.hcl
+            cwd://${{ steps.meta.outputs.bake-file }}
+
+  multi-output:
+    runs-on: ubuntu-latest
+    services:
+      registry:
+        image: registry:2.8.3@sha256:a3d8aaa63ed8681a604f1dea0aa03f100d5895b6a58ace528858a7b332415373
+        ports:
+          - 5000:5000
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            network=host
+      -
+        name: Build and push
+        uses: ./
+        with:
+          source: ./test/go
+          set: |
+            *.output=type=image,name=localhost:5000/name/app:latest,push=true
+            *.output=type=docker,name=app:local
+            *.output=type=oci,dest=/tmp/oci.tar
+      -
+        name: Check registry
+        run: |
+          docker buildx imagetools inspect localhost:5000/name/app:latest --format '{{json .}}'
+      -
+        name: Check docker
+        run: |
+          docker image inspect app:local
+      -
+        name: Check oci
+        run: |
+          set -ex
+          mkdir -p /tmp/oci-out
+          tar xf /tmp/oci.tar -C /tmp/oci-out
+          tree -nh /tmp/oci-out
+
+  load-and-push:
+    runs-on: ubuntu-latest
+    services:
+      registry:
+        image: registry:2.8.3@sha256:a3d8aaa63ed8681a604f1dea0aa03f100d5895b6a58ace528858a7b332415373
+        ports:
+          - 5000:5000
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            network=host
+      -
+        name: Build and push
+        uses: ./
+        with:
+          source: ./test/go
+          targets: image
+          load: true
+          push: true
+          set: |
+            *.tags=localhost:5000/name/app:latest
+      -
+        name: Check registry
+        run: |
+          docker buildx imagetools inspect localhost:5000/name/app:latest --format '{{json .}}'
+      -
+        name: Check docker
+        run: |
+          docker image inspect localhost:5000/name/app:latest
+
+  summary-disable:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          files: |
+            ./test/config.hcl
+          targets: app
+        env:
+          DOCKER_BUILD_SUMMARY: false
+
+  summary-not-supported:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
+        with:
+          version: v0.12.1
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          files: |
+            ./test/config.hcl
+          targets: app
+
+  record-upload-disable:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          files: |
+            ./test/config.hcl
+          targets: app
+        env:
+          DOCKER_BUILD_RECORD_UPLOAD: false
+
+  record-retention-days:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        days:
+          - 2
+          - 0
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          files: |
+            ./test/config.hcl
+          targets: app
+        env:
+          DOCKER_BUILD_RECORD_RETENTION_DAYS: ${{ matrix.days }}
+
+  checks:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        buildx-version:
+          - edge
+          - v0.14.1
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
+        with:
+          version: ${{ matrix.buildx-version }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          source: ./test
+          files: |
+            ./lint.hcl
+
+  annotations-disabled:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          source: ./test
+          files: |
+            ./lint.hcl
+        env:
+          DOCKER_BUILD_CHECKS_ANNOTATIONS: false
+
+  allow:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        buildx-version:
+          - edge
+          - v0.19.0
+          - v0.18.0
+          - v0.17.1
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
+        with:
+          version: ${{ matrix.buildx-version }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          files: |
+            ./test/config.hcl
+          allow: network.host
+          targets: app-entitlements
+
+  no-default-attestations:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Build
+        uses: ./
+        with:
+          source: .
+          files: |
+            ./test/config.hcl
+        env:
+          BUILDX_NO_DEFAULT_ATTESTATIONS: 1
+
+  call-check:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        id: bake
+        continue-on-error: true
+        uses: ./
+        with:
+          source: ./test
+          files: |
+            ./lint.hcl
+          call: check
+          targets: lint
+      -
+        name: Check
+        run: |
+          if [ "${{ steps.bake.outcome }}" != "failure" ] || [ "${{ steps.bake.conclusion }}" != "success" ]; then
+            echo "::error::Should have failed"
+            exit 1
+          fi
+
+  call-check-multi:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        id: bake
+        continue-on-error: true
+        uses: ./
+        with:
+          source: ./test
+          files: |
+            ./lint.hcl
+          call: check
+      -
+        name: Check
+        run: |
+          if [ "${{ steps.bake.outcome }}" != "failure" ] || [ "${{ steps.bake.conclusion }}" != "success" ]; then
+            echo "::error::Should have failed"
+            exit 1
+          fi
+
+  call-check-nowarning:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        id: bake
+        continue-on-error: true
+        uses: ./
+        with:
+          source: .
+          files: |
+            ./test/config.hcl
+          call: check
+
+  attest-override:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build and push
+        uses: ./
+        with:
+          source: ./test/attest
+
+  var:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          source: ./test/go
+          targets: binary
+          vars: |
+            DESTDIR=/tmp/build
+      -
+        name: Check output folder
+        working-directory: /tmp/build
+        run: |
+          tree .
@@ -0,0 +1,46 @@
+name: codeql
+
+permissions:
+  contents: read
+
+on:
+  push:
+    branches:
+      - 'master'
+      - 'releases/v*'
+  pull_request:
+
+env:
+  NODE_VERSION: "24"
+
+jobs:
+  analyze:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Enable corepack
+        run: |
+          corepack enable
+          yarn --version
+      -
+        name: Set up Node
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+      -
+        name: Initialize CodeQL
+        uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
+        with:
+          languages: javascript-typescript
+          build-mode: none
+      -
+        name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
+        with:
+          category: "/language:javascript-typescript"
@@ -0,0 +1,17 @@
+name: pr-assign-author
+
+permissions:
+  contents: read
+
+on:
+  pull_request_target: # zizmor: ignore[dangerous-triggers] safe to use without checkout
+    types:
+      - opened
+      - reopened
+
+jobs:
+  run:
+    uses: crazy-max/.github/.github/workflows/pr-assign-author.yml@9ba6e6f9450baf3b1237f8035c1fdc45932510bd # v1.8.0
+    permissions:
+      contents: read
+      pull-requests: write
@@ -0,0 +1,28 @@
+name: publish
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+on:
+  release:
+    types:
+      - published
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Publish
+        uses: actions/publish-immutable-action@4bc8754ffc40f27910afb20287dbbbb675a4e978 # v0.0.4
@@ -1,14 +1,24 @@
 name: test

+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 on:
  push:
    branches:
      - 'master'
      - 'releases/v*'
+    paths-ignore:
+      - '.github/workflows/ci-subaction.yml'
+      - 'subaction/**'
  pull_request:
-    branches:
-      - 'master'
-      - 'releases/v*'
+    paths-ignore:
+      - '.github/workflows/ci-subaction.yml'
+      - 'subaction/**'

 jobs:
  test:
@@ -16,14 +26,16 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Test
-        uses: docker/bake-action@v2
+        uses: docker/bake-action@6614cfa25eff9a0b2b2697efb0b6159e7680d584 # v7.2.0
        with:
+          source: .
          targets: test
      -
        name: Upload coverage
-        uses: codecov/codecov-action@v3
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
        with:
-          file: ./coverage/clover.xml
+          files: ./coverage/clover.xml
+          token: ${{ secrets.CODECOV_TOKEN }}
@@ -0,0 +1,58 @@
+name: update-dist
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+on:
+  pull_request:
+    types:
+      - opened
+      - synchronize
+
+jobs:
+  update-dist:
+    if: github.actor == 'dependabot[bot]' && github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == github.event.pull_request.head.repo.full_name
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: GitHub auth token from GitHub App
+        id: docker-read-app
+        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+        with:
+          app-id: ${{ secrets.GHACTIONS_REPO_WRITE_APP_ID }}
+          private-key: ${{ secrets.GHACTIONS_REPO_WRITE_APP_PRIVATE_KEY }}
+          owner: docker
+          repositories: bake-action
+          permission-contents: write
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          ref: ${{ github.event.pull_request.head.ref }}
+          fetch-depth: 0
+          token: ${{ steps.docker-read-app.outputs.token }}
+      -
+        name: Build
+        uses: docker/bake-action@6614cfa25eff9a0b2b2697efb0b6159e7680d584 # v7.2.0
+        with:
+          source: .
+          targets: build
+      -
+        name: Commit and push dist
+        run: |
+          if [ -n "$(git status --porcelain -- dist)" ]; then
+            (
+              set -x
+              git config user.name "github-actions[bot]"
+              git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+              git add dist
+              git commit -m "chore: update generated content"
+              git push
+            )
+          else
+            echo "No changes in dist"
+          fi
@@ -1,24 +1,46 @@
 name: validate

+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 on:
  push:
    branches:
      - 'master'
      - 'releases/v*'
  pull_request:
-    branches:
-      - 'master'
-      - 'releases/v*'

 jobs:
-  validate:
+  prepare:
    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.generate.outputs.matrix }}
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: List targets
+        id: generate
+        uses: ./subaction/matrix
+        with:
+          target: validate
+
+  validate:
+    runs-on: ubuntu-latest
+    needs:
+      - prepare
+    strategy:
+      fail-fast: false
+      matrix:
+        include: ${{ fromJson(needs.prepare.outputs.matrix) }}
+    steps:
      -
        name: Validate
-        uses: docker/bake-action@v2
+        uses: docker/bake-action@6614cfa25eff9a0b2b2697efb0b6159e7680d584 # v7.2.0
        with:
-          targets: validate
+          targets: ${{ matrix.target }}
@@ -0,0 +1,29 @@
+name: zizmor
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - 'master'
+      - 'releases/v*'
+    tags:
+      - 'v*'
+  pull_request:
+
+jobs:
+  zizmor:
+    uses: crazy-max/.github/.github/workflows/zizmor.yml@9ba6e6f9450baf3b1237f8035c1fdc45932510bd # v1.8.0
+    permissions:
+      contents: read
+      security-events: write
+    with:
+      min-severity: medium
+      min-confidence: medium
+      persona: pedantic
@@ -1,12 +1,5 @@
-/.dev
-node_modules
-lib
+# https://raw.githubusercontent.com/github/gitignore/main/Node.gitignore

-# Jetbrains
-/.idea
-/*.iml
-
-# Rest of the file pulled from https://github.com/github/gitignore/blob/master/Node.gitignore
 # Logs
 logs
 *.log
@@ -14,6 +7,7 @@ npm-debug.log*
 yarn-debug.log*
 yarn-error.log*
 lerna-debug.log*
+.pnpm-debug.log*

 # Diagnostic reports (https://nodejs.org/api/report.html)
 report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json
@@ -24,34 +18,14 @@ pids
 *.seed
 *.pid.lock

-# Directory for instrumented libs generated by jscoverage/JSCover
-lib-cov
-
 # Coverage directory used by tools like istanbul
 coverage
 *.lcov

-# nyc test coverage
-.nyc_output
-
-# Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files)
-.grunt
-
-# Bower dependency directory (https://bower.io/)
-bower_components
-
-# node-waf configuration
-.lock-wscript
-
-# Compiled binary addons (https://nodejs.org/api/addons.html)
-build/Release
-
 # Dependency directories
+node_modules/
 jspm_packages/

-# TypeScript v1 declaration files
-typings/
-
 # TypeScript cache
 *.tsbuildinfo

@@ -61,36 +35,19 @@ typings/
 # Optional eslint cache
 .eslintcache

-# Optional REPL history
-.node_repl_history
-
-# Output of 'npm pack'
-*.tgz
-
 # Yarn Integrity file
 .yarn-integrity

-# dotenv environment variables file
+# dotenv environment variable files
 .env
-.env.test
+.env.development.local
+.env.test.local
+.env.production.local
+.env.local

-# parcel-bundler cache (https://parceljs.org/)
-.cache
-
-# next.js build output
-.next
-
-# nuxt.js build output
-.nuxt
-
-# vuepress build output
-.vuepress/dist
-
-# Serverless directories
-.serverless/
-
-# FuseBox cache
-.fusebox/
-
-# DynamoDB Local files
-.dynamodb/
+# yarn v2
+.yarn/cache
+.yarn/unplugged
+.yarn/build-state.yml
+.yarn/install-state.gz
+.pnp.*
@@ -0,0 +1,6 @@
+# Dependency directories
+node_modules/
+jspm_packages/
+
+# yarn v2
+.yarn/
@@ -6,6 +6,5 @@
  "singleQuote": true,
  "trailingComma": "none",
  "bracketSpacing": false,
-  "arrowParens": "avoid",
-  "parser": "typescript"
+  "arrowParens": "avoid"
 }
@@ -0,0 +1,21 @@
+# https://yarnpkg.com/configuration/yarnrc
+
+nodeLinker: node-modules
+
+logFilters:
+  - code: YN0004
+    level: discard
+  - code: YN0013
+    level: discard
+  - code: YN0019
+    level: discard
+  - code: YN0076
+    level: discard
+  - code: YN0086
+    level: discard
+
+compressionLevel: mixed
+enableGlobalCache: false
+enableHardenedMode: true
+enableScripts: false
+npmMinimalAgeGate: 2d
@@ -1,15 +1,9 @@
 [![GitHub release](https://img.shields.io/github/release/docker/bake-action.svg?style=flat-square)](https://github.com/docker/bake-action/releases/latest)
 [![GitHub marketplace](https://img.shields.io/badge/marketplace-docker--buildx--bake-blue?logo=github&style=flat-square)](https://github.com/marketplace/actions/docker-buildx-bake)
-[![Test workflow](https://img.shields.io/github/workflow/status/docker/bake-action/test?label=test&logo=github&style=flat-square)](https://github.com/docker/bake-action/actions?workflow=test)
+[![CI workflow](https://img.shields.io/github/actions/workflow/status/docker/bake-action/ci.yml?branch=master&label=ci&logo=github&style=flat-square)](https://github.com/docker/bake-action/actions?workflow=ci)
+[![Test workflow](https://img.shields.io/github/actions/workflow/status/docker/bake-action/test.yml?branch=master&label=test&logo=github&style=flat-square)](https://github.com/docker/bake-action/actions?workflow=test)
 [![Codecov](https://img.shields.io/codecov/c/github/docker/bake-action?logo=codecov&style=flat-square)](https://codecov.io/gh/docker/bake-action)

