Merge pull request #200 from crazy-max/git-auth-token

git auth token support for private repos

.github/workflows/ci.yml

@@ -459,9 +459,7 @@ jobs:
         uses: docker/setup-buildx-action@v3
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
-          # TODO: use buildx-stable-1 image when v0.13 promoted
           driver-opts: |
-            image=moby/buildkit:v0.13.0
             network=host
       -
         name: Build and push
@@ -504,15 +502,14 @@ jobs:
         uses: docker/setup-buildx-action@v3
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
-          # TODO: use buildx-stable-1 image when v0.13 promoted
           driver-opts: |
-            image=moby/buildkit:v0.13.0
             network=host
       -
         name: Build and push
         uses: ./
         with:
           workdir: ./test/go
+          targets: image
           load: true
           push: true
           set: |

README.md

@@ -117,6 +117,26 @@ to the default Git context:
           push: true
 ```
 
+Building from the current repository automatically uses the `GITHUB_TOKEN`
+secret that GitHub [automatically creates for workflows](https://docs.github.com/en/actions/security-guides/automatic-token-authentication),
+so you don't need to pass that manually. If you want to authenticate against
+another private repository for remote definitions, you can set the
+[`BUILDX_BAKE_GIT_AUTH_TOKEN` environment variable](https://docs.docker.com/build/building/variables/#buildx_bake_git_auth_token).
+
+> [!NOTE]
+> Supported since Buildx 0.14.0
+
+```yaml
+      -
+        name: Build and push
+        uses: docker/bake-action@v4
+        with:
+          source: "${{ github.server_url }}/${{ github.repository }}.git#${{ github.ref }}"
+          push: true
+        env:
+          BUILDX_BAKE_GIT_AUTH_TOKEN: ${{ secrets.MYTOKEN }}
+```
+
 ## Customizing
 
 ### inputs
@@ -138,20 +158,21 @@ The following inputs can be used as `step.with` keys
 > targets: default,release
 > ```
 
-| Name         | Type        | Description                                                                                                                                                     |
-|--------------|-------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `builder`    | String      | Builder instance (see [setup-buildx](https://github.com/docker/setup-buildx-action) action)                                                                     |
-| `source`     | String      | Context to build from. Can be either local (`.`) or a [remote bake definition](https://docs.docker.com/build/customize/bake/file-definition/#remote-definition) |
-| `files`      | List/CSV    | List of [bake definition files](https://docs.docker.com/build/customize/bake/file-definition/)                                                                  |
-| `workdir`    | String      | Working directory of execution                                                                                                                                  |
-| `targets`    | List/CSV    | List of bake targets (`default` target used if empty)                                                                                                           |
-| `no-cache`   | Bool        | Do not use cache when building the image (default `false`)                                                                                                      |
-| `pull`       | Bool        | Always attempt to pull a newer version of the image (default `false`)                                                                                           |
-| `load`       | Bool        | Load is a shorthand for `--set=*.output=type=docker` (default `false`)                                                                                          |
