Merge pull request #253 from crazy-max/allow-input

add allow input

.github/workflows/ci.yml

@@ -691,3 +691,25 @@ jobs:
             ./lint.hcl
         env:
           DOCKER_BUILD_CHECKS_ANNOTATIONS: false
+
+  allow:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          files: |
+            ./test/config.hcl
+          allow: network.host
+          targets: app-entitlements

README.md

@@ -184,6 +184,7 @@ The following inputs can be used as `step.with` keys
 |----------------|-------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | `builder`      | String      | Builder instance (see [setup-buildx](https://github.com/docker/setup-buildx-action) action)                                                                        |
 | `source`       | String      | Context to build from. Can be either local (`.`) or a [remote bake definition](https://docs.docker.com/build/customize/bake/file-definition/#remote-definition)    |
+| `allow`        | List/CSV    | Allow build to access specified resources (e.g., `network.host`)                                                                                                   |
 | `files`        | List/CSV    | List of [bake definition files](https://docs.docker.com/build/customize/bake/file-definition/)                                                                     |
 | `workdir`      | String      | Working directory of execution                                                                                                                                     |
 | `targets`      | List/CSV    | List of bake targets (`default` target used if empty)                                                                                                              |
@@ -193,7 +194,7 @@ The following inputs can be used as `step.with` keys
 | `provenance`   | Bool/String | [Provenance](https://docs.docker.com/build/attestations/slsa-provenance/) is a shorthand for `--set=*.attest=type=provenance`                                      |
 | `push`         | Bool        | Push is a shorthand for `--set=*.output=type=registry` (default `false`)                                                                                           |
 | `sbom`         | Bool/String | [SBOM](https://docs.docker.com/build/attestations/sbom/) is a shorthand for `--set=*.attest=type=sbom`                                                             |
-| `set`          | List        | List of [targets values to override](https://docs.docker.com/engine/reference/commandline/buildx_bake/#set) (eg: `targetpattern.key=value`)                        |
+| `set`          | List        | List of [targets values to override](https://docs.docker.com/engine/reference/commandline/buildx_bake/#set) (e.g., `targetpattern.key=value`)                      |
 | `github-token` | String      | API token used to authenticate to a Git repository for [remote definitions](https://docs.docker.com/build/bake/remote-definition/) (default `${{ github.token }}`) |
 
 ### outputs

__tests__/context.test.ts

@@ -330,6 +330,23 @@ describe('getArgs', () => {
         '--provenance', `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
       ]
     ],
+    [
+      12,
+      '0.17.0',
+      new Map<string, string>([
+        ['allow', 'network.host'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+      ]),
+      [
+        'bake',
+        '--allow', 'network.host',
+        '--metadata-file', metadataJson,
+        "--provenance", `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`
+      ]
+    ],
   ])(
     '[%d] given %p with %p as inputs, returns %p',
     async (num: number, buildxVersion: string, inputs: Map<string, string>, expected: Array<string>) => {

action.yml

@@ -13,6 +13,9 @@ inputs:
   source:
     description: "Context to build from. Can be either local or a remote bake definition"
     required: false
+  allow:
+    description: "Allow build to access specified resources (e.g., network.host)"
+    required: false
   files:
     description: "List of bake definition files"
     required: false

package.json

@@ -27,7 +27,7 @@
   "packageManager": "yarn@3.6.3",
   "dependencies": {
     "@actions/core": "^1.10.1",
-    "@docker/actions-toolkit": "^0.37.1",
+    "@docker/actions-toolkit": "^0.39.0",
     "handlebars": "^4.7.8"
   },
   "devDependencies": {

src/context.ts

@@ -11,6 +11,7 @@ import {Util} from '@docker/actions-toolkit/lib/util';
 import {BakeDefinition} from '@docker/actions-toolkit/lib/types/buildx/bake';
 
 export interface Inputs {
+  allow: string[];
   builder: string;
   files: string[];
   workdir: string;
@@ -28,6 +29,7 @@ export interface Inputs {
 
 export async function getInputs(): Promise<Inputs> {
   return {
+    allow: Util.getInputList('allow'),
     builder: core.getInput('builder'),
     files: Util.getInputList('files'),
     workdir: core.getInput('workdir') || '.',
@@ -80,6 +82,11 @@ async function getBakeArgs(inputs: Inputs, definition: BakeDefinition, toolkit:
   if (inputs.source) {
     args.push(inputs.source);
   }
+  if (await toolkit.buildx.versionSatisfies('>=0.17.0')) {
+    if (inputs.allow.length > 0) {
+      args.push('--allow', inputs.allow.join(','));
+    }
+  }
   await Util.asyncForEach(inputs.files, async file => {
     args.push('--file', file);
   });