-## :test_tube: Experimental
-
-This repository is considered **EXPERIMENTAL** and under active development
-until further notice. It is subject to non-backward compatible changes or
-removal in any future version, so you should [pin to a specific tag/commit](https://docs.github.com/en/actions/creating-actions/about-actions#using-tags-for-release-management)
-of this action in your workflow (i.e `docker/bake-action@v1.1.3`).
-
 ## About

 GitHub Action to use Docker [Buildx Bake](https://docs.docker.com/build/customize/bake/)
@@ -20,20 +14,110 @@ as a high-level build command.
 ___

 * [Usage](#usage)
+  * [Git context](#git-context)
+  * [Path context](#path-context)
+* [Summaries](#summaries)
 * [Customizing](#customizing)
  * [inputs](#inputs)
  * [outputs](#outputs)
+  * [environment variables](#environment-variables)
+* [Subactions](#subactions)
+  * [`matrix`](subaction/matrix)
+* [Notes](#notes)
+  * [Source semantics](#source-semantics)
 * [Contributing](#contributing)

 ## Usage

+### Git context
+
+Since `v6` this action uses the [Git context](https://docs.docker.com/build/bake/remote-definition/)
+to build from a remote bake definition by default like the [build-push-action](https://github.com/docker/build-push-action)
+does. This means that you don't need to use the [`actions/checkout`](https://github.com/actions/checkout/)
+action to check out the repository as [BuildKit](https://docs.docker.com/build/buildkit/)
+will do this directly.
+
+The git reference will be based on the [event that triggered your workflow](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows)
+and will result in the following context: `https://github.com/<owner>/<repo>.git#<ref>`.
+
+```yaml
+name: ci
+
+on:
+  push:
+
+jobs:
+  bake:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Login to DockerHub
+        uses: docker/login-action@v4
+        with:
+          username: ${{ vars.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v4
+      -
+        name: Build and push
+        uses: docker/bake-action@v7
+        with:
+          push: true
+          set: |
+            *.tags=user/app:latest
+```
+
+Be careful because **any file mutation in the steps that precede the build step
+will be ignored, including processing of the `.dockerignore` file** since
+the context is based on the Git reference. However, you can use the
+[Path context](#path-context) using the [`source` input](#inputs) alongside
+the [`actions/checkout`](https://github.com/actions/checkout/) action to remove
+this restriction.
+
+Default Git context can also be provided using the [Handlebars template](https://handlebarsjs.com/guide/)
+expression `{{defaultContext}}`. Here we can use it to provide a subdirectory
+to the default Git context:
+
+```yaml
+      -
+        name: Build and push
+        uses: docker/bake-action@v7
+        with:
+          source: "{{defaultContext}}:mysubdir"
+          push: true
+          set: |
+            *.tags=user/app:latest
+```
+
+Building from the current repository automatically uses the `GITHUB_TOKEN`
+secret that GitHub [automatically creates for workflows](https://docs.github.com/en/actions/security-guides/automatic-token-authentication),
+so you don't need to pass that manually. If you want to authenticate against
+another private repository for remote definitions, you can set the
+[`BUILDX_BAKE_GIT_AUTH_TOKEN` environment variable](https://docs.docker.com/build/building/variables/#buildx_bake_git_auth_token).
+
+> [!NOTE]
+> Supported since Buildx 0.14.0
+
+```yaml
+      -
+        name: Build and push
+        uses: docker/bake-action@v7
+        with:
+          push: true
+          set: |
+            *.tags=user/app:latest
+        env:
+          BUILDX_BAKE_GIT_AUTH_TOKEN: ${{ secrets.MYTOKEN }}
+```
+
+### Path context
+
 ```yaml
 name: ci

 on:
  push:
-    branches:
-      - 'master'

 jobs:
  bake:
@@ -41,28 +125,89 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v3
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: actions/checkout@v6
      -
        name: Login to DockerHub
-        uses: docker/login-action@v2
+        uses: docker/login-action@v4
        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          username: ${{ vars.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v4
      -
        name: Build and push
-        uses: docker/bake-action@v2
+        uses: docker/bake-action@v7
        with:
+          source: .
          push: true
+          set: |
+            *.tags=user/app:latest
 ```

+If you point `source` to a subdirectory, relative paths are resolved from that
+subdirectory:
+
+```yaml
+      -
+        name: Build and push
+        uses: docker/bake-action@v7
+        with:
+          source: ./subdir
+          files: ./docker-bake.hcl
+```
+
+For example, if `./subdir/docker-bake.hcl` contains:
+
+```hcl
+target "default" {
+  output = ["type=local,dest=./artifacts"]
+}
+```
+
+The output will be written to `./subdir/artifacts` in the workspace.
+
+> [!NOTE]
+> More info about `source` semantics in the [Source semantics](#source-semantics) section.
+
+## Summaries
+
+This action generates a [job summary](https://github.blog/2022-05-09-supercharging-github-actions-with-job-summaries/)
+that provides a detailed overview of the build execution. The summary shows an
+overview of all the steps executed during the build, including the build
+inputs, bake definition, and eventual errors.
+
+![build-push-action job summary](./.github/bake-summary.png)
+
+The summary also includes a link for downloading a build record archive with
+additional details about the build execution for all the bake targets,
+including build stats, logs, outputs, and more. The build record can be
+imported to Docker Desktop for inspecting the build in greater detail.
+
+> [!WARNING]
+>
+> If you're using the [`actions/download-artifact`](https://github.com/actions/download-artifact)
+> action in your workflow, you need to ignore the build record artifacts
+> if `name` and `pattern` inputs are not specified ([defaults to download all artifacts](https://github.com/actions/download-artifact?tab=readme-ov-file#download-all-artifacts) of the workflow),
+> otherwise the action will fail:
+> ```yaml
+> - uses: actions/download-artifact@v4
+>   with:
+>     pattern: "!*.dockerbuild"
+> ```
+> More info: https://github.com/actions/toolkit/pull/1874
+
+Summaries are enabled by default, but can be disabled with the
+`DOCKER_BUILD_SUMMARY` [environment variable](#environment-variables).
+
+For more information about summaries, refer to the
+[documentation](https://docs.docker.com/go/build-summary/).
+
 ## Customizing

 ### inputs

-Following inputs can be used as `step.with` keys
+The following inputs can be used as `step.with` keys

 > `List` type is a newline-delimited string
 > ```yaml
@@ -79,27 +224,62 @@ Following inputs can be used as `step.with` keys
 > targets: default,release
 > ```

-| Name       | Type     | Description                                                                                                                                 |
-|------------|----------|---------------------------------------------------------------------------------------------------------------------------------------------|
-| `builder`  | String   | Builder instance (see [setup-buildx](https://github.com/docker/setup-buildx-action) action)                                                 |
-| `files`    | List/CSV | List of [bake definition files](https://docs.docker.com/build/customize/bake/file-definition/)                                              |
-| `workdir`  | String   | Working directory of execution                                                                                                              |
-| `targets`  | List/CSV | List of bake targets (`default` target used if empty)                                                                                       |
-| `no-cache` | Bool     | Do not use cache when building the image (default `false`)                                                                                  |
-| `pull`     | Bool     | Always attempt to pull a newer version of the image (default `false`)                                                                       |
-| `load`     | Bool     | Load is a shorthand for `--set=*.output=type=docker` (default `false`)                                                                      |
-| `push`     | Bool     | Push is a shorthand for `--set=*.output=type=registry` (default `false`)                                                                    |
-| `set`      | List     | List of [targets values to override](https://docs.docker.com/engine/reference/commandline/buildx_bake/#set) (eg: `targetpattern.key=value`) |
-| `source`   | String   | [Remote bake definition](https://docs.docker.com/build/customize/bake/file-definition/#remote-definition) to build from                     |
+| Name           | Type        | Description                                                                                                                                                                                                                                                            |
+|----------------|-------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `builder`      | String      | Builder instance (see [setup-buildx](https://github.com/docker/setup-buildx-action) action)                                                                                                                                                                            |
+| `allow`        | List/CSV    | Allow build to access specified resources (e.g., `network.host`)                                                                                                                                                                                                       |
+| `call`         | String      | Set method for evaluating build (e.g., check)                                                                                                                                                                                                                          |
+| `files`        | List/CSV    | List of [bake definition files](https://docs.docker.com/build/customize/bake/file-definition/)                                                                                                                                                                         |
+| `no-cache`     | Bool        | Do not use cache when building the image (default `false`)                                                                                                                                                                                                             |
+| `pull`         | Bool        | Always attempt to pull a newer version of the image (default `false`)                                                                                                                                                                                                  |
+| `load`         | Bool        | Load is a shorthand for `--set=*.output=type=docker` (default `false`)                                                                                                                                                                                                 |
+| `provenance`   | Bool/String | [Provenance](https://docs.docker.com/build/attestations/slsa-provenance/) is a shorthand for `--set=*.attest=type=provenance`                                                                                                                                          |
+| `push`         | Bool        | Push is a shorthand for `--set=*.output=type=registry` (default `false`)                                                                                                                                                                                               |
+| `sbom`         | Bool/String | [SBOM](https://docs.docker.com/build/attestations/sbom/) is a shorthand for `--set=*.attest=type=sbom`                                                                                                                                                                 |
+| `set`          | List        | List of [targets values to override](https://docs.docker.com/engine/reference/commandline/buildx_bake/#set) (e.g., `targetpattern.key=value`)                                                                                                                          |
+| `source`       | String      | Build source to use. Supports local path and [remote bake definition](https://docs.docker.com/build/bake/remote-definition/). With a local path, Bake runs from that directory, so all relative paths are resolved from it. See [Source semantics](#source-semantics). |
+| `targets`      | List/CSV    | List of bake targets (`default` target used if empty)                                                                                                                                                                                                                  |
+| `vars`         | List        | [Variables](https://docs.docker.com/build/bake/variables/) to set in the Bake definition as list of key-value pair                                                                                                                                                     |
+| `github-token` | String      | API token used to authenticate to a Git repository for [remote definitions](https://docs.docker.com/build/bake/remote-definition/) (default `${{ github.token }}`)                                                                                                     |

 ### outputs

-Following outputs are available
+The following outputs are available

 | Name       | Type | Description           |
 |------------|------|-----------------------|
 | `metadata` | JSON | Build result metadata |

+### environment variables
+
+| Name                                 | Type   | Default | Description                                                                                                                                                                                                                                                        |
+|--------------------------------------|--------|---------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `DOCKER_BUILD_CHECKS_ANNOTATIONS`    | Bool   | `true`  | If `false`, GitHub annotations are not generated for [build checks](https://docs.docker.com/build/checks/)                                                                                                                                                         |
+| `DOCKER_BUILD_SUMMARY`               | Bool   | `true`  | If `false`, [build summary](https://docs.docker.com/build/ci/github-actions/build-summary/) generation is disabled                                                                                                                                                 |
+| `DOCKER_BUILD_RECORD_UPLOAD`         | Bool   | `true`  | If `false`, build record upload as [GitHub artifact](https://docs.github.com/en/actions/using-workflows/storing-workflow-data-as-artifacts) is disabled                                                                                                            |
+| `DOCKER_BUILD_RECORD_RETENTION_DAYS` | Number |         | Duration after which build record artifact will expire in days. Defaults to repository/org [retention settings](https://docs.github.com/en/actions/learn-github-actions/usage-limits-billing-and-administration#artifact-and-log-retention-policy) if unset or `0` |
+
+## Subactions
+
+* [`matrix`](subaction/matrix)
+
+## Notes
+
+### Source semantics
+
+`source` accepts either a Git/remote bake definition (for example `{{defaultContext}}` or `{{defaultContext}}:subdir`)
+or a local path (for example `.` or `./subdir`). When `source` is a local path,
+the action runs Bake from that directory (equivalent to `cd <path> && docker buildx bake`).
+
+This local path mode affects all relative paths resolved by Bake, not only
+target `context` fields. This includes paths used by local outputs, cache
+import/export, and `cwd://` references.
+
+| `source`                                                              | Behavior                                                                                       |
+|-----------------------------------------------------------------------|------------------------------------------------------------------------------------------------|
+| Git/remote (`{{defaultContext}}`, `https://...git#ref`, `...:subdir`) | Uses [remote bake definition](https://docs.docker.com/build/bake/remote-definition/) behavior. |
+| Local path (`.`, `./subdir`)                                          | Changes Bake working directory to that path before invoking Bake.                              |
+
 ## Contributing

