Merge pull request #284 from crazy-max/fix-git-auth-token

set GIT_AUTH_TOKEN secret if Git context used
chore: update generated content
2026-06-05 09:38:40 +02:00 · 2025-01-14 13:52:00 +01:00 · 2025-01-10 11:33:07 +01:00 · 2025-01-10 11:33:06 +01:00 · 2025-01-10 10:24:17 +01:00 · 2025-01-10 10:19:39 +01:00
27 changed files with 831 additions and 246 deletions
@@ -38,9 +38,15 @@ jobs:
        with:
          workdir: ./test/group
      -
-        name: Show matrix
-        run: |
-          echo matrix=${{ steps.gen.outputs.matrix }}
+        name: Check targets
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const targets = `${{ steps.gen.outputs.targets }}`;
+            if (!targets) {
+              core.setFailed('No targets generated');
+            }
+            core.info(`targets=${targets}`);

  list-targets-group-matrix:
    runs-on: ubuntu-latest
@@ -56,6 +62,38 @@ jobs:
          workdir: ./test/group-matrix
          target: validate
      -
-        name: Show matrix
-        run: |
-          echo matrix=${{ steps.gen.outputs.matrix }}
+        name: Check targets
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const targets = `${{ steps.gen.outputs.targets }}`;
+            if (!targets) {
+              core.setFailed('No targets generated');
+            }
+            core.info(`targets=${targets}`);
+
+  list-targets-multi-files:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Matrix gen
+        id: gen
+        uses: ./subaction/list-targets
+        with:
+          workdir: ./test/multi-files
+          files: |
+            docker-bake.json
+            docker-bake.hcl
+      -
+        name: Check targets
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const targets = `${{ steps.gen.outputs.targets }}`;
+            if (!targets) {
+              core.setFailed('No targets generated');
+            }
+            core.info(`targets=${targets}`);
@@ -69,6 +69,7 @@ jobs:
        name: Build and push
        uses: ./
        with:
+          source: .
          builder: ${{ steps.buildx.outputs.name }}
          files: |
            ./test/config.hcl
@@ -87,6 +88,7 @@ jobs:
        continue-on-error: true
        uses: ./
        with:
+          source: .
          files: |
            ./test/config.hcl
          set: |
@@ -108,6 +110,7 @@ jobs:
        continue-on-error: true
        uses: ./
        with:
+          source: .
          files: |
            ./test/config.hcl
      -
@@ -144,10 +147,11 @@ jobs:
        name: Build
        uses: ./
        with:
+          source: .
          files: |
            ./test/config.hcl

-  source:
+  remote:
    runs-on: ubuntu-latest
    steps:
      -
@@ -188,6 +192,7 @@ jobs:
        uses: ./
        with:
          workdir: ./test/go
+          source: .
          targets: binary
          provenance: ${{ matrix.attrs }}
          set: |
@@ -229,6 +234,7 @@ jobs:
        uses: ./
        with:
          workdir: ./test/go
+          source: .
          targets: ${{ matrix.target }}
          sbom: true
          set: |
@@ -275,6 +281,7 @@ jobs:
        uses: ./
        with:
          workdir: ./test/go
+          source: .
          set: |
            *.platform=linux/amd64
            *.output=type=image,"name=localhost:5000/name/app:v1.0.0,localhost:5000/name/app:latest",push=true
@@ -304,6 +311,7 @@ jobs:
        uses: ./
        with:
          workdir: ./test/group
+          source: .
          push: true
          set: |
            t1.tags=localhost:5000/name/app:t1
@@ -324,6 +332,7 @@ jobs:
        name: Build
        uses: ./
        with:
+          source: .
          files: |
            ./test/config.hcl

@@ -361,6 +370,7 @@ jobs:
        name: Build
        uses: ./
        with:
+          source: .
          files: |
            ./test/config.hcl
          targets: app-proxy
@@ -396,6 +406,7 @@ jobs:
        name: Build
        uses: ./
        with:
+          source: .
          files: |
            ./test/config.hcl

@@ -415,8 +426,6 @@ jobs:
      -
        name: Build
        uses: ./
-        with:
-          source: "{{defaultContext}}"

  git-context-and-local:
    runs-on: ubuntu-latest
@@ -439,7 +448,6 @@ jobs:
        name: Build
        uses: ./
        with:
-          source: "{{defaultContext}}"
          files: |
            cwd://${{ steps.meta.outputs.bake-file }}

@@ -466,6 +474,7 @@ jobs:
        uses: ./
        with:
          workdir: ./test/go
+          source: .
          set: |
            *.output=type=image,name=localhost:5000/name/app:latest,push=true
            *.output=type=docker,name=app:local
@@ -509,6 +518,7 @@ jobs:
        uses: ./
        with:
          workdir: ./test/go
+          source: .
          targets: image
          load: true
          push: true
@@ -523,7 +533,7 @@ jobs:
        run: |
          docker image inspect localhost:5000/name/app:latest

-  disable-summary:
+  summary-disable:
    runs-on: ubuntu-latest
    steps:
      -
@@ -536,7 +546,6 @@ jobs:
          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
          driver-opts: |
            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
-            network=host
      -
        name: Build
        uses: ./
@@ -544,5 +553,184 @@ jobs:
          files: |
            ./test/config.hcl
          targets: app
+        env:
+          DOCKER_BUILD_SUMMARY: false
+
+  summary-disable-deprecated:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          source: .
+          files: |
+            ./test/config.hcl
+          targets: app
        env:
          DOCKER_BUILD_NO_SUMMARY: true
+
+  summary-not-supported:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: v0.12.1
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          files: |
+            ./test/config.hcl
+          targets: app
+
+  record-upload-disable:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          files: |
+            ./test/config.hcl
+          targets: app
+        env:
+          DOCKER_BUILD_RECORD_UPLOAD: false
+
+  record-retention-days:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        days:
+          - 2
+          - 0
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          files: |
+            ./test/config.hcl
+          targets: app
+        env:
+          DOCKER_BUILD_RECORD_RETENTION_DAYS: ${{ matrix.days }}
+
+  checks:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        buildx-version:
+          - latest
+          - v0.14.1
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: ${{ matrix.buildx-version }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          workdir: ./test
+          source: .
+          files: |
+            ./lint.hcl
+
+  annotations-disabled:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          workdir: ./test
+          source: .
+          files: |
+            ./lint.hcl
+        env:
+          DOCKER_BUILD_CHECKS_ANNOTATIONS: false
+
+  allow:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        buildx-version:
+          - v0.19.0-rc2
+          - v0.18.0
+          - v0.17.1
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: ${{ matrix.buildx-version }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          source: .
+          files: |
+            ./test/config.hcl
+          allow: network.host
+          targets: app-entitlements
@@ -0,0 +1,21 @@
+name: publish
+
+on:
+  release:
+    types:
+      - published
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Publish
+        uses: actions/publish-immutable-action@v0.0.4
@@ -21,17 +21,14 @@ jobs:
  test:
    runs-on: ubuntu-latest
    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v4
      -
        name: Test
-        uses: docker/bake-action@v4
+        uses: docker/bake-action@v6
        with:
          targets: test
      -
        name: Upload coverage
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@v5
        with:
-          file: ./coverage/clover.xml
+          files: ./coverage/clover.xml
          token: ${{ secrets.CODECOV_TOKEN }}
@@ -36,11 +36,8 @@ jobs:
      matrix:
        target: ${{ fromJson(needs.prepare.outputs.targets) }}
    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v4
      -
        name: Validate
-        uses: docker/bake-action@v4
+        uses: docker/bake-action@v6
        with:
          targets: ${{ matrix.target }}
@@ -14,96 +14,64 @@ as a high-level build command.
 ___

