Merge pull request #203 from crazy-max/missing-post

fix missing runs.post in action.yml

.github/workflows/ci.yml

@@ -459,9 +459,7 @@ jobs:
         uses: docker/setup-buildx-action@v3
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
-          # TODO: use buildx-stable-1 image when v0.13 promoted
           driver-opts: |
-            image=moby/buildkit:v0.13.0
             network=host
       -
         name: Build and push
@@ -504,15 +502,14 @@ jobs:
         uses: docker/setup-buildx-action@v3
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
-          # TODO: use buildx-stable-1 image when v0.13 promoted
           driver-opts: |
-            image=moby/buildkit:v0.13.0
             network=host
       -
         name: Build and push
         uses: ./
         with:
           workdir: ./test/go
+          targets: image
           load: true
           push: true
           set: |

README.md

@@ -117,6 +117,26 @@ to the default Git context:
           push: true
 ```
 
+Building from the current repository automatically uses the `GITHUB_TOKEN`
+secret that GitHub [automatically creates for workflows](https://docs.github.com/en/actions/security-guides/automatic-token-authentication),
+so you don't need to pass that manually. If you want to authenticate against
+another private repository for remote definitions, you can set the
+[`BUILDX_BAKE_GIT_AUTH_TOKEN` environment variable](https://docs.docker.com/build/building/variables/#buildx_bake_git_auth_token).
+
+> [!NOTE]
+> Supported since Buildx 0.14.0
+
+```yaml
+      -
+        name: Build and push
+        uses: docker/bake-action@v4
+        with:
+          source: "${{ github.server_url }}/${{ github.repository }}.git#${{ github.ref }}"
+          push: true
+        env:
+          BUILDX_BAKE_GIT_AUTH_TOKEN: ${{ secrets.MYTOKEN }}
+```
+
 ## Customizing
 
 ### inputs
@@ -138,20 +158,21 @@ The following inputs can be used as `step.with` keys
 > targets: default,release
 > ```
 
-| Name         | Type        | Description                                                                                                                                                     |
-|--------------|-------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `builder`    | String      | Builder instance (see [setup-buildx](https://github.com/docker/setup-buildx-action) action)                                                                     |
-| `source`     | String      | Context to build from. Can be either local (`.`) or a [remote bake definition](https://docs.docker.com/build/customize/bake/file-definition/#remote-definition) |
-| `files`      | List/CSV    | List of [bake definition files](https://docs.docker.com/build/customize/bake/file-definition/)                                                                  |
-| `workdir`    | String      | Working directory of execution                                                                                                                                  |
-| `targets`    | List/CSV    | List of bake targets (`default` target used if empty)                                                                                                           |
-| `no-cache`   | Bool        | Do not use cache when building the image (default `false`)                                                                                                      |
-| `pull`       | Bool        | Always attempt to pull a newer version of the image (default `false`)                                                                                           |
-| `load`       | Bool        | Load is a shorthand for `--set=*.output=type=docker` (default `false`)                                                                                          |
-| `provenance` | Bool/String | [Provenance](https://docs.docker.com/build/attestations/slsa-provenance/) is a shorthand for `--set=*.attest=type=provenance`                                   |
-| `push`       | Bool        | Push is a shorthand for `--set=*.output=type=registry` (default `false`)                                                                                        |
-| `sbom`       | Bool/String | [SBOM](https://docs.docker.com/build/attestations/sbom/) is a shorthand for `--set=*.attest=type=sbom`                                                          |
-| `set`        | List        | List of [targets values to override](https://docs.docker.com/engine/reference/commandline/buildx_bake/#set) (eg: `targetpattern.key=value`)                     |
+| Name           | Type        | Description                                                                                                                                                        |