 Want to contribute? Awesome! You can find information about contributing to
@@ -1,74 +0,0 @@
-import {describe, expect, it, jest, test} from '@jest/globals';
-import * as fs from 'fs';
-import * as path from 'path';
-import * as semver from 'semver';
-import * as exec from '@actions/exec';
-import * as buildx from '../src/buildx';
-import * as context from '../src/context';
-
-const tmpNameSync = path.join('/tmp/.docker-bake-jest', '.tmpname-jest').split(path.sep).join(path.posix.sep);
-const metadata = `{
-  "containerimage.config.digest": "sha256:059b68a595b22564a1cbc167af369349fdc2ecc1f7bc092c2235cbf601a795fd",
-  "containerimage.digest": "sha256:b09b9482c72371486bb2c1d2c2a2633ed1d0b8389e12c8d52b9e052725c0c83c"
-}`;
-
-jest.spyOn(context, 'tmpDir').mockImplementation((): string => {
-  const tmpDir = path.join('/tmp/.docker-bake-jest').split(path.sep).join(path.posix.sep);
-  if (!fs.existsSync(tmpDir)) {
-    fs.mkdirSync(tmpDir, {recursive: true});
-  }
-  return tmpDir;
-});
-
-jest.spyOn(context, 'tmpNameSync').mockImplementation((): string => {
-  return tmpNameSync;
-});
-
-describe('getMetadata', () => {
-  it('matches', async () => {
-    const metadataFile = await buildx.getMetadataFile();
-    await fs.writeFileSync(metadataFile, metadata);
-    const expected = await buildx.getMetadata();
-    expect(expected).toEqual(metadata);
-  });
-});
-
-describe('isAvailable', () => {
-  const execSpy = jest.spyOn(exec, 'getExecOutput');
-  buildx.isAvailable();
-
-  // eslint-disable-next-line jest/no-standalone-expect
-  expect(execSpy).toHaveBeenCalledWith(`docker`, ['buildx'], {
-    silent: true,
-    ignoreReturnCode: true
-  });
-});
-
-describe('isAvailable standalone', () => {
-  const execSpy = jest.spyOn(exec, 'getExecOutput');
-  buildx.isAvailable(true);
-
-  // eslint-disable-next-line jest/no-standalone-expect
-  expect(execSpy).toHaveBeenCalledWith(`buildx`, [], {
-    silent: true,
-    ignoreReturnCode: true
-  });
-});
-
-describe('getVersion', () => {
-  it('valid', async () => {
-    const version = await buildx.getVersion();
-    expect(semver.valid(version)).not.toBeNull();
-  }, 100000);
-});
-
-describe('parseVersion', () => {
-  test.each([
-    ['github.com/docker/buildx 0.4.1+azure bda4882a65349ca359216b135896bddc1d92461c', '0.4.1'],
-    ['github.com/docker/buildx v0.4.1 bda4882a65349ca359216b135896bddc1d92461c', '0.4.1'],
-    ['github.com/docker/buildx v0.4.2 fb7b670b764764dc4716df3eba07ffdae4cc47b2', '0.4.2'],
-    ['github.com/docker/buildx f117971 f11797113e5a9b86bd976329c5dbb8a8bfdfadfa', 'f117971']
-  ])('given %p', async (stdout, expected) => {
-    expect(buildx.parseVersion(stdout)).toEqual(expected);
-  });
-});
@@ -1,151 +1,482 @@
-import {describe, expect, it} from '@jest/globals';
-import * as context from '../src/context';
+import {afterEach, beforeEach, describe, expect, test, vi} from 'vitest';
+import * as fs from 'fs';
+import * as os from 'os';
+import * as path from 'path';

-describe('getInputList', () => {
-  it('single line correctly', async () => {
-    await setInput('foo', 'bar');
-    const res = context.getInputList('foo');
-    expect(res).toEqual(['bar']);
+import {Bake} from '@docker/actions-toolkit/lib/buildx/bake.js';
+import {Build} from '@docker/actions-toolkit/lib/buildx/build.js';
+import {Builder} from '@docker/actions-toolkit/lib/buildx/builder.js';
+import {Buildx} from '@docker/actions-toolkit/lib/buildx/buildx.js';
+import {Docker} from '@docker/actions-toolkit/lib/docker/docker.js';
+import {Toolkit} from '@docker/actions-toolkit/lib/toolkit.js';
+
+import {BakeDefinition} from '@docker/actions-toolkit/lib/types/buildx/bake.js';
+import {BuilderInfo} from '@docker/actions-toolkit/lib/types/buildx/builder.js';
+
+import * as context from '../src/context.js';
+
+const tmpDir = fs.mkdtempSync(path.join(process.env.TEMP || os.tmpdir(), 'context-'));
+const fixturesDir = path.join(__dirname, 'fixtures');
+
+vi.spyOn(Docker, 'isAvailable').mockImplementation(async (): Promise<boolean> => {
+  return true;
+});
+
+const metadataJson = path.join(tmpDir, 'metadata.json');
+vi.spyOn(Bake.prototype, 'getMetadataFilePath').mockImplementation((): string => {
+  return metadataJson;
+});
+
+type BuilderInfoFixture = Omit<BuilderInfo, 'lastActivity'> & {lastActivity: string};
+const builderInfoFixture = <BuilderInfoFixture>JSON.parse(fs.readFileSync(path.join(fixturesDir, 'builder-info.json'), {encoding: 'utf-8'}).trim());
+vi.spyOn(Builder.prototype, 'inspect').mockImplementation(async (): Promise<BuilderInfo> => {
+  return {
+    ...builderInfoFixture,
+    lastActivity: new Date(builderInfoFixture.lastActivity)
+  };
+});
+
+vi.spyOn(Bake.prototype, 'getDefinition').mockImplementation(async (): Promise<BakeDefinition> => {
+  return <BakeDefinition>JSON.parse(fs.readFileSync(path.join(fixturesDir, 'bake-def.json'), {encoding: 'utf-8'}).trim());
+});
+
+describe('getInputs', () => {
+  const originalEnv = process.env;
+
+  beforeEach(() => {
+    process.env = Object.keys(process.env).reduce((object, key) => {
+      if (!key.startsWith('INPUT_')) {
+        object[key] = process.env[key];
+      }
+      return object;
+    }, {});
  });

-  it('multiline correctly', async () => {
-    setInput('foo', 'bar\nbaz');
-    const res = context.getInputList('foo');
-    expect(res).toEqual(['bar', 'baz']);
+  afterEach(() => {
+    process.env = originalEnv;
  });

-  it('empty lines correctly', async () => {
-    setInput('foo', 'bar\n\nbaz');
-    const res = context.getInputList('foo');
-    expect(res).toEqual(['bar', 'baz']);
+  function setRequiredBooleanInputs(): void {
+    setInput('no-cache', 'false');
+    setInput('pull', 'false');
+    setInput('load', 'false');
+    setInput('push', 'false');
+  }
+
+  test('uses Build git context when source input is empty', async () => {
+    const gitContext = 'https://github.com/docker/bake-action.git?ref=refs/heads/master&checksum=0123456789abcdef';
+    const gitContextSpy = vi.spyOn(Build.prototype, 'gitContext').mockResolvedValue(gitContext);
+    setRequiredBooleanInputs();
+    const inputs = await context.getInputs();
+    expect(inputs.source).toEqual({
+      remoteRef: gitContext
+    });
+    expect(gitContextSpy).toHaveBeenCalledTimes(1);
+    gitContextSpy.mockRestore();
  });

-  it('comma correctly', async () => {
-    setInput('foo', 'bar,baz');
-    const res = context.getInputList('foo');
-    expect(res).toEqual(['bar', 'baz']);
-  });
-
-  it('empty result correctly', async () => {
-    setInput('foo', 'bar,baz,');
-    const res = context.getInputList('foo');
-    expect(res).toEqual(['bar', 'baz']);
-  });
-
-  it('different new lines correctly', async () => {
-    setInput('foo', 'bar\r\nbaz');
-    const res = context.getInputList('foo');
-    expect(res).toEqual(['bar', 'baz']);
-  });
-
-  it('different new lines and comma correctly', async () => {
-    setInput('foo', 'bar\r\nbaz,bat');
-    const res = context.getInputList('foo');
-    expect(res).toEqual(['bar', 'baz', 'bat']);
-  });
-
-  it('multiline and ignoring comma correctly', async () => {
-    setInput('cache-from', 'user/app:cache\ntype=local,src=path/to/dir');
-    const res = context.getInputList('cache-from', true);
-    expect(res).toEqual(['user/app:cache', 'type=local,src=path/to/dir']);
-  });
-
-  it('different new lines and ignoring comma correctly', async () => {
-    setInput('cache-from', 'user/app:cache\r\ntype=local,src=path/to/dir');
-    const res = context.getInputList('cache-from', true);
-    expect(res).toEqual(['user/app:cache', 'type=local,src=path/to/dir']);
-  });
-
-  it('multiline values', async () => {
-    setInput(
-      'secrets',
-      `GIT_AUTH_TOKEN=abcdefgh,ijklmno=0123456789
-"MYSECRET=aaaaaaaa
-bbbbbbb
-ccccccccc"
-FOO=bar`
-    );
-    const res = context.getInputList('secrets', true);
-    expect(res).toEqual([
-      'GIT_AUTH_TOKEN=abcdefgh,ijklmno=0123456789',
-      `MYSECRET=aaaaaaaa
-bbbbbbb
-ccccccccc`,
-      'FOO=bar'
-    ]);
-  });
-
-  it('multiline values with empty lines', async () => {
-    setInput(
-      'secrets',
-      `GIT_AUTH_TOKEN=abcdefgh,ijklmno=0123456789
-"MYSECRET=aaaaaaaa
-bbbbbbb
-ccccccccc"
-FOO=bar
-"EMPTYLINE=aaaa
-
-bbbb
-ccc"`
-    );
-    const res = context.getInputList('secrets', true);
-    expect(res).toEqual([
-      'GIT_AUTH_TOKEN=abcdefgh,ijklmno=0123456789',
-      `MYSECRET=aaaaaaaa
-bbbbbbb
-ccccccccc`,
-      'FOO=bar',
-      `EMPTYLINE=aaaa
-
-bbbb
-ccc`
-    ]);
-  });
-
-  it('multiline values without quotes', async () => {
-    setInput(
-      'secrets',
-      `GIT_AUTH_TOKEN=abcdefgh,ijklmno=0123456789
-MYSECRET=aaaaaaaa
-bbbbbbb
-ccccccccc
-FOO=bar`
-    );
-    const res = context.getInputList('secrets', true);
-    expect(res).toEqual(['GIT_AUTH_TOKEN=abcdefgh,ijklmno=0123456789', 'MYSECRET=aaaaaaaa', 'bbbbbbb', 'ccccccccc', 'FOO=bar']);
-  });
-
-  it('multiline values escape quotes', async () => {
-    setInput(
-      'secrets',
-      `GIT_AUTH_TOKEN=abcdefgh,ijklmno=0123456789
-"MYSECRET=aaaaaaaa
-bbbb""bbb
-ccccccccc"
-FOO=bar`
-    );
-    const res = context.getInputList('secrets', true);
-    expect(res).toEqual([
-      'GIT_AUTH_TOKEN=abcdefgh,ijklmno=0123456789',
-      `MYSECRET=aaaaaaaa
-bbbb"bbb
-ccccccccc`,
-      'FOO=bar'
-    ]);
+  test('renders defaultContext source templates from Build git context', async () => {
+    const gitContext = 'https://github.com/docker/bake-action.git#refs/heads/master';
+    const gitContextSpy = vi.spyOn(Build.prototype, 'gitContext').mockResolvedValue(gitContext);
+    setRequiredBooleanInputs();
+    setInput('source', '{{defaultContext}}:subdir');
+    const inputs = await context.getInputs();
+    expect(inputs.source).toEqual({
+      remoteRef: `${gitContext}:subdir`
+    });
+    expect(gitContextSpy).toHaveBeenCalledTimes(1);
+    gitContextSpy.mockRestore();
  });
 });