-| `provenance` | Bool/String | [Provenance](https://docs.docker.com/build/attestations/slsa-provenance/) is a shorthand for `--set=*.attest=type=provenance`                                   |
-| `push`       | Bool        | Push is a shorthand for `--set=*.output=type=registry` (default `false`)                                                                                        |
-| `sbom`       | Bool/String | [SBOM](https://docs.docker.com/build/attestations/sbom/) is a shorthand for `--set=*.attest=type=sbom`                                                          |
-| `set`        | List        | List of [targets values to override](https://docs.docker.com/engine/reference/commandline/buildx_bake/#set) (eg: `targetpattern.key=value`)                     |
+| Name           | Type        | Description                                                                                                                                                        |
+|----------------|-------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `builder`      | String      | Builder instance (see [setup-buildx](https://github.com/docker/setup-buildx-action) action)                                                                        |
+| `source`       | String      | Context to build from. Can be either local (`.`) or a [remote bake definition](https://docs.docker.com/build/customize/bake/file-definition/#remote-definition)    |
+| `files`        | List/CSV    | List of [bake definition files](https://docs.docker.com/build/customize/bake/file-definition/)                                                                     |
+| `workdir`      | String      | Working directory of execution                                                                                                                                     |
+| `targets`      | List/CSV    | List of bake targets (`default` target used if empty)                                                                                                              |
+| `no-cache`     | Bool        | Do not use cache when building the image (default `false`)                                                                                                         |
+| `pull`         | Bool        | Always attempt to pull a newer version of the image (default `false`)                                                                                              |
+| `load`         | Bool        | Load is a shorthand for `--set=*.output=type=docker` (default `false`)                                                                                             |
+| `provenance`   | Bool/String | [Provenance](https://docs.docker.com/build/attestations/slsa-provenance/) is a shorthand for `--set=*.attest=type=provenance`                                      |
+| `push`         | Bool        | Push is a shorthand for `--set=*.output=type=registry` (default `false`)                                                                                           |
+| `sbom`         | Bool/String | [SBOM](https://docs.docker.com/build/attestations/sbom/) is a shorthand for `--set=*.attest=type=sbom`                                                             |
+| `set`          | List        | List of [targets values to override](https://docs.docker.com/engine/reference/commandline/buildx_bake/#set) (eg: `targetpattern.key=value`)                        |
+| `github-token` | String      | API token used to authenticate to a Git repository for [remote definitions](https://docs.docker.com/build/bake/remote-definition/) (default `${{ github.token }}`) |
 
 ### outputs
 

__tests__/context.test.ts

@@ -56,7 +56,7 @@ jest.spyOn(Builder.prototype, 'inspect').mockImplementation(async (): Promise<Bu
   };
 });
 
