Merge pull request #298 from crazy-max/v5_update-actions-toolkit

[v5] Bump @docker/actions-toolkit from 0.51.0 to 0.53.0
chore: update generated content
2026-06-05 09:38:40 +02:00 · 2025-01-23 14:31:59 +01:00 · 2025-01-23 14:27:20 +01:00 · 2025-01-23 14:26:12 +01:00 · 2025-01-21 14:57:15 +01:00 · 2025-01-21 13:56:58 +01:00
34 changed files with 8310 additions and 5069 deletions
@@ -1,2 +1,12 @@
 /coverage
-/node_modules
+
+# Dependency directories
+node_modules/
+jspm_packages/
+
+# yarn v2
+.yarn/cache
+.yarn/unplugged
+.yarn/build-state.yml
+.yarn/install-state.gz
+.pnp.*
@@ -1,2 +1,4 @@
+/.yarn/releases/** binary
+/.yarn/plugins/** binary
 /dist/** linguist-generated=true
 /lib/** linguist-generated=true
@@ -38,9 +38,15 @@ jobs:
        with:
          workdir: ./test/group
      -
-        name: Show matrix
-        run: |
-          echo matrix=${{ steps.gen.outputs.matrix }}
+        name: Check targets
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const targets = `${{ steps.gen.outputs.targets }}`;
+            if (!targets) {
+              core.setFailed('No targets generated');
+            }
+            core.info(`targets=${targets}`);

  list-targets-group-matrix:
    runs-on: ubuntu-latest
@@ -56,6 +62,38 @@ jobs:
          workdir: ./test/group-matrix
          target: validate
      -
-        name: Show matrix
-        run: |
-          echo matrix=${{ steps.gen.outputs.matrix }}
+        name: Check targets
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const targets = `${{ steps.gen.outputs.targets }}`;
+            if (!targets) {
+              core.setFailed('No targets generated');
+            }
+            core.info(`targets=${targets}`);
+
+  list-targets-multi-files:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Matrix gen
+        id: gen
+        uses: ./subaction/list-targets
+        with:
+          workdir: ./test/multi-files
+          files: |
+            docker-bake.json
+            docker-bake.hcl
+      -
+        name: Check targets
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const targets = `${{ steps.gen.outputs.targets }}`;
+            if (!targets) {
+              core.setFailed('No targets generated');
+            }
+            core.info(`targets=${targets}`);
@@ -522,3 +522,201 @@ jobs:
        name: Check docker
        run: |
          docker image inspect localhost:5000/name/app:latest
+
+  summary-disable:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          files: |
+            ./test/config.hcl
+          targets: app
+        env:
+          DOCKER_BUILD_SUMMARY: false
+
+  summary-disable-deprecated:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          files: |
+            ./test/config.hcl
+          targets: app
+        env:
+          DOCKER_BUILD_NO_SUMMARY: true
+
+  summary-not-supported:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: v0.12.1
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          files: |
+            ./test/config.hcl
+          targets: app
+
+  record-upload-disable:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          files: |
+            ./test/config.hcl
+          targets: app
+        env:
+          DOCKER_BUILD_RECORD_UPLOAD: false
+
+  record-retention-days:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        days:
+          - 2
+          - 0
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          files: |
+            ./test/config.hcl
+          targets: app
+        env:
+          DOCKER_BUILD_RECORD_RETENTION_DAYS: ${{ matrix.days }}
+
+  checks:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        buildx-version:
+          - latest
+          - v0.14.1
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: ${{ matrix.buildx-version }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          workdir: ./test
+          files: |
+            ./lint.hcl
+
+  annotations-disabled:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          workdir: ./test
+          files: |
+            ./lint.hcl
+        env:
+          DOCKER_BUILD_CHECKS_ANNOTATIONS: false
+
+  allow:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        buildx-version:
+          - v0.19.0-rc2
+          - v0.18.0
+          - v0.17.1
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: ${{ matrix.buildx-version }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          files: |
+            ./test/config.hcl
+          allow: network.host
+          targets: app-entitlements
@@ -0,0 +1,21 @@
+name: publish
+
+on:
+  release:
+    types:
+      - published
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Publish
+        uses: actions/publish-immutable-action@v0.0.4
@@ -26,12 +26,12 @@ jobs:
        uses: actions/checkout@v4
      -
        name: Test
-        uses: docker/bake-action@v4
+        uses: docker/bake-action@v5
        with:
          targets: test
      -
        name: Upload coverage
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@v5
        with:
-          file: ./coverage/clover.xml
+          files: ./coverage/clover.xml
          token: ${{ secrets.CODECOV_TOKEN }}
@@ -41,6 +41,6 @@ jobs:
        uses: actions/checkout@v4
      -
        name: Validate
-        uses: docker/bake-action@v4
+        uses: docker/bake-action@v5
        with:
          targets: ${{ matrix.target }}
@@ -1,12 +1,5 @@
-/.dev
-node_modules
-lib
+# https://raw.githubusercontent.com/github/gitignore/main/Node.gitignore

-# Jetbrains
-/.idea
-/*.iml
-
-# Rest of the file pulled from https://github.com/github/gitignore/blob/master/Node.gitignore
 # Logs
 logs
 *.log
@@ -14,6 +7,7 @@ npm-debug.log*
 yarn-debug.log*
 yarn-error.log*
 lerna-debug.log*
+.pnpm-debug.log*

 # Diagnostic reports (https://nodejs.org/api/report.html)
 report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json
@@ -24,34 +18,14 @@ pids
 *.seed
 *.pid.lock

-# Directory for instrumented libs generated by jscoverage/JSCover
-lib-cov
-
 # Coverage directory used by tools like istanbul
 coverage
 *.lcov

-# nyc test coverage
-.nyc_output
-
-# Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files)
-.grunt
-
-# Bower dependency directory (https://bower.io/)
-bower_components
-
-# node-waf configuration
-.lock-wscript
-
-# Compiled binary addons (https://nodejs.org/api/addons.html)
-build/Release
-
 # Dependency directories
+node_modules/
 jspm_packages/

-# TypeScript v1 declaration files
-typings/
-
 # TypeScript cache
 *.tsbuildinfo