-describe('asyncForEach', () => {
-  it('executes async tasks sequentially', async () => {
-    const testValues = [1, 2, 3, 4, 5];
-    const results: number[] = [];
-
-    await context.asyncForEach(testValues, async value => {
-      results.push(value);
-    });
-
-    expect(results).toEqual(testValues);
+describe('getArgs', () => {
+  const originalEnv = process.env;
+  beforeEach(() => {
+    process.env = Object.keys(process.env).reduce((object, key) => {
+      if (!key.startsWith('INPUT_')) {
+        object[key] = process.env[key];
+      }
+      return object;
+    }, {});
  });
+  afterEach(() => {
+    process.env = originalEnv;
+  });
+
+  // prettier-ignore
+  test.each([
+    [
+      0,
+      '0.4.1',
+      new Map<string, string>([
+        ['source', '.'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+      ]),
+      [
+        'bake',
+      ],
+      undefined
+    ],
+    [
+      1,
+      '0.8.2',
+      new Map<string, string>([
+        ['source', '.'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false']
+      ]),
+      [
+        'bake',
+        '--metadata-file', metadataJson
+      ],
+      undefined
+    ],
+    [
+      2,
+      '0.8.2',
+      new Map<string, string>([
+        ['source', '.'],
+        ['targets', 'webapp\nvalidate'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false']
+      ]),
+      [
+        'bake',
+        '--metadata-file', metadataJson,
+        'webapp', 'validate'
+      ],
+      undefined
+    ],
+    [
+      3,
+      '0.8.2',
+      new Map<string, string>([
+        ['source', '.'],
+        ['set', '*.cache-from=type=gha\n*.cache-to=type=gha'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false']
+      ]),
+      [
+        'bake',
+        '--set', '*.cache-from=type=gha',
+        '--set', '*.cache-to=type=gha',
+        '--metadata-file', metadataJson
+      ],
+      undefined
+    ],
+    [
+      4,
+      '0.10.0',
+      new Map<string, string>([
+        ['source', '.'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+      ]),
+      [
+        'bake',
+        '--metadata-file', metadataJson,
+        '--set', `lint.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`,
+        '--set', `validate-docs.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`,
+        '--set', `validate-vendor.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`,
+      ],
+      undefined
+    ],
+    [
+      5,
+      '0.10.0',
+      new Map<string, string>([
+        ['source', '.'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+        ['provenance', 'true'],
+      ]),
+      [
+        'bake',
+        '--metadata-file', metadataJson,
+        "--provenance", `builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`
+      ],
+      undefined
+    ],
+    [
+      6,
+      '0.10.0',
+      new Map<string, string>([
+        ['source', '.'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+        ['provenance', 'mode=max'],
+      ]),
+      [
+        'bake',
+        '--metadata-file', metadataJson,
+        "--provenance", `mode=max,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`
+      ],
+      undefined
+    ],
+    [
+      7,
+      '0.10.0',
+      new Map<string, string>([
+        ['source', '.'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+        ['provenance', 'false'],
+      ]),
+      [
+        'bake',
+        '--metadata-file', metadataJson,
+        "--provenance", 'false'
+      ],
+      undefined
+    ],
+    [
+      8,
+      '0.10.0',
+      new Map<string, string>([
+        ['source', '.'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+        ['provenance', 'builder-id=foo'],
+      ]),
+      [
+        'bake',
+        '--metadata-file', metadataJson,
+        "--provenance", 'builder-id=foo'
+      ],
+      undefined
+    ],
+    [
+      9,
+      '0.10.0',
+      new Map<string, string>([
+        ['source', '.'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+        ['set', `*.platform=linux/amd64,linux/ppc64le,linux/s390x\n*.output=type=image,"name=moby/buildkit:v0.11.0,moby/buildkit:latest",push=true`],
+        ['targets', `"image-all"`],
+      ]),
+      [
+        'bake',
+        '--set', '*.platform=linux/amd64,linux/ppc64le,linux/s390x',
+        '--set', `*.output=type=image,"name=moby/buildkit:v0.11.0,moby/buildkit:latest",push=true`,
+        '--metadata-file', metadataJson,
+        '--set', `lint.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`,
+        '--set', `validate-docs.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`,
+        '--set', `validate-vendor.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`,
+        'image-all'
+      ],
+      undefined
+    ],
+    [
+      10,
+      '0.10.0',
+      new Map<string, string>([
+        ['source', '.'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+        ['set', `*.labels.foo=bar=#baz`],
+        ['targets', `"image-all"`],
+      ]),
+      [
+        'bake',
+        '--set', `*.labels.foo=bar=#baz`,
+        '--metadata-file', metadataJson,
+        '--set', `lint.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`,
+        '--set', `validate-docs.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`,
+        '--set', `validate-vendor.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`,
+        'image-all'
+      ],
+      undefined
+    ],
+    [
+      11,
+      '0.10.0',
+      new Map<string, string>([
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+        ['files', './foo.hcl'],
+      ]),
+      [
+        'bake',
+        'https://github.com/docker/bake-action.git#refs/heads/master',
+        '--file', './foo.hcl',
+        '--metadata-file', metadataJson,
+        '--set', `lint.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`,
+        '--set', `validate-docs.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`,
+        '--set', `validate-vendor.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`
+      ],
+      undefined
+    ],
+    [
+      12,
+      '0.17.0',
+      new Map<string, string>([
+        ['source', '.'],
+        ['allow', 'network.host'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+      ]),
+      [
+        'bake',
+        '--allow', 'network.host',
+        '--metadata-file', metadataJson,
+        '--set', `lint.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`,
+        '--set', `validate-docs.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`,
+        '--set', `validate-vendor.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`
+      ],
+      undefined
+    ],
+    [
+      13,
+      '0.15.0',
+      new Map<string, string>([
+        ['source', '{{defaultContext}}:subdir'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+        ['files', './foo.hcl'],
+      ]),
+      [
+        'bake',
+        'https://github.com/docker/bake-action.git#refs/heads/master:subdir',
+        '--file', './foo.hcl',
+        '--metadata-file', metadataJson,
+        '--set', `lint.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`,
+        '--set', `validate-docs.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`,
+        '--set', `validate-vendor.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`
+      ],
+      undefined
+    ],
+    [
+      14,
+      '0.15.0',
+      new Map<string, string>([
+        ['source', '.'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false']
+      ]),
+      [
+        'bake',
+        '--metadata-file', metadataJson
+      ],
+      new Map<string, string>([
+        ['BUILDX_NO_DEFAULT_ATTESTATIONS', '1']
+      ])
+    ],
+    [
+      15,
+      '0.29.0',
+      new Map<string, string>([
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+        ['files', './foo.hcl'],
+      ]),
+      [
+        'bake',
+        'https://github.com/docker/bake-action.git?ref=refs/heads/master',
+        '--allow', 'fs=*',
+        '--file', './foo.hcl',
+        '--metadata-file', metadataJson,
+        '--set', `lint.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`,
+        '--set', `validate-docs.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`,
+        '--set', `validate-vendor.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`
+      ],
+      new Map<string, string>([
+        ['BUILDX_SEND_GIT_QUERY_AS_INPUT', 'true']
+      ])
+    ],
+    [
+      16,
+      '0.28.0',
+      new Map<string, string>([
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+        ['files', './foo.hcl'],
+      ]),
+      [
+        'bake',
+        'https://github.com/docker/bake-action.git#refs/heads/master',
+        '--allow', 'fs=*',
+        '--file', './foo.hcl',
+        '--metadata-file', metadataJson,
+        '--set', `lint.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`,
+        '--set', `validate-docs.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`,
+        '--set', `validate-vendor.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`
+      ],
+      new Map<string, string>([
+        ['BUILDX_SEND_GIT_QUERY_AS_INPUT', 'true']
+      ])
+    ],
+  ])(
+    '[%d] given %o with %o as inputs, returns %o',
+    async (num: number, buildxVersion: string, inputs: Map<string, string>, expected: Array<string>, envs: Map<string, string> | undefined) => {
+      if (envs) {
+        envs.forEach((value: string, name: string) => {
+          process.env[name] = value;
+        });
+      }
+      inputs.forEach((value: string, name: string) => {
+        setInput(name, value);
+      });
+      const toolkit = new Toolkit();
+      vi.spyOn(Buildx.prototype, 'version').mockImplementation(async (): Promise<string> => {
+        return buildxVersion;
+      });
+      const inp = await context.getInputs();
+      const definition = await toolkit.buildxBake.getDefinition(
+        {
+          files: inp.files,
+          load: inp.load,
+          noCache: inp['no-cache'],
+          overrides: inp.set,
+          provenance: inp.provenance,
+          push: inp.push,
+          sbom: inp.sbom,
+          source: inp.source.remoteRef,
+          targets: inp.targets
+        },
+        {
+          cwd: inp.source.workdir,
+        }
+      );
+      const res = await context.getArgs(inp, definition, toolkit);
+      expect(res).toEqual(expected);
+    }
+  );
 });

 // See: https://github.com/actions/toolkit/blob/a1b068ec31a042ff1e10a522d8fdf0b8869d53ca/packages/core/src/core.ts#L89
@@ -1,16 +0,0 @@
-import {describe, expect, it, jest} from '@jest/globals';
-import * as docker from '../src/docker';
-import * as exec from '@actions/exec';
-
-describe('isAvailable', () => {
-  it('cli', () => {
-    const execSpy = jest.spyOn(exec, 'getExecOutput');
-    docker.isAvailable();
-
-    // eslint-disable-next-line jest/no-standalone-expect
-    expect(execSpy).toHaveBeenCalledWith(`docker`, undefined, {
-      silent: true,
-      ignoreReturnCode: true
-    });
-  });
-});
@@ -0,0 +1,55 @@
+{
+  "group": {
+    "default": {
+      "targets": [
+        "validate"
+      ]
+    },
+    "validate": {
+      "targets": [
+        "lint",
+        "validate-vendor",
+        "validate-docs"
+      ]
+    }
+  },
+  "target": {
+    "lint": {
+      "context": ".",
+      "dockerfile": "./hack/dockerfiles/lint.Dockerfile",
+      "args": {
+        "BUILDKIT_CONTEXT_KEEP_GIT_DIR": "1",
+        "GO_VERSION": "1.20"
+      },
+      "output": [
+        "type=cacheonly"
+      ]
+    },
+    "validate-docs": {
+      "context": ".",
+      "dockerfile": "./hack/dockerfiles/docs.Dockerfile",
+      "args": {
+        "BUILDKIT_CONTEXT_KEEP_GIT_DIR": "1",
+        "BUILDX_EXPERIMENTAL": "1",
+        "FORMATS": "md",
+        "GO_VERSION": "1.20"
+      },
+      "target": "validate",
+      "output": [
+        "type=cacheonly"
+      ]
+    },
+    "validate-vendor": {
+      "context": ".",
+      "dockerfile": "./hack/dockerfiles/vendor.Dockerfile",
+      "args": {
+        "BUILDKIT_CONTEXT_KEEP_GIT_DIR": "1",
+        "GO_VERSION": "1.20"
+      },
+      "target": "validate",
+      "output": [
+        "type=cacheonly"
+      ]
+    }
+  }
+}
@@ -0,0 +1,22 @@
+{
+  "name": "builder2",
+  "driver": "docker-container",
+  "lastActivity": "2023-01-16 09:45:23 +0000 UTC",
+  "nodes": [
+    {
+      "buildkit": "v0.11.0",
+      "buildkitd-flags": "--debug --allow-insecure-entitlement security.insecure --allow-insecure-entitlement network.host",
+      "driver-opts": [
+        "BUILDKIT_STEP_LOG_MAX_SIZE=10485760",
+        "BUILDKIT_STEP_LOG_MAX_SPEED=10485760",
+        "JAEGER_TRACE=localhost:6831",
+        "image=moby/buildkit:latest",
+        "network=host"
+      ],
+      "endpoint": "unix:///var/run/docker.sock",
+      "name": "builder20",
+      "platforms": "linux/amd64,linux/amd64/v2,linux/amd64/v3,linux/arm64,linux/riscv64,linux/ppc64le,linux/s390x,linux/386,linux/mips64le,linux/mips64,linux/arm/v7,linux/arm/v6",
+      "status": "running"
+    }
+  ]
+}
@@ -0,0 +1,39 @@
+import fs from 'node:fs';
+import os from 'node:os';
+import path from 'node:path';
+import {vi} from 'vitest';
+
+const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'docker-bake-action-'));
+
+const githubPayload = {
+  repository: {
+    private: true
+  }
+};
+
+const githubEventPath = path.join(tmpDir, 'github-event.json');
+fs.writeFileSync(githubEventPath, JSON.stringify(githubPayload));
+
+process.env = Object.assign({}, process.env, {
+  TEMP: tmpDir,
+  GITHUB_REPOSITORY: 'docker/bake-action',
+  GITHUB_REF: 'refs/heads/master',
+  GITHUB_RUN_ID: '123456789',
+  GITHUB_RUN_ATTEMPT: '1',
+  GITHUB_EVENT_PATH: githubEventPath,
+  RUNNER_TEMP: path.join(tmpDir, 'runner-temp'),
+  RUNNER_TOOL_CACHE: path.join(tmpDir, 'runner-tool-cache')
+});
+
+vi.mock('@actions/github', () => ({
+  context: {
+    repo: {
+      owner: 'docker',
+      repo: 'bake-action'
+    },
+    ref: 'refs/heads/master',
+    runId: 123456789,
+    payload: githubPayload
+  },
+  getOctokit: vi.fn()
+}));
@@ -10,15 +10,14 @@ inputs:
  builder:
    description: "Builder instance"
    required: false
+  allow:
+    description: "Allow build to access specified resources (e.g., network.host)"
+    required: false
+  call:
+    description: "Set method for evaluating build (e.g., check)"
+    required: false
  files:
    description: "List of bake definition files"
-    required: true
-  workdir:
-    description: "Working directory of bake execution"
-    required: false
-    default: '.'
-  targets:
-    description: "List of bake targets"
    required: false
  no-cache:
    description: "Do not use cache when building the image"
@@ -32,15 +31,31 @@ inputs:
    description: "Load is a shorthand for --set=*.output=type=docker"
    required: false
    default: 'false'
+  provenance:
+    description: "Provenance is a shorthand for --set=*.attest=type=provenance"
+    required: false
  push:
    description: "Push is a shorthand for --set=*.output=type=registry"
    required: false
    default: 'false'
+  sbom:
+    description: "SBOM is a shorthand for --set=*.attest=type=sbom"
+    required: false
  set:
    description: "List of targets values to override (eg. targetpattern.key=value)"
    required: false
  source:
-    description: "Remote bake definition to build from"
+    description: "Context to build from. Can be either local to specify the working directory or a remote bake definition"
+    required: false
+  targets:
+    description: "List of bake targets"
+    required: false
+  vars:
+    description: "Variables to set in the Bake definition as list of key-value pair"
+    required: false
+  github-token:
+    description: "API token used to authenticate to a Git repository for remote definitions"
+    default: ${{ github.token }}
    required: false

 outputs:
@@ -48,5 +63,6 @@ outputs:
    description: 'Build result metadata'

 runs:
-  using: 'node16'
-  main: 'dist/index.js'
+  using: 'node24'
+  main: 'dist/index.cjs'
+  post: 'dist/index.cjs'
@@ -1,15 +1,21 @@
 # syntax=docker/dockerfile:1

-ARG NODE_VERSION=16
-ARG DOCKER_VERSION=20.10.13
-ARG BUILDX_VERSION=0.8.1
+ARG NODE_VERSION=24

 FROM node:${NODE_VERSION}-alpine AS base
-RUN apk add --no-cache cpio findutils git
+RUN apk add --no-cache cpio findutils git rsync
 WORKDIR /src
+RUN --mount=type=bind,target=.,rw \
+  --mount=type=cache,target=/src/.yarn/cache <<EOT
+  set -e
+  corepack enable
+  yarn --version
+  yarn config set --home enableTelemetry 0
+EOT

 FROM base AS deps
 RUN --mount=type=bind,target=.,rw \
+  --mount=type=cache,target=/src/.yarn/cache \
  --mount=type=cache,target=/src/node_modules \
  yarn install && mkdir /vendor && cp yarn.lock /vendor

@@ -18,61 +24,66 @@ COPY --from=deps /vendor /

 FROM deps AS vendor-validate
 RUN --mount=type=bind,target=.,rw <<EOT
-set -e
-git add -A
-cp -rf /vendor/* .
-if [ -n "$(git status --porcelain -- yarn.lock)" ]; then
-  echo >&2 'ERROR: Vendor result differs. Please vendor your package with "docker buildx bake vendor-update"'
-  git status --porcelain -- yarn.lock
-  exit 1
-fi
+  set -e
+  git add -A
+  cp -rf /vendor/* .
+  if [ -n "$(git status --porcelain -- yarn.lock)" ]; then
+    echo >&2 'ERROR: Vendor result differs. Please vendor your package with "docker buildx bake vendor"'
+    git status --porcelain -- yarn.lock
+    exit 1
+  fi
 EOT