-jest.spyOn(Bake.prototype, 'parseDefinitions').mockImplementation(async (): Promise<BakeDefinition> => {
+jest.spyOn(Bake.prototype, 'getDefinition').mockImplementation(async (): Promise<BakeDefinition> => {
   return JSON.parse(`{
     "group": {
       "default": {
@@ -334,7 +334,23 @@ describe('getArgs', () => {
         return buildxVersion;
       });
       const inp = await context.getInputs();
-      const res = await context.getArgs(inp, toolkit);
+      const definition = await toolkit.bake.getDefinition(
+        {
+          files: inp.files,
+          load: inp.load,
+          noCache: inp.noCache,
+          overrides: inp.set,
+          provenance: inp.provenance,
+          push: inp.push,
+          sbom: inp.sbom,
+          source: inp.source,
+          targets: inp.targets
+        },
+        {
+          cwd: inp.workdir
+        }
+      );
+      const res = await context.getArgs(inp, definition, toolkit);
       expect(res).toEqual(expected);
     }
   );

action.yml

@@ -48,6 +48,10 @@ inputs:
   set:
     description: "List of targets values to override (eg. targetpattern.key=value)"
     required: false
+  github-token:
+    description: "API token used to authenticate to a Git repository for remote definitions"
+    default: ${{ github.token }}
+    required: false
 
 outputs:
   metadata:

package.json

@@ -27,7 +27,7 @@
   "license": "Apache-2.0",
   "dependencies": {
     "@actions/core": "^1.10.1",
-    "@docker/actions-toolkit": "^0.18.0",
+    "@docker/actions-toolkit": "^0.21.1",
     "handlebars": "^4.7.8"
   },
   "devDependencies": {

src/context.ts

@@ -6,6 +6,7 @@ import {Inputs as BuildxInputs} from '@docker/actions-toolkit/lib/buildx/inputs'
 import {GitHub} from '@docker/actions-toolkit/lib/github';
 import {Toolkit} from '@docker/actions-toolkit/lib/toolkit';
 import {Util} from '@docker/actions-toolkit/lib/util';
+import {BakeDefinition} from '@docker/actions-toolkit/lib/types/bake';
 
 export interface Inputs {
   builder: string;
@@ -20,6 +21,7 @@ export interface Inputs {
   sbom: string;
   set: string[];
   source: string;
+  githubToken: string;
 }
 
 export async function getInputs(): Promise<Inputs> {
@@ -35,29 +37,24 @@ export async function getInputs(): Promise<Inputs> {
     push: core.getBooleanInput('push'),
     sbom: core.getInput('sbom'),
     set: Util.getInputList('set', {ignoreComma: true, quote: false}),
-    source: core.getInput('source')
+    source: getSourceInput('source'),
+    githubToken: core.getInput('github-token')
   };
 }
 
-export async function getArgs(inputs: Inputs, toolkit: Toolkit): Promise<Array<string>> {
+export async function getArgs(inputs: Inputs, definition: BakeDefinition, toolkit: Toolkit): Promise<Array<string>> {
   // prettier-ignore
   return [
-    ...await getBakeArgs(inputs, toolkit),
+    ...await getBakeArgs(inputs, definition, toolkit),
     ...await getCommonArgs(inputs),
     ...inputs.targets
   ];
 }
 
-async function getBakeArgs(inputs: Inputs, toolkit: Toolkit): Promise<Array<string>> {
+async function getBakeArgs(inputs: Inputs, definition: BakeDefinition, toolkit: Toolkit): Promise<Array<string>> {
   const args: Array<string> = ['bake'];
-  let source = handlebars.compile(inputs.source)({
-    defaultContext: Context.gitContext()
-  });
-  if (source === '.') {
-    source = '';
-  }
-  if (source) {
-    args.push(source);
+  if (inputs.source) {
+    args.push(inputs.source);
   }
   await Util.asyncForEach(inputs.files, async file => {
     args.push('--file', file);
@@ -69,10 +66,9 @@ async function getBakeArgs(inputs: Inputs, toolkit: Toolkit): Promise<Array<stri
     args.push('--metadata-file', BuildxInputs.getBuildMetadataFilePath());
   }
   if (await toolkit.buildx.versionSatisfies('>=0.10.0')) {