 * [Usage](#usage)
-  * [Path context](#path-context)
  * [Git context](#git-context)
+  * [Path context](#path-context)
+* [Summaries](#summaries)
 * [Customizing](#customizing)
  * [inputs](#inputs)
  * [outputs](#outputs)
  * [environment variables](#environment-variables)
 * [Subactions](#subactions)
-  * [`list-targets`](#list-targets)
+  * [`list-targets`](subaction/list-targets)
 * [Contributing](#contributing)

 ## Usage

-### Path context
-
-By default, this action will use the local bake definition (`source: .`), so
-you need to use the [`actions/checkout`](https://github.com/actions/checkout/)
-action to check out the repository.
-
-```yaml
-name: ci
-
-on:
-  push:
-    branches:
-      - 'master'
-
-jobs:
-  bake:
-    runs-on: ubuntu-latest
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v4
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-      -
-        name: Login to DockerHub
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      -
-        name: Build and push
-        uses: docker/bake-action@v4
-        with:
-          push: true
-```
-
 ### Git context

-Git context can be provided using the [`source` input](#inputs). This means
-that you don't need to use the [`actions/checkout`](https://github.com/actions/checkout/)
+Since `v6` this action uses the [Git context](https://docs.docker.com/build/bake/remote-definition/)
+to build from a remote bake definition by default like the [build-push-action](https://github.com/docker/build-push-action)
+does. This means that you don't need to use the [`actions/checkout`](https://github.com/actions/checkout/)
 action to check out the repository as [BuildKit](https://docs.docker.com/build/buildkit/)
 will do this directly.

+The git reference will be based on the [event that triggered your workflow](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows)
+and will result in the following context: `https://github.com/<owner>/<repo>.git#<ref>`.
+
 ```yaml
 name: ci

 on:
  push:
-    branches:
-      - 'master'

 jobs:
  bake:
    runs-on: ubuntu-latest
    steps:
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
      -
        name: Login to DockerHub
        uses: docker/login-action@v3
        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          username: ${{ vars.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
      -
        name: Build and push
-        uses: docker/bake-action@v4
+        uses: docker/bake-action@v6
        with:
-          source: "${{ github.server_url }}/${{ github.repository }}.git#${{ github.ref }}"
          push: true
+          set: |
+            *.tags=user/app:latest
 ```

 Be careful because **any file mutation in the steps that precede the build step
 will be ignored, including processing of the `.dockerignore` file** since
 the context is based on the Git reference. However, you can use the
-[Path context](#path-context) alongside the [`actions/checkout`](https://github.com/actions/checkout/)
-action to remove this restriction.
+[Path context](#path-context) using the [`source` input](#inputs) alongside
+the [`actions/checkout`](https://github.com/actions/checkout/) action to remove
+this restriction.

 Default Git context can also be provided using the [Handlebars template](https://handlebarsjs.com/guide/)
 expression `{{defaultContext}}`. Here we can use it to provide a subdirectory
@@ -112,10 +80,12 @@ to the default Git context:
 ```yaml
      -
        name: Build and push
-        uses: docker/bake-action@v4
+        uses: docker/bake-action@v6
        with:
          source: "{{defaultContext}}:mysubdir"
          push: true
+          set: |
+            *.tags=user/app:latest
 ```

 Building from the current repository automatically uses the `GITHUB_TOKEN`
@@ -130,14 +100,69 @@ another private repository for remote definitions, you can set the
 ```yaml
      -
        name: Build and push
-        uses: docker/bake-action@v4
+        uses: docker/bake-action@v6
        with:
-          source: "${{ github.server_url }}/${{ github.repository }}.git#${{ github.ref }}"
          push: true
+          set: |
+            *.tags=user/app:latest
        env:
          BUILDX_BAKE_GIT_AUTH_TOKEN: ${{ secrets.MYTOKEN }}
 ```

+### Path context
+
+```yaml
+name: ci
+
+on:
+  push:
+
+jobs:
+  bake:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Login to DockerHub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ vars.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      -
+        name: Build and push
+        uses: docker/bake-action@v6
+        with:
+          source: .
+          push: true
+          set: |
+            *.tags=user/app:latest
+```
+
+## Summaries
+
+This action generates a [job summary](https://github.blog/2022-05-09-supercharging-github-actions-with-job-summaries/)
+that provides a detailed overview of the build execution. The summary shows an
+overview of all the steps executed during the build, including the build
+inputs, bake definition, and eventual errors.
+
+![build-push-action job summary](./.github/bake-summary.png)
+
+The summary also includes a link for downloading a build record archive with
+additional details about the build execution for all the bake targets,
+including build stats, logs, outputs, and more. The build record can be
+imported to Docker Desktop for inspecting the build in greater detail.
+
+Summaries are enabled by default, but can be disabled with the
+`DOCKER_BUILD_SUMMARY` [environment variable](#environment-variables).
+
+For more information about summaries, refer to the
+[documentation](https://docs.docker.com/go/build-summary/).
+
 ## Customizing

 ### inputs
@@ -163,6 +188,7 @@ The following inputs can be used as `step.with` keys
 |----------------|-------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | `builder`      | String      | Builder instance (see [setup-buildx](https://github.com/docker/setup-buildx-action) action)                                                                        |
 | `source`       | String      | Context to build from. Can be either local (`.`) or a [remote bake definition](https://docs.docker.com/build/customize/bake/file-definition/#remote-definition)    |
+| `allow`        | List/CSV    | Allow build to access specified resources (e.g., `network.host`)                                                                                                   |
 | `files`        | List/CSV    | List of [bake definition files](https://docs.docker.com/build/customize/bake/file-definition/)                                                                     |
 | `workdir`      | String      | Working directory of execution                                                                                                                                     |
 | `targets`      | List/CSV    | List of bake targets (`default` target used if empty)                                                                                                              |
@@ -172,7 +198,7 @@ The following inputs can be used as `step.with` keys
 | `provenance`   | Bool/String | [Provenance](https://docs.docker.com/build/attestations/slsa-provenance/) is a shorthand for `--set=*.attest=type=provenance`                                      |
 | `push`         | Bool        | Push is a shorthand for `--set=*.output=type=registry` (default `false`)                                                                                           |
 | `sbom`         | Bool/String | [SBOM](https://docs.docker.com/build/attestations/sbom/) is a shorthand for `--set=*.attest=type=sbom`                                                             |
-| `set`          | List        | List of [targets values to override](https://docs.docker.com/engine/reference/commandline/buildx_bake/#set) (eg: `targetpattern.key=value`)                        |
+| `set`          | List        | List of [targets values to override](https://docs.docker.com/engine/reference/commandline/buildx_bake/#set) (e.g., `targetpattern.key=value`)                      |
 | `github-token` | String      | API token used to authenticate to a Git repository for [remote definitions](https://docs.docker.com/build/bake/remote-definition/) (default `${{ github.token }}`) |