@@ -61,36 +35,19 @@ typings/
 # Optional eslint cache
 .eslintcache

-# Optional REPL history
-.node_repl_history
-
-# Output of 'npm pack'
-*.tgz
-
 # Yarn Integrity file
 .yarn-integrity

-# dotenv environment variables file
+# dotenv environment variable files
 .env
-.env.test
+.env.development.local
+.env.test.local
+.env.production.local
+.env.local

-# parcel-bundler cache (https://parceljs.org/)
-.cache
-
-# next.js build output
-.next
-
-# nuxt.js build output
-.nuxt
-
-# vuepress build output
-.vuepress/dist
-
-# Serverless directories
-.serverless/
-
-# FuseBox cache
-.fusebox/
-
-# DynamoDB Local files
-.dynamodb/
+# yarn v2
+.yarn/cache
+.yarn/unplugged
+.yarn/build-state.yml
+.yarn/install-state.gz
+.pnp.*
@@ -0,0 +1,6 @@
+# Dependency directories
+node_modules/
+jspm_packages/
+
+# yarn v2
+.yarn/
@@ -0,0 +1,13 @@
+logFilters:
+  - code: YN0013
+    level: discard
+  - code: YN0019
+    level: discard
+  - code: YN0076
+    level: discard
+
+nodeLinker: node-modules
+
+plugins:
+  - path: .yarn/plugins/@yarnpkg/plugin-interactive-tools.cjs
+    spec: "@yarnpkg/plugin-interactive-tools"
@@ -16,11 +16,13 @@ ___
 * [Usage](#usage)
  * [Path context](#path-context)
  * [Git context](#git-context)
+* [Summaries](#summaries)
 * [Customizing](#customizing)
  * [inputs](#inputs)
  * [outputs](#outputs)
+  * [environment variables](#environment-variables)
 * [Subactions](#subactions)
-  * [`list-targets`](#list-targets)
+  * [`list-targets`](subaction/list-targets)
 * [Contributing](#contributing)

 ## Usage
@@ -57,7 +59,7 @@ jobs:
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      -
        name: Build and push
-        uses: docker/bake-action@v4
+        uses: docker/bake-action@v5
        with:
          push: true
 ```
@@ -92,7 +94,7 @@ jobs:
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      -
        name: Build and push
-        uses: docker/bake-action@v4
+        uses: docker/bake-action@v5
        with:
          source: "${{ github.server_url }}/${{ github.repository }}.git#${{ github.ref }}"
          push: true
@@ -111,7 +113,7 @@ to the default Git context:
 ```yaml
      -
        name: Build and push
-        uses: docker/bake-action@v4
+        uses: docker/bake-action@v5
        with:
          source: "{{defaultContext}}:mysubdir"
          push: true
@@ -129,7 +131,7 @@ another private repository for remote definitions, you can set the
 ```yaml
      -
        name: Build and push
-        uses: docker/bake-action@v4
+        uses: docker/bake-action@v5
        with:
          source: "${{ github.server_url }}/${{ github.repository }}.git#${{ github.ref }}"
          push: true
@@ -137,6 +139,26 @@ another private repository for remote definitions, you can set the
          BUILDX_BAKE_GIT_AUTH_TOKEN: ${{ secrets.MYTOKEN }}
 ```

+## Summaries
+
+This action generates a [job summary](https://github.blog/2022-05-09-supercharging-github-actions-with-job-summaries/)
+that provides a detailed overview of the build execution. The summary shows an
+overview of all the steps executed during the build, including the build
+inputs, bake definition, and eventual errors.
+
+![build-push-action job summary](./.github/bake-summary.png)
+
+The summary also includes a link for downloading a build record archive with
+additional details about the build execution for all the bake targets,
+including build stats, logs, outputs, and more. The build record can be
+imported to Docker Desktop for inspecting the build in greater detail.
+
+Summaries are enabled by default, but can be disabled with the
+`DOCKER_BUILD_SUMMARY` [environment variable](#environment-variables).
+
+For more information about summaries, refer to the
+[documentation](https://docs.docker.com/go/build-summary/).
+
 ## Customizing

 ### inputs
@@ -162,6 +184,7 @@ The following inputs can be used as `step.with` keys
 |----------------|-------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | `builder`      | String      | Builder instance (see [setup-buildx](https://github.com/docker/setup-buildx-action) action)                                                                        |
 | `source`       | String      | Context to build from. Can be either local (`.`) or a [remote bake definition](https://docs.docker.com/build/customize/bake/file-definition/#remote-definition)    |
+| `allow`        | List/CSV    | Allow build to access specified resources (e.g., `network.host`)                                                                                                   |
 | `files`        | List/CSV    | List of [bake definition files](https://docs.docker.com/build/customize/bake/file-definition/)                                                                     |
 | `workdir`      | String      | Working directory of execution                                                                                                                                     |
 | `targets`      | List/CSV    | List of bake targets (`default` target used if empty)                                                                                                              |
@@ -171,7 +194,7 @@ The following inputs can be used as `step.with` keys
 | `provenance`   | Bool/String | [Provenance](https://docs.docker.com/build/attestations/slsa-provenance/) is a shorthand for `--set=*.attest=type=provenance`                                      |
 | `push`         | Bool        | Push is a shorthand for `--set=*.output=type=registry` (default `false`)                                                                                           |
 | `sbom`         | Bool/String | [SBOM](https://docs.docker.com/build/attestations/sbom/) is a shorthand for `--set=*.attest=type=sbom`                                                             |
-| `set`          | List        | List of [targets values to override](https://docs.docker.com/engine/reference/commandline/buildx_bake/#set) (eg: `targetpattern.key=value`)                        |
+| `set`          | List        | List of [targets values to override](https://docs.docker.com/engine/reference/commandline/buildx_bake/#set) (e.g., `targetpattern.key=value`)                      |
 | `github-token` | String      | API token used to authenticate to a Git repository for [remote definitions](https://docs.docker.com/build/bake/remote-definition/) (default `${{ github.token }}`) |

 ### outputs
@@ -182,78 +205,18 @@ The following outputs are available
 |------------|------|-----------------------|
 | `metadata` | JSON | Build result metadata |

+### environment variables
+
+| Name                                 | Type   | Default | Description                                                                                                                                                                                                                                                        |
+|--------------------------------------|--------|---------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `DOCKER_BUILD_CHECKS_ANNOTATIONS`    | Bool   | `true`  | If `false`, GitHub annotations are not generated for [build checks](https://docs.docker.com/build/checks/)                                                                                                                                                         |
+| `DOCKER_BUILD_SUMMARY`               | Bool   | `true`  | If `false`, [build summary](https://docs.docker.com/build/ci/github-actions/build-summary/) generation is disabled                                                                                                                                                 |
+| `DOCKER_BUILD_RECORD_UPLOAD`         | Bool   | `true`  | If `false`, build record upload as [GitHub artifact](https://docs.github.com/en/actions/using-workflows/storing-workflow-data-as-artifacts) is disabled                                                                                                            |
+| `DOCKER_BUILD_RECORD_RETENTION_DAYS` | Number |         | Duration after which build record artifact will expire in days. Defaults to repository/org [retention settings](https://docs.github.com/en/actions/learn-github-actions/usage-limits-billing-and-administration#artifact-and-log-retention-policy) if unset or `0` |
+
 ## Subactions

-### `list-targets`
-
-This subaction generates a list of Bake targets that can be used in a [GitHub matrix](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstrategymatrix),
-so you can distribute your builds across multiple runners.
-
-```hcl
-# docker-bake.hcl
-group "validate" {
-  targets = ["lint", "doctoc"]
-}
-
-target "lint" {
-  target = "lint"
-}
-
-target "doctoc" {
-  target = "doctoc"
-}
-```
-
-```yaml
-jobs:
-  prepare:
-    runs-on: ubuntu-latest
-    outputs:
-      targets: ${{ steps.generate.outputs.targets }}
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v4
-      -
-        name: List targets
-        id: generate
-        uses: docker/bake-action/subaction/list-targets@v4
-        with:
-          target: validate
-
-  validate:
-    runs-on: ubuntu-latest
-    needs:
-      - prepare
-    strategy:
-      fail-fast: false
-      matrix:
-        target: ${{ fromJson(needs.prepare.outputs.targets) }}
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v4
-      -
-        name: Validate
-        uses: docker/bake-action@v4
-        with:
-          targets: ${{ matrix.target }}
-```
-#### inputs
-
-| Name         | Type        | Description                                                                                                                                 |
-|--------------|-------------|---------------------------------------------------------------------------------------------------------------------------------------------|
-| `workdir`    | String      | Working directory to use (defaults to `.`)                                                                                                  |
-| `files`      | List/CSV    | List of [bake definition files](https://docs.docker.com/build/customize/bake/file-definition/)                                              |
-| `target`     | String      | The target to use within the bake file                                                                                                      |
-
-#### outputs
-
-The following outputs are available
-
-| Name       | Type     | Description                |
-|------------|----------|----------------------------|
-| `targets`  | List/CSV | List of extracted targest  |
+* [`list-targets`](subaction/list-targets)

 ## Contributing

@@ -10,8 +10,8 @@ import {Docker} from '@docker/actions-toolkit/lib/docker/docker';
 import {GitHub} from '@docker/actions-toolkit/lib/github';
 import {Toolkit} from '@docker/actions-toolkit/lib/toolkit';

-import {BakeDefinition} from '@docker/actions-toolkit/lib/types/bake';
-import {BuilderInfo} from '@docker/actions-toolkit/lib/types/builder';
+import {BakeDefinition} from '@docker/actions-toolkit/lib/types/buildx/bake';
+import {BuilderInfo} from '@docker/actions-toolkit/lib/types/buildx/builder';
 import {GitHubRepo} from '@docker/actions-toolkit/lib/types/github';

 import * as context from '../src/context';
@@ -39,6 +39,11 @@ jest.spyOn(Docker, 'isAvailable').mockImplementation(async (): Promise<boolean>
  return true;
 });

+const metadataJson = path.join(tmpDir, 'metadata.json');
+jest.spyOn(Bake.prototype, 'getMetadataFilePath').mockImplementation((): string => {
+  return metadataJson;
+});
+
 jest.spyOn(Builder.prototype, 'inspect').mockImplementation(async (): Promise<BuilderInfo> => {
  return {
    name: 'builder2',
@@ -152,7 +157,7 @@ describe('getArgs', () => {
      ]),
      [
        'bake',
-        '--metadata-file', path.join(tmpDir, 'metadata-file')
+        '--metadata-file', metadataJson
      ]
    ],
    [
@@ -167,7 +172,7 @@ describe('getArgs', () => {
      ]),
      [
        'bake',
-        '--metadata-file', path.join(tmpDir, 'metadata-file'),
+        '--metadata-file', metadataJson,
        'webapp', 'validate'
      ]
    ],
@@ -185,7 +190,7 @@ describe('getArgs', () => {
        'bake',
        '--set', '*.cache-from=type=gha',
        '--set', '*.cache-to=type=gha',
-        '--metadata-file', path.join(tmpDir, 'metadata-file')
+        '--metadata-file', metadataJson
      ]
    ],
    [
@@ -199,8 +204,8 @@ describe('getArgs', () => {
      ]),
      [
        'bake',
-        '--metadata-file', path.join(tmpDir, 'metadata-file'),
-        "--provenance", `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`,
+        '--metadata-file', metadataJson,
+        "--provenance", `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
      ]
    ],
    [
@@ -215,8 +220,8 @@ describe('getArgs', () => {
      ]),
      [
        'bake',
-        '--metadata-file', path.join(tmpDir, 'metadata-file'),
-        "--provenance", `builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`
+        '--metadata-file', metadataJson,
+        "--provenance", `builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`
      ]
    ],
    [
@@ -231,8 +236,8 @@ describe('getArgs', () => {
      ]),
      [
        'bake',
-        '--metadata-file', path.join(tmpDir, 'metadata-file'),
-        "--provenance", `mode=max,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`
+        '--metadata-file', metadataJson,
+        "--provenance", `mode=max,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`
      ]
    ],
    [
@@ -247,7 +252,7 @@ describe('getArgs', () => {
      ]),
      [
        'bake',
-        '--metadata-file', path.join(tmpDir, 'metadata-file'),
+        '--metadata-file', metadataJson,
        "--provenance", 'false'
      ]
    ],
@@ -263,7 +268,7 @@ describe('getArgs', () => {
      ]),
      [
        'bake',
-        '--metadata-file', path.join(tmpDir, 'metadata-file'),
+        '--metadata-file', metadataJson,
        "--provenance", 'builder-id=foo'
      ]
    ],
@@ -282,8 +287,8 @@ describe('getArgs', () => {
        'bake',
        '--set', '*.platform=linux/amd64,linux/ppc64le,linux/s390x',
        '--set', `*.output=type=image,"name=moby/buildkit:v0.11.0,moby/buildkit:latest",push=true`,
-        '--metadata-file', path.join(tmpDir, 'metadata-file'),
-        '--provenance', `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`,
+        '--metadata-file', metadataJson,
+        '--provenance', `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
        'image-all'
      ]
    ],
@@ -301,8 +306,8 @@ describe('getArgs', () => {
      [
        'bake',
        '--set', `*.labels.foo=bar=#baz`,
-        '--metadata-file', path.join(tmpDir, 'metadata-file'),
-        '--provenance', `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`,
+        '--metadata-file', metadataJson,
+        '--provenance', `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
        'image-all'
      ]
    ],
@@ -321,8 +326,25 @@ describe('getArgs', () => {
        'bake',
        'https://github.com/docker/build-push-action.git#refs/heads/master',
        '--file', './foo.hcl',
-        '--metadata-file', path.join(tmpDir, 'metadata-file'),
-        '--provenance', `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`,
+        '--metadata-file', metadataJson,
+        '--provenance', `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
+      ]
+    ],
+    [
+      12,
+      '0.17.0',
+      new Map<string, string>([
+        ['allow', 'network.host'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+      ]),
+      [
+        'bake',
+        '--allow', 'network.host',
+        '--metadata-file', metadataJson,
+        "--provenance", `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`
      ]
    ],
  ])(
@@ -336,11 +358,11 @@ describe('getArgs', () => {
        return buildxVersion;
      });
      const inp = await context.getInputs();
-      const definition = await toolkit.bake.getDefinition(
+      const definition = await toolkit.buildxBake.getDefinition(
        {
          files: inp.files,
          load: inp.load,
-          noCache: inp.noCache,
+          noCache: inp['no-cache'],
          overrides: inp.set,
          provenance: inp.provenance,
          push: inp.push,
@@ -13,6 +13,9 @@ inputs:
  source:
    description: "Context to build from. Can be either local or a remote bake definition"
    required: false
+  allow:
+    description: "Allow build to access specified resources (e.g., network.host)"
+    required: false
  files:
    description: "List of bake definition files"
    required: false
@@ -5,9 +5,16 @@ ARG NODE_VERSION=20
 FROM node:${NODE_VERSION}-alpine AS base
 RUN apk add --no-cache cpio findutils git
 WORKDIR /src
+RUN --mount=type=bind,target=.,rw \
+  --mount=type=cache,target=/src/.yarn/cache <<EOT
+  corepack enable
+  yarn --version
+  yarn config set --home enableTelemetry 0
+EOT

 FROM base AS deps
 RUN --mount=type=bind,target=.,rw \
+  --mount=type=cache,target=/src/.yarn/cache \
  --mount=type=cache,target=/src/node_modules \
  yarn install && mkdir /vendor && cp yarn.lock /vendor

@@ -28,6 +35,7 @@ EOT

 FROM deps AS build
 RUN --mount=type=bind,target=.,rw \
+  --mount=type=cache,target=/src/.yarn/cache \
  --mount=type=cache,target=/src/node_modules \
  yarn run build && mkdir /out && cp -Rf dist /out/

@@ -48,20 +56,23 @@ EOT

 FROM deps AS format
 RUN --mount=type=bind,target=.,rw \
+  --mount=type=cache,target=/src/.yarn/cache \
  --mount=type=cache,target=/src/node_modules \
  yarn run format \
-  && mkdir /out && find . -name '*.ts' -not -path './node_modules/*' | cpio -pdm /out
+  && mkdir /out && find . -name '*.ts' -not -path './node_modules/*' -not -path './.yarn/*' | cpio -pdm /out

 FROM scratch AS format-update
 COPY --from=format /out /

 FROM deps AS lint
 RUN --mount=type=bind,target=.,rw \
+  --mount=type=cache,target=/src/.yarn/cache \
  --mount=type=cache,target=/src/node_modules \
  yarn run lint

 FROM deps AS test
 RUN --mount=type=bind,target=.,rw \
+  --mount=type=cache,target=/src/.yarn/cache \
  --mount=type=cache,target=/src/node_modules \
  yarn run test --coverage --coverageDirectory=/tmp/coverage

@@ -1330,16 +1330,6 @@ Apache-2.0
      of your accepting any such warranty or additional liability.


-@vercel/ncc
-MIT
-Copyright 2018 ZEIT, Inc.
-
-Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
 abort-controller
 MIT
 MIT License
@@ -2371,6 +2361,26 @@ IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 dot-object
 MIT

+encoding
+MIT
+Copyright (c) 2012-2014 Andris Reinman
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
+
 event-target-shim
 MIT
 The MIT License (MIT)
@@ -2506,6 +2516,55 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 THE SOFTWARE.


+he
+MIT
+Copyright Mathias Bynens <https://mathiasbynens.be/>
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+
+iconv-lite
+MIT
+Copyright (c) 2011 Alexander Shtuchkin
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+
+
 inherits
 ISC
 The ISC License
@@ -2567,6 +2626,31 @@ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLI
 isarray
 MIT

+js-yaml
+MIT
+(The MIT License)
+
+Copyright (C) 2011-2015 by Vitaly Puzrin
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+
+
 jwt-decode
 MIT
 The MIT License (MIT)
@@ -3289,6 +3373,31 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 THE SOFTWARE.


+safer-buffer
+MIT
+MIT License
+
+Copyright (c) 2018 Nikita Skovoroda <chalkerx@gmail.com>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
+
 sax
 ISC
 The ISC License
@@ -3795,25 +3904,6 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 THE SOFTWARE.


-yallist
-ISC
-The ISC License
-
-Copyright (c) Isaac Z. Schlueter and Contributors
-
-Permission to use, copy, modify, and/or distribute this software for any
-purpose with or without fee is hereby granted, provided that the above
-copyright notice and this permission notice appear in all copies.
-
-THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
-IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-
-
 zip-stream
 MIT
 Copyright (c) 2014 Chris Talkington, contributors.
@@ -3,7 +3,7 @@ group "default" {
 }

 group "pre-checkin" {
-  targets = ["vendor-update", "format", "build"]
+  targets = ["vendor", "format", "build"]
 }

 group "validate" {
@@ -34,7 +34,7 @@ target "lint" {
  output = ["type=cacheonly"]
 }

-target "vendor-update" {
+target "vendor" {
  dockerfile = "dev.Dockerfile"
  target = "vendor-update"
  output = ["."]
@@ -1,17 +1,16 @@
 {
  "name": "docker-buildx-bake",
  "description": "GitHub Action to use Docker Buildx Bake as a high-level build command",
-  "main": "lib/main.js",
+  "main": "src/main.ts",
  "scripts": {
-    "build": "ncc build src/main.ts --source-map --minify --license licenses.txt",
+    "build": "ncc build --source-map --minify --license licenses.txt",
    "lint": "yarn run prettier && yarn run eslint",
    "format": "yarn run prettier:fix && yarn run eslint:fix",
    "eslint": "eslint --max-warnings=0 .",
    "eslint:fix": "eslint --fix .",
    "prettier": "prettier --check \"./**/*.ts\"",
    "prettier:fix": "prettier --write \"./**/*.ts\"",
-    "test": "jest",
-    "all": "yarn run build && yarn run format && yarn test"
+    "test": "jest"
  },
  "repository": {
    "type": "git",
@@ -25,24 +24,25 @@
  ],
  "author": "Docker Inc.",
  "license": "Apache-2.0",
+  "packageManager": "yarn@3.6.3",
  "dependencies": {
-    "@actions/core": "^1.10.1",
-    "@docker/actions-toolkit": "^0.22.0",
+    "@actions/core": "^1.11.1",
+    "@docker/actions-toolkit": "^0.53.0",
    "handlebars": "^4.7.8"
  },
  "devDependencies": {
-    "@types/node": "^20.5.9",
-    "@typescript-eslint/eslint-plugin": "^6.6.0",
-    "@typescript-eslint/parser": "^6.6.0",
-    "@vercel/ncc": "^0.38.0",
-    "eslint": "^8.48.0",
-    "eslint-config-prettier": "^9.0.0",
-    "eslint-plugin-jest": "^27.2.3",
-    "eslint-plugin-prettier": "^5.0.0",
-    "jest": "^29.6.4",
-    "prettier": "^3.0.3",
-    "ts-jest": "^29.1.1",
-    "ts-node": "^10.9.1",
-    "typescript": "^5.2.2"
+    "@types/node": "^20.12.12",
+    "@typescript-eslint/eslint-plugin": "^7.9.0",
+    "@typescript-eslint/parser": "^7.9.0",
+    "@vercel/ncc": "^0.38.1",
+    "eslint": "^8.57.0",
+    "eslint-config-prettier": "^9.1.0",
+    "eslint-plugin-jest": "^28.5.0",
+    "eslint-plugin-prettier": "^5.1.3",
+    "jest": "^29.7.0",
+    "prettier": "^3.2.5",
+    "ts-jest": "^29.1.2",
+    "ts-node": "^10.9.2",
+    "typescript": "^5.4.5"
  }
 }
@@ -8,14 +8,15 @@ import {GitHub} from '@docker/actions-toolkit/lib/github';
 import {Toolkit} from '@docker/actions-toolkit/lib/toolkit';
 import {Util} from '@docker/actions-toolkit/lib/util';

-import {BakeDefinition} from '@docker/actions-toolkit/lib/types/bake';
+import {BakeDefinition} from '@docker/actions-toolkit/lib/types/buildx/bake';

 export interface Inputs {
+  allow: string[];
  builder: string;
  files: string[];
  workdir: string;
  targets: string[];
-  noCache: boolean;
+  'no-cache': boolean;
  pull: boolean;
  load: boolean;
  provenance: string;
@@ -23,16 +24,17 @@ export interface Inputs {
  sbom: string;
  set: string[];
  source: string;
-  githubToken: string;
+  'github-token': string;
 }

 export async function getInputs(): Promise<Inputs> {
  return {
+    allow: Util.getInputList('allow'),
    builder: core.getInput('builder'),
    files: Util.getInputList('files'),
    workdir: core.getInput('workdir') || '.',
    targets: Util.getInputList('targets'),
-    noCache: core.getBooleanInput('no-cache'),
+    'no-cache': core.getBooleanInput('no-cache'),
    pull: core.getBooleanInput('pull'),
    load: core.getBooleanInput('load'),
    provenance: Build.getProvenanceInput('provenance'),
@@ -40,10 +42,32 @@ export async function getInputs(): Promise<Inputs> {
    sbom: core.getInput('sbom'),
    set: Util.getInputList('set', {ignoreComma: true, quote: false}),
    source: getSourceInput('source'),
-    githubToken: core.getInput('github-token')
+    'github-token': core.getInput('github-token')
  };
 }