 FROM deps AS build
-RUN --mount=type=bind,target=.,rw \
-  --mount=type=cache,target=/src/node_modules \
-  yarn run build && mkdir /out && cp -Rf dist /out/
+RUN --mount=target=/context \
+  --mount=type=cache,target=/src/.yarn/cache \
+  --mount=type=cache,target=/src/node_modules <<EOT
+  set -e
+  rsync -a /context/. .
+  rm -rf dist
+  yarn run build
+  mkdir /out
+  cp -r dist /out
+EOT

 FROM scratch AS build-update
 COPY --from=build /out /

 FROM build AS build-validate
-RUN --mount=type=bind,target=.,rw <<EOT
-set -e
-git add -A
-cp -rf /out/* .
-if [ -n "$(git status --porcelain -- dist)" ]; then
-  echo >&2 'ERROR: Build result differs. Please build first with "docker buildx bake build"'
-  git status --porcelain -- dist
-  exit 1
-fi
+RUN --mount=target=/context \
+  --mount=target=.,type=tmpfs <<EOT
+  set -e
+  rsync -a /context/. .
+  git add -A
+  rm -rf dist
+  cp -rf /out/* .
+  if [ -n "$(git status --porcelain -- dist)" ]; then
+    echo >&2 'ERROR: Build result differs. Please build first with "docker buildx bake build"'
+    git status --porcelain -- dist
+    exit 1
+  fi
 EOT

 FROM deps AS format
 RUN --mount=type=bind,target=.,rw \
+  --mount=type=cache,target=/src/.yarn/cache \
  --mount=type=cache,target=/src/node_modules \
-  yarn run format \
-  && mkdir /out && find . -name '*.ts' -not -path './node_modules/*' | cpio -pdm /out
+  yarn run format && mkdir /out && find . -name '*.ts' -not -path './node_modules/*' -not -path './.yarn/*' | cpio -pdm /out

 FROM scratch AS format-update
 COPY --from=format /out /

 FROM deps AS lint
 RUN --mount=type=bind,target=.,rw \
+  --mount=type=cache,target=/src/.yarn/cache \
  --mount=type=cache,target=/src/node_modules \
  yarn run lint

-FROM docker:${DOCKER_VERSION} as docker
-FROM docker/buildx-bin:${BUILDX_VERSION} as buildx
-
 FROM deps AS test
-ENV RUNNER_TEMP=/tmp/github_runner
-ENV RUNNER_TOOL_CACHE=/tmp/github_tool_cache
 RUN --mount=type=bind,target=.,rw \
+  --mount=type=cache,target=/src/.yarn/cache \
  --mount=type=cache,target=/src/node_modules \
-  --mount=type=bind,from=docker,source=/usr/local/bin/docker,target=/usr/bin/docker \
-  --mount=type=bind,from=buildx,source=/buildx,target=/usr/libexec/docker/cli-plugins/docker-buildx \
-  yarn run test --coverageDirectory=/tmp/coverage
+  yarn run test --coverage --coverage.reportsDirectory=/tmp/coverage

 FROM scratch AS test-coverage
 COPY --from=test /tmp/coverage /
@@ -1,9 +1,15 @@
+target "_common" {
+  args = {
+    BUILDKIT_CONTEXT_KEEP_GIT_DIR = 1
+  }
+}
+
 group "default" {
  targets = ["build"]
 }

 group "pre-checkin" {
-  targets = ["vendor-update", "format", "build"]
+  targets = ["vendor", "format", "build"]
 }

 group "validate" {
@@ -11,42 +17,49 @@ group "validate" {
 }

 target "build" {
+  inherits = ["_common"]
  dockerfile = "dev.Dockerfile"
  target = "build-update"
  output = ["."]
 }

 target "build-validate" {
+  inherits = ["_common"]
  dockerfile = "dev.Dockerfile"
  target = "build-validate"
  output = ["type=cacheonly"]
 }

 target "format" {
+  inherits = ["_common"]
  dockerfile = "dev.Dockerfile"
  target = "format-update"
  output = ["."]
 }

 target "lint" {
+  inherits = ["_common"]
  dockerfile = "dev.Dockerfile"
  target = "lint"
  output = ["type=cacheonly"]
 }

-target "vendor-update" {
+target "vendor" {
+  inherits = ["_common"]
  dockerfile = "dev.Dockerfile"
  target = "vendor-update"
  output = ["."]
 }

 target "vendor-validate" {
+  inherits = ["_common"]
  dockerfile = "dev.Dockerfile"
  target = "vendor-validate"
  output = ["type=cacheonly"]
 }

 target "test" {
+  inherits = ["_common"]
  dockerfile = "dev.Dockerfile"
  target = "test-coverage"
  output = ["./coverage"]
@@ -0,0 +1,52 @@
+import {defineConfig} from 'eslint/config';
+import js from '@eslint/js';
+import tseslint from '@typescript-eslint/eslint-plugin';
+import vitest from '@vitest/eslint-plugin';
+import globals from 'globals';
+import eslintConfigPrettier from 'eslint-config-prettier/flat';
+import eslintPluginPrettier from 'eslint-plugin-prettier';
+
+export default defineConfig([
+  {
+    ignores: ['.yarn/**/*', 'coverage/**/*', 'dist/**/*']
+  },
+  js.configs.recommended,
+  ...tseslint.configs['flat/recommended'],
+  eslintConfigPrettier,
+  {
+    languageOptions: {
+      globals: {
+        ...globals.node
+      }
+    }
+  },
+  {
+    files: ['__tests__/**'],
+    ...vitest.configs.recommended,
+    languageOptions: {
+      globals: {
+        ...globals.node,
+        ...vitest.environments.env.globals
+      }
+    },
+    rules: {
+      ...vitest.configs.recommended.rules,
+      'vitest/no-conditional-expect': 'error',
+      'vitest/no-disabled-tests': 0
+    }
+  },
+  {
+    plugins: {
+      prettier: eslintPluginPrettier
+    },
+    rules: {
+      'prettier/prettier': 'error',
+      '@typescript-eslint/no-require-imports': [
+        'error',
+        {
+          allowAsImport: true
+        }
+      ]
+    }
+  }
+]);
@@ -1,13 +0,0 @@
-module.exports = {
-  clearMocks: true,
-  moduleFileExtensions: ['js', 'ts'],
-  setupFiles: ['dotenv/config'],
-  testMatch: ['**/*.test.ts'],
-  transform: {
-    '^.+\\.ts$': 'ts-jest'
-  },
-  moduleNameMapper: {
-    '^csv-parse/sync': '<rootDir>/node_modules/csv-parse/dist/cjs/sync.cjs'
-  },
-  verbose: true
-};
@@ -1,13 +1,14 @@
 {
  "name": "docker-buildx-bake",
  "description": "GitHub Action to use Docker Buildx Bake as a high-level build command",
-  "main": "lib/main.js",
+  "type": "module",
+  "main": "src/main.ts",
  "scripts": {
-    "build": "ncc build src/main.ts --source-map --minify --license licenses.txt",
-    "lint": "eslint src/**/*.ts __tests__/**/*.ts",
-    "format": "eslint --fix src/**/*.ts __tests__/**/*.ts",
-    "test": "jest --coverage",
-    "all": "yarn run build && yarn run format && yarn test"
+    "build": "esbuild src/main.ts --bundle --platform=node --target=node24 --format=cjs --outfile=dist/index.cjs --sourcemap --minify && yarn run license",
+    "lint": "eslint --max-warnings=0 .",
+    "format": "eslint --fix .",
+    "test": "vitest run",
+    "license": "generate-license-file --input package.json --output dist/licenses.txt --overwrite --ci --no-spinner --eol lf"
  },
  "repository": {
    "type": "git",
@@ -19,38 +20,29 @@
    "buildx",
    "bake"
  ],
-  "author": "Docker",
-  "contributors": [
-    {
-      "name": "CrazyMax",
-      "url": "https://crazymax.dev"
-    }
-  ],
+  "author": "Docker Inc.",
  "license": "Apache-2.0",
+  "packageManager": "yarn@4.15.0",
  "dependencies": {
-    "@actions/core": "^1.10.0",
-    "@actions/exec": "^1.1.1",
-    "csv-parse": "^5.3.0",
-    "semver": "^7.3.7",
-    "tmp": "^0.2.1"
+    "@actions/core": "^3.0.1",
+    "@docker/actions-toolkit": "^0.91.0",
+    "handlebars": "^4.7.9"
  },
  "devDependencies": {
-    "@types/csv-parse": "^1.2.2",
-    "@types/node": "^16.11.26",
-    "@types/semver": "^7.3.9",
-    "@types/tmp": "^0.2.3",
-    "@typescript-eslint/eslint-plugin": "^5.14.0",
-    "@typescript-eslint/parser": "^5.14.0",
-    "@vercel/ncc": "^0.33.3",
-    "dotenv": "^16.0.0",
-    "eslint": "^8.11.0",
-    "eslint-config-prettier": "^8.5.0",
-    "eslint-plugin-jest": "^26.1.1",
-    "eslint-plugin-prettier": "^4.0.0",
-    "jest": "^27.2.5",
-    "prettier": "^2.3.1",
-    "ts-jest": "^27.1.2",
-    "ts-node": "^10.7.0",
-    "typescript": "^4.4.4"
+    "@eslint/js": "^9.39.3",
+    "@types/node": "^24.11.0",
+    "@typescript-eslint/eslint-plugin": "^8.56.1",
+    "@typescript-eslint/parser": "^8.56.1",
+    "@vitest/coverage-v8": "^4.0.18",
+    "@vitest/eslint-plugin": "^1.6.9",
+    "esbuild": "^0.28.0",
+    "eslint": "^9.39.3",
+    "eslint-config-prettier": "^10.1.8",
+    "eslint-plugin-prettier": "^5.5.5",
+    "generate-license-file": "^4.1.1",
+    "globals": "^17.3.0",
+    "prettier": "^3.8.1",
+    "typescript": "^5.9.3",
+    "vitest": "^4.0.18"
  }
 }
@@ -1,75 +0,0 @@
-import fs from 'fs';
-import path from 'path';
-import * as semver from 'semver';
-import * as exec from '@actions/exec';
-
-import * as context from './context';
-
-export async function getMetadataFile(): Promise<string> {
-  return path.join(context.tmpDir(), 'metadata-file').split(path.sep).join(path.posix.sep);
-}
-
-export async function getMetadata(): Promise<string | undefined> {
-  const metadataFile = await getMetadataFile();
-  if (!fs.existsSync(metadataFile)) {
-    return undefined;
-  }
-  const content = fs.readFileSync(metadataFile, {encoding: 'utf-8'}).trim();
-  if (content === 'null') {
-    return undefined;
-  }
-  return content;
-}
-
-export async function isAvailable(standalone?: boolean): Promise<boolean> {
-  const cmd = getCommand([], standalone);
-  return await exec
-    .getExecOutput(cmd.command, cmd.args, {
-      ignoreReturnCode: true,
-      silent: true
-    })
-    .then(res => {
-      if (res.stderr.length > 0 && res.exitCode != 0) {
-        return false;
-      }
-      return res.exitCode == 0;
-    })
-    // eslint-disable-next-line @typescript-eslint/no-unused-vars
-    .catch(error => {
-      return false;
-    });
-}
-
-export async function getVersion(standalone?: boolean): Promise<string> {
-  const cmd = getCommand(['version'], standalone);
-  return await exec
-    .getExecOutput(cmd.command, cmd.args, {
-      ignoreReturnCode: true,
-      silent: true
-    })
-    .then(res => {
-      if (res.stderr.length > 0 && res.exitCode != 0) {
-        throw new Error(res.stderr.trim());
-      }
-      return parseVersion(res.stdout.trim());
-    });
-}
-
-export function parseVersion(stdout: string): string {
-  const matches = /\sv?([0-9a-f]{7}|[0-9.]+)/.exec(stdout);
-  if (!matches) {
-    throw new Error(`Cannot parse buildx version`);
-  }
-  return matches[1];
-}
-
-export function satisfies(version: string, range: string): boolean {
-  return semver.satisfies(version, range) || /^[0-9a-f]{7}$/.exec(version) !== null;
-}
-
-export function getCommand(args: Array<string>, standalone?: boolean) {
-  return {
-    command: standalone ? 'buildx' : 'docker',
-    args: standalone ? args : ['buildx', ...args]
-  };
-}
@@ -1,81 +1,136 @@
 import * as fs from 'fs';
-import * as os from 'os';
-import * as path from 'path';
-import * as tmp from 'tmp';
-import * as buildx from './buildx';
 import * as core from '@actions/core';
-import {parse} from 'csv-parse/sync';
+import * as handlebars from 'handlebars';