 ### outputs
@@ -183,84 +209,18 @@ The following outputs are available
 |------------|------|-----------------------|
 | `metadata` | JSON | Build result metadata |

-## Subactions
-
-### `list-targets`
-
-This subaction generates a list of Bake targets that can be used in a [GitHub matrix](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstrategymatrix),
-so you can distribute your builds across multiple runners.
-
-```hcl
-# docker-bake.hcl
-group "validate" {
-  targets = ["lint", "doctoc"]
-}
-
-target "lint" {
-  target = "lint"
-}
-
-target "doctoc" {
-  target = "doctoc"
-}
-```
-
-```yaml
-jobs:
-  prepare:
-    runs-on: ubuntu-latest
-    outputs:
-      targets: ${{ steps.generate.outputs.targets }}
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v4
-      -
-        name: List targets
-        id: generate
-        uses: docker/bake-action/subaction/list-targets@v4
-        with:
-          target: validate
-
-  validate:
-    runs-on: ubuntu-latest
-    needs:
-      - prepare
-    strategy:
-      fail-fast: false
-      matrix:
-        target: ${{ fromJson(needs.prepare.outputs.targets) }}
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v4
-      -
-        name: Validate
-        uses: docker/bake-action@v4
-        with:
-          targets: ${{ matrix.target }}
-```
-#### inputs
-
-| Name         | Type        | Description                                                                                                                                 |
-|--------------|-------------|---------------------------------------------------------------------------------------------------------------------------------------------|
-| `workdir`    | String      | Working directory to use (defaults to `.`)                                                                                                  |
-| `files`      | List/CSV    | List of [bake definition files](https://docs.docker.com/build/customize/bake/file-definition/)                                              |
-| `target`     | String      | The target to use within the bake file                                                                                                      |
-
-#### outputs
-
-The following outputs are available
-
-| Name       | Type     | Description                |
-|------------|----------|----------------------------|
-| `targets`  | List/CSV | List of extracted targest  |
-
 ### environment variables

-| Name                      | Type | Description                                                                                                       |
-|---------------------------|------|-------------------------------------------------------------------------------------------------------------------|
-| `DOCKER_BUILD_NO_SUMMARY` | Bool | If `true`, [build summary](https://docs.docker.com/build/ci/github-actions/build-summary/) generation is disabled |
+| Name                                 | Type   | Default | Description                                                                                                                                                                                                                                                        |
+|--------------------------------------|--------|---------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `DOCKER_BUILD_CHECKS_ANNOTATIONS`    | Bool   | `true`  | If `false`, GitHub annotations are not generated for [build checks](https://docs.docker.com/build/checks/)                                                                                                                                                         |
+| `DOCKER_BUILD_SUMMARY`               | Bool   | `true`  | If `false`, [build summary](https://docs.docker.com/build/ci/github-actions/build-summary/) generation is disabled                                                                                                                                                 |
+| `DOCKER_BUILD_RECORD_UPLOAD`         | Bool   | `true`  | If `false`, build record upload as [GitHub artifact](https://docs.github.com/en/actions/using-workflows/storing-workflow-data-as-artifacts) is disabled                                                                                                            |
+| `DOCKER_BUILD_RECORD_RETENTION_DAYS` | Number |         | Duration after which build record artifact will expire in days. Defaults to repository/org [retention settings](https://docs.github.com/en/actions/learn-github-actions/usage-limits-billing-and-administration#artifact-and-log-retention-policy) if unset or `0` |
+
+## Subactions
+
+* [`list-targets`](subaction/list-targets)

 ## Contributing

@@ -137,6 +137,7 @@ describe('getArgs', () => {
      0,
      '0.4.1',
      new Map<string, string>([
+        ['source', '.'],
        ['load', 'false'],
        ['no-cache', 'false'],
        ['push', 'false'],
@@ -150,6 +151,7 @@ describe('getArgs', () => {
      1,
      '0.8.2',
      new Map<string, string>([
+        ['source', '.'],
        ['load', 'false'],
        ['no-cache', 'false'],
        ['push', 'false'],
@@ -164,6 +166,7 @@ describe('getArgs', () => {
      2,
      '0.8.2',
      new Map<string, string>([
+        ['source', '.'],
        ['targets', 'webapp\nvalidate'],
        ['load', 'false'],
        ['no-cache', 'false'],
@@ -180,6 +183,7 @@ describe('getArgs', () => {
      3,
      '0.8.2',
      new Map<string, string>([
+        ['source', '.'],
        ['set', '*.cache-from=type=gha\n*.cache-to=type=gha'],
        ['load', 'false'],
        ['no-cache', 'false'],
@@ -197,6 +201,7 @@ describe('getArgs', () => {
      4,
      '0.10.0',
      new Map<string, string>([
+        ['source', '.'],
        ['load', 'false'],
        ['no-cache', 'false'],
        ['push', 'false'],
@@ -212,6 +217,7 @@ describe('getArgs', () => {
      5,
      '0.10.0',
      new Map<string, string>([
+        ['source', '.'],
        ['load', 'false'],
        ['no-cache', 'false'],
        ['push', 'false'],
@@ -228,6 +234,7 @@ describe('getArgs', () => {
      6,
      '0.10.0',
      new Map<string, string>([
+        ['source', '.'],
        ['load', 'false'],
        ['no-cache', 'false'],
        ['push', 'false'],
@@ -244,6 +251,7 @@ describe('getArgs', () => {
      7,
      '0.10.0',
      new Map<string, string>([
+        ['source', '.'],
        ['load', 'false'],
        ['no-cache', 'false'],
        ['push', 'false'],
@@ -260,6 +268,7 @@ describe('getArgs', () => {
      8,
      '0.10.0',
      new Map<string, string>([
+        ['source', '.'],
        ['load', 'false'],
        ['no-cache', 'false'],
        ['push', 'false'],
@@ -276,6 +285,7 @@ describe('getArgs', () => {
      9,
      '0.10.0',
      new Map<string, string>([
+        ['source', '.'],
        ['load', 'false'],
        ['no-cache', 'false'],
        ['push', 'false'],
@@ -296,6 +306,7 @@ describe('getArgs', () => {
      10,
      '0.10.0',
      new Map<string, string>([
+        ['source', '.'],
        ['load', 'false'],
        ['no-cache', 'false'],
        ['push', 'false'],
@@ -315,7 +326,6 @@ describe('getArgs', () => {
      11,
      '0.10.0',
      new Map<string, string>([
-        ['source', '{{defaultContext}}'],
        ['load', 'false'],
        ['no-cache', 'false'],
        ['push', 'false'],
@@ -330,6 +340,43 @@ describe('getArgs', () => {
        '--provenance', `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
      ]
    ],
+    [
+      12,
+      '0.17.0',
+      new Map<string, string>([
+        ['source', '.'],
+        ['allow', 'network.host'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+      ]),
+      [
+        'bake',
+        '--allow', 'network.host',
+        '--metadata-file', metadataJson,
+        "--provenance", `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`
+      ]
+    ],
+    [
+      13,
+      '0.15.0',
+      new Map<string, string>([
+        ['source', '{{defaultContext}}:subdir'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+        ['files', './foo.hcl'],
+      ]),
+      [
+        'bake',
+        'https://github.com/docker/build-push-action.git#refs/heads/master:subdir',
+        '--file', './foo.hcl',
+        '--metadata-file', metadataJson,
+        '--provenance', `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
+      ]
+    ],
  ])(
    '[%d] given %p with %p as inputs, returns %p',
    async (num: number, buildxVersion: string, inputs: Map<string, string>, expected: Array<string>) => {
@@ -13,6 +13,9 @@ inputs:
  source:
    description: "Context to build from. Can be either local or a remote bake definition"
    required: false
+  allow:
+    description: "Allow build to access specified resources (e.g., network.host)"
+    required: false
  files:
    description: "List of bake definition files"
    required: false
@@ -2516,6 +2516,30 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 THE SOFTWARE.