+export function sanitizeInputs(inputs: Inputs) {
+  const res = {};
+  for (const key of Object.keys(inputs)) {
+    if (key === 'github-token') {
+      continue;
+    }
+    const value: string | string[] | boolean = inputs[key];
+    if (typeof value === 'boolean' && value === false) {
+      continue;
+    } else if (Array.isArray(value) && value.length === 0) {
+      continue;
+    } else if (!value) {
+      continue;
+    }
+    if (key === 'workdir' && value === '.') {
+      continue;
+    }
+    res[key] = value;
+  }
+  return res;
+}
+
 export async function getArgs(inputs: Inputs, definition: BakeDefinition, toolkit: Toolkit): Promise<Array<string>> {
  // prettier-ignore
  return [
@@ -58,6 +82,15 @@ async function getBakeArgs(inputs: Inputs, definition: BakeDefinition, toolkit:
  if (inputs.source) {
    args.push(inputs.source);
  }
+  if (await toolkit.buildx.versionSatisfies('>=0.17.0')) {
+    if (await toolkit.buildx.versionSatisfies('>=0.18.0')) {
+      // allow filesystem entitlements by default
+      inputs.allow.push('fs=*');
+    }
+    await Util.asyncForEach(inputs.allow, async allow => {
+      args.push('--allow', allow);
+    });
+  }
  await Util.asyncForEach(inputs.files, async file => {
    args.push('--file', file);
  });
@@ -65,7 +98,7 @@ async function getBakeArgs(inputs: Inputs, definition: BakeDefinition, toolkit:
    args.push('--set', set);
  });
  if (await toolkit.buildx.versionSatisfies('>=0.6.0')) {
-    args.push('--metadata-file', Bake.getMetadataFilePath());
+    args.push('--metadata-file', toolkit.buildxBake.getMetadataFilePath());
  }
  if (await toolkit.buildx.versionSatisfies('>=0.10.0')) {
    if (inputs.provenance) {
@@ -92,7 +125,7 @@ async function getBakeArgs(inputs: Inputs, definition: BakeDefinition, toolkit:

 async function getCommonArgs(inputs: Inputs): Promise<Array<string>> {
  const args: Array<string> = [];
-  if (inputs.noCache) {
+  if (inputs['no-cache']) {
    args.push('--no-cache');
  }
  if (inputs.builder) {
@@ -3,15 +3,19 @@ import * as path from 'path';
 import * as core from '@actions/core';
 import * as actionsToolkit from '@docker/actions-toolkit';

-import {Bake} from '@docker/actions-toolkit/lib/buildx/bake';
+import {Buildx} from '@docker/actions-toolkit/lib/buildx/buildx';
+import {History as BuildxHistory} from '@docker/actions-toolkit/lib/buildx/history';
 import {Context} from '@docker/actions-toolkit/lib/context';
 import {Docker} from '@docker/actions-toolkit/lib/docker/docker';
 import {Exec} from '@docker/actions-toolkit/lib/exec';
 import {GitHub} from '@docker/actions-toolkit/lib/github';
 import {Toolkit} from '@docker/actions-toolkit/lib/toolkit';
+import {Util} from '@docker/actions-toolkit/lib/util';

-import {BakeDefinition} from '@docker/actions-toolkit/lib/types/bake';
-import {ConfigFile} from '@docker/actions-toolkit/lib/types/docker';
+import {BakeDefinition} from '@docker/actions-toolkit/lib/types/buildx/bake';
+import {BuilderInfo} from '@docker/actions-toolkit/lib/types/buildx/builder';
+import {ConfigFile} from '@docker/actions-toolkit/lib/types/docker/docker';
+import {UploadArtifactResponse} from '@docker/actions-toolkit/lib/types/github';

 import * as context from './context';
 import * as stateHelper from './state-helper';
@@ -19,9 +23,14 @@ import * as stateHelper from './state-helper';
 actionsToolkit.run(
  // main
  async () => {
+    const startedTime = new Date();
+
    const inputs: context.Inputs = await context.getInputs();
+    core.debug(`inputs: ${JSON.stringify(inputs)}`);
+    stateHelper.setInputs(inputs);
+
    const toolkit = new Toolkit();
-    const gitAuthToken = process.env.BUILDX_BAKE_GIT_AUTH_TOKEN ?? inputs.githubToken;
+    const gitAuthToken = process.env.BUILDX_BAKE_GIT_AUTH_TOKEN ?? inputs['github-token'];

    await core.group(`GitHub Actions runtime token ACs`, async () => {
      try {
@@ -76,13 +85,20 @@ actionsToolkit.run(
      await toolkit.buildx.printVersion();
    });

+    let builder: BuilderInfo;
+    await core.group(`Builder info`, async () => {
+      builder = await toolkit.builder.inspect(inputs.builder);
+      core.info(JSON.stringify(builder, null, 2));
+    });
+
    let definition: BakeDefinition | undefined;
    await core.group(`Parsing raw definition`, async () => {
-      definition = await toolkit.bake.getDefinition(
+      definition = await toolkit.buildxBake.getDefinition(
        {
+          allow: inputs.allow,
          files: inputs.files,
          load: inputs.load,
-          noCache: inputs.noCache,
+          noCache: inputs['no-cache'],
          overrides: inputs.set,
          provenance: inputs.provenance,
          push: inputs.push,
@@ -99,33 +115,41 @@ actionsToolkit.run(
    if (!definition) {
      throw new Error('Bake definition not set');
    }
+    stateHelper.setBakeDefinition(definition);

    const args: string[] = await context.getArgs(inputs, definition, toolkit);
    const buildCmd = await toolkit.buildx.getCommand(args);
    const buildEnv = Object.assign({}, process.env, {
-      BUILDX_BAKE_GIT_AUTH_TOKEN: gitAuthToken
+      BUILDX_BAKE_GIT_AUTH_TOKEN: gitAuthToken,
+      BUILDX_METADATA_WARNINGS: 'true'
    }) as {
      [key: string]: string;
    };

    await core.group(`Bake definition`, async () => {
-      await Exec.exec(buildCmd.command, [...buildCmd.args, '--print'], {
+      await Exec.getExecOutput(buildCmd.command, [...buildCmd.args, '--print'], {
        cwd: inputs.workdir,
-        env: buildEnv
+        env: buildEnv,
+        ignoreReturnCode: true
+      }).then(res => {
+        if (res.stderr.length > 0 && res.exitCode != 0) {
+          throw Error(res.stderr);
+        }
      });
    });

+    let err: Error | undefined;
    await Exec.getExecOutput(buildCmd.command, buildCmd.args, {
      cwd: inputs.workdir,
      env: buildEnv,
      ignoreReturnCode: true
    }).then(res => {
      if (res.stderr.length > 0 && res.exitCode != 0) {
-        throw new Error(`buildx bake failed with: ${res.stderr.match(/(.*)\s*$/)?.[0]?.trim() ?? 'unknown error'}`);
+        err = Error(`buildx bake failed with: ${res.stderr.match(/(.*)\s*$/)?.[0]?.trim() ?? 'unknown error'}`);
      }
    });