src/main.ts

@@ -184,13 +184,13 @@ actionsToolkit.run(
       if (!buildSummaryEnabled()) {
         core.info('Build summary disabled');
       } else if (GitHub.isGHES) {
-        core.warning('Build summary is not yet supported on GHES');
+        core.info('Build summary is not yet supported on GHES');
       } else if (!(await toolkit.buildx.versionSatisfies('>=0.13.0'))) {
-        core.warning('Build summary requires Buildx >= 0.13.0');
+        core.info('Build summary requires Buildx >= 0.13.0');
       } else if (builder && builder.driver === 'cloud') {
-        core.warning('Build summary is not yet supported with Docker Build Cloud');
+        core.info('Build summary is not yet supported with Docker Build Cloud');
       } else if (refs.length == 0) {
-        core.warning('Build summary requires at least one build reference');
+        core.info('Build summary requires at least one build reference');
       } else {
         core.info('Build summary supported!');
         stateHelper.setSummarySupported();

test/config.hcl

@@ -42,3 +42,8 @@ target "app-proxy" {
   inherits = ["app"]
   dockerfile = "proxy.Dockerfile"
 }
+
+target "app-entitlements" {
+  inherits = ["app"]
+  entitlements = ["network.host"]
+}

yarn.lock

@@ -105,7 +105,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"@actions/http-client@npm:^2.0.1, @actions/http-client@npm:^2.1.0, @actions/http-client@npm:^2.1.1, @actions/http-client@npm:^2.2.0, @actions/http-client@npm:^2.2.1":
+"@actions/http-client@npm:^2.0.1, @actions/http-client@npm:^2.1.0, @actions/http-client@npm:^2.1.1, @actions/http-client@npm:^2.2.0":
   version: 2.2.1
   resolution: "@actions/http-client@npm:2.2.1"
   dependencies:
@@ -115,6 +115,16 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@actions/http-client@npm:^2.2.3":
+  version: 2.2.3
+  resolution: "@actions/http-client@npm:2.2.3"
+  dependencies:
+    tunnel: ^0.0.6
+    undici: ^5.25.4
+  checksum: 5d395df575d30ae599efa10dd715e72944b015e753db61f0a823f737acbb0e99743d4a9f25e812b18ec8cc34f86c73565d075c449e01ffa891577b6595212dde
+  languageName: node
+  linkType: hard
+
 "@actions/io@npm:^1.0.1, @actions/io@npm:^1.1.1, @actions/io@npm:^1.1.3":
   version: 1.1.3
   resolution: "@actions/io@npm:1.1.3"
@@ -1048,16 +1058,16 @@ __metadata:
   languageName: node
   linkType: hard
 
-"@docker/actions-toolkit@npm:^0.37.1":
+"@docker/actions-toolkit@npm:^0.39.0":
-  version: 0.37.1
+  version: 0.39.0
-  resolution: "@docker/actions-toolkit@npm:0.37.1"
+  resolution: "@docker/actions-toolkit@npm:0.39.0"
   dependencies:
     "@actions/artifact": ^2.1.9
     "@actions/cache": ^3.2.4
     "@actions/core": ^1.10.1
     "@actions/exec": ^1.1.1
     "@actions/github": ^6.0.0
-    "@actions/http-client": ^2.2.1
+    "@actions/http-client": ^2.2.3
     "@actions/io": ^1.1.3
     "@actions/tool-cache": ^2.0.1
     "@azure/storage-blob": ^12.15.0
@@ -1073,7 +1083,7 @@ __metadata:
     semver: ^7.6.3
     tar-stream: ^3.1.7
     tmp: ^0.2.3
-  checksum: 7024fb86cc72e95df681ccdfdd44f3828f447e759138d5b70bff4f29cb4cb83fc487674adcff3c0c31cdf2e5fa5f1ee55bb6fbd01981fa053b8809e2639580a3
+  checksum: 9dafe3c3e02f6f78c8da4cfb8bc726ae5eef9b6a2fedfca5d75ee6d6c559745c12aa16587dd595360f76be91803235dc66e0852e595ef7a582506fa0d4402983
   languageName: node
   linkType: hard
 
@@ -3148,7 +3158,7 @@ __metadata:
   resolution: "docker-buildx-bake@workspace:."
   dependencies:
     "@actions/core": ^1.10.1
-    "@docker/actions-toolkit": ^0.37.1
+    "@docker/actions-toolkit": ^0.39.0
     "@types/node": ^20.12.12
     "@typescript-eslint/eslint-plugin": ^7.9.0
     "@typescript-eslint/parser": ^7.9.0
@@ -5464,9 +5474,9 @@ __metadata:
   linkType: hard
 
 "path-to-regexp@npm:^6.2.0":
-  version: 6.2.2
+  version: 6.3.0
-  resolution: "path-to-regexp@npm:6.2.2"
+  resolution: "path-to-regexp@npm:6.3.0"
-  checksum: b7b0005c36f5099f9ed1fb20a820d2e4ed1297ffe683ea1d678f5e976eb9544f01debb281369dabdc26da82e6453901bf71acf2c7ed14b9243536c2a45286c33
+  checksum: eca78602e6434a1b6799d511d375ec044e8d7e28f5a48aa5c28d57d8152fb52f3fc62fb1cfc5dfa2198e1f041c2a82ed14043d75740a2fe60e91b5089a153250
   languageName: node
   linkType: hard