+he
+MIT
+Copyright Mathias Bynens <https://mathiasbynens.be/>
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+
 iconv-lite
 MIT
 Copyright (c) 2011 Alexander Shtuchkin
@@ -1,3 +1,9 @@
+target "_common" {
+  args = {
+    BUILDKIT_CONTEXT_KEEP_GIT_DIR = 1
+  }
+}
+
 group "default" {
  targets = ["build"]
 }
@@ -11,42 +17,49 @@ group "validate" {
 }

 target "build" {
+  inherits = ["_common"]
  dockerfile = "dev.Dockerfile"
  target = "build-update"
  output = ["."]
 }

 target "build-validate" {
+  inherits = ["_common"]
  dockerfile = "dev.Dockerfile"
  target = "build-validate"
  output = ["type=cacheonly"]
 }

 target "format" {
+  inherits = ["_common"]
  dockerfile = "dev.Dockerfile"
  target = "format-update"
  output = ["."]
 }

 target "lint" {
+  inherits = ["_common"]
  dockerfile = "dev.Dockerfile"
  target = "lint"
  output = ["type=cacheonly"]
 }

 target "vendor" {
+  inherits = ["_common"]
  dockerfile = "dev.Dockerfile"
  target = "vendor-update"
  output = ["."]
 }

 target "vendor-validate" {
+  inherits = ["_common"]
  dockerfile = "dev.Dockerfile"
  target = "vendor-validate"
  output = ["type=cacheonly"]
 }

 target "test" {
+  inherits = ["_common"]
  dockerfile = "dev.Dockerfile"
  target = "test-coverage"
  output = ["./coverage"]
@@ -26,8 +26,8 @@
  "license": "Apache-2.0",
  "packageManager": "yarn@3.6.3",
  "dependencies": {
-    "@actions/core": "^1.10.1",
-    "@docker/actions-toolkit": "^0.26.0",
+    "@actions/core": "^1.11.1",
+    "@docker/actions-toolkit": "^0.50.0",
    "handlebars": "^4.7.8"
  },
  "devDependencies": {
@@ -11,6 +11,7 @@ import {Util} from '@docker/actions-toolkit/lib/util';
 import {BakeDefinition} from '@docker/actions-toolkit/lib/types/buildx/bake';

 export interface Inputs {
+  allow: string[];
  builder: string;
  files: string[];
  workdir: string;
@@ -28,6 +29,7 @@ export interface Inputs {

 export async function getInputs(): Promise<Inputs> {
  return {
+    allow: Util.getInputList('allow'),
    builder: core.getInput('builder'),
    files: Util.getInputList('files'),
    workdir: core.getInput('workdir') || '.',
@@ -66,6 +68,10 @@ export function sanitizeInputs(inputs: Inputs) {
  return res;
 }

+export function getGitAuthToken(inputs: Inputs): string {
+  return process.env.BUILDX_BAKE_GIT_AUTH_TOKEN ?? inputs['github-token'];
+}
+
 export async function getArgs(inputs: Inputs, definition: BakeDefinition, toolkit: Toolkit): Promise<Array<string>> {
  // prettier-ignore
  return [
@@ -80,12 +86,30 @@ async function getBakeArgs(inputs: Inputs, definition: BakeDefinition, toolkit:
  if (inputs.source) {
    args.push(inputs.source);
  }
+  if (await toolkit.buildx.versionSatisfies('>=0.17.0')) {
+    if (await toolkit.buildx.versionSatisfies('>=0.18.0')) {
+      // allow filesystem entitlements by default
+      inputs.allow.push('fs=*');
+    }
+    await Util.asyncForEach(inputs.allow, async allow => {
+      args.push('--allow', allow);
+    });
+  }
  await Util.asyncForEach(inputs.files, async file => {
    args.push('--file', file);
  });
  await Util.asyncForEach(inputs.set, async set => {
    args.push('--set', set);
  });
+  if (await toolkit.buildx.versionSatisfies('<0.20.0')) {
+    // For buildx versions < 0.20.0, we need to set GIT_AUTH_TOKEN secret as it
+    // doesn't infer BUILDX_BAKE_GIT_AUTH_TOKEN environment variable for build
+    // request: https://github.com/docker/buildx/pull/2905
+    const gitAuthToken = getGitAuthToken(inputs);
+    if (gitAuthToken && !Bake.hasGitAuthTokenSecret(definition) && inputs.source.startsWith(Context.gitContext())) {
+      args.push('--set', `*.secrets=${Build.resolveSecretString(`GIT_AUTH_TOKEN=${gitAuthToken}`)}`);
+    }
+  }
  if (await toolkit.buildx.versionSatisfies('>=0.6.0')) {
    args.push('--metadata-file', toolkit.buildxBake.getMetadataFilePath());
  }
@@ -136,6 +160,9 @@ function getSourceInput(name: string): string {
  let source = handlebars.compile(core.getInput(name))({
    defaultContext: Context.gitContext()
  });
+  if (!source) {
+    source = Context.gitContext();
+  }
  if (source === '.') {
    source = '';
  }
@@ -13,7 +13,9 @@ import {Toolkit} from '@docker/actions-toolkit/lib/toolkit';
 import {Util} from '@docker/actions-toolkit/lib/util';

 import {BakeDefinition} from '@docker/actions-toolkit/lib/types/buildx/bake';
+import {BuilderInfo} from '@docker/actions-toolkit/lib/types/buildx/builder';
 import {ConfigFile} from '@docker/actions-toolkit/lib/types/docker/docker';
+import {UploadArtifactResponse} from '@docker/actions-toolkit/lib/types/github';

 import * as context from './context';
 import * as stateHelper from './state-helper';
@@ -28,7 +30,7 @@ actionsToolkit.run(
    stateHelper.setInputs(inputs);

    const toolkit = new Toolkit();
-    const gitAuthToken = process.env.BUILDX_BAKE_GIT_AUTH_TOKEN ?? inputs['github-token'];
+    const gitAuthToken = context.getGitAuthToken(inputs);

    await core.group(`GitHub Actions runtime token ACs`, async () => {
      try {
@@ -83,16 +85,17 @@ actionsToolkit.run(
      await toolkit.buildx.printVersion();
    });