-    const bakedef = await toolkit.bake.parseDefinitions([...inputs.files, source], inputs.targets, inputs.set, inputs.load, inputs.push, inputs.workdir);
     if (inputs.provenance) {
       args.push('--provenance', inputs.provenance);
-    } else if ((await toolkit.buildkit.versionSatisfies(inputs.builder, '>=0.11.0')) && !Bake.hasDockerExporter(bakedef, inputs.load)) {
+    } else if ((await toolkit.buildkit.versionSatisfies(inputs.builder, '>=0.11.0')) && !Bake.hasDockerExporter(definition, inputs.load)) {
       // if provenance not specified and BuildKit version compatible for
       // attestation, set default provenance. Also needs to make sure user
       // doesn't want to explicitly load the image to docker.
@@ -111,3 +107,13 @@ async function getCommonArgs(inputs: Inputs): Promise<Array<string>> {
   }
   return args;
 }
+
+function getSourceInput(name: string): string {
+  let source = handlebars.compile(core.getInput(name))({
+    defaultContext: Context.gitContext()
+  });
+  if (source === '.') {
+    source = '';
+  }
+  return source;
+}

src/main.ts

@@ -8,6 +8,7 @@ import {Docker} from '@docker/actions-toolkit/lib/docker/docker';
 import {Exec} from '@docker/actions-toolkit/lib/exec';
 import {GitHub} from '@docker/actions-toolkit/lib/github';
 import {Toolkit} from '@docker/actions-toolkit/lib/toolkit';
+import {BakeDefinition} from '@docker/actions-toolkit/lib/types/bake';
 import {ConfigFile} from '@docker/actions-toolkit/lib/types/docker';
 
 import * as context from './context';
@@ -18,6 +19,7 @@ actionsToolkit.run(
   async () => {
     const inputs: context.Inputs = await context.getInputs();
     const toolkit = new Toolkit();
+    const gitAuthToken = process.env.BUILDX_BAKE_GIT_AUTH_TOKEN ?? inputs.githubToken;
 
     await core.group(`GitHub Actions runtime token ACs`, async () => {
       try {
@@ -72,17 +74,48 @@ actionsToolkit.run(
       await toolkit.buildx.printVersion();
     });
 
-    const args: string[] = await context.getArgs(inputs, toolkit);
+    let definition: BakeDefinition | undefined;
+    await core.group(`Parsing raw definition`, async () => {
+      definition = await toolkit.bake.getDefinition(
+        {
+          files: inputs.files,
+          load: inputs.load,
+          noCache: inputs.noCache,
+          overrides: inputs.set,
+          provenance: inputs.provenance,
+          push: inputs.push,
+          sbom: inputs.sbom,
+          source: inputs.source,
+          targets: inputs.targets,
+          githubToken: gitAuthToken
+        },
+        {
+          cwd: inputs.workdir
+        }
+      );
+    });
+    if (!definition) {
+      throw new Error('Bake definition not set');
+    }
+
+    const args: string[] = await context.getArgs(inputs, definition, toolkit);
     const buildCmd = await toolkit.buildx.getCommand(args);
+    const buildEnv = Object.assign({}, process.env, {
+      BUILDX_BAKE_GIT_AUTH_TOKEN: gitAuthToken
+    }) as {
+      [key: string]: string;
+    };
 
     await core.group(`Bake definition`, async () => {
       await Exec.exec(buildCmd.command, [...buildCmd.args, '--print'], {
-        cwd: inputs.workdir
+        cwd: inputs.workdir,
+        env: buildEnv
       });
     });
 
     await Exec.getExecOutput(buildCmd.command, buildCmd.args, {
       cwd: inputs.workdir,
+      env: buildEnv,
       ignoreReturnCode: true
     }).then(res => {
       if (res.stderr.length > 0 && res.exitCode != 0) {

yarn.lock

@@ -56,10 +56,10 @@
     "@actions/core" "^1.2.6"
     minimatch "^3.0.4"
 
-"@actions/http-client@^2.0.1", "@actions/http-client@^2.1.1", "@actions/http-client@^2.2.0":
-  version "2.2.0"
-  resolved "https://registry.yarnpkg.com/@actions/http-client/-/http-client-2.2.0.tgz#f8239f375be6185fcd07765efdcf0031ad5df1a0"
-  integrity sha512-q+epW0trjVUUHboliPb4UF9g2msf+w61b32tAkFEwL/IwP0DQWgbCMM0Hbe3e3WXSKz5VcUXbzJQgy8Hkra/Lg==