+|----------------|-------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `builder`      | String      | Builder instance (see [setup-buildx](https://github.com/docker/setup-buildx-action) action)                                                                        |
+| `source`       | String      | Context to build from. Can be either local (`.`) or a [remote bake definition](https://docs.docker.com/build/customize/bake/file-definition/#remote-definition)    |
+| `files`        | List/CSV    | List of [bake definition files](https://docs.docker.com/build/customize/bake/file-definition/)                                                                     |
+| `workdir`      | String      | Working directory of execution                                                                                                                                     |
+| `targets`      | List/CSV    | List of bake targets (`default` target used if empty)                                                                                                              |
+| `no-cache`     | Bool        | Do not use cache when building the image (default `false`)                                                                                                         |
+| `pull`         | Bool        | Always attempt to pull a newer version of the image (default `false`)                                                                                              |
+| `load`         | Bool        | Load is a shorthand for `--set=*.output=type=docker` (default `false`)                                                                                             |
+| `provenance`   | Bool/String | [Provenance](https://docs.docker.com/build/attestations/slsa-provenance/) is a shorthand for `--set=*.attest=type=provenance`                                      |
+| `push`         | Bool        | Push is a shorthand for `--set=*.output=type=registry` (default `false`)                                                                                           |
+| `sbom`         | Bool/String | [SBOM](https://docs.docker.com/build/attestations/sbom/) is a shorthand for `--set=*.attest=type=sbom`                                                             |
+| `set`          | List        | List of [targets values to override](https://docs.docker.com/engine/reference/commandline/buildx_bake/#set) (eg: `targetpattern.key=value`)                        |
+| `github-token` | String      | API token used to authenticate to a Git repository for [remote definitions](https://docs.docker.com/build/bake/remote-definition/) (default `${{ github.token }}`) |
 
 ### outputs
 

__tests__/context.test.ts

@@ -1,6 +1,7 @@
 import {beforeEach, describe, expect, jest, test} from '@jest/globals';
 import * as fs from 'fs';
 import * as path from 'path';
+
 import {Bake} from '@docker/actions-toolkit/lib/buildx/bake';
 import {Builder} from '@docker/actions-toolkit/lib/buildx/builder';
 import {Buildx} from '@docker/actions-toolkit/lib/buildx/buildx';
@@ -8,6 +9,7 @@ import {Context} from '@docker/actions-toolkit/lib/context';
 import {Docker} from '@docker/actions-toolkit/lib/docker/docker';
 import {GitHub} from '@docker/actions-toolkit/lib/github';
 import {Toolkit} from '@docker/actions-toolkit/lib/toolkit';
+
 import {BakeDefinition} from '@docker/actions-toolkit/lib/types/bake';
 import {BuilderInfo} from '@docker/actions-toolkit/lib/types/builder';
 import {GitHubRepo} from '@docker/actions-toolkit/lib/types/github';
@@ -56,7 +58,7 @@ jest.spyOn(Builder.prototype, 'inspect').mockImplementation(async (): Promise<Bu
   };
 });
 
-jest.spyOn(Bake.prototype, 'parseDefinitions').mockImplementation(async (): Promise<BakeDefinition> => {
+jest.spyOn(Bake.prototype, 'getDefinition').mockImplementation(async (): Promise<BakeDefinition> => {
   return JSON.parse(`{
     "group": {
       "default": {
@@ -334,7 +336,23 @@ describe('getArgs', () => {
         return buildxVersion;
       });
       const inp = await context.getInputs();
-      const res = await context.getArgs(inp, toolkit);
+      const definition = await toolkit.bake.getDefinition(
+        {
+          files: inp.files,
+          load: inp.load,
+          noCache: inp.noCache,
+          overrides: inp.set,
+          provenance: inp.provenance,
+          push: inp.push,
+          sbom: inp.sbom,
+          source: inp.source,
+          targets: inp.targets
+        },
+        {
+          cwd: inp.workdir
+        }
+      );
+      const res = await context.getArgs(inp, definition, toolkit);
       expect(res).toEqual(expected);
     }
   );

action.yml

@@ -48,6 +48,10 @@ inputs:
   set:
     description: "List of targets values to override (eg. targetpattern.key=value)"