-let _tmpDir: string;
+import {Bake} from '@docker/actions-toolkit/lib/buildx/bake.js';
+import {Build} from '@docker/actions-toolkit/lib/buildx/build.js';
+import {GitHub} from '@docker/actions-toolkit/lib/github/github.js';
+import {Toolkit} from '@docker/actions-toolkit/lib/toolkit.js';
+import {Util} from '@docker/actions-toolkit/lib/util.js';
+
+import {BakeDefinition} from '@docker/actions-toolkit/lib/types/buildx/bake.js';
+
+export interface BakeContext {
+  remoteRef?: string;
+  workdir?: string;
+}

 export interface Inputs {
  builder: string;
+  allow: string[];
+  call: string;
  files: string[];
-  workdir: string;
-  targets: string[];
-  noCache: boolean;
+  'no-cache': boolean;
  pull: boolean;
  load: boolean;
+  provenance: string;
  push: boolean;
+  sbom: string;
  set: string[];
-  source: string;
-}
-
-export function tmpDir(): string {
-  if (!_tmpDir) {
-    _tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'docker-build-push-')).split(path.sep).join(path.posix.sep);
-  }
-  return _tmpDir;
-}
-
-export function tmpNameSync(options?: tmp.TmpNameOptions): string {
-  return tmp.tmpNameSync(options);
+  source: BakeContext;
+  targets: string[];
+  vars: string[];
+  'github-token': string;
 }

 export async function getInputs(): Promise<Inputs> {
  return {
    builder: core.getInput('builder'),
-    files: getInputList('files'),
-    workdir: core.getInput('workdir') || '.',
-    targets: getInputList('targets'),
-    noCache: core.getBooleanInput('no-cache'),
+    allow: Util.getInputList('allow'),
+    call: core.getInput('call'),
+    files: Util.getInputList('files'),
+    'no-cache': core.getBooleanInput('no-cache'),
    pull: core.getBooleanInput('pull'),
    load: core.getBooleanInput('load'),
+    provenance: Build.getProvenanceInput('provenance'),
    push: core.getBooleanInput('push'),
-    set: getInputList('set', true),
-    source: core.getInput('source')
+    sbom: core.getInput('sbom'),
+    set: Util.getInputList('set', {ignoreComma: true, quote: false}),
+    source: await getBakeContext(core.getInput('source')),
+    targets: Util.getInputList('targets'),
+    vars: Util.getInputList('vars', {ignoreComma: true, quote: false}),
+    'github-token': core.getInput('github-token')
  };
 }

-export async function getArgs(inputs: Inputs, buildxVersion: string): Promise<Array<string>> {
+export async function getArgs(inputs: Inputs, definition: BakeDefinition, toolkit: Toolkit): Promise<Array<string>> {
  // prettier-ignore
  return [
-    ...await getBakeArgs(inputs, buildxVersion),
+    ...await getBakeArgs(inputs, definition, toolkit),
    ...await getCommonArgs(inputs),
    ...inputs.targets
  ];
 }

-async function getBakeArgs(inputs: Inputs, buildxVersion: string): Promise<Array<string>> {
+async function getBakeArgs(inputs: Inputs, definition: BakeDefinition, toolkit: Toolkit): Promise<Array<string>> {
  const args: Array<string> = ['bake'];
-  if (inputs.source) {
-    args.push(inputs.source);
+  if (inputs.source.remoteRef) {
+    args.push(inputs.source.remoteRef);
  }
-  await asyncForEach(inputs.files, async file => {
+  if (await toolkit.buildx.versionSatisfies('>=0.17.0')) {
+    if (await toolkit.buildx.versionSatisfies('>=0.18.0')) {
+      // allow filesystem entitlements by default
+      inputs.allow.push('fs=*');
+    }
+    await Util.asyncForEach(inputs.allow, async (allow: string) => {
+      args.push('--allow', allow);
+    });
+  }
+  if (inputs.call) {
+    if (!(await toolkit.buildx.versionSatisfies('>=0.16.0'))) {
+      throw new Error(`Buildx >= 0.16.0 is required to use the call input.`);
+    }
+    args.push('--call', inputs.call);
+  }
+  await Util.asyncForEach(inputs.files, async (file: string) => {
    args.push('--file', file);
  });
-  await asyncForEach(inputs.set, async set => {
-    args.push('--set', set);
+  await Util.asyncForEach(inputs.set, async (s: string) => {
+    args.push('--set', s);
  });
-  if (buildx.satisfies(buildxVersion, '>=0.6.0')) {
-    args.push('--metadata-file', await buildx.getMetadataFile());
+  if (inputs.vars.length > 0) {
+    if (!(await toolkit.buildx.versionSatisfies('>=0.31.0'))) {
+      throw new Error(`Buildx >= 0.31.0 is required to use the vars input.`);
+    }
+    await Util.asyncForEach(inputs.vars, async (v: string) => {
+      args.push('--var', v);
+    });
+  }
+  if (await toolkit.buildx.versionSatisfies('>=0.6.0')) {
+    args.push('--metadata-file', toolkit.buildxBake.getMetadataFilePath());
+  }
+  if (await toolkit.buildx.versionSatisfies('>=0.10.0')) {
+    if (inputs.provenance) {
+      args.push('--provenance', inputs.provenance);
+    } else if (!noDefaultAttestations() && (await toolkit.buildkit.versionSatisfies(inputs.builder, '>=0.11.0')) && !Bake.hasDockerExporter(definition, inputs.load)) {
+      // check if provenance attestation is already specified in the bake
+      // definition and if not specified and BuildKit version compatible for
+      // attestation, set default provenance. Also needs to make sure user
+      // doesn't want to explicitly load the image to docker.
+      for (const targetName in definition.target) {
+        const target = definition.target[targetName];
+        if (!Array.isArray(target.attest) || !target.attest.some(attest => attest?.type === 'provenance')) {
+          if (GitHub.context.payload.repository?.private ?? false) {
+            // if this is a private repository, we set the default provenance
+            // attributes being set in buildx: https://github.com/docker/buildx/blob/fb27e3f919dcbf614d7126b10c2bc2d0b1927eb6/build/build.go#L603
+            args.push('--set', `${targetName}.attest=type=provenance,${Build.resolveProvenanceAttrs(`mode=min,inline-only=true`)}`);
+          } else {
+            // for a public repository, we set max provenance mode.
+            args.push('--set', `${targetName}.attest=type=provenance,${Build.resolveProvenanceAttrs(`mode=max`)}`);
+          }
+        }
+      }
+    }
+    if (inputs.sbom) {
+      args.push('--sbom', inputs.sbom);
+    }
  }
  return args;
 }

 async function getCommonArgs(inputs: Inputs): Promise<Array<string>> {
  const args: Array<string> = [];
-  if (inputs.noCache) {
+  if (inputs['no-cache']) {
    args.push('--no-cache');
  }
  if (inputs.builder) {
@@ -93,36 +148,32 @@ async function getCommonArgs(inputs: Inputs): Promise<Array<string>> {
  return args;
 }

-export function getInputList(name: string, ignoreComma?: boolean): string[] {
-  const res: Array<string> = [];
-
-  const items = core.getInput(name);
-  if (items == '') {
-    return res;
-  }
-
-  const records = parse(items, {
-    columns: false,
-    relaxColumnCount: true,
-    skipEmptyLines: true
+async function getBakeContext(sourceInput: string): Promise<BakeContext> {
+  const defaultContext = await new Build().gitContext();
+  let bakeContext = handlebars.compile(sourceInput)({
+    defaultContext: defaultContext
  });
-
-  for (const record of records as Array<string[]>) {
-    if (record.length == 1) {
-      res.push(record[0]);
-      continue;
-    } else if (!ignoreComma) {
-      res.push(...record);
-      continue;
-    }
-    res.push(record.join(','));
+  if (!bakeContext) {
+    bakeContext = defaultContext;
  }
-
-  return res.filter(item => item).map(pat => pat.trim());
+  if (Util.isValidRef(bakeContext)) {
+    return {
+      remoteRef: bakeContext
+    };
+  }
+  try {
+    fs.statSync(sourceInput).isDirectory();
+  } catch {
+    throw new Error(`Invalid source: ${sourceInput} does not exist or is not a directory.`);
+  }
+  return {
+    workdir: bakeContext
+  };
 }

-export const asyncForEach = async (array, callback) => {
-  for (let index = 0; index < array.length; index++) {
-    await callback(array[index], index, array);
+function noDefaultAttestations(): boolean {
+  if (process.env.BUILDX_NO_DEFAULT_ATTESTATIONS) {
+    return Util.parseBool(process.env.BUILDX_NO_DEFAULT_ATTESTATIONS);
  }
-};
+  return false;
+}
@@ -1,19 +0,0 @@
-import * as exec from '@actions/exec';
-
-export async function isAvailable(): Promise<boolean> {
-  return await exec
-    .getExecOutput('docker', undefined, {
-      ignoreReturnCode: true,
-      silent: true
-    })
-    .then(res => {
-      if (res.stderr.length > 0 && res.exitCode != 0) {
-        return false;
-      }
-      return res.exitCode == 0;
-    })
-    // eslint-disable-next-line @typescript-eslint/no-unused-vars
-    .catch(error => {
-      return false;
-    });
-}
@@ -1,87 +1,334 @@
 import * as fs from 'fs';
-import * as buildx from './buildx';
-import * as context from './context';
-import * as docker from './docker';
-import * as stateHelper from './state-helper';
+import * as path from 'path';
 import * as core from '@actions/core';
-import * as exec from '@actions/exec';
+import * as actionsToolkit from '@docker/actions-toolkit';
+
+import {Buildx} from '@docker/actions-toolkit/lib/buildx/buildx.js';
+import {History as BuildxHistory} from '@docker/actions-toolkit/lib/buildx/history.js';
+import {Context} from '@docker/actions-toolkit/lib/context.js';
+import {Docker} from '@docker/actions-toolkit/lib/docker/docker.js';
+import {Exec} from '@docker/actions-toolkit/lib/exec.js';
+import {GitHub} from '@docker/actions-toolkit/lib/github/github.js';
+import {GitHubArtifact} from '@docker/actions-toolkit/lib/github/artifact.js';
+import {GitHubSummary} from '@docker/actions-toolkit/lib/github/summary.js';
+import {Toolkit} from '@docker/actions-toolkit/lib/toolkit.js';
+import {Util} from '@docker/actions-toolkit/lib/util.js';
+
+import {BakeDefinition} from '@docker/actions-toolkit/lib/types/buildx/bake.js';
+import {BuilderInfo} from '@docker/actions-toolkit/lib/types/buildx/builder.js';
+import {ConfigFile} from '@docker/actions-toolkit/lib/types/docker/docker.js';
+import {UploadResponse as UploadArtifactResponse} from '@docker/actions-toolkit/lib/types/github/artifact.js';
+
+import * as context from './context.js';
+import * as stateHelper from './state-helper.js';
+
+actionsToolkit.run(
+  // main
+  async () => {
+    const startedTime = new Date();

-async function run(): Promise<void> {
-  try {
    const inputs: context.Inputs = await context.getInputs();
+    stateHelper.setSummaryInputs(inputs);
+    core.debug(`inputs: ${JSON.stringify(inputs)}`);

-    // standalone if docker cli not available
-    const standalone = !(await docker.isAvailable());
+    const toolkit = new Toolkit();
+    const gitAuthToken = process.env.BUILDX_BAKE_GIT_AUTH_TOKEN ?? inputs['github-token'];

-    core.startGroup(`Docker info`);
-    if (standalone) {
-      core.info(`Docker info skipped in standalone mode`);
-    } else {
-      await exec.exec('docker', ['version'], {
-        failOnStdErr: false
-      });
-      await exec.exec('docker', ['info'], {
-        failOnStdErr: false
-      });
-    }
-    core.endGroup();
+    await core.group(`GitHub Actions runtime token ACs`, async () => {
+      try {
+        await GitHub.printActionsRuntimeTokenACs();
+      } catch (e) {
+        core.warning(e.message);
+      }
+    });

-    if (!(await buildx.isAvailable(standalone))) {
+    await core.group(`Docker info`, async () => {
+      try {
+        await Docker.printVersion();
+        await Docker.printInfo();
+      } catch (e) {
+        core.info(e.message);
+      }
+    });
+
+    await core.group(`Proxy configuration`, async () => {
+      let dockerConfig: ConfigFile | undefined;
+      let dockerConfigMalformed = false;
+      try {
+        dockerConfig = await Docker.configFile();
+      } catch (e) {
+        dockerConfigMalformed = true;
+        core.warning(`Unable to parse config file ${path.join(Docker.configDir, 'config.json')}: ${e}`);
+      }
+      if (dockerConfig && dockerConfig.proxies) {
+        for (const host in dockerConfig.proxies) {
+          let prefix = '';
+          if (Object.keys(dockerConfig.proxies).length > 1) {
+            prefix = '  ';
+            core.info(host);
+          }
+          for (const key in dockerConfig.proxies[host]) {
+            core.info(`${prefix}${key}: ${dockerConfig.proxies[host][key]}`);
+          }
+        }
+      } else if (!dockerConfigMalformed) {
+        core.info('No proxy configuration found');
+      }
+    });
+
+    if (!(await toolkit.buildx.isAvailable())) {
      core.setFailed(`Docker buildx is required. See https://github.com/docker/setup-buildx-action to set up buildx.`);
      return;
    }
-    stateHelper.setTmpDir(context.tmpDir());

-    const buildxVersion = await buildx.getVersion(standalone);
+    stateHelper.setTmpDir(Context.tmpDir());
+
    await core.group(`Buildx version`, async () => {
-      const versionCmd = buildx.getCommand(['version'], standalone);
-      await exec.exec(versionCmd.command, versionCmd.args, {
-        failOnStdErr: false
-      });
+      await toolkit.buildx.printVersion();
    });

-    const args: string[] = await context.getArgs(inputs, buildxVersion);
-    const buildCmd = buildx.getCommand(args, standalone);
-
-    core.startGroup(`Bake definition`);
-    await exec.exec(buildCmd.command, [...buildCmd.args, '--print'], {
-      cwd: inputs.workdir
+    let builder: BuilderInfo;
+    await core.group(`Builder info`, async () => {
+      builder = await toolkit.builder.inspect(inputs.builder);
+      stateHelper.setBuilderDriver(builder.driver ?? '');
+      stateHelper.setBuilderEndpoint(builder.nodes?.[0]?.endpoint ?? '');
+      core.info(JSON.stringify(builder, null, 2));
    });
-    core.endGroup();