-    const metadata = Bake.resolveMetadata();
+    const metadata = toolkit.buildxBake.resolveMetadata();
    if (metadata) {
      await core.group(`Metadata`, async () => {
        const metadatadt = JSON.stringify(metadata, null, 2);
@@ -133,9 +157,93 @@ actionsToolkit.run(
        core.setOutput('metadata', metadatadt);
      });
    }
+
+    let refs: Array<string> = [];
+    await core.group(`Build references`, async () => {
+      refs = await buildRefs(toolkit, startedTime, inputs.builder);
+      if (refs.length > 0) {
+        for (const ref of refs) {
+          core.info(ref);
+        }
+        stateHelper.setBuildRefs(refs);
+      } else {
+        core.info('No build references found');
+      }
+    });
+
+    if (buildChecksAnnotationsEnabled()) {
+      const warnings = toolkit.buildxBake.resolveWarnings(metadata);
+      if (refs.length > 0 && warnings && warnings.length > 0) {
+        const annotations = await Buildx.convertWarningsToGitHubAnnotations(warnings, refs);
+        core.debug(`annotations: ${JSON.stringify(annotations, null, 2)}`);
+        if (annotations && annotations.length > 0) {
+          await core.group(`Generating GitHub annotations (${annotations.length} build checks found)`, async () => {
+            for (const annotation of annotations) {
+              core.warning(annotation.message, annotation);
+            }
+          });
+        }
+      }
+    }
+
+    await core.group(`Check build summary support`, async () => {
+      if (!buildSummaryEnabled()) {
+        core.info('Build summary disabled');
+      } else if (GitHub.isGHES) {
+        core.info('Build summary is not yet supported on GHES');
+      } else if (!(await toolkit.buildx.versionSatisfies('>=0.13.0'))) {
+        core.info('Build summary requires Buildx >= 0.13.0');
+      } else if (builder && builder.driver === 'cloud') {
+        core.info('Build summary is not yet supported with Docker Build Cloud');
+      } else if (refs.length == 0) {
+        core.info('Build summary requires at least one build reference');
+      } else {
+        core.info('Build summary supported!');
+        stateHelper.setSummarySupported();
+      }
+    });
+
+    if (err) {
+      throw err;
+    }
  },
  // post
  async () => {
+    if (stateHelper.isSummarySupported) {
+      await core.group(`Generating build summary`, async () => {
+        try {
+          const recordUploadEnabled = buildRecordUploadEnabled();
+          let recordRetentionDays: number | undefined;
+          if (recordUploadEnabled) {
+            recordRetentionDays = buildRecordRetentionDays();
+          }
+
+          const buildxHistory = new BuildxHistory();
+          const exportRes = await buildxHistory.export({
+            refs: stateHelper.buildRefs
+          });
+          core.info(`Build records written to ${exportRes.dockerbuildFilename} (${Util.formatFileSize(exportRes.dockerbuildSize)})`);
+
+          let uploadRes: UploadArtifactResponse | undefined;
+          if (recordUploadEnabled) {
+            uploadRes = await GitHub.uploadArtifact({
+              filename: exportRes.dockerbuildFilename,
+              mimeType: 'application/gzip',
+              retentionDays: recordRetentionDays
+            });
+          }
+
+          await GitHub.writeBuildSummary({
+            exportRes: exportRes,
+            uploadRes: uploadRes,
+            inputs: stateHelper.inputs,
+            bakeDefinition: stateHelper.bakeDefinition
+          });
+        } catch (e) {
+          core.warning(e.message);
+        }
+      });
+    }
    if (stateHelper.tmpDir.length > 0) {
      await core.group(`Removing temp folder ${stateHelper.tmpDir}`, async () => {
        fs.rmSync(stateHelper.tmpDir, {recursive: true});
@@ -143,3 +251,69 @@ actionsToolkit.run(
    }
  }
 );
+
+async function buildRefs(toolkit: Toolkit, since: Date, builder?: string): Promise<Array<string>> {
+  // get refs from metadata file
+  const metaRefs = toolkit.buildxBake.resolveRefs();
+  if (metaRefs) {
+    return metaRefs;
+  }
+  // otherwise, look for the very first build ref since the build has started
+  if (!builder) {
+    const currentBuilder = await toolkit.builder.inspect();
+    builder = currentBuilder.name;
+  }
+  const res = Buildx.refs({
+    dir: Buildx.refsDir,
+    builderName: builder,
+    since: since
+  });
+  const refs: Array<string> = [];
+  for (const ref in res) {
+    if (Object.prototype.hasOwnProperty.call(res, ref)) {
+      refs.push(ref);
+    }
+  }
+  return refs;
+}
+
+function buildChecksAnnotationsEnabled(): boolean {
+  if (process.env.DOCKER_BUILD_CHECKS_ANNOTATIONS) {
+    return Util.parseBool(process.env.DOCKER_BUILD_CHECKS_ANNOTATIONS);
+  }
+  return true;
+}
+
+function buildSummaryEnabled(): boolean {
+  if (process.env.DOCKER_BUILD_NO_SUMMARY) {
+    core.warning('DOCKER_BUILD_NO_SUMMARY is deprecated. Set DOCKER_BUILD_SUMMARY to false instead.');
+    return !Util.parseBool(process.env.DOCKER_BUILD_NO_SUMMARY);
+  } else if (process.env.DOCKER_BUILD_SUMMARY) {
+    return Util.parseBool(process.env.DOCKER_BUILD_SUMMARY);
+  }
+  return true;
+}
+
+function buildRecordUploadEnabled(): boolean {
+  if (process.env.DOCKER_BUILD_RECORD_UPLOAD) {
+    return Util.parseBool(process.env.DOCKER_BUILD_RECORD_UPLOAD);
+  }
+  return true;
+}
+
+function buildRecordRetentionDays(): number | undefined {
+  let val: string | undefined;
+  if (process.env.DOCKER_BUILD_EXPORT_RETENTION_DAYS) {
+    core.warning('DOCKER_BUILD_EXPORT_RETENTION_DAYS is deprecated. Use DOCKER_BUILD_RECORD_RETENTION_DAYS instead.');
+    val = process.env.DOCKER_BUILD_EXPORT_RETENTION_DAYS;
+  } else if (process.env.DOCKER_BUILD_RECORD_RETENTION_DAYS) {
+    val = process.env.DOCKER_BUILD_RECORD_RETENTION_DAYS;
+  }
+  if (val) {
+    const res = parseInt(val);
+    if (isNaN(res)) {
+      throw Error(`Invalid build record retention days: ${val}`);
+    }
+    return res;
+  }
+}
@@ -1,7 +1,31 @@
 import * as core from '@actions/core';