     required: false
+  github-token:
+    description: "API token used to authenticate to a Git repository for remote definitions"
+    default: ${{ github.token }}
+    required: false
 
 outputs:
   metadata:
@@ -56,3 +60,4 @@ outputs:
 runs:
   using: 'node20'
   main: 'dist/index.js'
+  post: 'dist/index.js'

package.json

@@ -27,7 +27,7 @@
   "license": "Apache-2.0",
   "dependencies": {
     "@actions/core": "^1.10.1",
-    "@docker/actions-toolkit": "^0.18.0",
+    "@docker/actions-toolkit": "^0.22.0",
     "handlebars": "^4.7.8"
   },
   "devDependencies": {

src/context.ts

@@ -1,12 +1,15 @@
 import * as core from '@actions/core';
 import * as handlebars from 'handlebars';
+
 import {Bake} from '@docker/actions-toolkit/lib/buildx/bake';
+import {Build} from '@docker/actions-toolkit/lib/buildx/build';
 import {Context} from '@docker/actions-toolkit/lib/context';
-import {Inputs as BuildxInputs} from '@docker/actions-toolkit/lib/buildx/inputs';
 import {GitHub} from '@docker/actions-toolkit/lib/github';
 import {Toolkit} from '@docker/actions-toolkit/lib/toolkit';
 import {Util} from '@docker/actions-toolkit/lib/util';
 
+import {BakeDefinition} from '@docker/actions-toolkit/lib/types/bake';
+
 export interface Inputs {
   builder: string;
   files: string[];
@@ -20,6 +23,7 @@ export interface Inputs {
   sbom: string;
   set: string[];
   source: string;
+  githubToken: string;
 }
 
 export async function getInputs(): Promise<Inputs> {
@@ -31,33 +35,28 @@ export async function getInputs(): Promise<Inputs> {
     noCache: core.getBooleanInput('no-cache'),
     pull: core.getBooleanInput('pull'),
     load: core.getBooleanInput('load'),
-    provenance: BuildxInputs.getProvenanceInput('provenance'),
+    provenance: Build.getProvenanceInput('provenance'),
     push: core.getBooleanInput('push'),
     sbom: core.getInput('sbom'),
     set: Util.getInputList('set', {ignoreComma: true, quote: false}),
-    source: core.getInput('source')
+    source: getSourceInput('source'),
+    githubToken: core.getInput('github-token')
   };
 }
 
-export async function getArgs(inputs: Inputs, toolkit: Toolkit): Promise<Array<string>> {
+export async function getArgs(inputs: Inputs, definition: BakeDefinition, toolkit: Toolkit): Promise<Array<string>> {
   // prettier-ignore
   return [
-    ...await getBakeArgs(inputs, toolkit),
+    ...await getBakeArgs(inputs, definition, toolkit),
     ...await getCommonArgs(inputs),
     ...inputs.targets
   ];
 }
 
-async function getBakeArgs(inputs: Inputs, toolkit: Toolkit): Promise<Array<string>> {
+async function getBakeArgs(inputs: Inputs, definition: BakeDefinition, toolkit: Toolkit): Promise<Array<string>> {
   const args: Array<string> = ['bake'];
-  let source = handlebars.compile(inputs.source)({
-    defaultContext: Context.gitContext()
-  });
-  if (source === '.') {
-    source = '';
-  }
-  if (source) {
-    args.push(source);
+  if (inputs.source) {
+    args.push(inputs.source);
   }
   await Util.asyncForEach(inputs.files, async file => {
     args.push('--file', file);
@@ -66,23 +65,22 @@ async function getBakeArgs(inputs: Inputs, toolkit: Toolkit): Promise<Array<stri
     args.push('--set', set);
   });
   if (await toolkit.buildx.versionSatisfies('>=0.6.0')) {
-    args.push('--metadata-file', BuildxInputs.getBuildMetadataFilePath());
+    args.push('--metadata-file', Bake.getMetadataFilePath());
   }
   if (await toolkit.buildx.versionSatisfies('>=0.10.0')) {
-    const bakedef = await toolkit.bake.parseDefinitions([...inputs.files, source], inputs.targets, inputs.set, inputs.load, inputs.push, inputs.workdir);
     if (inputs.provenance) {
       args.push('--provenance', inputs.provenance);
-    } else if ((await toolkit.buildkit.versionSatisfies(inputs.builder, '>=0.11.0')) && !Bake.hasDockerExporter(bakedef, inputs.load)) {
+    } else if ((await toolkit.buildkit.versionSatisfies(inputs.builder, '>=0.11.0')) && !Bake.hasDockerExporter(definition, inputs.load)) {
       // if provenance not specified and BuildKit version compatible for
       // attestation, set default provenance. Also needs to make sure user
       // doesn't want to explicitly load the image to docker.
       if (GitHub.context.payload.repository?.private ?? false) {
         // if this is a private repository, we set the default provenance
         // attributes being set in buildx: https://github.com/docker/buildx/blob/fb27e3f919dcbf614d7126b10c2bc2d0b1927eb6/build/build.go#L603
-        args.push('--provenance', BuildxInputs.resolveProvenanceAttrs(`mode=min,inline-only=true`));
+        args.push('--provenance', Build.resolveProvenanceAttrs(`mode=min,inline-only=true`));
       } else {
         // for a public repository, we set max provenance mode.
-        args.push('--provenance', BuildxInputs.resolveProvenanceAttrs(`mode=max`));
+        args.push('--provenance', Build.resolveProvenanceAttrs(`mode=max`));
       }
     }
     if (inputs.sbom) {
@@ -111,3 +109,13 @@ async function getCommonArgs(inputs: Inputs): Promise<Array<string>> {
   }
   return args;
 }
+
+function getSourceInput(name: string): string {
+  let source = handlebars.compile(core.getInput(name))({
+    defaultContext: Context.gitContext()
+  });
+  if (source === '.') {
+    source = '';
+  }
+  return source;
+}

src/main.ts

@@ -2,12 +2,15 @@ import * as fs from 'fs';
 import * as path from 'path';
 import * as core from '@actions/core';
 import * as actionsToolkit from '@docker/actions-toolkit';
-import {Inputs as BuildxInputs} from '@docker/actions-toolkit/lib/buildx/inputs';
+
+import {Bake} from '@docker/actions-toolkit/lib/buildx/bake';
 import {Context} from '@docker/actions-toolkit/lib/context';
 import {Docker} from '@docker/actions-toolkit/lib/docker/docker';
 import {Exec} from '@docker/actions-toolkit/lib/exec';
 import {GitHub} from '@docker/actions-toolkit/lib/github';
 import {Toolkit} from '@docker/actions-toolkit/lib/toolkit';
+
+import {BakeDefinition} from '@docker/actions-toolkit/lib/types/bake';
 import {ConfigFile} from '@docker/actions-toolkit/lib/types/docker';
 
 import * as context from './context';
@@ -18,6 +21,7 @@ actionsToolkit.run(
   async () => {
     const inputs: context.Inputs = await context.getInputs();
     const toolkit = new Toolkit();
+    const gitAuthToken = process.env.BUILDX_BAKE_GIT_AUTH_TOKEN ?? inputs.githubToken;
 
     await core.group(`GitHub Actions runtime token ACs`, async () => {
       try {
@@ -72,17 +76,48 @@ actionsToolkit.run(
       await toolkit.buildx.printVersion();
     });
 
-    const args: string[] = await context.getArgs(inputs, toolkit);
+    let definition: BakeDefinition | undefined;
+    await core.group(`Parsing raw definition`, async () => {
+      definition = await toolkit.bake.getDefinition(
+        {
+          files: inputs.files,
+          load: inputs.load,
+          noCache: inputs.noCache,
+          overrides: inputs.set,
+          provenance: inputs.provenance,
+          push: inputs.push,
+          sbom: inputs.sbom,
+          source: inputs.source,
+          targets: inputs.targets,
+          githubToken: gitAuthToken
+        },
+        {
+          cwd: inputs.workdir
+        }
+      );
+    });
+    if (!definition) {
+      throw new Error('Bake definition not set');
+    }
+
+    const args: string[] = await context.getArgs(inputs, definition, toolkit);
     const buildCmd = await toolkit.buildx.getCommand(args);
+    const buildEnv = Object.assign({}, process.env, {
+      BUILDX_BAKE_GIT_AUTH_TOKEN: gitAuthToken
+    }) as {
+      [key: string]: string;
+    };
 
     await core.group(`Bake definition`, async () => {
       await Exec.exec(buildCmd.command, [...buildCmd.args, '--print'], {
-        cwd: inputs.workdir
+        cwd: inputs.workdir,
+        env: buildEnv
       });
     });
 
     await Exec.getExecOutput(buildCmd.command, buildCmd.args, {
       cwd: inputs.workdir,
+      env: buildEnv,
       ignoreReturnCode: true
     }).then(res => {
       if (res.stderr.length > 0 && res.exitCode != 0) {
@@ -90,11 +125,12 @@ actionsToolkit.run(
       }
     });
 
-    const metadata = await BuildxInputs.resolveBuildMetadata();
+    const metadata = Bake.resolveMetadata();
     if (metadata) {
       await core.group(`Metadata`, async () => {
-        core.info(metadata);
-        core.setOutput('metadata', metadata);
+        const metadatadt = JSON.stringify(metadata, null, 2);
+        core.info(metadatadt);
+        core.setOutput('metadata', metadatadt);
       });
     }
   },