+    let builder: BuilderInfo;
    await core.group(`Builder info`, async () => {
-      const builder = await toolkit.builder.inspect(inputs.builder);
+      builder = await toolkit.builder.inspect(inputs.builder);
      core.info(JSON.stringify(builder, null, 2));
-      stateHelper.setBuilder(builder);
    });

    let definition: BakeDefinition | undefined;
    await core.group(`Parsing raw definition`, async () => {
      definition = await toolkit.buildxBake.getDefinition(
        {
+          allow: inputs.allow,
          files: inputs.files,
          load: inputs.load,
          noCache: inputs['no-cache'],
@@ -117,15 +120,21 @@ actionsToolkit.run(
    const args: string[] = await context.getArgs(inputs, definition, toolkit);
    const buildCmd = await toolkit.buildx.getCommand(args);
    const buildEnv = Object.assign({}, process.env, {
-      BUILDX_BAKE_GIT_AUTH_TOKEN: gitAuthToken
+      BUILDX_BAKE_GIT_AUTH_TOKEN: gitAuthToken,
+      BUILDX_METADATA_WARNINGS: 'true'
    }) as {
      [key: string]: string;
    };

    await core.group(`Bake definition`, async () => {
-      await Exec.exec(buildCmd.command, [...buildCmd.args, '--print'], {
+      await Exec.getExecOutput(buildCmd.command, [...buildCmd.args, '--print'], {
        cwd: inputs.workdir,
-        env: buildEnv
+        env: buildEnv,
+        ignoreReturnCode: true
+      }).then(res => {
+        if (res.stderr.length > 0 && res.exitCode != 0) {
+          throw Error(res.stderr);
+        }
      });
    });

@@ -148,44 +157,82 @@ actionsToolkit.run(
        core.setOutput('metadata', metadatadt);
      });
    }
+
+    let refs: Array<string> = [];
    await core.group(`Build references`, async () => {
-      const refs = await buildRefs(toolkit, startedTime, inputs.builder);
-      if (refs) {
+      refs = await buildRefs(toolkit, startedTime, inputs.builder);
+      if (refs.length > 0) {
        for (const ref of refs) {
          core.info(ref);
        }
        stateHelper.setBuildRefs(refs);
      } else {
-        core.warning('No build refs found');
+        core.info('No build references found');
      }
    });
+
+    if (buildChecksAnnotationsEnabled()) {
+      const warnings = toolkit.buildxBake.resolveWarnings(metadata);
+      if (refs.length > 0 && warnings && warnings.length > 0) {
+        const annotations = await Buildx.convertWarningsToGitHubAnnotations(warnings, refs);
+        core.debug(`annotations: ${JSON.stringify(annotations, null, 2)}`);
+        if (annotations && annotations.length > 0) {
+          await core.group(`Generating GitHub annotations (${annotations.length} build checks found)`, async () => {
+            for (const annotation of annotations) {
+              core.warning(annotation.message, annotation);
+            }
+          });
+        }
+      }
+    }
+
+    await core.group(`Check build summary support`, async () => {
+      if (!buildSummaryEnabled()) {
+        core.info('Build summary disabled');
+      } else if (GitHub.isGHES) {
+        core.info('Build summary is not yet supported on GHES');
+      } else if (!(await toolkit.buildx.versionSatisfies('>=0.13.0'))) {
+        core.info('Build summary requires Buildx >= 0.13.0');
+      } else if (builder && builder.driver === 'cloud') {
+        core.info('Build summary is not yet supported with Docker Build Cloud');
+      } else if (refs.length == 0) {
+        core.info('Build summary requires at least one build reference');
+      } else {
+        core.info('Build summary supported!');
+        stateHelper.setSummarySupported();
+      }
+    });
+
    if (err) {
      throw err;
    }
  },
  // post
  async () => {
-    if (stateHelper.buildRefs.length > 0) {
+    if (stateHelper.isSummarySupported) {
      await core.group(`Generating build summary`, async () => {
-        if (process.env.DOCKER_BUILD_NO_SUMMARY && Util.parseBool(process.env.DOCKER_BUILD_NO_SUMMARY)) {
-          core.info('Summary disabled');
-          return;
-        }
-        if (stateHelper.builder && stateHelper.builder.driver === 'cloud') {
-          core.info('Summary is not yet supported with Docker Build Cloud');
-          return;
-        }
        try {
+          const recordUploadEnabled = buildRecordUploadEnabled();
+          let recordRetentionDays: number | undefined;
+          if (recordUploadEnabled) {
+            recordRetentionDays = buildRecordRetentionDays();
+          }
+
          const buildxHistory = new BuildxHistory();
          const exportRes = await buildxHistory.export({
            refs: stateHelper.buildRefs
          });
-          core.info(`Build records exported to ${exportRes.dockerbuildFilename} (${Util.formatFileSize(exportRes.dockerbuildSize)})`);
-          const uploadRes = await GitHub.uploadArtifact({
-            filename: exportRes.dockerbuildFilename,
-            mimeType: 'application/gzip',
-            retentionDays: 90
-          });
+          core.info(`Build records written to ${exportRes.dockerbuildFilename} (${Util.formatFileSize(exportRes.dockerbuildSize)})`);
+
+          let uploadRes: UploadArtifactResponse | undefined;
+          if (recordUploadEnabled) {
+            uploadRes = await GitHub.uploadArtifact({
+              filename: exportRes.dockerbuildFilename,
+              mimeType: 'application/gzip',
+              retentionDays: recordRetentionDays
+            });
+          }
+
          await GitHub.writeBuildSummary({
            exportRes: exportRes,
            uploadRes: uploadRes,
@@ -229,3 +276,44 @@ async function buildRefs(toolkit: Toolkit, since: Date, builder?: string): Promi
  }
  return refs;
 }
+
+function buildChecksAnnotationsEnabled(): boolean {
+  if (process.env.DOCKER_BUILD_CHECKS_ANNOTATIONS) {
+    return Util.parseBool(process.env.DOCKER_BUILD_CHECKS_ANNOTATIONS);
+  }
+  return true;
+}
+
+function buildSummaryEnabled(): boolean {
+  if (process.env.DOCKER_BUILD_NO_SUMMARY) {
+    core.warning('DOCKER_BUILD_NO_SUMMARY is deprecated. Set DOCKER_BUILD_SUMMARY to false instead.');
+    return !Util.parseBool(process.env.DOCKER_BUILD_NO_SUMMARY);
+  } else if (process.env.DOCKER_BUILD_SUMMARY) {
+    return Util.parseBool(process.env.DOCKER_BUILD_SUMMARY);
+  }
+  return true;
+}
+
+function buildRecordUploadEnabled(): boolean {
+  if (process.env.DOCKER_BUILD_RECORD_UPLOAD) {
+    return Util.parseBool(process.env.DOCKER_BUILD_RECORD_UPLOAD);
+  }
+  return true;
+}
+
+function buildRecordRetentionDays(): number | undefined {
+  let val: string | undefined;
+  if (process.env.DOCKER_BUILD_EXPORT_RETENTION_DAYS) {
+    core.warning('DOCKER_BUILD_EXPORT_RETENTION_DAYS is deprecated. Use DOCKER_BUILD_RECORD_RETENTION_DAYS instead.');
+    val = process.env.DOCKER_BUILD_EXPORT_RETENTION_DAYS;
+  } else if (process.env.DOCKER_BUILD_RECORD_RETENTION_DAYS) {
+    val = process.env.DOCKER_BUILD_RECORD_RETENTION_DAYS;
+  }
+  if (val) {
+    const res = parseInt(val);
+    if (isNaN(res)) {
+      throw Error(`Invalid build record retention days: ${val}`);
+    }
+    return res;
+  }
+}
@@ -1,15 +1,14 @@
 import * as core from '@actions/core';