-    await exec
-      .getExecOutput(buildCmd.command, buildCmd.args, {
-        cwd: inputs.workdir,
+    let definition: BakeDefinition | undefined;
+    await core.group(`Parsing raw definition`, async () => {
+      definition = await toolkit.buildxBake.getDefinition(
+        {
+          allow: inputs.allow,
+          files: inputs.files,
+          load: inputs.load,
+          noCache: inputs['no-cache'],
+          overrides: inputs.set,
+          provenance: inputs.provenance,
+          push: inputs.push,
+          sbom: inputs.sbom,
+          source: inputs.source.remoteRef,
+          targets: inputs.targets,
+          vars: inputs.vars,
+          githubToken: gitAuthToken
+        },
+        {
+          cwd: inputs.source.workdir
+        }
+      );
+    });
+    if (!definition) {
+      throw new Error('Bake definition not set');
+    }
+    stateHelper.setBakeDefinition(definition);
+
+    const args: string[] = await context.getArgs(inputs, definition, toolkit);
+    const buildCmd = await toolkit.buildx.getCommand(args);
+    const buildEnv = Object.assign({}, process.env, {
+      BUILDX_BAKE_GIT_AUTH_TOKEN: gitAuthToken,
+      BUILDX_METADATA_WARNINGS: 'true'
+    }) as {
+      [key: string]: string;
+    };
+
+    await core.group(`Bake definition`, async () => {
+      await Exec.getExecOutput(buildCmd.command, [...buildCmd.args, '--print'], {
+        cwd: inputs.source.workdir,
+        env: buildEnv,
        ignoreReturnCode: true
-      })
-      .then(res => {
+      }).then(res => {
        if (res.stderr.length > 0 && res.exitCode != 0) {
-          throw new Error(`buildx bake failed with: ${res.stderr.match(/(.*)\s*$/)?.[0]?.trim() ?? 'unknown error'}`);
+          throw Error(res.stderr);
        }
      });
+    });

-    const metadata = await buildx.getMetadata();
+    let err: Error | undefined;
+    await Exec.getExecOutput(buildCmd.command, buildCmd.args, {
+      cwd: inputs.source.workdir,
+      env: buildEnv,
+      ignoreReturnCode: true
+    }).then(res => {
+      if (res.exitCode != 0) {
+        if (inputs.call && inputs.call === 'check' && res.stdout.length > 0) {
+          // checks warnings are printed to stdout: https://github.com/docker/buildx/pull/2647
+          // with bake we can have multiple targets being checked so we need to
+          // count the total number of warnings
+          const totalWarnings = [...res.stdout.matchAll(/^Check complete, (\d+) warnings? (?:has|have) been found!/gm)].reduce((sum, m) => sum + parseInt(m[1], 10), 0);
+          if (totalWarnings > 0) {
+            // https://github.com/docker/buildx/blob/1e50e8ddabe108f009b9925e13a321d7c8f99f26/commands/build.go#L797-L803
+            if (totalWarnings === 1) {
+              err = Error(`Check complete, ${totalWarnings} warning has been found!`);
+            } else {
+              err = Error(`Check complete, ${totalWarnings} warnings have been found!`);
+            }
+          } else {
+            // if there are no warnings found, return the first line of stdout
+            err = Error(res.stdout.split('\n')[0]?.trim());
+          }
+        } else if (res.stderr.length > 0) {
+          err = Error(`buildx bake failed with: ${res.stderr.match(/(.*)\s*$/)?.[0]?.trim() ?? 'unknown error'}`);
+        }
+      }
+    });
+
+    const metadata = toolkit.buildxBake.resolveMetadata();
    if (metadata) {
-      await core.group(`Metadata output`, async () => {
-        core.info(metadata);
-        core.setOutput('metadata', metadata);
+      await core.group(`Metadata`, async () => {
+        const metadatadt = JSON.stringify(metadata, null, 2);
+        core.info(metadatadt);
+        core.setOutput('metadata', metadatadt);
+      });
+    }
+
+    let refs: Array<string> = [];
+    await core.group(`Build references`, async () => {
+      refs = await buildRefs(toolkit, startedTime, inputs.builder);
+      if (refs.length > 0) {
+        for (const ref of refs) {
+          core.info(ref);
+        }
+        stateHelper.setBuildRefs(refs);
+      } else {
+        core.info('No build references found');
+      }
+    });
+
+    if (buildChecksAnnotationsEnabled()) {
+      const warnings = toolkit.buildxBake.resolveWarnings(metadata);
+      if (refs.length > 0 && warnings && warnings.length > 0) {
+        const annotations = await Buildx.convertWarningsToGitHubAnnotations(warnings, refs);
+        core.debug(`annotations: ${JSON.stringify(annotations, null, 2)}`);
+        if (annotations && annotations.length > 0) {
+          await core.group(`Generating GitHub annotations (${annotations.length} build checks found)`, async () => {
+            for (const annotation of annotations) {
+              core.warning(annotation.message, annotation);
+            }
+          });
+        }
+      }
+    }
+
+    await core.group(`Check build summary support`, async () => {
+      if (!buildSummaryEnabled()) {
+        core.info('Build summary disabled');
+      } else if (inputs.call && inputs.call !== 'build') {
+        core.info(`Build summary skipped for ${inputs.call} subrequest`);
+      } else if (GitHub.isGHES) {
+        core.info('Build summary is not yet supported on GHES');
+      } else if (!(await toolkit.buildx.versionSatisfies('>=0.23.0'))) {
+        core.info('Build summary requires Buildx >= 0.23.0');
+      } else if (refs.length == 0) {
+        core.info('Build summary requires at least one build reference');
+      } else {
+        core.info('Build summary supported!');
+        stateHelper.setSummarySupported();
+      }
+    });
+
+    if (err) {
+      throw err;
+    }
+  },
+  // post
+  async () => {
+    if (stateHelper.isSummarySupported) {
+      await core.group(`Generating build summary`, async () => {
+        try {
+          const recordUploadEnabled = buildRecordUploadEnabled();
+          let recordRetentionDays: number | undefined;
+          if (recordUploadEnabled) {
+            recordRetentionDays = buildRecordRetentionDays();
+          }
+
+          const buildxHistory = new BuildxHistory();
+          const exportRes = await buildxHistory.export({
+            refs: stateHelper.buildRefs
+          });
+          core.info(`Build records written to ${exportRes.dockerbuildFilename} (${Util.formatFileSize(exportRes.dockerbuildSize)})`);
+
+          let uploadRes: UploadArtifactResponse | undefined;
+          if (recordUploadEnabled) {
+            uploadRes = await GitHubArtifact.upload({
+              filename: exportRes.dockerbuildFilename,
+              retentionDays: recordRetentionDays
+            });
+          }
+
+          await GitHubSummary.writeBuildSummary({
+            exportRes: exportRes,
+            uploadRes: uploadRes,
+            inputs: stateHelper.summaryInputs,
+            bakeDefinition: stateHelper.bakeDefinition,
+            driver: stateHelper.builderDriver,
+            endpoint: stateHelper.builderEndpoint
+          });
+        } catch (e) {
+          core.warning(e.message);
+        }
+      });
+    }
+    if (stateHelper.tmpDir.length > 0) {
+      await core.group(`Removing temp folder ${stateHelper.tmpDir}`, async () => {
+        fs.rmSync(stateHelper.tmpDir, {recursive: true});
      });
    }
-  } catch (error) {
-    core.setFailed(error.message);
  }
+);
+
+async function buildRefs(toolkit: Toolkit, since: Date, builder?: string): Promise<Array<string>> {
+  // get refs from metadata file
+  const metaRefs = toolkit.buildxBake.resolveRefs();
+  if (metaRefs) {
+    return metaRefs;
+  }
+  // otherwise, look for the very first build ref since the build has started
+  if (!builder) {
+    const currentBuilder = await toolkit.builder.inspect();
+    builder = currentBuilder.name;
+  }
+  const res = Buildx.refs({
+    dir: Buildx.refsDir,
+    builderName: builder,
+    since: since
+  });
+  const refs: Array<string> = [];
+  for (const ref in res) {
+    if (Object.prototype.hasOwnProperty.call(res, ref)) {
+      refs.push(ref);
+    }
+  }
+  return refs;
 }

-async function cleanup(): Promise<void> {
-  if (stateHelper.tmpDir.length > 0) {
-    core.startGroup(`Removing temp folder ${stateHelper.tmpDir}`);
-    fs.rmdirSync(stateHelper.tmpDir, {recursive: true});
-    core.endGroup();
+function buildChecksAnnotationsEnabled(): boolean {
+  if (process.env.DOCKER_BUILD_CHECKS_ANNOTATIONS) {
+    return Util.parseBool(process.env.DOCKER_BUILD_CHECKS_ANNOTATIONS);
  }
+  return true;
 }

-if (!stateHelper.IsPost) {
-  run();
-} else {
-  cleanup();
+function buildSummaryEnabled(): boolean {
+  if (process.env.DOCKER_BUILD_SUMMARY) {
+    return Util.parseBool(process.env.DOCKER_BUILD_SUMMARY);
+  }
+  return true;
+}
+
+function buildRecordUploadEnabled(): boolean {
+  if (process.env.DOCKER_BUILD_RECORD_UPLOAD) {
+    return Util.parseBool(process.env.DOCKER_BUILD_RECORD_UPLOAD);
+  }
+  return true;
+}
+
+function buildRecordRetentionDays(): number | undefined {
+  const val = process.env.DOCKER_BUILD_RECORD_RETENTION_DAYS;
+  if (val) {
+    const res = parseInt(val);
+    if (isNaN(res)) {
+      throw Error(`Invalid build record retention days: ${val}`);
+    }
+    return res;
+  }
 }
@@ -1,12 +1,61 @@
 import * as core from '@actions/core';

-export const IsPost = !!process.env['STATE_isPost'];
+import {BakeDefinition} from '@docker/actions-toolkit/lib/types/buildx/bake.js';
+
+import {Inputs} from './context.js';
+
 export const tmpDir = process.env['STATE_tmpDir'] || '';

+export const builderDriver = process.env['STATE_builderDriver'] || '';
+export const builderEndpoint = process.env['STATE_builderEndpoint'] || '';
+export const summaryInputs = process.env['STATE_summaryInputs'] ? JSON.parse(process.env['STATE_summaryInputs']) : undefined;
+export const bakeDefinition = process.env['STATE_bakeDefinition'] ? <BakeDefinition>JSON.parse(process.env['STATE_bakeDefinition']) : undefined;
+
+export const buildRefs = process.env['STATE_buildRefs'] ? process.env['STATE_buildRefs'].split(',') : [];
+export const isSummarySupported = !!process.env['STATE_isSummarySupported'];
+
 export function setTmpDir(tmpDir: string) {
  core.saveState('tmpDir', tmpDir);
 }

-if (!IsPost) {
-  core.saveState('isPost', 'true');
+export function setBuilderDriver(builderDriver: string) {
+  core.saveState('builderDriver', builderDriver);
+}
+
+export function setBuilderEndpoint(builderEndpoint: string) {
+  core.saveState('builderEndpoint', builderEndpoint);
+}
+
+export function setBakeDefinition(bakeDefinition: BakeDefinition) {
+  core.saveState('bakeDefinition', JSON.stringify(bakeDefinition));
+}
+
+export function setBuildRefs(buildRefs: Array<string>) {
+  core.saveState('buildRefs', buildRefs.join(','));
+}
+
+export function setSummarySupported() {
+  core.saveState('isSummarySupported', 'true');
+}
+
+export function setSummaryInputs(inputs: Inputs) {
+  const res = {};
+  if (inputs.source.remoteRef || inputs.source.workdir) {
+    res['source'] = inputs.source.remoteRef || inputs.source.workdir;
+  }
+  for (const key of Object.keys(inputs)) {
+    if (key === 'source' || key === 'github-token') {
+      continue;
+    }
+    const value: string | string[] | boolean = inputs[key];
+    if (typeof value === 'boolean' && !value) {
+      continue;
+    } else if (Array.isArray(value) && value.length === 0) {
+      continue;
+    } else if (!value) {
+      continue;
+    }
+    res[key] = value;
+  }
+  core.saveState('summaryInputs', JSON.stringify(res));
 }
@@ -0,0 +1,140 @@
+## About
+
+This subaction generates a multi-dimension matrix that can be used in a [GitHub matrix](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstrategymatrix)
+through the [`include` property](https://docs.github.com/en/actions/how-tos/writing-workflows/choosing-what-your-workflow-does/running-variations-of-jobs-in-a-workflow#expanding-or-adding-matrix-configurations)
+so you can distribute your builds across multiple runners.
+
+![Screenshot](../../.github/subaction-matrix.png)
+
+___
+
+* [Usage](#usage)
+* [Customizing](#customizing)
+  * [inputs](#inputs)
+  * [outputs](#outputs)
+
+## Usage
+
+### List targets
+
+```hcl
+# docker-bake.hcl
+group "validate" {
+  targets = ["lint", "doctoc"]
+}
+
+target "lint" {
+  target = "lint"
+}
+
+target "doctoc" {
+  target = "doctoc"
+}
+```
+
+```yaml
+jobs:
+  prepare:
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.generate.outputs.matrix }}
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v6
+      -
+        name: Generate matrix
+        id: generate
+        uses: docker/bake-action/subaction/matrix@v7
+        with:
+          target: validate
+
+  validate:
+    runs-on: ubuntu-latest
+    needs:
+      - prepare
+    strategy:
+      fail-fast: false
+      matrix:
+        include: ${{ fromJson(needs.prepare.outputs.matrix) }}
+    steps:
+      -
+        name: Validate
+        uses: docker/bake-action@v7
+        with:
+          targets: ${{ matrix.target }}
+```
+
+### Platforms split
+
+```hcl
+# docker-bake.hcl
+target "lint" {
+  dockerfile = "./hack/dockerfiles/lint.Dockerfile"
+  output = ["type=cacheonly"]
+  platforms = [
+    "darwin/amd64",
+    "darwin/arm64",
+    "linux/amd64",
+    "linux/arm64",
+    "linux/s390x",
+    "linux/ppc64le",
+    "linux/riscv64",
+    "windows/amd64",
+    "windows/arm64"
+  ]
+}
+```
+
+```yaml
+jobs:
+  prepare:
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.generate.outputs.matrix }}
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v6
+      -
+        name: Generate matrix
+        id: generate
+        uses: docker/bake-action/subaction/matrix@v7
+        with:
+          target: lint
+          fields: platforms
+
+  lint:
+    runs-on: ${{ startsWith(matrix.platforms, 'linux/arm') && 'ubuntu-24.04-arm' || 'ubuntu-latest' }}
+    needs:
+      - prepare
+    strategy:
+      fail-fast: false
+      matrix:
+        include: ${{ fromJson(needs.prepare.outputs.matrix) }}
+    steps:
+      -
+        name: Lint
+        uses: docker/bake-action@v7
+        with:
+          targets: ${{ matrix.target }}
+          set: |
+            *.platform=${{ matrix.platforms }}
+```
+
+## Customizing
+
+### inputs
+
+| Name      | Type     | Description                                                                                    |
+|-----------|----------|------------------------------------------------------------------------------------------------|
+| `workdir` | String   | Working directory to use (defaults to `.`)                                                     |
+| `files`   | List/CSV | List of [bake definition files](https://docs.docker.com/build/customize/bake/file-definition/) |
+| `target`  | String   | The target to use within the bake file                                                         |
+| `fields`  | String   | List of extra fields to include in the matrix                                                  |
+
+### outputs
+
+| Name     | Type | Description          |
+|----------|------|----------------------|
+| `matrix` | JSON | Matrix configuration |
@@ -0,0 +1,101 @@
+# https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions
+name: 'Matrix'
+description: 'Generate a matrix from a Bake definition to help distributing builds in your workflow'
+
+inputs:
+  workdir:
+    description: Working directory
+    default: '.'
+    required: false
+  files:
+    description: List of Bake files
+    required: false
+  target:
+    description: Bake target
+    required: false
+  fields:
+    description: List of extra fields to include in the matrix
+    required: false
+
+outputs:
+  matrix:
+    description: Matrix configuration
+    value: ${{ steps.generate.outputs.includes }}
+
+runs:
+  using: composite
+  steps:
+    -
+      name: Generate
+      id: generate
+      uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+      env:
+        INPUT_WORKDIR: ${{ inputs.workdir }}
+        INPUT_FILES: ${{ inputs.files }}
+        INPUT_TARGET: ${{ inputs.target }}
+        INPUT_FIELDS: ${{ inputs.fields }}
+      with:
+        script: |
+          function getInputList(name) {
+            return core.getInput(name) ? core.getInput(name).split(/[\r?\n,]+/).filter(x => x !== '') : [];
+          }
+
+          const workdir = core.getInput('workdir');
+          const files = getInputList('files');
+          const target = core.getInput('target');
+          const fields = getInputList('fields');
+
+          let def = {};
+          await core.group(`Parsing definition`, async () => {
+            let args = ['buildx', 'bake'];
+            for (const file of files) {
+              args.push('--file', file);
+            }
+            if (target) {
+              args.push(target);
+            }
+            args.push('--print');
+            const res = await exec.getExecOutput('docker', args, {
+              ignoreReturnCode: true,
+              silent: true,
+              cwd: workdir
+            });
+            if (res.stderr.length > 0 && res.exitCode != 0) {
+              throw new Error(res.stderr);
+            }
+            def = JSON.parse(res.stdout.trim());
+            core.info(JSON.stringify(def, null, 2));
+          });
+
+          await core.group(`Generating matrix`, async () => {
+            const result = [];
+            for (const targetName of Object.keys(def.target)) {
+              const target = def.target[targetName];
+              const entry = { target: targetName };
+              if (fields.length === 0) {
+                result.push({ ...entry });
+                continue;
+              }
+              let fieldFound = false;
+              Object.keys(target).forEach(field => {
+                if (fields.includes(field)) {
+                  fieldFound = true;
+                  const value = target[field];
+                  if (Array.isArray(value)) {
+                    value.forEach((v) => {
+                      entry[field] = v;
+                      result.push({ ...entry });
+                    });
+                  } else {
+                    entry[field] = value;
+                    result.push({ ...entry });
+                  }
+                }
+              });
+              if (!fieldFound) {
+                result.push({ ...entry });
+              }
+            }
+            core.info(JSON.stringify(result, null, 2));
+            core.setOutput('includes', JSON.stringify(result));
+          });
@@ -0,0 +1,10 @@
+# syntax=docker/dockerfile:1
+
+FROM busybox AS t1
+RUN echo "Hello t1"
+
+FROM busybox AS t2
+RUN echo "Hello t2"
+
+FROM busybox AS t3
+RUN echo "Hello t3"
@@ -0,0 +1,17 @@
+group "default" {
+  targets = ["t1", "t2", "t3"]
+}
+
+target "t1" {
+  target = "t1"
+}
+
+target "t2" {
+  target = "t2"
+  attest = ["type=provenance,mode=min"]
+}
+
+target "t3" {
+  target = "t3"
+  attest = ["type=sbom"]
+}
@@ -6,21 +6,26 @@ group "release" {
  targets = ["db", "app-plus"]
 }

+# Special target: https://github.com/docker/metadata-action#bake-definition
+target "docker-metadata-action" {
+  tags = [
+    "localhost:5000/name/app:latest",
+    "localhost:5000/name/app:1.0.0"
+  ]
+}
+
 target "db" {
  context = "./test"
  tags = ["docker.io/tonistiigi/db"]
 }

 target "app" {
+  inherits = ["docker-metadata-action"]
  context = "./test"
  dockerfile = "Dockerfile"
  args = {
    name = "foo"
  }
-  tags = [
-    "localhost:5000/name/app:latest",
-    "localhost:5000/name/app:1.0.0"
-  ]
 }

 target "cross" {
@@ -37,3 +42,13 @@ target "app-plus" {
    IAMPLUS = "true"
  }
 }
+
+target "app-proxy" {
+  inherits = ["app"]
+  dockerfile = "proxy.Dockerfile"
+}
+
+target "app-entitlements" {
+  inherits = ["app"]
+  entitlements = ["network.host"]
+}
@@ -0,0 +1,19 @@
+# syntax=docker/dockerfile:1
+
+FROM golang:alpine AS base
+ENV CGO_ENABLED=0
+RUN apk add --no-cache file git
+WORKDIR /src
+
+FROM base AS build
+RUN --mount=type=bind,target=/src \
+    --mount=type=cache,target=/root/.cache/go-build \
+    go build -ldflags "-s -w" -o /usr/bin/app .
+
+FROM scratch AS binary
+COPY --from=build /usr/bin/app /bin/app
+
+FROM alpine AS image
+COPY --from=build /usr/bin/app /bin/app
+EXPOSE 8080
+ENTRYPOINT ["/bin/app"]
@@ -0,0 +1,17 @@
+variable "DESTDIR" {
+  default = "/tmp/bake-build"
+}
+
+group "default" {
+  targets = ["binary"]
+}
+
+target "binary" {
+  target = "binary"
+  output = [DESTDIR]
+}
+
+target "image" {
+  target = "image"
+  tags = ["localhost:5000/name/app:latest"]
+}
@@ -0,0 +1,3 @@
+module github.com/docker/bake-action/test/go
+
+go 1.18
@@ -0,0 +1,14 @@
+package main
+
+import (
+	"fmt"
+	"log"
+	"net/http"
+)
+
+func main() {
+	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprintf(w, "Hello, Go!")
+	})
+	log.Fatal(http.ListenAndServe(":8080", nil))
+}
@@ -0,0 +1,31 @@
+group "validate" {
+  targets = ["lint", "validate-vendor", "validate-doctoc"]
+}
+
+target "lint" {
+  name = "lint-${buildtags.name}"
+  dockerfile = "./hack/dockerfiles/lint.Dockerfile"
+  target = buildtags.target
+  output = ["type=cacheonly"]
+  matrix = {
+    buildtags = [
+      { name = "default", tags = "", target = "golangci-lint" },
+      { name = "labs", tags = "dfrunsecurity dfparents", target = "golangci-lint" },
+      { name = "nydus", tags = "nydus", target = "golangci-lint" },
+      { name = "yaml", tags = "", target = "yamllint" },
+      { name = "proto", tags = "", target = "protolint" },
+    ]
+  }
+}
+
+target "validate-vendor" {
+  dockerfile = "./hack/dockerfiles/vendor.Dockerfile"
+  target = "validate"
+  output = ["type=cacheonly"]
+}
+
+target "validate-doctoc" {
+  dockerfile = "./hack/dockerfiles/doctoc.Dockerfile"
+  target = "validate-toc"
+  output = ["type=cacheonly"]
+}
@@ -0,0 +1,36 @@
+group "validate" {
+  targets = ["lint", "lint-gopls", "validate-vendor", "validate-docs"]
+}
+
+target "lint" {
+  dockerfile = "./hack/dockerfiles/lint.Dockerfile"
+  output = ["type=cacheonly"]
+  platforms = [
+    "darwin/amd64",
+    "darwin/arm64",
+    "linux/amd64",
+    "linux/arm64",
+    "linux/s390x",
+    "linux/ppc64le",
+    "linux/riscv64",
+    "windows/amd64",
+    "windows/arm64"
+  ]
+}
+
+target "lint-gopls" {
+  inherits = ["lint"]
+  target = "gopls-analyze"
+}
+
+target "validate-vendor" {
+  dockerfile = "./hack/dockerfiles/vendor.Dockerfile"
+  target = "validate"
+  output = ["type=cacheonly"]
+}
+
+target "validate-docs" {
+  dockerfile = "./hack/dockerfiles/docs.Dockerfile"
+  target = "validate"
+  output = ["type=cacheonly"]
+}
@@ -0,0 +1,7 @@
+# syntax=docker/dockerfile:1
+
+FROM busybox AS t1
+RUN echo "Hello t1"
+
+FROM busybox AS t2
+RUN echo "Hello t2"
@@ -0,0 +1,11 @@
+group "default" {
+  targets = ["t1", "t2"]
+}
+
+target "t1" {
+  target = "t1"
+}
+
+target "t2" {
+  target = "t2"
+}
@@ -0,0 +1,10 @@
+frOM busybox as base
+cOpy lint-other.Dockerfile .
+
+froM busybox aS notused
+COPY lint-other.Dockerfile .
+
+from scratch
+COPy --from=base \
+  /lint-other.Dockerfile \
+  /
@@ -0,0 +1,12 @@
+frOM busybox as base
+cOpy lint.Dockerfile .
+
+from scratch
+MAINTAINER moby@example.com
+COPy --from=base \
+  /lint.Dockerfile \
+  /
+
+CMD [ "echo", "Hello, Norway!" ]
+CMD [ "echo", "Hello, Sweden!" ]
+ENTRYPOINT my-program start
@@ -0,0 +1,12 @@
+group "default" {
+  targets = ["lint", "lint-other", "lint-inline"]
+}
+target "lint" {
+  dockerfile = "lint.Dockerfile"
+}
+target "lint-other" {
+  dockerfile = "lint-other.Dockerfile"
+}
+target "lint-inline" {
+  dockerfile-inline = "FRoM alpine\nENTRYPOINT [\"echo\", \"hello\"]"
+}
@@ -0,0 +1,15 @@
+group "default" {
+  targets = ["t3"]
+}
+
+target "t3" {
+  name = "${item.tag}"
+  matrix = {
+    item = t3
+  }
+  args = {
+    VERSION = "${item.version}"
+    DUMMY_ARG = "${item.arg}"
+  }
+  tags = ["${item.tag}"]
+}
@@ -0,0 +1,14 @@
+{
+  "t3": [
+    {
+      "version": "v1",
+      "arg": "v1-value",
+      "tag": "v1-tag"
+    },
+    {
+      "version": "v2",
+      "arg": "v2-value",
+      "tag": "v2-tag"
+    }
+  ]
+}
@@ -0,0 +1,9 @@
+# syntax=docker/dockerfile:1
+FROM alpine
+RUN apk add --no-cache curl net-tools
+ARG HTTP_PROXY
+ARG HTTPS_PROXY
+RUN printenv HTTP_PROXY
+RUN printenv HTTPS_PROXY
+RUN netstat -aptn
+RUN curl --retry 5 --retry-all-errors --retry-delay 0 --connect-timeout 5 --proxy $HTTP_PROXY -v --insecure --head https://www.google.com
@@ -1,19 +1,17 @@
 {
  "compilerOptions": {
-    "target": "es6",
-    "module": "commonjs",
+    "module": "nodenext",
+    "moduleResolution": "nodenext",
+    "esModuleInterop": true,
    "newLine": "lf",
    "outDir": "./lib",
    "rootDir": "./src",
-    "esModuleInterop": true,
    "forceConsistentCasingInFileNames": true,
-    "strict": true,
    "noImplicitAny": false,
+    "resolveJsonModule": true,
    "useUnknownInCatchVariables": false,
  },
-  "exclude": [
-    "node_modules",
-    "**/*.test.ts",
-    "jest.config.ts"
+  "include": [
+    "src/**/*.ts"
  ]
 }
@@ -0,0 +1,16 @@
+import {defineConfig} from 'vitest/config';
+
+export default defineConfig({
+  test: {
+    clearMocks: true,
+    environment: 'node',
+    setupFiles: ['./__tests__/setup.unit.ts'],
+    include: ['**/*.test.ts'],
+    coverage: {
+      provider: 'v8',
+      reporter: ['clover'],
+      include: ['src/**/*.ts'],
+      exclude: ['src/**/main.ts']
+    }
+  }
+});