+"@actions/http-client@^2.0.1", "@actions/http-client@^2.1.1", "@actions/http-client@^2.2.0", "@actions/http-client@^2.2.1":
+  version "2.2.1"
+  resolved "https://registry.yarnpkg.com/@actions/http-client/-/http-client-2.2.1.tgz#ed3fe7a5a6d317ac1d39886b0bb999ded229bb38"
+  integrity sha512-KhC/cZsq7f8I4LfZSJKgCvEwfkE8o1538VoBeoGzokVLLnbFDEAdFD3UhoMklxo2un9NJVBdANOresx7vTHlHw==
   dependencies:
     tunnel "^0.0.6"
     undici "^5.25.4"
@@ -765,16 +765,16 @@
   dependencies:
     "@jridgewell/trace-mapping" "0.3.9"
 
-"@docker/actions-toolkit@^0.18.0":
-  version "0.18.0"
-  resolved "https://registry.yarnpkg.com/@docker/actions-toolkit/-/actions-toolkit-0.18.0.tgz#628e9396ae90b596348312058296aeb20a27360d"
-  integrity sha512-F0DwpVe2TNAQuZO540wJpu2QxXACNKZX3Tgi8yPfChsgUG0Z20Fmr6BNToQxlaVxG6LiMQdujfemoHo4slnLEw==
+"@docker/actions-toolkit@^0.21.1":
+  version "0.21.1"
+  resolved "https://registry.yarnpkg.com/@docker/actions-toolkit/-/actions-toolkit-0.21.1.tgz#d4a4630d117dcb2f040e121e1f918c0b19ceebf8"
+  integrity sha512-JPdPr9AesJQ47kRB+ylGdCxTisEL5ptOtqeGGtpXZjX7zb3S//2EmptiNDV+G5F2LrMvnCz67ZZGipf0LGDPJQ==
   dependencies:
     "@actions/cache" "^3.2.4"
     "@actions/core" "^1.10.1"
     "@actions/exec" "^1.1.1"
     "@actions/github" "^6.0.0"
-    "@actions/http-client" "^2.2.0"
+    "@actions/http-client" "^2.2.1"
     "@actions/io" "^1.1.3"
     "@actions/tool-cache" "^2.0.1"
     "@octokit/core" "^5.1.0"
@@ -783,8 +783,8 @@
     csv-parse "^5.5.5"
     handlebars "^4.7.8"
     jwt-decode "^4.0.0"
-    semver "^7.5.4"
-    tmp "^0.2.2"
+    semver "^7.6.0"
+    tmp "^0.2.3"
 
 "@eslint-community/eslint-utils@^4.2.0", "@eslint-community/eslint-utils@^4.4.0":
   version "4.4.0"
@@ -3678,10 +3678,10 @@ semver@^6.0.0, semver@^6.1.0, semver@^6.3.0, semver@^6.3.1:
   resolved "https://registry.yarnpkg.com/semver/-/semver-6.3.1.tgz#556d2ef8689146e46dcea4bfdd095f3434dffcb4"
   integrity sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA==
 
-semver@^7.3.7, semver@^7.5.3, semver@^7.5.4:
-  version "7.5.4"
-  resolved "https://registry.yarnpkg.com/semver/-/semver-7.5.4.tgz#483986ec4ed38e1c6c48c34894a9182dbff68a6e"
-  integrity sha512-1bCSESV6Pv+i21Hvpxp3Dx+pSD8lIPt8uVjRrxAUt/nbswYc+tK6Y2btiULjd4+fnq15PX+nqQDC7Oft7WkwcA==
+semver@^7.3.7, semver@^7.5.3, semver@^7.5.4, semver@^7.6.0:
+  version "7.6.0"
+  resolved "https://registry.yarnpkg.com/semver/-/semver-7.6.0.tgz#1a46a4db4bffcccd97b743b5005c8325f23d4e2d"
+  integrity sha512-EnwXhrlwXMk9gKu5/flx5sv/an57AkRplG3hTK68W7FRDN+k+OWBj65M7719OkA82XLBxrcX0KSHj+X5COhOVg==
   dependencies:
     lru-cache "^6.0.0"
 
@@ -3855,7 +3855,7 @@ titleize@^3.0.0:
   resolved "https://registry.yarnpkg.com/titleize/-/titleize-3.0.0.tgz#71c12eb7fdd2558aa8a44b0be83b8a76694acd53"
   integrity sha512-KxVu8EYHDPBdUYdKZdKtU2aj2XfEx9AfjXxE/Aj0vT06w2icA09Vus1rh6eSu1y01akYg6BjIK/hxyLJINoMLQ==
 
-tmp@^0.2.2:
+tmp@^0.2.3:
   version "0.2.3"
   resolved "https://registry.yarnpkg.com/tmp/-/tmp-0.2.3.tgz#eb783cc22bc1e8bebd0671476d46ea4eb32a79ae"
   integrity sha512-nZD7m9iCPC5g0pYmcaxogYKggSfLsdxl8of3Q/oIbqCqLLIO9IAF0GWjX1z9NZRHPiXv8Wex4yDCaZsgEw0Y8w==
@@ -3975,9 +3975,9 @@ uglify-js@^3.1.4:
   integrity sha512-T9q82TJI9e/C1TAxYvfb16xO120tMVFZrGA3f9/P4424DNu6ypK103y0GPFVa17yotwSyZW5iYXgjYHkGrJW/g==
 
 undici@^5.25.4:
-  version "5.28.3"
-  resolved "https://registry.yarnpkg.com/undici/-/undici-5.28.3.tgz#a731e0eff2c3fcfd41c1169a869062be222d1e5b"
-  integrity sha512-3ItfzbrhDlINjaP0duwnNsKpDQk3acHI3gVJ1z4fmwMK31k5G9OVIAMLSIaP6w4FaGkaAkN6zaQO9LUvZ1t7VA==
+  version "5.28.4"
+  resolved "https://registry.yarnpkg.com/undici/-/undici-5.28.4.tgz#6b280408edb6a1a604a9b20340f45b422e373068"
+  integrity sha512-72RFADWFqKmUb2hmmvNODKL3p9hcB6Gt2DOQMis1SEBaV6a4MH8soBvzg+95CYhCKPFedut2JY9bMfrDl9D23g==
   dependencies:
     "@fastify/busboy" "^2.0.0"