 import {BakeDefinition} from '@docker/actions-toolkit/lib/types/buildx/bake';
-import {BuilderInfo} from '@docker/actions-toolkit/lib/types/buildx/builder';

 import {Inputs, sanitizeInputs} from './context';

 export const tmpDir = process.env['STATE_tmpDir'] || '';
 export const inputs = process.env['STATE_inputs'] ? JSON.parse(process.env['STATE_inputs']) : undefined;
-export const builder = process.env['STATE_builder'] ? <BuilderInfo>JSON.parse(process.env['STATE_builder']) : undefined;
 export const bakeDefinition = process.env['STATE_bakeDefinition'] ? <BakeDefinition>JSON.parse(process.env['STATE_bakeDefinition']) : undefined;
 export const buildRefs = process.env['STATE_buildRefs'] ? process.env['STATE_buildRefs'].split(',') : [];
+export const isSummarySupported = !!process.env['STATE_isSummarySupported'];

 export function setTmpDir(tmpDir: string) {
  core.saveState('tmpDir', tmpDir);
@@ -19,10 +18,6 @@ export function setInputs(inputs: Inputs) {
  core.saveState('inputs', JSON.stringify(sanitizeInputs(inputs)));
 }

-export function setBuilder(builder: BuilderInfo) {
-  core.saveState('builder', JSON.stringify(builder));
-}
-
 export function setBakeDefinition(bakeDefinition: BakeDefinition) {
  core.saveState('bakeDefinition', JSON.stringify(bakeDefinition));
 }
@@ -30,3 +25,7 @@ export function setBakeDefinition(bakeDefinition: BakeDefinition) {
 export function setBuildRefs(buildRefs: Array<string>) {
  core.saveState('buildRefs', buildRefs.join(','));
 }
+
+export function setSummarySupported() {
+  core.saveState('isSummarySupported', 'true');
+}
@@ -0,0 +1,84 @@
+## About
+
+This subaction generates a list of Bake targets that can be used in a [GitHub matrix](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstrategymatrix),
+so you can distribute your builds across multiple runners.
+
+![Screenshot](../../.github/bake-action.png)
+
+___
+
+* [Usage](#usage)
+* [Customizing](#customizing)
+  * [inputs](#inputs)
+  * [outputs](#outputs)
+
+## Usage
+
+```hcl
+# docker-bake.hcl
+group "validate" {
+  targets = ["lint", "doctoc"]
+}
+
+target "lint" {
+  target = "lint"
+}
+
+target "doctoc" {
+  target = "doctoc"
+}
+```
+
+```yaml
+jobs:
+  prepare:
+    runs-on: ubuntu-latest
+    outputs:
+      targets: ${{ steps.generate.outputs.targets }}
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: List targets
+        id: generate
+        uses: docker/bake-action/subaction/list-targets@v6
+        with:
+          target: validate
+
+  validate:
+    runs-on: ubuntu-latest
+    needs:
+      - prepare
+    strategy:
+      fail-fast: false
+      matrix:
+        target: ${{ fromJson(needs.prepare.outputs.targets) }}
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Validate
+        uses: docker/bake-action@v6
+        with:
+          targets: ${{ matrix.target }}
+```
+
+## Customizing
+
+### inputs
+
+| Name         | Type        | Description                                                                                                                                 |
+|--------------|-------------|---------------------------------------------------------------------------------------------------------------------------------------------|
+| `workdir`    | String      | Working directory to use (defaults to `.`)                                                                                                  |
+| `files`      | List/CSV    | List of [bake definition files](https://docs.docker.com/build/customize/bake/file-definition/)                                              |
+| `target`     | String      | The target to use within the bake file                                                                                                      |
+
+### outputs
+
+The following outputs are available
+
+| Name       | Type     | Description                |
+|------------|----------|----------------------------|
+| `targets`  | List/CSV | List of extracted targest  |
@@ -29,7 +29,7 @@ runs:
      with:
        script: |
          let def;
-          const files = `${{ inputs.files }}` ? `${{ inputs.files }}`.split(',') : [];
+          const files = `${{ inputs.files }}` ? `${{ inputs.files }}`.split(/[\r?\n,]+/).filter(Boolean) : [];
          const target = `${{ inputs.target }}`;