+import {BakeDefinition} from '@docker/actions-toolkit/lib/types/buildx/bake';
+
+import {Inputs, sanitizeInputs} from './context';
+
 export const tmpDir = process.env['STATE_tmpDir'] || '';
+export const inputs = process.env['STATE_inputs'] ? JSON.parse(process.env['STATE_inputs']) : undefined;
+export const bakeDefinition = process.env['STATE_bakeDefinition'] ? <BakeDefinition>JSON.parse(process.env['STATE_bakeDefinition']) : undefined;
+export const buildRefs = process.env['STATE_buildRefs'] ? process.env['STATE_buildRefs'].split(',') : [];
+export const isSummarySupported = !!process.env['STATE_isSummarySupported'];

 export function setTmpDir(tmpDir: string) {
  core.saveState('tmpDir', tmpDir);
 }
+
+export function setInputs(inputs: Inputs) {
+  core.saveState('inputs', JSON.stringify(sanitizeInputs(inputs)));
+}
+
+export function setBakeDefinition(bakeDefinition: BakeDefinition) {
+  core.saveState('bakeDefinition', JSON.stringify(bakeDefinition));
+}
+
+export function setBuildRefs(buildRefs: Array<string>) {
+  core.saveState('buildRefs', buildRefs.join(','));
+}
+
+export function setSummarySupported() {
+  core.saveState('isSummarySupported', 'true');
+}
@@ -0,0 +1,84 @@
+## About
+
+This subaction generates a list of Bake targets that can be used in a [GitHub matrix](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstrategymatrix),
+so you can distribute your builds across multiple runners.
+
+![Screenshot](../../.github/bake-action.png)
+
+___
+
+* [Usage](#usage)
+* [Customizing](#customizing)
+  * [inputs](#inputs)
+  * [outputs](#outputs)
+
+## Usage
+
+```hcl
+# docker-bake.hcl
+group "validate" {
+  targets = ["lint", "doctoc"]
+}
+
+target "lint" {
+  target = "lint"
+}
+
+target "doctoc" {
+  target = "doctoc"
+}
+```
+
+```yaml
+jobs:
+  prepare:
+    runs-on: ubuntu-latest
+    outputs:
+      targets: ${{ steps.generate.outputs.targets }}
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: List targets
+        id: generate
+        uses: docker/bake-action/subaction/list-targets@v4
+        with:
+          target: validate
+
+  validate:
+    runs-on: ubuntu-latest
+    needs:
+      - prepare
+    strategy:
+      fail-fast: false
+      matrix:
+        target: ${{ fromJson(needs.prepare.outputs.targets) }}
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Validate
+        uses: docker/bake-action@v5
+        with:
+          targets: ${{ matrix.target }}
+```
+
+## Customizing
+
+### inputs
+
+| Name         | Type        | Description                                                                                                                                 |
+|--------------|-------------|---------------------------------------------------------------------------------------------------------------------------------------------|
+| `workdir`    | String      | Working directory to use (defaults to `.`)                                                                                                  |
+| `files`      | List/CSV    | List of [bake definition files](https://docs.docker.com/build/customize/bake/file-definition/)                                              |
+| `target`     | String      | The target to use within the bake file                                                                                                      |
+
+### outputs
+
+The following outputs are available
+
+| Name       | Type     | Description                |
+|------------|----------|----------------------------|
+| `targets`  | List/CSV | List of extracted targest  |
@@ -29,7 +29,7 @@ runs:
      with:
        script: |
          let def;
-          const files = `${{ inputs.files }}` ? `${{ inputs.files }}`.split(',') : [];
+          const files = `${{ inputs.files }}` ? `${{ inputs.files }}`.split(/[\r?\n,]+/).filter(Boolean) : [];
          const target = `${{ inputs.target }}`;

          await core.group(`Validating definition`, async () => {
@@ -42,3 +42,8 @@ target "app-proxy" {
  inherits = ["app"]
  dockerfile = "proxy.Dockerfile"
 }
+
+target "app-entitlements" {
+  inherits = ["app"]
+  entitlements = ["network.host"]
+}
@@ -0,0 +1,10 @@
+frOM busybox as base
+cOpy lint-other.Dockerfile .
+
+froM busybox aS notused
+COPY lint-other.Dockerfile .
+
+from scratch
+COPy --from=base \
+  /lint-other.Dockerfile \
+  /
@@ -0,0 +1,12 @@
+frOM busybox as base
+cOpy lint.Dockerfile .
+
+from scratch
+MAINTAINER moby@example.com
+COPy --from=base \
+  /lint.Dockerfile \
+  /
+
+CMD [ "echo", "Hello, Norway!" ]
+CMD [ "echo", "Hello, Sweden!" ]
+ENTRYPOINT my-program start
@@ -0,0 +1,12 @@
+group "default" {
+  targets = ["lint", "lint-other", "lint-inline"]
+}
+target "lint" {
+  dockerfile = "lint.Dockerfile"
+}
+target "lint-other" {
+  dockerfile = "lint-other.Dockerfile"
+}
+target "lint-inline" {
+  dockerfile-inline = "FRoM alpine\nENTRYPOINT [\"echo\", \"hello\"]"
+}
@@ -0,0 +1,15 @@
+group "default" {
+  targets = ["t3"]
+}
+
+target "t3" {
+  name = "${item.tag}"
+  matrix = {
+    item = t3
+  }
+  args = {
+    VERSION = "${item.version}"
+    DUMMY_ARG = "${item.arg}"
+  }
+  tags = ["${item.tag}"]
+}
@@ -0,0 +1,14 @@
+{
+  "t3": [
+    {
+      "version": "v1",
+      "arg": "v1-value",
+      "tag": "v1-tag"
+    },
+    {
+      "version": "v2",
+      "arg": "v2-value",
+      "tag": "v2-tag"
+    }
+  ]
+}