          await core.group(`Validating definition`, async () => {
@@ -42,3 +42,8 @@ target "app-proxy" {
  inherits = ["app"]
  dockerfile = "proxy.Dockerfile"
 }
+
+target "app-entitlements" {
+  inherits = ["app"]
+  entitlements = ["network.host"]
+}
@@ -0,0 +1,10 @@
+frOM busybox as base
+cOpy lint-other.Dockerfile .
+
+froM busybox aS notused
+COPY lint-other.Dockerfile .
+
+from scratch
+COPy --from=base \
+  /lint-other.Dockerfile \
+  /
@@ -0,0 +1,12 @@
+frOM busybox as base
+cOpy lint.Dockerfile .
+
+from scratch
+MAINTAINER moby@example.com
+COPy --from=base \
+  /lint.Dockerfile \
+  /
+
+CMD [ "echo", "Hello, Norway!" ]
+CMD [ "echo", "Hello, Sweden!" ]
+ENTRYPOINT my-program start
@@ -0,0 +1,12 @@
+group "default" {
+  targets = ["lint", "lint-other", "lint-inline"]
+}
+target "lint" {
+  dockerfile = "lint.Dockerfile"
+}
+target "lint-other" {
+  dockerfile = "lint-other.Dockerfile"
+}
+target "lint-inline" {
+  dockerfile-inline = "FRoM alpine\nENTRYPOINT [\"echo\", \"hello\"]"
+}
@@ -0,0 +1,15 @@
+group "default" {
+  targets = ["t3"]
+}
+
+target "t3" {
+  name = "${item.tag}"
+  matrix = {
+    item = t3
+  }
+  args = {
+    VERSION = "${item.version}"
+    DUMMY_ARG = "${item.arg}"
+  }
+  tags = ["${item.tag}"]
+}
@@ -0,0 +1,14 @@
+{
+  "t3": [
+    {
+      "version": "v1",
+      "arg": "v1-value",
+      "tag": "v1-tag"
+    },
+    {
+      "version": "v2",
+      "arg": "v2-value",
+      "tag": "v2-tag"
+    }
+  ]
+}
@@ -12,9 +12,9 @@ __metadata:
  languageName: node
  linkType: hard

-"@actions/artifact@npm:^2.1.7":
-  version: 2.1.7
-  resolution: "@actions/artifact@npm:2.1.7"
+"@actions/artifact@npm:^2.2.1":
+  version: 2.2.1
+  resolution: "@actions/artifact@npm:2.2.1"
  dependencies:
    "@actions/core": ^1.10.0
    "@actions/github": ^5.1.1
@@ -26,19 +26,18 @@ __metadata:
    "@octokit/request-error": ^5.0.0
    "@protobuf-ts/plugin": ^2.2.3-alpha.1
    archiver: ^7.0.1
-    crypto: ^1.0.1
    jwt-decode: ^3.1.2
    twirp-ts: ^2.5.0
    unzip-stream: ^0.3.1
-  checksum: 346c7caf43bdeb4a96c044ca3a6a005d82b977178b1a6be2c6954dfd59fef3344d2576bdd07c6cac9b54207cc88d7b1161cabd08c7cc15a1db86bf82463b36c7
+  checksum: 6ce4e62d941f17743c845637cdd832ca34c77efe0c31cf7f6ab3ad0531e54e62d4379198e8af5e84463b5f5ae0bc0ea11d41cc77c5fae7e511c7ef01742892ea
  languageName: node
  linkType: hard

-"@actions/cache@npm:^3.2.4":
-  version: 3.2.4
-  resolution: "@actions/cache@npm:3.2.4"
+"@actions/cache@npm:^3.3.0":
+  version: 3.3.0
+  resolution: "@actions/cache@npm:3.3.0"
  dependencies:
-    "@actions/core": ^1.10.0
+    "@actions/core": ^1.11.1
    "@actions/exec": ^1.0.1
    "@actions/glob": ^0.1.0
    "@actions/http-client": ^2.1.1
@@ -47,12 +46,11 @@ __metadata:
    "@azure/ms-rest-js": ^2.6.0
    "@azure/storage-blob": ^12.13.0
    semver: ^6.3.1
-    uuid: ^3.3.3
-  checksum: 5bf5f7541bea4906b553440a9ffee5699e11dfb729365c6cb0bbd37e147a1a0993369fdad16bfa3e2b01ec7fa57dac66276278bfd4a389009246a75ea953e61d
+  checksum: f0761b1491b7706a80b44d68ed52eb48c04653fc939525a7c7b606e9d9251c40c7e4ac20846ab92ac32db6869e1a6f0f574bd6b7fec1ab9378c8e199c5acc9c9
  languageName: node
  linkType: hard

-"@actions/core@npm:^1.10.0, @actions/core@npm:^1.10.1, @actions/core@npm:^1.2.6":
+"@actions/core@npm:^1.10.0, @actions/core@npm:^1.2.6":
  version: 1.10.1
  resolution: "@actions/core@npm:1.10.1"
  dependencies:
@@ -62,6 +60,16 @@ __metadata:
  languageName: node
  linkType: hard

+"@actions/core@npm:^1.11.1":
+  version: 1.11.1
+  resolution: "@actions/core@npm:1.11.1"
+  dependencies:
+    "@actions/exec": ^1.1.1
+    "@actions/http-client": ^2.0.1
+  checksum: 9ac7a3e0b478bfefd862dcb4ddaa1d8c3f9076bb1931d3d280918d1749e7783480c6a009c1b009c8bf5093e2d77d9f4e023d70416145bf246f0071736d4ef839
+  languageName: node
+  linkType: hard
+
 "@actions/exec@npm:^1.0.0, @actions/exec@npm:^1.0.1, @actions/exec@npm:^1.1.1":
  version: 1.1.1
  resolution: "@actions/exec@npm:1.1.1"
@@ -105,7 +113,7 @@ __metadata:
  languageName: node
  linkType: hard

-"@actions/http-client@npm:^2.0.1, @actions/http-client@npm:^2.1.0, @actions/http-client@npm:^2.1.1, @actions/http-client@npm:^2.2.0, @actions/http-client@npm:^2.2.1":
+"@actions/http-client@npm:^2.0.1, @actions/http-client@npm:^2.1.0, @actions/http-client@npm:^2.1.1, @actions/http-client@npm:^2.2.0":
  version: 2.2.1
  resolution: "@actions/http-client@npm:2.2.1"
  dependencies:
@@ -115,6 +123,16 @@ __metadata:
  languageName: node
  linkType: hard

+"@actions/http-client@npm:^2.2.3":
+  version: 2.2.3
+  resolution: "@actions/http-client@npm:2.2.3"
+  dependencies:
+    tunnel: ^0.0.6
+    undici: ^5.25.4
+  checksum: 5d395df575d30ae599efa10dd715e72944b015e753db61f0a823f737acbb0e99743d4a9f25e812b18ec8cc34f86c73565d075c449e01ffa891577b6595212dde
+  languageName: node
+  linkType: hard
+
 "@actions/io@npm:^1.0.1, @actions/io@npm:^1.1.1, @actions/io@npm:^1.1.3":
  version: 1.1.3
  resolution: "@actions/io@npm:1.1.3"
@@ -1048,31 +1066,32 @@ __metadata:
  languageName: node
  linkType: hard

-"@docker/actions-toolkit@npm:^0.26.0":
-  version: 0.26.0
-  resolution: "@docker/actions-toolkit@npm:0.26.0"
+"@docker/actions-toolkit@npm:^0.50.0":
+  version: 0.50.0
+  resolution: "@docker/actions-toolkit@npm:0.50.0"
  dependencies:
-    "@actions/artifact": ^2.1.7
-    "@actions/cache": ^3.2.4
-    "@actions/core": ^1.10.1
+    "@actions/artifact": ^2.2.1
+    "@actions/cache": ^3.3.0
+    "@actions/core": ^1.11.1
    "@actions/exec": ^1.1.1
    "@actions/github": ^6.0.0
-    "@actions/http-client": ^2.2.1
+    "@actions/http-client": ^2.2.3
    "@actions/io": ^1.1.3
    "@actions/tool-cache": ^2.0.1
    "@azure/storage-blob": ^12.15.0
    "@octokit/core": ^5.1.0
    "@octokit/plugin-rest-endpoint-methods": ^10.4.0
    async-retry: ^1.3.3
-    csv-parse: ^5.5.6
+    csv-parse: ^5.6.0
    gunzip-maybe: ^1.4.2
    handlebars: ^4.7.8
+    he: ^1.2.0
    js-yaml: ^4.1.0
    jwt-decode: ^4.0.0
-    semver: ^7.6.2
+    semver: ^7.6.3
    tar-stream: ^3.1.7
    tmp: ^0.2.3
-  checksum: bc5b8311758a6cfed9e9f575cc18f70bd9b39316d7604e9b57ba7500e7a1c5b2034e29e9ada18187a7dac50f02f60f8fa257e30440b458417628efa4b7f254bb
+  checksum: dc1b0323f142f96cbac47be327ebdbc9038a8835f32f174e24c3d8113df03ca6fb034be6ffadeab1e1d234ccd6931e09915c96a8732065e35a576e459d3471ff
  languageName: node
  linkType: hard

@@ -3024,27 +3043,20 @@ __metadata:
  linkType: hard

 "cross-spawn@npm:^7.0.0, cross-spawn@npm:^7.0.2, cross-spawn@npm:^7.0.3":
-  version: 7.0.3
-  resolution: "cross-spawn@npm:7.0.3"
+  version: 7.0.6
+  resolution: "cross-spawn@npm:7.0.6"
  dependencies:
    path-key: ^3.1.0
    shebang-command: ^2.0.0
    which: ^2.0.1
-  checksum: 671cc7c7288c3a8406f3c69a3ae2fc85555c04169e9d611def9a675635472614f1c0ed0ef80955d5b6d4e724f6ced67f0ad1bb006c2ea643488fcfef994d7f52
+  checksum: 8d306efacaf6f3f60e0224c287664093fa9185680b2d195852ba9a863f85d02dcc737094c6e512175f8ee0161f9b87c73c6826034c2422e39de7d6569cf4503b
  languageName: node
  linkType: hard

-"crypto@npm:^1.0.1":
-  version: 1.0.1
-  resolution: "crypto@npm:1.0.1"
-  checksum: 087fe3165bd94c333a49e6ed66a0193911f63eac38a24f379b3001a5fe260a59c413646e53a0f67875ba13902b2686d81dc703cb2c147a4ec727dcdc04e5645e
-  languageName: node
-  linkType: hard
-
-"csv-parse@npm:^5.5.6":
-  version: 5.5.6
-  resolution: "csv-parse@npm:5.5.6"
-  checksum: ee06f97f674487dc1d001b360de8ea510a41b9d971abf43bcf9c3be22c83a3634df0d3ebfbe52fd49d145077066be7ff9f25de3fc6b71aefb973099b04147a25
+"csv-parse@npm:^5.6.0":
+  version: 5.6.0
+  resolution: "csv-parse@npm:5.6.0"
+  checksum: 173e176bdaf212bab37d0f6d39a06d039d24a1c0ee40b9f1023ebf8b36095934807deeb493c0fb58592b39b0682ccd0be5c9e8d2b137c08807e7031595ea7a51
  languageName: node
  linkType: hard

@@ -3146,8 +3158,8 @@ __metadata:
  version: 0.0.0-use.local
  resolution: "docker-buildx-bake@workspace:."
  dependencies:
-    "@actions/core": ^1.10.1
-    "@docker/actions-toolkit": ^0.26.0
+    "@actions/core": ^1.11.1
+    "@docker/actions-toolkit": ^0.50.0
    "@types/node": ^20.12.12
    "@typescript-eslint/eslint-plugin": ^7.9.0
    "@typescript-eslint/parser": ^7.9.0
@@ -3946,6 +3958,15 @@ __metadata:
  languageName: node
  linkType: hard

+"he@npm:^1.2.0":
+  version: 1.2.0
+  resolution: "he@npm:1.2.0"
+  bin:
+    he: bin/he
+  checksum: 3d4d6babccccd79c5c5a3f929a68af33360d6445587d628087f39a965079d84f18ce9c3d3f917ee1e3978916fc833bb8b29377c3b403f919426f91bc6965e7a7
+  languageName: node
+  linkType: hard
+
 "html-escaper@npm:^2.0.0":
  version: 2.0.2
  resolution: "html-escaper@npm:2.0.2"
@@ -5454,9 +5475,9 @@ __metadata:
  linkType: hard

 "path-to-regexp@npm:^6.2.0":
-  version: 6.2.2
-  resolution: "path-to-regexp@npm:6.2.2"
-  checksum: b7b0005c36f5099f9ed1fb20a820d2e4ed1297ffe683ea1d678f5e976eb9544f01debb281369dabdc26da82e6453901bf71acf2c7ed14b9243536c2a45286c33
+  version: 6.3.0
+  resolution: "path-to-regexp@npm:6.3.0"
+  checksum: eca78602e6434a1b6799d511d375ec044e8d7e28f5a48aa5c28d57d8152fb52f3fc62fb1cfc5dfa2198e1f041c2a82ed14043d75740a2fe60e91b5089a153250
  languageName: node
  linkType: hard

@@ -5846,7 +5867,7 @@ __metadata:
  languageName: node
  linkType: hard

-"semver@npm:^7.6.0, semver@npm:^7.6.2":
+"semver@npm:^7.6.0":
  version: 7.6.2
  resolution: "semver@npm:7.6.2"
  bin:
@@ -5855,6 +5876,15 @@ __metadata:
  languageName: node
  linkType: hard

+"semver@npm:^7.6.3":
+  version: 7.6.3
+  resolution: "semver@npm:7.6.3"
+  bin:
+    semver: bin/semver.js
+  checksum: 4110ec5d015c9438f322257b1c51fe30276e5f766a3f64c09edd1d7ea7118ecbc3f379f3b69032bacf13116dc7abc4ad8ce0d7e2bd642e26b0d271b56b61a7d8
+  languageName: node
+  linkType: hard
+
 "shebang-command@npm:^2.0.0":
  version: 2.0.0
  resolution: "shebang-command@npm:2.0.0"
@@ -6549,7 +6579,7 @@ __metadata:
  languageName: node
  linkType: hard

-"uuid@npm:^3.3.2, uuid@npm:^3.3.3":
+"uuid@npm:^3.3.2":
  version: 3.4.0
  resolution: "uuid@npm:3.4.0"
  bin: