chore(deps): Bump github/codeql-action from 4.36.0 to 4.36.1

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.36.0 to 4.36.1. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/7211b7c8077ea37d8641b6271f6a365a22a5fbfa...87557b9c84dde89fdd9b10e88954ac2f4248e463) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.36.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Merge pull request #453 from crazy-max/yarn-update
2026-06-05 09:38:40 +02:00 · 2026-06-04 03:39:28 +00:00 · 2026-05-28 18:41:14 +02:00 · 2026-05-28 15:11:47 +02:00 · 2026-05-28 10:40:54 +02:00 · 2026-05-28 08:18:46 +00:00
52 changed files with 10896 additions and 9403 deletions
@@ -1,3 +0,0 @@
-/dist/**
-/coverage/**
-/node_modules/**
@@ -1,24 +0,0 @@
-{
-  "env": {
-    "node": true,
-    "es6": true,
-    "jest": true
-  },
-  "extends": [
-    "eslint:recommended",
-    "plugin:@typescript-eslint/eslint-recommended",
-    "plugin:@typescript-eslint/recommended",
-    "plugin:jest/recommended",
-    "plugin:prettier/recommended"
-  ],
-  "parser": "@typescript-eslint/parser",
-  "parserOptions": {
-    "ecmaVersion": "latest",
-    "sourceType": "module"
-  },
-  "plugins": [
-    "@typescript-eslint",
-    "jest",
-    "prettier"
-  ]
-}
@@ -1,9 +1,17 @@
 version: 2
 updates:
  - package-ecosystem: "github-actions"
-    directory: "/"
+    directories:
+      - "/"
+      - "/subaction/matrix"
    schedule:
      interval: "daily"
+    cooldown:
+      default-days: 2
+    groups:
+      crazy-max-dot-github:
+        patterns:
+          - "crazy-max/.github/*"
    labels:
      - "dependencies"
      - "bot"
@@ -11,6 +19,10 @@ updates:
    directory: "/"
    schedule:
      interval: "daily"
+    cooldown:
+      default-days: 2
+      exclude:
+        - "@docker/actions-toolkit"
    versioning-strategy: "increase"
    allow:
      - dependency-type: "production"
@@ -1,5 +1,8 @@
 name: ci-subaction

+permissions:
+  contents: read
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
@@ -25,37 +28,62 @@ on:
      - 'test/**'

 jobs:
-  list-targets-group:
+  matrix:
    runs-on: ubuntu-latest
-    steps:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
          -
-        name: Checkout
-        uses: actions/checkout@v4
+            testdir: group
+            expected: >
+              [{"target":"t1"},{"target":"t2"}]
          -
-        name: Matrix gen
-        id: gen
-        uses: ./subaction/list-targets
-        with:
-          workdir: ./test/group
-      -
-        name: Show matrix
-        run: |
-          echo matrix=${{ steps.gen.outputs.matrix }}
-
-  list-targets-group-matrix:
-    runs-on: ubuntu-latest
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v4
-      -
-        name: Matrix gen
-        id: gen
-        uses: ./subaction/list-targets
-        with:
-          workdir: ./test/group-matrix
+            testdir: group-matrix
            target: validate
+            expected: >
+              [{"target":"lint-default"},{"target":"lint-labs"},{"target":"lint-nydus"},{"target":"lint-proto"},{"target":"lint-yaml"},{"target":"validate-doctoc"},{"target":"validate-vendor"}]
          -
-        name: Show matrix
-        run: |
-          echo matrix=${{ steps.gen.outputs.matrix }}
+            testdir: group-with-platform
+            target: validate
+            expected: >
+              [{"target":"lint"},{"target":"lint-gopls"},{"target":"validate-docs"},{"target":"validate-vendor"}]
+          -
+            testdir: group-with-platform
+            target: validate
+            fields: platforms
+            expected: >
+              [{"target":"lint","platforms":"darwin/amd64"},{"target":"lint","platforms":"darwin/arm64"},{"target":"lint","platforms":"linux/amd64"},{"target":"lint","platforms":"linux/arm64"},{"target":"lint","platforms":"linux/s390x"},{"target":"lint","platforms":"linux/ppc64le"},{"target":"lint","platforms":"linux/riscv64"},{"target":"lint","platforms":"windows/amd64"},{"target":"lint","platforms":"windows/arm64"},{"target":"lint-gopls","platforms":"darwin/amd64"},{"target":"lint-gopls","platforms":"darwin/arm64"},{"target":"lint-gopls","platforms":"linux/amd64"},{"target":"lint-gopls","platforms":"linux/arm64"},{"target":"lint-gopls","platforms":"linux/s390x"},{"target":"lint-gopls","platforms":"linux/ppc64le"},{"target":"lint-gopls","platforms":"linux/riscv64"},{"target":"lint-gopls","platforms":"windows/amd64"},{"target":"lint-gopls","platforms":"windows/arm64"},{"target":"validate-docs"},{"target":"validate-vendor"}]
+          -
+            testdir: group-with-platform
+            target: validate
+            fields: platforms,dockerfile
+            expected: >
+               [{"target":"lint","dockerfile":"./hack/dockerfiles/lint.Dockerfile"},{"target":"lint","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"darwin/amd64"},{"target":"lint","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"darwin/arm64"},{"target":"lint","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"linux/amd64"},{"target":"lint","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"linux/arm64"},{"target":"lint","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"linux/s390x"},{"target":"lint","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"linux/ppc64le"},{"target":"lint","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"linux/riscv64"},{"target":"lint","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"windows/amd64"},{"target":"lint","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"windows/arm64"},{"target":"lint-gopls","dockerfile":"./hack/dockerfiles/lint.Dockerfile"},{"target":"lint-gopls","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"darwin/amd64"},{"target":"lint-gopls","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"darwin/arm64"},{"target":"lint-gopls","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"linux/amd64"},{"target":"lint-gopls","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"linux/arm64"},{"target":"lint-gopls","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"linux/s390x"},{"target":"lint-gopls","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"linux/ppc64le"},{"target":"lint-gopls","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"linux/riscv64"},{"target":"lint-gopls","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"windows/amd64"},{"target":"lint-gopls","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"windows/arm64"},{"target":"validate-docs","dockerfile":"./hack/dockerfiles/docs.Dockerfile"},{"target":"validate-vendor","dockerfile":"./hack/dockerfiles/vendor.Dockerfile"}]
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Matrix gen
+        id: gen
+        uses: ./subaction/matrix
+        with:
+          workdir: ./test/${{ matrix.testdir }}
+          target: ${{ matrix.target }}
+          fields: ${{ matrix.fields }}
+      -
+        name: Check output
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        env:
+          INPUT_MATRIX: ${{ steps.gen.outputs.matrix }}
+          INPUT_EXPECTED: ${{ matrix.expected }}
+        with:
+          script: |
+            const matrix = JSON.stringify(JSON.parse(core.getInput('matrix')));
+            const expected = JSON.stringify(JSON.parse(core.getInput('expected')));
+            if (matrix !== expected) {
+              throw new Error(`Matrix do not match expected values: ${matrix} != ${expected}`);
+            } else {
+              core.info(`✅`);
+            }
@@ -1,5 +1,8 @@
 name: ci

+permissions:
+  contents: read
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
@@ -32,8 +35,8 @@ on:
      - 'subaction/**'

 env:
-  BUILDX_VERSION: latest
-  BUILDKIT_IMAGE: moby/buildkit:buildx-stable-1
+  BUILDX_VERSION: edge
+  BUILDKIT_IMAGE: moby/buildkit:latest

 jobs:
  bake:
@@ -46,20 +49,20 @@ jobs:
          - release
    services:
      registry:
-        image: registry:2
+        image: registry:2.8.3@sha256:a3d8aaa63ed8681a604f1dea0aa03f100d5895b6a58ace528858a7b332415373
        ports:
          - 5000:5000
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
      -
        name: Set up Docker Buildx
        id: buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
        with:
          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
          driver-opts: |
@@ -69,6 +72,7 @@ jobs:
        name: Build and push
        uses: ./
        with:
+          source: .
          builder: ${{ steps.buildx.outputs.name }}
          files: |
            ./test/config.hcl
@@ -81,12 +85,13 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Build
        continue-on-error: true
        uses: ./
        with:
+          source: .
          files: |
            ./test/config.hcl
          set: |
@@ -97,7 +102,7 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Stop docker
        run: |
@@ -108,12 +113,33 @@ jobs:
        continue-on-error: true
        uses: ./
        with:
+          source: .
          files: |
            ./test/config.hcl
      -
        name: Check
        run: |
-          echo "${{ toJson(steps.bake) }}"
+          if [ "${{ steps.bake.outcome }}" != "failure" ] || [ "${{ steps.bake.conclusion }}" != "success" ]; then
+            echo "::error::Should have failed"
+            exit 1
+          fi
+
+  error-source:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Build
+        id: bake
+        continue-on-error: true
+        uses: ./
+        with:
+          source: ./does-not-exist
+      -
+        name: Check
+        run: |
          if [ "${{ steps.bake.outcome }}" != "failure" ] || [ "${{ steps.bake.conclusion }}" != "success" ]; then
            echo "::error::Should have failed"
            exit 1
@@ -124,7 +150,7 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Uninstall docker cli
        run: |
@@ -135,7 +161,7 @@ jobs:
          fi
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
        with:
          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
          driver-opts: |
@@ -144,15 +170,16 @@ jobs:
        name: Build
        uses: ./
        with:
+          source: .
          files: |
            ./test/config.hcl

-  source:
+  remote:
    runs-on: ubuntu-latest
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Build
        uses: ./
@@ -174,10 +201,10 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
        with:
          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
          driver-opts: |
@@ -187,7 +214,7 @@ jobs:
        name: Build
        uses: ./
        with:
-          workdir: ./test/go
+          source: ./test/go
          targets: binary
          provenance: ${{ matrix.attrs }}
          set: |
@@ -209,16 +236,16 @@ jobs:
            output: /tmp/bake-build
    services:
      registry:
-        image: registry:2
+        image: registry:2.8.3@sha256:a3d8aaa63ed8681a604f1dea0aa03f100d5895b6a58ace528858a7b332415373
        ports:
          - 5000:5000
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
        with:
          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
          driver-opts: |
@@ -228,7 +255,7 @@ jobs:
        name: Build
        uses: ./
        with:
-          workdir: ./test/go
+          source: ./test/go
          targets: ${{ matrix.target }}
          sbom: true
          set: |
@@ -263,18 +290,18 @@ jobs:
    runs-on: ubuntu-latest
    services:
      registry:
-        image: registry:2
+        image: registry:2.8.3@sha256:a3d8aaa63ed8681a604f1dea0aa03f100d5895b6a58ace528858a7b332415373
        ports:
          - 5000:5000
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Build
        uses: ./
        with:
-          workdir: ./test/go
+          source: ./test/go
          set: |
            *.platform=linux/amd64
            *.output=type=image,"name=localhost:5000/name/app:v1.0.0,localhost:5000/name/app:latest",push=true
@@ -284,16 +311,16 @@ jobs:
    runs-on: ubuntu-latest
    services:
      registry:
-        image: registry:2
+        image: registry:2.8.3@sha256:a3d8aaa63ed8681a604f1dea0aa03f100d5895b6a58ace528858a7b332415373
        ports:
          - 5000:5000
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
        with:
          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
          driver-opts: |
@@ -303,7 +330,7 @@ jobs:
        name: Build and push
        uses: ./
        with:
-          workdir: ./test/group
+          source: ./test/group
          push: true
          set: |
            t1.tags=localhost:5000/name/app:t1
@@ -314,7 +341,7 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Set malformed docker config
        run: |
@@ -324,6 +351,7 @@ jobs:
        name: Build
        uses: ./
        with:
+          source: .
          files: |
            ./test/config.hcl

@@ -331,7 +359,7 @@ jobs:
    runs-on: ubuntu-latest
    services:
      squid-proxy:
-        image: ubuntu/squid:latest
+        image: ubuntu/squid:latest@sha256:6a097f68bae708cedbabd6188d68c7e2e7a38cedd05a176e1cc0ba29e3bbe029
        ports:
          - 3128:3128
    steps:
@@ -342,7 +370,7 @@ jobs:
          curl --retry 5 --retry-all-errors --retry-delay 0 --connect-timeout 5 --proxy http://127.0.0.1:3128 -v --insecure --head https://www.google.com
      -
        name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Set proxy config
        run: |
@@ -350,7 +378,7 @@ jobs:
          echo '{"proxies":{"default":{"httpProxy":"http://127.0.0.1:3128","httpsProxy":"http://127.0.0.1:3128"}}}' > ~/.docker/config.json
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
        with:
          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
          driver-opts: |
@@ -361,6 +389,7 @@ jobs:
        name: Build
        uses: ./
        with:
+          source: .
          files: |
            ./test/config.hcl
          targets: app-proxy
@@ -369,7 +398,7 @@ jobs:
    runs-on: ubuntu-latest
    services:
      squid-proxy:
-        image: ubuntu/squid:latest
+        image: ubuntu/squid:latest@sha256:6a097f68bae708cedbabd6188d68c7e2e7a38cedd05a176e1cc0ba29e3bbe029
        ports:
          - 3128:3128
    steps:
@@ -380,10 +409,10 @@ jobs:
          curl --retry 5 --retry-all-errors --retry-delay 0 --connect-timeout 5 --proxy http://127.0.0.1:3128 -v --insecure --head https://www.google.com
      -
        name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
        with:
          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
          driver-opts: |
@@ -396,6 +425,7 @@ jobs:
        name: Build
        uses: ./
        with:
+          source: .
          files: |
            ./test/config.hcl

@@ -404,10 +434,10 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
        with:
          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
          driver-opts: |
@@ -416,17 +446,40 @@ jobs:
        name: Build
        uses: ./
        with:
-          source: "{{defaultContext}}"
+          files: |
+            ./test/config.hcl
+
+  git-context-query:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
+        with:
+          version: v0.33.0
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          files: |
+            ./test/config.hcl
+        env:
+          BUILDX_SEND_GIT_QUERY_AS_INPUT: true

  git-context-and-local:
    runs-on: ubuntu-latest
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
        with:
          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
          driver-opts: |
@@ -434,29 +487,29 @@ jobs:
      -
        name: Docker meta
        id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
      -
        name: Build
        uses: ./
        with:
-          source: "{{defaultContext}}"
          files: |
+            ./test/config.hcl
            cwd://${{ steps.meta.outputs.bake-file }}

  multi-output:
    runs-on: ubuntu-latest
    services:
      registry:
-        image: registry:2
+        image: registry:2.8.3@sha256:a3d8aaa63ed8681a604f1dea0aa03f100d5895b6a58ace528858a7b332415373
        ports:
          - 5000:5000
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
        with:
          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
          driver-opts: |
@@ -465,7 +518,7 @@ jobs:
        name: Build and push
        uses: ./
        with:
-          workdir: ./test/go
+          source: ./test/go
          set: |
            *.output=type=image,name=localhost:5000/name/app:latest,push=true
            *.output=type=docker,name=app:local
@@ -490,16 +543,16 @@ jobs:
    runs-on: ubuntu-latest
    services:
      registry:
-        image: registry:2
+        image: registry:2.8.3@sha256:a3d8aaa63ed8681a604f1dea0aa03f100d5895b6a58ace528858a7b332415373
        ports:
          - 5000:5000
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
        with:
          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
          driver-opts: |
@@ -508,7 +561,7 @@ jobs:
        name: Build and push
        uses: ./
        with:
-          workdir: ./test/go
+          source: ./test/go
          targets: image
          load: true
          push: true
@@ -528,10 +581,10 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
        with:
          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
          driver-opts: |
@@ -546,38 +599,15 @@ jobs:
        env:
          DOCKER_BUILD_SUMMARY: false

-  summary-disable-deprecated:
-    runs-on: ubuntu-latest
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v4
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-        with:
-          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
-          driver-opts: |
-            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
-      -
-        name: Build
-        uses: ./
-        with:
-          files: |
-            ./test/config.hcl
-          targets: app
-        env:
-          DOCKER_BUILD_NO_SUMMARY: true
-
  summary-not-supported:
    runs-on: ubuntu-latest
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
        with:
          version: v0.12.1
          driver-opts: |
@@ -595,10 +625,10 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
        with:
          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
          driver-opts: |
@@ -624,10 +654,10 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
        with:
          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
          driver-opts: |
@@ -648,15 +678,15 @@ jobs:
      fail-fast: false
      matrix:
        buildx-version:
-          - latest
+          - edge
          - v0.14.1
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
        with:
          version: ${{ matrix.buildx-version }}
          driver-opts: |
@@ -665,7 +695,7 @@ jobs:
        name: Build
        uses: ./
        with:
-          workdir: ./test
+          source: ./test
          files: |
            ./lint.hcl

@@ -674,10 +704,10 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
        with:
          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
          driver-opts: |
@@ -686,8 +716,187 @@ jobs:
        name: Build
        uses: ./
        with:
-          workdir: ./test
+          source: ./test
          files: |
            ./lint.hcl
        env:
          DOCKER_BUILD_CHECKS_ANNOTATIONS: false
+
+  allow:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        buildx-version:
+          - edge
+          - v0.19.0
+          - v0.18.0
+          - v0.17.1
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
+        with:
+          version: ${{ matrix.buildx-version }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          files: |
+            ./test/config.hcl
+          allow: network.host
+          targets: app-entitlements
+
+  no-default-attestations:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Build
+        uses: ./
+        with:
+          source: .
+          files: |
+            ./test/config.hcl
+        env:
+          BUILDX_NO_DEFAULT_ATTESTATIONS: 1
+
+  call-check:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        id: bake
+        continue-on-error: true
+        uses: ./
+        with:
+          source: ./test
+          files: |
+            ./lint.hcl
+          call: check
+          targets: lint
+      -
+        name: Check
+        run: |
+          if [ "${{ steps.bake.outcome }}" != "failure" ] || [ "${{ steps.bake.conclusion }}" != "success" ]; then
+            echo "::error::Should have failed"
+            exit 1
+          fi
+
+  call-check-multi:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        id: bake
+        continue-on-error: true
+        uses: ./
+        with:
+          source: ./test
+          files: |
+            ./lint.hcl
+          call: check
+      -
+        name: Check
+        run: |
+          if [ "${{ steps.bake.outcome }}" != "failure" ] || [ "${{ steps.bake.conclusion }}" != "success" ]; then
+            echo "::error::Should have failed"
+            exit 1
+          fi
+
+  call-check-nowarning:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        id: bake
+        continue-on-error: true
+        uses: ./
+        with:
+          source: .
+          files: |
+            ./test/config.hcl
+          call: check
+
+  attest-override:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build and push
+        uses: ./
+        with:
+          source: ./test/attest
+
+  var:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          source: ./test/go
+          targets: binary
+          vars: |
+            DESTDIR=/tmp/build
+      -
+        name: Check output folder
+        working-directory: /tmp/build
+        run: |
+          tree .
@@ -0,0 +1,46 @@
+name: codeql
+
+permissions:
+  contents: read
+
+on:
+  push:
+    branches:
+      - 'master'
+      - 'releases/v*'
+  pull_request:
+
+env:
+  NODE_VERSION: "24"
+
+jobs:
+  analyze:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Enable corepack
+        run: |
+          corepack enable
+          yarn --version
+      -
+        name: Set up Node
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+      -
+        name: Initialize CodeQL
+        uses: github/codeql-action/init@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4.36.1
+        with:
+          languages: javascript-typescript
+          build-mode: none
+      -
+        name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4.36.1
+        with:
+          category: "/language:javascript-typescript"
@@ -0,0 +1,17 @@
+name: pr-assign-author
+
+permissions:
+  contents: read
+
+on:
+  pull_request_target: # zizmor: ignore[dangerous-triggers] safe to use without checkout
+    types:
+      - opened
+      - reopened
+
+jobs:
+  run:
+    uses: crazy-max/.github/.github/workflows/pr-assign-author.yml@9ba6e6f9450baf3b1237f8035c1fdc45932510bd # v1.8.0
+    permissions:
+      contents: read
+      pull-requests: write
@@ -0,0 +1,28 @@
+name: publish
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+on:
+  release:
+    types:
+      - published
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Publish
+        uses: actions/publish-immutable-action@4bc8754ffc40f27910afb20287dbbbb675a4e978 # v0.0.4
@@ -1,5 +1,8 @@
 name: test

+permissions:
+  contents: read
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
@@ -23,15 +26,16 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Test
-        uses: docker/bake-action@v5
+        uses: docker/bake-action@6614cfa25eff9a0b2b2697efb0b6159e7680d584 # v7.2.0
        with:
+          source: .
          targets: test
      -
        name: Upload coverage
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
        with:
-          file: ./coverage/clover.xml
+          files: ./coverage/clover.xml
          token: ${{ secrets.CODECOV_TOKEN }}
@@ -0,0 +1,58 @@
+name: update-dist
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+on:
+  pull_request:
+    types:
+      - opened
+      - synchronize
+
+jobs:
+  update-dist:
+    if: github.actor == 'dependabot[bot]' && github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == github.event.pull_request.head.repo.full_name
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: GitHub auth token from GitHub App
+        id: docker-read-app
+        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+        with:
+          app-id: ${{ secrets.GHACTIONS_REPO_WRITE_APP_ID }}
+          private-key: ${{ secrets.GHACTIONS_REPO_WRITE_APP_PRIVATE_KEY }}
+          owner: docker
+          repositories: bake-action
+          permission-contents: write
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          ref: ${{ github.event.pull_request.head.ref }}
+          fetch-depth: 0
+          token: ${{ steps.docker-read-app.outputs.token }}
+      -
+        name: Build
+        uses: docker/bake-action@6614cfa25eff9a0b2b2697efb0b6159e7680d584 # v7.2.0
+        with:
+          source: .
+          targets: build
+      -
+        name: Commit and push dist
+        run: |
+          if [ -n "$(git status --porcelain -- dist)" ]; then
+            (
+              set -x
+              git config user.name "github-actions[bot]"
+              git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+              git add dist
+              git commit -m "chore: update generated content"
+              git push
+            )
+          else
+            echo "No changes in dist"
+          fi
@@ -1,5 +1,8 @@
 name: validate

+permissions:
+  contents: read
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
@@ -15,15 +18,15 @@ jobs:
  prepare:
    runs-on: ubuntu-latest
    outputs:
-      targets: ${{ steps.generate.outputs.targets }}
+      matrix: ${{ steps.generate.outputs.matrix }}
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: List targets
        id: generate
-        uses: ./subaction/list-targets
+        uses: ./subaction/matrix
        with:
          target: validate

@@ -34,13 +37,10 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        target: ${{ fromJson(needs.prepare.outputs.targets) }}
+        include: ${{ fromJson(needs.prepare.outputs.matrix) }}
    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v4
      -
        name: Validate
-        uses: docker/bake-action@v5
+        uses: docker/bake-action@6614cfa25eff9a0b2b2697efb0b6159e7680d584 # v7.2.0
        with:
          targets: ${{ matrix.target }}
@@ -0,0 +1,29 @@
+name: zizmor
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - 'master'
+      - 'releases/v*'
+    tags:
+      - 'v*'
+  pull_request:
+
+jobs:
+  zizmor:
+    uses: crazy-max/.github/.github/workflows/zizmor.yml@9ba6e6f9450baf3b1237f8035c1fdc45932510bd # v1.8.0
+    permissions:
+      contents: read
+      security-events: write
+    with:
+      min-severity: medium
+      min-confidence: medium
+      persona: pedantic
@@ -6,6 +6,5 @@
  "singleQuote": true,
  "trailingComma": "none",
  "bracketSpacing": false,
-  "arrowParens": "avoid",
-  "parser": "typescript"
+  "arrowParens": "avoid"
 }
@@ -1,13 +1,21 @@
+# https://yarnpkg.com/configuration/yarnrc
+
+nodeLinker: node-modules
+
 logFilters:
+  - code: YN0004
+    level: discard
  - code: YN0013
    level: discard
  - code: YN0019
    level: discard
  - code: YN0076
    level: discard
+  - code: YN0086
+    level: discard

-nodeLinker: node-modules
-
-plugins:
-  - path: .yarn/plugins/@yarnpkg/plugin-interactive-tools.cjs
-    spec: "@yarnpkg/plugin-interactive-tools"
+compressionLevel: mixed
+enableGlobalCache: false
+enableHardenedMode: true
+enableScripts: false
+npmMinimalAgeGate: 2d
@@ -14,97 +14,66 @@ as a high-level build command.
 ___

 * [Usage](#usage)
-  * [Path context](#path-context)
  * [Git context](#git-context)
+  * [Path context](#path-context)
 * [Summaries](#summaries)
 * [Customizing](#customizing)
  * [inputs](#inputs)
  * [outputs](#outputs)
  * [environment variables](#environment-variables)
 * [Subactions](#subactions)
-  * [`list-targets`](subaction/list-targets)
+  * [`matrix`](subaction/matrix)
+* [Notes](#notes)
+  * [Source semantics](#source-semantics)
 * [Contributing](#contributing)

 ## Usage

-### Path context
-
-By default, this action will use the local bake definition (`source: .`), so
-you need to use the [`actions/checkout`](https://github.com/actions/checkout/)
-action to check out the repository.
-
-```yaml
-name: ci
-
-on:
-  push:
-    branches:
-      - 'master'
-
-jobs:
-  bake:
-    runs-on: ubuntu-latest
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v4
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-      -
-        name: Login to DockerHub
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      -
-        name: Build and push
-        uses: docker/bake-action@v5
-        with:
-          push: true
-```
-
 ### Git context

-Git context can be provided using the [`source` input](#inputs). This means
-that you don't need to use the [`actions/checkout`](https://github.com/actions/checkout/)
+Since `v6` this action uses the [Git context](https://docs.docker.com/build/bake/remote-definition/)
+to build from a remote bake definition by default like the [build-push-action](https://github.com/docker/build-push-action)
+does. This means that you don't need to use the [`actions/checkout`](https://github.com/actions/checkout/)
 action to check out the repository as [BuildKit](https://docs.docker.com/build/buildkit/)
 will do this directly.

+The git reference will be based on the [event that triggered your workflow](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows)
+and will result in the following context: `https://github.com/<owner>/<repo>.git#<ref>`.
+
 ```yaml
 name: ci

 on:
  push:
-    branches:
-      - 'master'

 jobs:
  bake:
    runs-on: ubuntu-latest
    steps:
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
      -
        name: Login to DockerHub
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          username: ${{ vars.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v4
      -
        name: Build and push
-        uses: docker/bake-action@v5
+        uses: docker/bake-action@v7
        with:
-          source: "${{ github.server_url }}/${{ github.repository }}.git#${{ github.ref }}"
          push: true
+          set: |
+            *.tags=user/app:latest
 ```

 Be careful because **any file mutation in the steps that precede the build step
 will be ignored, including processing of the `.dockerignore` file** since
 the context is based on the Git reference. However, you can use the
-[Path context](#path-context) alongside the [`actions/checkout`](https://github.com/actions/checkout/)
-action to remove this restriction.
+[Path context](#path-context) using the [`source` input](#inputs) alongside
+the [`actions/checkout`](https://github.com/actions/checkout/) action to remove
+this restriction.

 Default Git context can also be provided using the [Handlebars template](https://handlebarsjs.com/guide/)
 expression `{{defaultContext}}`. Here we can use it to provide a subdirectory
@@ -113,10 +82,12 @@ to the default Git context:
 ```yaml
      -
        name: Build and push
-        uses: docker/bake-action@v5
+        uses: docker/bake-action@v7
        with:
          source: "{{defaultContext}}:mysubdir"
          push: true
+          set: |
+            *.tags=user/app:latest
 ```

 Building from the current repository automatically uses the `GITHUB_TOKEN`
@@ -131,14 +102,74 @@ another private repository for remote definitions, you can set the
 ```yaml
      -
        name: Build and push
-        uses: docker/bake-action@v5
+        uses: docker/bake-action@v7
        with:
-          source: "${{ github.server_url }}/${{ github.repository }}.git#${{ github.ref }}"
          push: true
+          set: |
+            *.tags=user/app:latest
        env:
          BUILDX_BAKE_GIT_AUTH_TOKEN: ${{ secrets.MYTOKEN }}
 ```

+### Path context
+
+```yaml
+name: ci
+
+on:
+  push:
+
+jobs:
+  bake:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v6
+      -
+        name: Login to DockerHub
+        uses: docker/login-action@v4
+        with:
+          username: ${{ vars.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v4
+      -
+        name: Build and push
+        uses: docker/bake-action@v7
+        with:
+          source: .
+          push: true
+          set: |
+            *.tags=user/app:latest
+```
+
+If you point `source` to a subdirectory, relative paths are resolved from that
+subdirectory:
+
+```yaml
+      -
+        name: Build and push
+        uses: docker/bake-action@v7
+        with:
+          source: ./subdir
+          files: ./docker-bake.hcl
+```
+
+For example, if `./subdir/docker-bake.hcl` contains:
+
+```hcl
+target "default" {
+  output = ["type=local,dest=./artifacts"]
+}
+```
+
+The output will be written to `./subdir/artifacts` in the workspace.
+
+> [!NOTE]
+> More info about `source` semantics in the [Source semantics](#source-semantics) section.
+
 ## Summaries

 This action generates a [job summary](https://github.blog/2022-05-09-supercharging-github-actions-with-job-summaries/)
@@ -153,6 +184,19 @@ additional details about the build execution for all the bake targets,
 including build stats, logs, outputs, and more. The build record can be
 imported to Docker Desktop for inspecting the build in greater detail.

+> [!WARNING]
+>
+> If you're using the [`actions/download-artifact`](https://github.com/actions/download-artifact)
+> action in your workflow, you need to ignore the build record artifacts
+> if `name` and `pattern` inputs are not specified ([defaults to download all artifacts](https://github.com/actions/download-artifact?tab=readme-ov-file#download-all-artifacts) of the workflow),
+> otherwise the action will fail:
+> ```yaml
+> - uses: actions/download-artifact@v4
+>   with:
+>     pattern: "!*.dockerbuild"
+> ```
+> More info: https://github.com/actions/toolkit/pull/1874
+
 Summaries are enabled by default, but can be disabled with the
 `DOCKER_BUILD_SUMMARY` [environment variable](#environment-variables).

@@ -181,19 +225,21 @@ The following inputs can be used as `step.with` keys
 > ```

 | Name           | Type        | Description                                                                                                                                                                                                                                                            |
-|----------------|-------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+|----------------|-------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | `builder`      | String      | Builder instance (see [setup-buildx](https://github.com/docker/setup-buildx-action) action)                                                                                                                                                                            |
-| `source`       | String      | Context to build from. Can be either local (`.`) or a [remote bake definition](https://docs.docker.com/build/customize/bake/file-definition/#remote-definition)    |
+| `allow`        | List/CSV    | Allow build to access specified resources (e.g., `network.host`)                                                                                                                                                                                                       |
+| `call`         | String      | Set method for evaluating build (e.g., check)                                                                                                                                                                                                                          |
 | `files`        | List/CSV    | List of [bake definition files](https://docs.docker.com/build/customize/bake/file-definition/)                                                                                                                                                                         |
-| `workdir`      | String      | Working directory of execution                                                                                                                                     |
-| `targets`      | List/CSV    | List of bake targets (`default` target used if empty)                                                                                                              |
 | `no-cache`     | Bool        | Do not use cache when building the image (default `false`)                                                                                                                                                                                                             |
 | `pull`         | Bool        | Always attempt to pull a newer version of the image (default `false`)                                                                                                                                                                                                  |
 | `load`         | Bool        | Load is a shorthand for `--set=*.output=type=docker` (default `false`)                                                                                                                                                                                                 |
 | `provenance`   | Bool/String | [Provenance](https://docs.docker.com/build/attestations/slsa-provenance/) is a shorthand for `--set=*.attest=type=provenance`                                                                                                                                          |
 | `push`         | Bool        | Push is a shorthand for `--set=*.output=type=registry` (default `false`)                                                                                                                                                                                               |
 | `sbom`         | Bool/String | [SBOM](https://docs.docker.com/build/attestations/sbom/) is a shorthand for `--set=*.attest=type=sbom`                                                                                                                                                                 |
-| `set`          | List        | List of [targets values to override](https://docs.docker.com/engine/reference/commandline/buildx_bake/#set) (eg: `targetpattern.key=value`)                        |
+| `set`          | List        | List of [targets values to override](https://docs.docker.com/engine/reference/commandline/buildx_bake/#set) (e.g., `targetpattern.key=value`)                                                                                                                          |
+| `source`       | String      | Build source to use. Supports local path and [remote bake definition](https://docs.docker.com/build/bake/remote-definition/). With a local path, Bake runs from that directory, so all relative paths are resolved from it. See [Source semantics](#source-semantics). |
+| `targets`      | List/CSV    | List of bake targets (`default` target used if empty)                                                                                                                                                                                                                  |
+| `vars`         | List        | [Variables](https://docs.docker.com/build/bake/variables/) to set in the Bake definition as list of key-value pair                                                                                                                                                     |
 | `github-token` | String      | API token used to authenticate to a Git repository for [remote definitions](https://docs.docker.com/build/bake/remote-definition/) (default `${{ github.token }}`)                                                                                                     |

 ### outputs
@@ -215,7 +261,24 @@ The following outputs are available

 ## Subactions

-* [`list-targets`](subaction/list-targets)
+* [`matrix`](subaction/matrix)
+
+## Notes
+
+### Source semantics
+
+`source` accepts either a Git/remote bake definition (for example `{{defaultContext}}` or `{{defaultContext}}:subdir`)
+or a local path (for example `.` or `./subdir`). When `source` is a local path,
+the action runs Bake from that directory (equivalent to `cd <path> && docker buildx bake`).
+
+This local path mode affects all relative paths resolved by Bake, not only
+target `context` fields. This includes paths used by local outputs, cache
+import/export, and `cwd://` references.
+
+| `source`                                                              | Behavior                                                                                       |
+|-----------------------------------------------------------------------|------------------------------------------------------------------------------------------------|
+| Git/remote (`{{defaultContext}}`, `https://...git#ref`, `...:subdir`) | Uses [remote bake definition](https://docs.docker.com/build/bake/remote-definition/) behavior. |
+| Local path (`.`, `./subdir`)                                          | Changes Bake working directory to that path before invoking Bake.                              |

 ## Contributing

@@ -1,207 +0,0 @@
-import {jest} from '@jest/globals';
-
-export const context = {
-  repo: {
-    owner: 'docker',
-    repo: 'build-push-action'
-  },
-  ref: 'refs/heads/master',
-  runId: 123456789,
-  payload: {
-    after: '860c1904a1ce19322e91ac35af1ab07466440c37',
-    base_ref: null,
-    before: '5f3331d7f7044c18ca9f12c77d961c4d7cf3276a',
-    commits: [
-      {
-        author: {
-          email: 'crazy-max@users.noreply.github.com',
-          name: 'CrazyMax',
-          username: 'crazy-max'
-        },
-        committer: {
-          email: 'crazy-max@users.noreply.github.com',
-          name: 'CrazyMax',
-          username: 'crazy-max'
-        },
-        distinct: true,
-        id: '860c1904a1ce19322e91ac35af1ab07466440c37',
-        message: 'hello dev',
-        timestamp: '2022-04-19T11:27:24+02:00',
-        tree_id: 'd2c60af597e863787d2d27f569e30495b0b92820',
-        url: 'https://github.com/docker/test-docker-action/commit/860c1904a1ce19322e91ac35af1ab07466440c37'
-      }
-    ],
-    compare: 'https://github.com/docker/test-docker-action/compare/5f3331d7f704...860c1904a1ce',
-    created: false,
-    deleted: false,
-    forced: false,
-    head_commit: {
-      author: {
-        email: 'crazy-max@users.noreply.github.com',
-        name: 'CrazyMax',
-        username: 'crazy-max'
-      },
-      committer: {
-        email: 'crazy-max@users.noreply.github.com',
-        name: 'CrazyMax',
-        username: 'crazy-max'
-      },
-      distinct: true,
-      id: '860c1904a1ce19322e91ac35af1ab07466440c37',
-      message: 'hello dev',
-      timestamp: '2022-04-19T11:27:24+02:00',
-      tree_id: 'd2c60af597e863787d2d27f569e30495b0b92820',
-      url: 'https://github.com/docker/test-docker-action/commit/860c1904a1ce19322e91ac35af1ab07466440c37'
-    },
-    organization: {
-      avatar_url: 'https://avatars.githubusercontent.com/u/5429470?v=4',
-      description: 'Docker helps developers bring their ideas to life by conquering the complexity of app development.',
-      events_url: 'https://api.github.com/orgs/docker/events',
-      hooks_url: 'https://api.github.com/orgs/docker/hooks',
-      id: 5429470,
-      issues_url: 'https://api.github.com/orgs/docker/issues',
-      login: 'docker',
-      members_url: 'https://api.github.com/orgs/docker/members{/member}',
-      node_id: 'MDEyOk9yZ2FuaXphdGlvbjU0Mjk0NzA=',
-      public_members_url: 'https://api.github.com/orgs/docker/public_members{/member}',
-      repos_url: 'https://api.github.com/orgs/docker/repos',
-      url: 'https://api.github.com/orgs/docker'
-    },
-    pusher: {
-      email: 'github@crazymax.dev',
-      name: 'crazy-max'
-    },
-    ref: 'refs/heads/dev',
-    repository: {
-      allow_forking: true,
-      archive_url: 'https://api.github.com/repos/docker/test-docker-action/{archive_format}{/ref}',
-      archived: false,
-      assignees_url: 'https://api.github.com/repos/docker/test-docker-action/assignees{/user}',
-      blobs_url: 'https://api.github.com/repos/docker/test-docker-action/git/blobs{/sha}',
-      branches_url: 'https://api.github.com/repos/docker/test-docker-action/branches{/branch}',
-      clone_url: 'https://github.com/docker/test-docker-action.git',
-      collaborators_url: 'https://api.github.com/repos/docker/test-docker-action/collaborators{/collaborator}',
-      comments_url: 'https://api.github.com/repos/docker/test-docker-action/comments{/number}',
-      commits_url: 'https://api.github.com/repos/docker/test-docker-action/commits{/sha}',
-      compare_url: 'https://api.github.com/repos/docker/test-docker-action/compare/{base}...{head}',
-      contents_url: 'https://api.github.com/repos/docker/test-docker-action/contents/{+path}',
-      contributors_url: 'https://api.github.com/repos/docker/test-docker-action/contributors',
-      created_at: 1596792180,
-      default_branch: 'master',
-      deployments_url: 'https://api.github.com/repos/docker/test-docker-action/deployments',
-      description: 'Test "Docker" Actions',
-      disabled: false,
-      downloads_url: 'https://api.github.com/repos/docker/test-docker-action/downloads',
-      events_url: 'https://api.github.com/repos/docker/test-docker-action/events',
-      fork: false,
-      forks: 1,
-      forks_count: 1,
-      forks_url: 'https://api.github.com/repos/docker/test-docker-action/forks',
-      full_name: 'docker/test-docker-action',
-      git_commits_url: 'https://api.github.com/repos/docker/test-docker-action/git/commits{/sha}',
-      git_refs_url: 'https://api.github.com/repos/docker/test-docker-action/git/refs{/sha}',
-      git_tags_url: 'https://api.github.com/repos/docker/test-docker-action/git/tags{/sha}',
-      git_url: 'git://github.com/docker/test-docker-action.git',
-      has_downloads: true,
-      has_issues: true,
-      has_pages: false,
-      has_projects: true,
-      has_wiki: true,
-      homepage: '',
-      hooks_url: 'https://api.github.com/repos/docker/test-docker-action/hooks',
-      html_url: 'https://github.com/docker/test-docker-action',
-      id: 285789493,
-      is_template: false,
-      issue_comment_url: 'https://api.github.com/repos/docker/test-docker-action/issues/comments{/number}',
-      issue_events_url: 'https://api.github.com/repos/docker/test-docker-action/issues/events{/number}',
-      issues_url: 'https://api.github.com/repos/docker/test-docker-action/issues{/number}',
-      keys_url: 'https://api.github.com/repos/docker/test-docker-action/keys{/key_id}',
-      labels_url: 'https://api.github.com/repos/docker/test-docker-action/labels{/name}',
-      language: 'JavaScript',
-      languages_url: 'https://api.github.com/repos/docker/test-docker-action/languages',
-      license: {
-        key: 'mit',
-        name: 'MIT License',
-        node_id: 'MDc6TGljZW5zZTEz',
-        spdx_id: 'MIT',
-        url: 'https://api.github.com/licenses/mit'
-      },
-      master_branch: 'master',
-      merges_url: 'https://api.github.com/repos/docker/test-docker-action/merges',
-      milestones_url: 'https://api.github.com/repos/docker/test-docker-action/milestones{/number}',
-      mirror_url: null,
-      name: 'test-docker-action',
-      node_id: 'MDEwOlJlcG9zaXRvcnkyODU3ODk0OTM=',
-      notifications_url: 'https://api.github.com/repos/docker/test-docker-action/notifications{?since,all,participating}',
-      open_issues: 6,
-      open_issues_count: 6,
-      organization: 'docker',
-      owner: {
-        avatar_url: 'https://avatars.githubusercontent.com/u/5429470?v=4',
-        email: 'info@docker.com',
-        events_url: 'https://api.github.com/users/docker/events{/privacy}',
-        followers_url: 'https://api.github.com/users/docker/followers',
-        following_url: 'https://api.github.com/users/docker/following{/other_user}',
-        gists_url: 'https://api.github.com/users/docker/gists{/gist_id}',
-        gravatar_id: '',
-        html_url: 'https://github.com/docker',
-        id: 5429470,
-        login: 'docker',
-        name: 'docker',
-        node_id: 'MDEyOk9yZ2FuaXphdGlvbjU0Mjk0NzA=',
-        organizations_url: 'https://api.github.com/users/docker/orgs',
-        received_events_url: 'https://api.github.com/users/docker/received_events',
-        repos_url: 'https://api.github.com/users/docker/repos',
-        site_admin: false,
-        starred_url: 'https://api.github.com/users/docker/starred{/owner}{/repo}',
-        subscriptions_url: 'https://api.github.com/users/docker/subscriptions',
-        type: 'Organization',
-        url: 'https://api.github.com/users/docker'
-      },
-      private: true,
-      pulls_url: 'https://api.github.com/repos/docker/test-docker-action/pulls{/number}',
-      pushed_at: 1650360446,
-      releases_url: 'https://api.github.com/repos/docker/test-docker-action/releases{/id}',
-      size: 796,
-      ssh_url: 'git@github.com:docker/test-docker-action.git',
-      stargazers: 0,
-      stargazers_count: 0,
-      stargazers_url: 'https://api.github.com/repos/docker/test-docker-action/stargazers',
-      statuses_url: 'https://api.github.com/repos/docker/test-docker-action/statuses/{sha}',
-      subscribers_url: 'https://api.github.com/repos/docker/test-docker-action/subscribers',
-      subscription_url: 'https://api.github.com/repos/docker/test-docker-action/subscription',
-      svn_url: 'https://github.com/docker/test-docker-action',
-      tags_url: 'https://api.github.com/repos/docker/test-docker-action/tags',
-      teams_url: 'https://api.github.com/repos/docker/test-docker-action/teams',
-      topics: [],
-      trees_url: 'https://api.github.com/repos/docker/test-docker-action/git/trees{/sha}',
-      updated_at: '2022-04-19T09:05:09Z',
-      url: 'https://github.com/docker/test-docker-action',
-      visibility: 'private',
-      watchers: 0,
-      watchers_count: 0
-    },
-    sender: {
-      avatar_url: 'https://avatars.githubusercontent.com/u/1951866?v=4',
-      events_url: 'https://api.github.com/users/crazy-max/events{/privacy}',
-      followers_url: 'https://api.github.com/users/crazy-max/followers',
-      following_url: 'https://api.github.com/users/crazy-max/following{/other_user}',
-      gists_url: 'https://api.github.com/users/crazy-max/gists{/gist_id}',
-      gravatar_id: '',
-      html_url: 'https://github.com/crazy-max',
-      id: 1951866,
-      login: 'crazy-max',
-      node_id: 'MDQ6VXNlcjE5NTE4NjY=',
-      organizations_url: 'https://api.github.com/users/crazy-max/orgs',
-      received_events_url: 'https://api.github.com/users/crazy-max/received_events',
-      repos_url: 'https://api.github.com/users/crazy-max/repos',
-      site_admin: false,
-      starred_url: 'https://api.github.com/users/crazy-max/starred{/owner}{/repo}',
-      subscriptions_url: 'https://api.github.com/users/crazy-max/subscriptions',
-      type: 'User',
-      url: 'https://api.github.com/users/crazy-max'
-    }
-  }
-};
-
-export const getOctokit = jest.fn();
@@ -1,127 +1,48 @@
-import {beforeEach, describe, expect, jest, test} from '@jest/globals';
+import {afterEach, beforeEach, describe, expect, test, vi} from 'vitest';
 import * as fs from 'fs';
+import * as os from 'os';
 import * as path from 'path';

-import {Bake} from '@docker/actions-toolkit/lib/buildx/bake';
-import {Builder} from '@docker/actions-toolkit/lib/buildx/builder';
-import {Buildx} from '@docker/actions-toolkit/lib/buildx/buildx';
-import {Context} from '@docker/actions-toolkit/lib/context';
-import {Docker} from '@docker/actions-toolkit/lib/docker/docker';
-import {GitHub} from '@docker/actions-toolkit/lib/github';
-import {Toolkit} from '@docker/actions-toolkit/lib/toolkit';
+import {Bake} from '@docker/actions-toolkit/lib/buildx/bake.js';
+import {Build} from '@docker/actions-toolkit/lib/buildx/build.js';
+import {Builder} from '@docker/actions-toolkit/lib/buildx/builder.js';
+import {Buildx} from '@docker/actions-toolkit/lib/buildx/buildx.js';
+import {Docker} from '@docker/actions-toolkit/lib/docker/docker.js';
+import {Toolkit} from '@docker/actions-toolkit/lib/toolkit.js';

-import {BakeDefinition} from '@docker/actions-toolkit/lib/types/buildx/bake';
-import {BuilderInfo} from '@docker/actions-toolkit/lib/types/buildx/builder';
-import {GitHubRepo} from '@docker/actions-toolkit/lib/types/github';
+import {BakeDefinition} from '@docker/actions-toolkit/lib/types/buildx/bake.js';
+import {BuilderInfo} from '@docker/actions-toolkit/lib/types/buildx/builder.js';

-import * as context from '../src/context';
+import * as context from '../src/context.js';

-const tmpDir = path.join('/tmp', '.docker-bake-action-jest');
-const tmpName = path.join(tmpDir, '.tmpname-jest');
+const tmpDir = fs.mkdtempSync(path.join(process.env.TEMP || os.tmpdir(), 'context-'));
+const fixturesDir = path.join(__dirname, 'fixtures');

-import repoFixture from './fixtures/github-repo.json';
-jest.spyOn(GitHub.prototype, 'repoData').mockImplementation((): Promise<GitHubRepo> => {
-  return <Promise<GitHubRepo>>(repoFixture as unknown);
-});
-
-jest.spyOn(Context, 'tmpDir').mockImplementation((): string => {
-  if (!fs.existsSync(tmpDir)) {
-    fs.mkdirSync(tmpDir, {recursive: true});
-  }
-  return tmpDir;
-});
-
-jest.spyOn(Context, 'tmpName').mockImplementation((): string => {
-  return tmpName;
-});
-
-jest.spyOn(Docker, 'isAvailable').mockImplementation(async (): Promise<boolean> => {
+vi.spyOn(Docker, 'isAvailable').mockImplementation(async (): Promise<boolean> => {
  return true;
 });

 const metadataJson = path.join(tmpDir, 'metadata.json');
-jest.spyOn(Bake.prototype, 'getMetadataFilePath').mockImplementation((): string => {
+vi.spyOn(Bake.prototype, 'getMetadataFilePath').mockImplementation((): string => {
  return metadataJson;
 });

-jest.spyOn(Builder.prototype, 'inspect').mockImplementation(async (): Promise<BuilderInfo> => {
+type BuilderInfoFixture = Omit<BuilderInfo, 'lastActivity'> & {lastActivity: string};
+const builderInfoFixture = <BuilderInfoFixture>JSON.parse(fs.readFileSync(path.join(fixturesDir, 'builder-info.json'), {encoding: 'utf-8'}).trim());
+vi.spyOn(Builder.prototype, 'inspect').mockImplementation(async (): Promise<BuilderInfo> => {
  return {
-    name: 'builder2',
-    driver: 'docker-container',
-    lastActivity: new Date('2023-01-16 09:45:23 +0000 UTC'),
-    nodes: [
-      {
-        buildkit: 'v0.11.0',
-        'buildkitd-flags': '--debug --allow-insecure-entitlement security.insecure --allow-insecure-entitlement network.host',
-        'driver-opts': ['BUILDKIT_STEP_LOG_MAX_SIZE=10485760', 'BUILDKIT_STEP_LOG_MAX_SPEED=10485760', 'JAEGER_TRACE=localhost:6831', 'image=moby/buildkit:latest', 'network=host'],
-        endpoint: 'unix:///var/run/docker.sock',
-        name: 'builder20',
-        platforms: 'linux/amd64,linux/amd64/v2,linux/amd64/v3,linux/arm64,linux/riscv64,linux/ppc64le,linux/s390x,linux/386,linux/mips64le,linux/mips64,linux/arm/v7,linux/arm/v6',
-        status: 'running'
-      }
-    ]
+    ...builderInfoFixture,
+    lastActivity: new Date(builderInfoFixture.lastActivity)
  };
 });

-jest.spyOn(Bake.prototype, 'getDefinition').mockImplementation(async (): Promise<BakeDefinition> => {
-  return JSON.parse(`{
-    "group": {
-      "default": {
-        "targets": [
-          "validate"
-        ]
-      },
-      "validate": {
-        "targets": [
-          "lint",
-          "validate-vendor",
-          "validate-docs"
-        ]
-      }
-    },
-    "target": {
-      "lint": {
-        "context": ".",
-        "dockerfile": "./hack/dockerfiles/lint.Dockerfile",
-        "args": {
-          "BUILDKIT_CONTEXT_KEEP_GIT_DIR": "1",
-          "GO_VERSION": "1.20"
-        },
-        "output": [
-          "type=cacheonly"
-        ]
-      },
-      "validate-docs": {
-        "context": ".",
-        "dockerfile": "./hack/dockerfiles/docs.Dockerfile",
-        "args": {
-          "BUILDKIT_CONTEXT_KEEP_GIT_DIR": "1",
-          "BUILDX_EXPERIMENTAL": "1",
-          "FORMATS": "md",
-          "GO_VERSION": "1.20"
-        },
-        "target": "validate",
-        "output": [
-          "type=cacheonly"
-        ]
-      },
-      "validate-vendor": {
-        "context": ".",
-        "dockerfile": "./hack/dockerfiles/vendor.Dockerfile",
-        "args": {
-          "BUILDKIT_CONTEXT_KEEP_GIT_DIR": "1",
-          "GO_VERSION": "1.20"
-        },
-        "target": "validate",
-        "output": [
-          "type=cacheonly"
-        ]
-      }
-    }
-  }`) as BakeDefinition;
+vi.spyOn(Bake.prototype, 'getDefinition').mockImplementation(async (): Promise<BakeDefinition> => {
+  return <BakeDefinition>JSON.parse(fs.readFileSync(path.join(fixturesDir, 'bake-def.json'), {encoding: 'utf-8'}).trim());
 });

-describe('getArgs', () => {
+describe('getInputs', () => {
+  const originalEnv = process.env;
+
  beforeEach(() => {
    process.env = Object.keys(process.env).reduce((object, key) => {
      if (!key.startsWith('INPUT_')) {
@@ -131,12 +52,64 @@ describe('getArgs', () => {
    }, {});
  });

+  afterEach(() => {
+    process.env = originalEnv;
+  });
+
+  function setRequiredBooleanInputs(): void {
+    setInput('no-cache', 'false');
+    setInput('pull', 'false');
+    setInput('load', 'false');
+    setInput('push', 'false');
+  }
+
+  test('uses Build git context when source input is empty', async () => {
+    const gitContext = 'https://github.com/docker/bake-action.git?ref=refs/heads/master&checksum=0123456789abcdef';
+    const gitContextSpy = vi.spyOn(Build.prototype, 'gitContext').mockResolvedValue(gitContext);
+    setRequiredBooleanInputs();
+    const inputs = await context.getInputs();
+    expect(inputs.source).toEqual({
+      remoteRef: gitContext
+    });
+    expect(gitContextSpy).toHaveBeenCalledTimes(1);
+    gitContextSpy.mockRestore();
+  });
+
+  test('renders defaultContext source templates from Build git context', async () => {
+    const gitContext = 'https://github.com/docker/bake-action.git#refs/heads/master';
+    const gitContextSpy = vi.spyOn(Build.prototype, 'gitContext').mockResolvedValue(gitContext);
+    setRequiredBooleanInputs();
+    setInput('source', '{{defaultContext}}:subdir');
+    const inputs = await context.getInputs();
+    expect(inputs.source).toEqual({
+      remoteRef: `${gitContext}:subdir`
+    });
+    expect(gitContextSpy).toHaveBeenCalledTimes(1);
+    gitContextSpy.mockRestore();
+  });
+});
+
+describe('getArgs', () => {
+  const originalEnv = process.env;
+  beforeEach(() => {
+    process.env = Object.keys(process.env).reduce((object, key) => {
+      if (!key.startsWith('INPUT_')) {
+        object[key] = process.env[key];
+      }
+      return object;
+    }, {});
+  });
+  afterEach(() => {
+    process.env = originalEnv;
+  });
+
  // prettier-ignore
  test.each([
    [
      0,
      '0.4.1',
      new Map<string, string>([
+        ['source', '.'],
        ['load', 'false'],
        ['no-cache', 'false'],
        ['push', 'false'],
@@ -144,12 +117,14 @@ describe('getArgs', () => {
      ]),
      [
        'bake',
-      ]
+      ],
+      undefined
    ],
    [
      1,
      '0.8.2',
      new Map<string, string>([
+        ['source', '.'],
        ['load', 'false'],
        ['no-cache', 'false'],
        ['push', 'false'],
@@ -158,12 +133,14 @@ describe('getArgs', () => {
      [
        'bake',
        '--metadata-file', metadataJson
-      ]
+      ],
+      undefined
    ],
    [
      2,
      '0.8.2',
      new Map<string, string>([
+        ['source', '.'],
        ['targets', 'webapp\nvalidate'],
        ['load', 'false'],
        ['no-cache', 'false'],
@@ -174,12 +151,14 @@ describe('getArgs', () => {
        'bake',
        '--metadata-file', metadataJson,
        'webapp', 'validate'
-      ]
+      ],
+      undefined
    ],
    [
      3,
      '0.8.2',
      new Map<string, string>([
+        ['source', '.'],
        ['set', '*.cache-from=type=gha\n*.cache-to=type=gha'],
        ['load', 'false'],
        ['no-cache', 'false'],
@@ -191,12 +170,14 @@ describe('getArgs', () => {
        '--set', '*.cache-from=type=gha',
        '--set', '*.cache-to=type=gha',
        '--metadata-file', metadataJson
-      ]
+      ],
+      undefined
    ],
    [
      4,
      '0.10.0',
      new Map<string, string>([
+        ['source', '.'],
        ['load', 'false'],
        ['no-cache', 'false'],
        ['push', 'false'],
@@ -205,13 +186,17 @@ describe('getArgs', () => {
      [
        'bake',
        '--metadata-file', metadataJson,
-        "--provenance", `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
-      ]
+        '--set', `lint.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`,
+        '--set', `validate-docs.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`,
+        '--set', `validate-vendor.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`,
+      ],
+      undefined
    ],
    [
      5,
      '0.10.0',
      new Map<string, string>([
+        ['source', '.'],
        ['load', 'false'],
        ['no-cache', 'false'],
        ['push', 'false'],
@@ -221,13 +206,15 @@ describe('getArgs', () => {
      [
        'bake',
        '--metadata-file', metadataJson,
-        "--provenance", `builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`
-      ]
+        "--provenance", `builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`
+      ],
+      undefined
    ],
    [
      6,
      '0.10.0',
      new Map<string, string>([
+        ['source', '.'],
        ['load', 'false'],
        ['no-cache', 'false'],
        ['push', 'false'],
@@ -237,13 +224,15 @@ describe('getArgs', () => {
      [
        'bake',
        '--metadata-file', metadataJson,
-        "--provenance", `mode=max,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`
-      ]
+        "--provenance", `mode=max,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`
+      ],
+      undefined
    ],
    [
      7,
      '0.10.0',
      new Map<string, string>([
+        ['source', '.'],
        ['load', 'false'],
        ['no-cache', 'false'],
        ['push', 'false'],
@@ -254,12 +243,14 @@ describe('getArgs', () => {
        'bake',
        '--metadata-file', metadataJson,
        "--provenance", 'false'
-      ]
+      ],
+      undefined
    ],
    [
      8,
      '0.10.0',
      new Map<string, string>([
+        ['source', '.'],
        ['load', 'false'],
        ['no-cache', 'false'],
        ['push', 'false'],
@@ -270,12 +261,14 @@ describe('getArgs', () => {
        'bake',
        '--metadata-file', metadataJson,
        "--provenance", 'builder-id=foo'
-      ]
+      ],
+      undefined
    ],
    [
      9,
      '0.10.0',
      new Map<string, string>([
+        ['source', '.'],
        ['load', 'false'],
        ['no-cache', 'false'],
        ['push', 'false'],
@@ -288,14 +281,18 @@ describe('getArgs', () => {
        '--set', '*.platform=linux/amd64,linux/ppc64le,linux/s390x',
        '--set', `*.output=type=image,"name=moby/buildkit:v0.11.0,moby/buildkit:latest",push=true`,
        '--metadata-file', metadataJson,
-        '--provenance', `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
+        '--set', `lint.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`,
+        '--set', `validate-docs.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`,
+        '--set', `validate-vendor.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`,
        'image-all'
-      ]
+      ],
+      undefined
    ],
    [
      10,
      '0.10.0',
      new Map<string, string>([
+        ['source', '.'],
        ['load', 'false'],
        ['no-cache', 'false'],
        ['push', 'false'],
@@ -307,15 +304,17 @@ describe('getArgs', () => {
        'bake',
        '--set', `*.labels.foo=bar=#baz`,
        '--metadata-file', metadataJson,
-        '--provenance', `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
+        '--set', `lint.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`,
+        '--set', `validate-docs.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`,
+        '--set', `validate-vendor.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`,
        'image-all'
-      ]
+      ],
+      undefined
    ],
    [
      11,
      '0.10.0',
      new Map<string, string>([
-        ['source', '{{defaultContext}}'],
        ['load', 'false'],
        ['no-cache', 'false'],
        ['push', 'false'],
@@ -324,20 +323,137 @@ describe('getArgs', () => {
      ]),
      [
        'bake',
-        'https://github.com/docker/build-push-action.git#refs/heads/master',
+        'https://github.com/docker/bake-action.git#refs/heads/master',
        '--file', './foo.hcl',
        '--metadata-file', metadataJson,
-        '--provenance', `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
-      ]
+        '--set', `lint.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`,
+        '--set', `validate-docs.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`,
+        '--set', `validate-vendor.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`
+      ],
+      undefined
+    ],
+    [
+      12,
+      '0.17.0',
+      new Map<string, string>([
+        ['source', '.'],
+        ['allow', 'network.host'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+      ]),
+      [
+        'bake',
+        '--allow', 'network.host',
+        '--metadata-file', metadataJson,
+        '--set', `lint.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`,
+        '--set', `validate-docs.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`,
+        '--set', `validate-vendor.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`
+      ],
+      undefined
+    ],
+    [
+      13,
+      '0.15.0',
+      new Map<string, string>([
+        ['source', '{{defaultContext}}:subdir'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+        ['files', './foo.hcl'],
+      ]),
+      [
+        'bake',
+        'https://github.com/docker/bake-action.git#refs/heads/master:subdir',
+        '--file', './foo.hcl',
+        '--metadata-file', metadataJson,
+        '--set', `lint.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`,
+        '--set', `validate-docs.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`,
+        '--set', `validate-vendor.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`
+      ],
+      undefined
+    ],
+    [
+      14,
+      '0.15.0',
+      new Map<string, string>([
+        ['source', '.'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false']
+      ]),
+      [
+        'bake',
+        '--metadata-file', metadataJson
+      ],
+      new Map<string, string>([
+        ['BUILDX_NO_DEFAULT_ATTESTATIONS', '1']
+      ])
+    ],
+    [
+      15,
+      '0.29.0',
+      new Map<string, string>([
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+        ['files', './foo.hcl'],
+      ]),
+      [
+        'bake',
+        'https://github.com/docker/bake-action.git?ref=refs/heads/master',
+        '--allow', 'fs=*',
+        '--file', './foo.hcl',
+        '--metadata-file', metadataJson,
+        '--set', `lint.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`,
+        '--set', `validate-docs.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`,
+        '--set', `validate-vendor.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`
+      ],
+      new Map<string, string>([
+        ['BUILDX_SEND_GIT_QUERY_AS_INPUT', 'true']
+      ])
+    ],
+    [
+      16,
+      '0.28.0',
+      new Map<string, string>([
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+        ['files', './foo.hcl'],
+      ]),
+      [
+        'bake',
+        'https://github.com/docker/bake-action.git#refs/heads/master',
+        '--allow', 'fs=*',
+        '--file', './foo.hcl',
+        '--metadata-file', metadataJson,
+        '--set', `lint.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`,
+        '--set', `validate-docs.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`,
+        '--set', `validate-vendor.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`
+      ],
+      new Map<string, string>([
+        ['BUILDX_SEND_GIT_QUERY_AS_INPUT', 'true']
+      ])
    ],
  ])(
-    '[%d] given %p with %p as inputs, returns %p',
-    async (num: number, buildxVersion: string, inputs: Map<string, string>, expected: Array<string>) => {
+    '[%d] given %o with %o as inputs, returns %o',
+    async (num: number, buildxVersion: string, inputs: Map<string, string>, expected: Array<string>, envs: Map<string, string> | undefined) => {
+      if (envs) {
+        envs.forEach((value: string, name: string) => {
+          process.env[name] = value;
+        });
+      }
      inputs.forEach((value: string, name: string) => {
        setInput(name, value);
      });
      const toolkit = new Toolkit();
-      jest.spyOn(Buildx.prototype, 'version').mockImplementation(async (): Promise<string> => {
+      vi.spyOn(Buildx.prototype, 'version').mockImplementation(async (): Promise<string> => {
        return buildxVersion;
      });
      const inp = await context.getInputs();
@@ -350,11 +466,11 @@ describe('getArgs', () => {
          provenance: inp.provenance,
          push: inp.push,
          sbom: inp.sbom,
-          source: inp.source,
+          source: inp.source.remoteRef,
          targets: inp.targets
        },
        {
-          cwd: inp.workdir
+          cwd: inp.source.workdir,
        }
      );
      const res = await context.getArgs(inp, definition, toolkit);
@@ -0,0 +1,55 @@
+{
+  "group": {
+    "default": {
+      "targets": [
+        "validate"
+      ]
+    },
+    "validate": {
+      "targets": [
+        "lint",
+        "validate-vendor",
+        "validate-docs"
+      ]
+    }
+  },
+  "target": {
+    "lint": {
+      "context": ".",
+      "dockerfile": "./hack/dockerfiles/lint.Dockerfile",
+      "args": {
+        "BUILDKIT_CONTEXT_KEEP_GIT_DIR": "1",
+        "GO_VERSION": "1.20"
+      },
+      "output": [
+        "type=cacheonly"
+      ]
+    },
+    "validate-docs": {
+      "context": ".",
+      "dockerfile": "./hack/dockerfiles/docs.Dockerfile",
+      "args": {
+        "BUILDKIT_CONTEXT_KEEP_GIT_DIR": "1",
+        "BUILDX_EXPERIMENTAL": "1",
+        "FORMATS": "md",
+        "GO_VERSION": "1.20"
+      },
+      "target": "validate",
+      "output": [
+        "type=cacheonly"
+      ]
+    },
+    "validate-vendor": {
+      "context": ".",
+      "dockerfile": "./hack/dockerfiles/vendor.Dockerfile",
+      "args": {
+        "BUILDKIT_CONTEXT_KEEP_GIT_DIR": "1",
+        "GO_VERSION": "1.20"
+      },
+      "target": "validate",
+      "output": [
+        "type=cacheonly"
+      ]
+    }
+  }
+}
@@ -0,0 +1,22 @@
+{
+  "name": "builder2",
+  "driver": "docker-container",
+  "lastActivity": "2023-01-16 09:45:23 +0000 UTC",
+  "nodes": [
+    {
+      "buildkit": "v0.11.0",
+      "buildkitd-flags": "--debug --allow-insecure-entitlement security.insecure --allow-insecure-entitlement network.host",
+      "driver-opts": [
+        "BUILDKIT_STEP_LOG_MAX_SIZE=10485760",
+        "BUILDKIT_STEP_LOG_MAX_SPEED=10485760",
+        "JAEGER_TRACE=localhost:6831",
+        "image=moby/buildkit:latest",
+        "network=host"
+      ],
+      "endpoint": "unix:///var/run/docker.sock",
+      "name": "builder20",
+      "platforms": "linux/amd64,linux/amd64/v2,linux/amd64/v3,linux/arm64,linux/riscv64,linux/ppc64le,linux/s390x,linux/386,linux/mips64le,linux/mips64,linux/arm/v7,linux/arm/v6",
+      "status": "running"
+    }
+  ]
+}
@@ -1,362 +0,0 @@
-{
-  "id": 1296269,
-  "node_id": "MDEwOlJlcG9zaXRvcnkxMjk2MjY5",
-  "name": "Hello-World",
-  "full_name": "octocat/Hello-World",
-  "owner": {
-    "login": "octocat",
-    "id": 1,
-    "node_id": "MDQ6VXNlcjE=",
-    "avatar_url": "https://github.com/images/error/octocat_happy.gif",
-    "gravatar_id": "",
-    "url": "https://api.github.com/users/octocat",
-    "html_url": "https://github.com/octocat",
-    "followers_url": "https://api.github.com/users/octocat/followers",
-    "following_url": "https://api.github.com/users/octocat/following{/other_user}",
-    "gists_url": "https://api.github.com/users/octocat/gists{/gist_id}",
-    "starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}",
-    "subscriptions_url": "https://api.github.com/users/octocat/subscriptions",
-    "organizations_url": "https://api.github.com/users/octocat/orgs",
-    "repos_url": "https://api.github.com/users/octocat/repos",
-    "events_url": "https://api.github.com/users/octocat/events{/privacy}",
-    "received_events_url": "https://api.github.com/users/octocat/received_events",
-    "type": "User",
-    "site_admin": false
-  },
-  "private": false,
-  "html_url": "https://github.com/octocat/Hello-World",
-  "description": "This your first repo!",
-  "fork": false,
-  "url": "https://api.github.com/repos/octocat/Hello-World",
-  "archive_url": "http://api.github.com/repos/octocat/Hello-World/{archive_format}{/ref}",
-  "assignees_url": "http://api.github.com/repos/octocat/Hello-World/assignees{/user}",
-  "blobs_url": "http://api.github.com/repos/octocat/Hello-World/git/blobs{/sha}",
-  "branches_url": "http://api.github.com/repos/octocat/Hello-World/branches{/branch}",
-  "collaborators_url": "http://api.github.com/repos/octocat/Hello-World/collaborators{/collaborator}",
-  "comments_url": "http://api.github.com/repos/octocat/Hello-World/comments{/number}",
-  "commits_url": "http://api.github.com/repos/octocat/Hello-World/commits{/sha}",
-  "compare_url": "http://api.github.com/repos/octocat/Hello-World/compare/{base}...{head}",
-  "contents_url": "http://api.github.com/repos/octocat/Hello-World/contents/{+path}",
-  "contributors_url": "http://api.github.com/repos/octocat/Hello-World/contributors",
-  "deployments_url": "http://api.github.com/repos/octocat/Hello-World/deployments",
-  "downloads_url": "http://api.github.com/repos/octocat/Hello-World/downloads",
-  "events_url": "http://api.github.com/repos/octocat/Hello-World/events",
-  "forks_url": "http://api.github.com/repos/octocat/Hello-World/forks",
-  "git_commits_url": "http://api.github.com/repos/octocat/Hello-World/git/commits{/sha}",
-  "git_refs_url": "http://api.github.com/repos/octocat/Hello-World/git/refs{/sha}",
-  "git_tags_url": "http://api.github.com/repos/octocat/Hello-World/git/tags{/sha}",
-  "git_url": "git:github.com/octocat/Hello-World.git",
-  "issue_comment_url": "http://api.github.com/repos/octocat/Hello-World/issues/comments{/number}",
-  "issue_events_url": "http://api.github.com/repos/octocat/Hello-World/issues/events{/number}",
-  "issues_url": "http://api.github.com/repos/octocat/Hello-World/issues{/number}",
-  "keys_url": "http://api.github.com/repos/octocat/Hello-World/keys{/key_id}",
-  "labels_url": "http://api.github.com/repos/octocat/Hello-World/labels{/name}",
-  "languages_url": "http://api.github.com/repos/octocat/Hello-World/languages",
-  "merges_url": "http://api.github.com/repos/octocat/Hello-World/merges",
-  "milestones_url": "http://api.github.com/repos/octocat/Hello-World/milestones{/number}",
-  "notifications_url": "http://api.github.com/repos/octocat/Hello-World/notifications{?since,all,participating}",
-  "pulls_url": "http://api.github.com/repos/octocat/Hello-World/pulls{/number}",
-  "releases_url": "http://api.github.com/repos/octocat/Hello-World/releases{/id}",
-  "ssh_url": "git@github.com:octocat/Hello-World.git",
-  "stargazers_url": "http://api.github.com/repos/octocat/Hello-World/stargazers",
-  "statuses_url": "http://api.github.com/repos/octocat/Hello-World/statuses/{sha}",
-  "subscribers_url": "http://api.github.com/repos/octocat/Hello-World/subscribers",
-  "subscription_url": "http://api.github.com/repos/octocat/Hello-World/subscription",
-  "tags_url": "http://api.github.com/repos/octocat/Hello-World/tags",
-  "teams_url": "http://api.github.com/repos/octocat/Hello-World/teams",
-  "trees_url": "http://api.github.com/repos/octocat/Hello-World/git/trees{/sha}",
-  "clone_url": "https://github.com/octocat/Hello-World.git",
-  "mirror_url": "git:git.example.com/octocat/Hello-World",
-  "hooks_url": "http://api.github.com/repos/octocat/Hello-World/hooks",
-  "svn_url": "https://svn.github.com/octocat/Hello-World",
-  "homepage": "https://github.com",
-  "language": null,
-  "forks_count": 9,
-  "stargazers_count": 80,
-  "watchers_count": 80,
-  "size": 108,
-  "default_branch": "master",
-  "open_issues_count": 0,
-  "is_template": true,
-  "topics": [
-    "octocat",
-    "atom",
-    "electron",
-    "api"
-  ],
-  "has_issues": true,
-  "has_projects": true,
-  "has_wiki": true,
-  "has_pages": false,
-  "has_downloads": true,
-  "archived": false,
-  "disabled": false,
-  "visibility": "public",
-  "pushed_at": "2011-01-26T19:06:43Z",
-  "created_at": "2011-01-26T19:01:12Z",
-  "updated_at": "2011-01-26T19:14:43Z",
-  "permissions": {
-    "pull": true,
-    "triage": true,
-    "push": false,
-    "maintain": false,
-    "admin": false
-  },
-  "allow_rebase_merge": true,
-  "template_repository": null,
-  "temp_clone_token": "ABTLWHOULUVAXGTRYU7OC2876QJ2O",
-  "allow_squash_merge": true,
-  "delete_branch_on_merge": true,
-  "allow_merge_commit": true,
-  "subscribers_count": 42,
-  "network_count": 0,
-  "license": {
-    "key": "mit",
-    "name": "MIT License",
-    "spdx_id": "MIT",
-    "url": "https://api.github.com/licenses/mit",
-    "node_id": "MDc6TGljZW5zZW1pdA=="
-  },
-  "organization": {
-    "login": "octocat",
-    "id": 1,
-    "node_id": "MDQ6VXNlcjE=",
-    "avatar_url": "https://github.com/images/error/octocat_happy.gif",
-    "gravatar_id": "",
-    "url": "https://api.github.com/users/octocat",
-    "html_url": "https://github.com/octocat",
-    "followers_url": "https://api.github.com/users/octocat/followers",
-    "following_url": "https://api.github.com/users/octocat/following{/other_user}",
-    "gists_url": "https://api.github.com/users/octocat/gists{/gist_id}",
-    "starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}",
-    "subscriptions_url": "https://api.github.com/users/octocat/subscriptions",
-    "organizations_url": "https://api.github.com/users/octocat/orgs",
-    "repos_url": "https://api.github.com/users/octocat/repos",
-    "events_url": "https://api.github.com/users/octocat/events{/privacy}",
-    "received_events_url": "https://api.github.com/users/octocat/received_events",
-    "type": "Organization",
-    "site_admin": false
-  },
-  "parent": {
-    "id": 1296269,
-    "node_id": "MDEwOlJlcG9zaXRvcnkxMjk2MjY5",
-    "name": "Hello-World",
-    "full_name": "octocat/Hello-World",
-    "owner": {
-      "login": "octocat",
-      "id": 1,
-      "node_id": "MDQ6VXNlcjE=",
-      "avatar_url": "https://github.com/images/error/octocat_happy.gif",
-      "gravatar_id": "",
-      "url": "https://api.github.com/users/octocat",
-      "html_url": "https://github.com/octocat",
-      "followers_url": "https://api.github.com/users/octocat/followers",
-      "following_url": "https://api.github.com/users/octocat/following{/other_user}",
-      "gists_url": "https://api.github.com/users/octocat/gists{/gist_id}",
-      "starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}",
-      "subscriptions_url": "https://api.github.com/users/octocat/subscriptions",
-      "organizations_url": "https://api.github.com/users/octocat/orgs",
-      "repos_url": "https://api.github.com/users/octocat/repos",
-      "events_url": "https://api.github.com/users/octocat/events{/privacy}",
-      "received_events_url": "https://api.github.com/users/octocat/received_events",
-      "type": "User",
-      "site_admin": false
-    },
-    "private": false,
-    "html_url": "https://github.com/octocat/Hello-World",
-    "description": "This your first repo!",
-    "fork": false,
-    "url": "https://api.github.com/repos/octocat/Hello-World",
-    "archive_url": "http://api.github.com/repos/octocat/Hello-World/{archive_format}{/ref}",
-    "assignees_url": "http://api.github.com/repos/octocat/Hello-World/assignees{/user}",
-    "blobs_url": "http://api.github.com/repos/octocat/Hello-World/git/blobs{/sha}",
-    "branches_url": "http://api.github.com/repos/octocat/Hello-World/branches{/branch}",
-    "collaborators_url": "http://api.github.com/repos/octocat/Hello-World/collaborators{/collaborator}",
-    "comments_url": "http://api.github.com/repos/octocat/Hello-World/comments{/number}",
-    "commits_url": "http://api.github.com/repos/octocat/Hello-World/commits{/sha}",
-    "compare_url": "http://api.github.com/repos/octocat/Hello-World/compare/{base}...{head}",
-    "contents_url": "http://api.github.com/repos/octocat/Hello-World/contents/{+path}",
-    "contributors_url": "http://api.github.com/repos/octocat/Hello-World/contributors",
-    "deployments_url": "http://api.github.com/repos/octocat/Hello-World/deployments",
-    "downloads_url": "http://api.github.com/repos/octocat/Hello-World/downloads",
-    "events_url": "http://api.github.com/repos/octocat/Hello-World/events",
-    "forks_url": "http://api.github.com/repos/octocat/Hello-World/forks",
-    "git_commits_url": "http://api.github.com/repos/octocat/Hello-World/git/commits{/sha}",
-    "git_refs_url": "http://api.github.com/repos/octocat/Hello-World/git/refs{/sha}",
-    "git_tags_url": "http://api.github.com/repos/octocat/Hello-World/git/tags{/sha}",
-    "git_url": "git:github.com/octocat/Hello-World.git",
-    "issue_comment_url": "http://api.github.com/repos/octocat/Hello-World/issues/comments{/number}",
-    "issue_events_url": "http://api.github.com/repos/octocat/Hello-World/issues/events{/number}",
-    "issues_url": "http://api.github.com/repos/octocat/Hello-World/issues{/number}",
-    "keys_url": "http://api.github.com/repos/octocat/Hello-World/keys{/key_id}",
-    "labels_url": "http://api.github.com/repos/octocat/Hello-World/labels{/name}",
-    "languages_url": "http://api.github.com/repos/octocat/Hello-World/languages",
-    "merges_url": "http://api.github.com/repos/octocat/Hello-World/merges",
-    "milestones_url": "http://api.github.com/repos/octocat/Hello-World/milestones{/number}",
-    "notifications_url": "http://api.github.com/repos/octocat/Hello-World/notifications{?since,all,participating}",
-    "pulls_url": "http://api.github.com/repos/octocat/Hello-World/pulls{/number}",
-    "releases_url": "http://api.github.com/repos/octocat/Hello-World/releases{/id}",
-    "ssh_url": "git@github.com:octocat/Hello-World.git",
-    "stargazers_url": "http://api.github.com/repos/octocat/Hello-World/stargazers",
-    "statuses_url": "http://api.github.com/repos/octocat/Hello-World/statuses/{sha}",
-    "subscribers_url": "http://api.github.com/repos/octocat/Hello-World/subscribers",
-    "subscription_url": "http://api.github.com/repos/octocat/Hello-World/subscription",
-    "tags_url": "http://api.github.com/repos/octocat/Hello-World/tags",
-    "teams_url": "http://api.github.com/repos/octocat/Hello-World/teams",
-    "trees_url": "http://api.github.com/repos/octocat/Hello-World/git/trees{/sha}",
-    "clone_url": "https://github.com/octocat/Hello-World.git",
-    "mirror_url": "git:git.example.com/octocat/Hello-World",
-    "hooks_url": "http://api.github.com/repos/octocat/Hello-World/hooks",
-    "svn_url": "https://svn.github.com/octocat/Hello-World",
-    "homepage": "https://github.com",
-    "language": null,
-    "forks_count": 9,
-    "stargazers_count": 80,
-    "watchers_count": 80,
-    "size": 108,
-    "default_branch": "master",
-    "open_issues_count": 0,
-    "is_template": true,
-    "topics": [
-      "octocat",
-      "atom",
-      "electron",
-      "api"
-    ],
-    "has_issues": true,
-    "has_projects": true,
-    "has_wiki": true,
-    "has_pages": false,
-    "has_downloads": true,
-    "archived": false,
-    "disabled": false,
-    "visibility": "public",
-    "pushed_at": "2011-01-26T19:06:43Z",
-    "created_at": "2011-01-26T19:01:12Z",
-    "updated_at": "2011-01-26T19:14:43Z",
-    "permissions": {
-      "admin": false,
-      "push": false,
-      "pull": true
-    },
-    "allow_rebase_merge": true,
-    "template_repository": null,
-    "temp_clone_token": "ABTLWHOULUVAXGTRYU7OC2876QJ2O",
-    "allow_squash_merge": true,
-    "delete_branch_on_merge": true,
-    "allow_merge_commit": true,
-    "subscribers_count": 42,
-    "network_count": 0
-  },
-  "source": {
-    "id": 1296269,
-    "node_id": "MDEwOlJlcG9zaXRvcnkxMjk2MjY5",
-    "name": "Hello-World",
-    "full_name": "octocat/Hello-World",
-    "owner": {
-      "login": "octocat",
-      "id": 1,
-      "node_id": "MDQ6VXNlcjE=",
-      "avatar_url": "https://github.com/images/error/octocat_happy.gif",
-      "gravatar_id": "",
-      "url": "https://api.github.com/users/octocat",
-      "html_url": "https://github.com/octocat",
-      "followers_url": "https://api.github.com/users/octocat/followers",
-      "following_url": "https://api.github.com/users/octocat/following{/other_user}",
-      "gists_url": "https://api.github.com/users/octocat/gists{/gist_id}",
-      "starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}",
-      "subscriptions_url": "https://api.github.com/users/octocat/subscriptions",
-      "organizations_url": "https://api.github.com/users/octocat/orgs",
-      "repos_url": "https://api.github.com/users/octocat/repos",
-      "events_url": "https://api.github.com/users/octocat/events{/privacy}",
-      "received_events_url": "https://api.github.com/users/octocat/received_events",
-      "type": "User",
-      "site_admin": false
-    },
-    "private": false,
-    "html_url": "https://github.com/octocat/Hello-World",
-    "description": "This your first repo!",
-    "fork": false,
-    "url": "https://api.github.com/repos/octocat/Hello-World",
-    "archive_url": "http://api.github.com/repos/octocat/Hello-World/{archive_format}{/ref}",
-    "assignees_url": "http://api.github.com/repos/octocat/Hello-World/assignees{/user}",
-    "blobs_url": "http://api.github.com/repos/octocat/Hello-World/git/blobs{/sha}",
-    "branches_url": "http://api.github.com/repos/octocat/Hello-World/branches{/branch}",
-    "collaborators_url": "http://api.github.com/repos/octocat/Hello-World/collaborators{/collaborator}",
-    "comments_url": "http://api.github.com/repos/octocat/Hello-World/comments{/number}",
-    "commits_url": "http://api.github.com/repos/octocat/Hello-World/commits{/sha}",
-    "compare_url": "http://api.github.com/repos/octocat/Hello-World/compare/{base}...{head}",
-    "contents_url": "http://api.github.com/repos/octocat/Hello-World/contents/{+path}",
-    "contributors_url": "http://api.github.com/repos/octocat/Hello-World/contributors",
-    "deployments_url": "http://api.github.com/repos/octocat/Hello-World/deployments",
-    "downloads_url": "http://api.github.com/repos/octocat/Hello-World/downloads",
-    "events_url": "http://api.github.com/repos/octocat/Hello-World/events",
-    "forks_url": "http://api.github.com/repos/octocat/Hello-World/forks",
-    "git_commits_url": "http://api.github.com/repos/octocat/Hello-World/git/commits{/sha}",
-    "git_refs_url": "http://api.github.com/repos/octocat/Hello-World/git/refs{/sha}",
-    "git_tags_url": "http://api.github.com/repos/octocat/Hello-World/git/tags{/sha}",
-    "git_url": "git:github.com/octocat/Hello-World.git",
-    "issue_comment_url": "http://api.github.com/repos/octocat/Hello-World/issues/comments{/number}",
-    "issue_events_url": "http://api.github.com/repos/octocat/Hello-World/issues/events{/number}",
-    "issues_url": "http://api.github.com/repos/octocat/Hello-World/issues{/number}",
-    "keys_url": "http://api.github.com/repos/octocat/Hello-World/keys{/key_id}",
-    "labels_url": "http://api.github.com/repos/octocat/Hello-World/labels{/name}",
-    "languages_url": "http://api.github.com/repos/octocat/Hello-World/languages",
-    "merges_url": "http://api.github.com/repos/octocat/Hello-World/merges",
-    "milestones_url": "http://api.github.com/repos/octocat/Hello-World/milestones{/number}",
-    "notifications_url": "http://api.github.com/repos/octocat/Hello-World/notifications{?since,all,participating}",
-    "pulls_url": "http://api.github.com/repos/octocat/Hello-World/pulls{/number}",
-    "releases_url": "http://api.github.com/repos/octocat/Hello-World/releases{/id}",
-    "ssh_url": "git@github.com:octocat/Hello-World.git",
-    "stargazers_url": "http://api.github.com/repos/octocat/Hello-World/stargazers",
-    "statuses_url": "http://api.github.com/repos/octocat/Hello-World/statuses/{sha}",
-    "subscribers_url": "http://api.github.com/repos/octocat/Hello-World/subscribers",
-    "subscription_url": "http://api.github.com/repos/octocat/Hello-World/subscription",
-    "tags_url": "http://api.github.com/repos/octocat/Hello-World/tags",
-    "teams_url": "http://api.github.com/repos/octocat/Hello-World/teams",
-    "trees_url": "http://api.github.com/repos/octocat/Hello-World/git/trees{/sha}",
-    "clone_url": "https://github.com/octocat/Hello-World.git",
-    "mirror_url": "git:git.example.com/octocat/Hello-World",
-    "hooks_url": "http://api.github.com/repos/octocat/Hello-World/hooks",
-    "svn_url": "https://svn.github.com/octocat/Hello-World",
-    "homepage": "https://github.com",
-    "language": null,
-    "forks_count": 9,
-    "stargazers_count": 80,
-    "watchers_count": 80,
-    "size": 108,
-    "default_branch": "master",
-    "open_issues_count": 0,
-    "is_template": true,
-    "topics": [
-      "octocat",
-      "atom",
-      "electron",
-      "api"
-    ],
-    "has_issues": true,
-    "has_projects": true,
-    "has_wiki": true,
-    "has_pages": false,
-    "has_downloads": true,
-    "archived": false,
-    "disabled": false,
-    "visibility": "public",
-    "pushed_at": "2011-01-26T19:06:43Z",
-    "created_at": "2011-01-26T19:01:12Z",
-    "updated_at": "2011-01-26T19:14:43Z",
-    "permissions": {
-      "admin": false,
-      "push": false,
-      "pull": true
-    },
-    "allow_rebase_merge": true,
-    "template_repository": null,
-    "temp_clone_token": "ABTLWHOULUVAXGTRYU7OC2876QJ2O",
-    "allow_squash_merge": true,
-    "delete_branch_on_merge": true,
-    "allow_merge_commit": true,
-    "subscribers_count": 42,
-    "network_count": 0
-  }
-}
@@ -0,0 +1,39 @@
+import fs from 'node:fs';
+import os from 'node:os';
+import path from 'node:path';
+import {vi} from 'vitest';
+
+const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'docker-bake-action-'));
+
+const githubPayload = {
+  repository: {
+    private: true
+  }
+};
+
+const githubEventPath = path.join(tmpDir, 'github-event.json');
+fs.writeFileSync(githubEventPath, JSON.stringify(githubPayload));
+
+process.env = Object.assign({}, process.env, {
+  TEMP: tmpDir,
+  GITHUB_REPOSITORY: 'docker/bake-action',
+  GITHUB_REF: 'refs/heads/master',
+  GITHUB_RUN_ID: '123456789',
+  GITHUB_RUN_ATTEMPT: '1',
+  GITHUB_EVENT_PATH: githubEventPath,
+  RUNNER_TEMP: path.join(tmpDir, 'runner-temp'),
+  RUNNER_TOOL_CACHE: path.join(tmpDir, 'runner-tool-cache')
+});
+
+vi.mock('@actions/github', () => ({
+  context: {
+    repo: {
+      owner: 'docker',
+      repo: 'bake-action'
+    },
+    ref: 'refs/heads/master',
+    runId: 123456789,
+    payload: githubPayload
+  },
+  getOctokit: vi.fn()
+}));
@@ -10,19 +10,15 @@ inputs:
  builder:
    description: "Builder instance"
    required: false
-  source:
-    description: "Context to build from. Can be either local or a remote bake definition"
+  allow:
+    description: "Allow build to access specified resources (e.g., network.host)"
+    required: false
+  call:
+    description: "Set method for evaluating build (e.g., check)"
    required: false
  files:
    description: "List of bake definition files"
    required: false
-  workdir:
-    description: "Working directory of bake execution"
-    required: false
-    default: '.'
-  targets:
-    description: "List of bake targets"
-    required: false
  no-cache:
    description: "Do not use cache when building the image"
    required: false
@@ -48,6 +44,15 @@ inputs:
  set:
    description: "List of targets values to override (eg. targetpattern.key=value)"
    required: false
+  source:
+    description: "Context to build from. Can be either local to specify the working directory or a remote bake definition"
+    required: false
+  targets:
+    description: "List of bake targets"
+    required: false
+  vars:
+    description: "Variables to set in the Bake definition as list of key-value pair"
+    required: false
  github-token:
    description: "API token used to authenticate to a Git repository for remote definitions"
    default: ${{ github.token }}
@@ -58,6 +63,6 @@ outputs:
    description: 'Build result metadata'

 runs:
-  using: 'node20'
-  main: 'dist/index.js'
-  post: 'dist/index.js'
+  using: 'node24'
+  main: 'dist/index.cjs'
+  post: 'dist/index.cjs'
@@ -1,12 +1,13 @@
 # syntax=docker/dockerfile:1

-ARG NODE_VERSION=20
+ARG NODE_VERSION=24

 FROM node:${NODE_VERSION}-alpine AS base
-RUN apk add --no-cache cpio findutils git
+RUN apk add --no-cache cpio findutils git rsync
 WORKDIR /src
 RUN --mount=type=bind,target=.,rw \
  --mount=type=cache,target=/src/.yarn/cache <<EOT
+  set -e
  corepack enable
  yarn --version
  yarn config set --home enableTelemetry 0
@@ -27,25 +28,34 @@ RUN --mount=type=bind,target=.,rw <<EOT
  git add -A
  cp -rf /vendor/* .
  if [ -n "$(git status --porcelain -- yarn.lock)" ]; then
-    echo >&2 'ERROR: Vendor result differs. Please vendor your package with "docker buildx bake vendor-update"'
+    echo >&2 'ERROR: Vendor result differs. Please vendor your package with "docker buildx bake vendor"'
    git status --porcelain -- yarn.lock
    exit 1
  fi
 EOT

 FROM deps AS build
-RUN --mount=type=bind,target=.,rw \
+RUN --mount=target=/context \
  --mount=type=cache,target=/src/.yarn/cache \
-  --mount=type=cache,target=/src/node_modules \
-  yarn run build && mkdir /out && cp -Rf dist /out/
+  --mount=type=cache,target=/src/node_modules <<EOT
+  set -e
+  rsync -a /context/. .
+  rm -rf dist
+  yarn run build
+  mkdir /out
+  cp -r dist /out
+EOT

 FROM scratch AS build-update
 COPY --from=build /out /

 FROM build AS build-validate
-RUN --mount=type=bind,target=.,rw <<EOT
+RUN --mount=target=/context \
+  --mount=target=.,type=tmpfs <<EOT
  set -e
+  rsync -a /context/. .
  git add -A
+  rm -rf dist
  cp -rf /out/* .
  if [ -n "$(git status --porcelain -- dist)" ]; then
    echo >&2 'ERROR: Build result differs. Please build first with "docker buildx bake build"'
@@ -58,8 +68,7 @@ FROM deps AS format
 RUN --mount=type=bind,target=.,rw \
  --mount=type=cache,target=/src/.yarn/cache \
  --mount=type=cache,target=/src/node_modules \
-  yarn run format \
-  && mkdir /out && find . -name '*.ts' -not -path './node_modules/*' -not -path './.yarn/*' | cpio -pdm /out
+  yarn run format && mkdir /out && find . -name '*.ts' -not -path './node_modules/*' -not -path './.yarn/*' | cpio -pdm /out

 FROM scratch AS format-update
 COPY --from=format /out /
@@ -74,7 +83,7 @@ FROM deps AS test
 RUN --mount=type=bind,target=.,rw \
  --mount=type=cache,target=/src/.yarn/cache \
  --mount=type=cache,target=/src/node_modules \
-  yarn run test --coverage --coverageDirectory=/tmp/coverage
+  yarn run test --coverage --coverage.reportsDirectory=/tmp/coverage

 FROM scratch AS test-coverage
 COPY --from=test /tmp/coverage /
@@ -1,3 +1,9 @@
+target "_common" {
+  args = {
+    BUILDKIT_CONTEXT_KEEP_GIT_DIR = 1
+  }
+}
+
 group "default" {
  targets = ["build"]
 }
@@ -11,42 +17,49 @@ group "validate" {
 }

 target "build" {
+  inherits = ["_common"]
  dockerfile = "dev.Dockerfile"
  target = "build-update"
  output = ["."]
 }

 target "build-validate" {
+  inherits = ["_common"]
  dockerfile = "dev.Dockerfile"
  target = "build-validate"
  output = ["type=cacheonly"]
 }

 target "format" {
+  inherits = ["_common"]
  dockerfile = "dev.Dockerfile"
  target = "format-update"
  output = ["."]
 }

 target "lint" {
+  inherits = ["_common"]
  dockerfile = "dev.Dockerfile"
  target = "lint"
  output = ["type=cacheonly"]
 }

 target "vendor" {
+  inherits = ["_common"]
  dockerfile = "dev.Dockerfile"
  target = "vendor-update"
  output = ["."]
 }

 target "vendor-validate" {
+  inherits = ["_common"]
  dockerfile = "dev.Dockerfile"
  target = "vendor-validate"
  output = ["type=cacheonly"]
 }

 target "test" {
+  inherits = ["_common"]
  dockerfile = "dev.Dockerfile"
  target = "test-coverage"
  output = ["./coverage"]
@@ -0,0 +1,52 @@
+import {defineConfig} from 'eslint/config';
+import js from '@eslint/js';
+import tseslint from '@typescript-eslint/eslint-plugin';
+import vitest from '@vitest/eslint-plugin';
+import globals from 'globals';
+import eslintConfigPrettier from 'eslint-config-prettier/flat';
+import eslintPluginPrettier from 'eslint-plugin-prettier';
+
+export default defineConfig([
+  {
+    ignores: ['.yarn/**/*', 'coverage/**/*', 'dist/**/*']
+  },
+  js.configs.recommended,
+  ...tseslint.configs['flat/recommended'],
+  eslintConfigPrettier,
+  {
+    languageOptions: {
+      globals: {
+        ...globals.node
+      }
+    }
+  },
+  {
+    files: ['__tests__/**'],
+    ...vitest.configs.recommended,
+    languageOptions: {
+      globals: {
+        ...globals.node,
+        ...vitest.environments.env.globals
+      }
+    },
+    rules: {
+      ...vitest.configs.recommended.rules,
+      'vitest/no-conditional-expect': 'error',
+      'vitest/no-disabled-tests': 0
+    }
+  },
+  {
+    plugins: {
+      prettier: eslintPluginPrettier
+    },
+    rules: {
+      'prettier/prettier': 'error',
+      '@typescript-eslint/no-require-imports': [
+        'error',
+        {
+          allowAsImport: true
+        }
+      ]
+    }
+  }
+]);
@@ -1,30 +0,0 @@
-import fs from 'fs';
-import os from 'os';
-import path from 'path';
-
-const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'docker-bake-action-'));
-
-process.env = Object.assign({}, process.env, {
-  TEMP: tmpDir,
-  GITHUB_REPOSITORY: 'docker/bake-action',
-  RUNNER_TEMP: path.join(tmpDir, 'runner-temp'),
-  RUNNER_TOOL_CACHE: path.join(tmpDir, 'runner-tool-cache')
-}) as {
-  [key: string]: string;
-};
-
-module.exports = {
-  clearMocks: true,
-  testEnvironment: 'node',
-  moduleFileExtensions: ['js', 'ts'],
-  testMatch: ['**/*.test.ts'],
-  transform: {
-    '^.+\\.ts$': 'ts-jest'
-  },
-  moduleNameMapper: {
-    '^csv-parse/sync': '<rootDir>/node_modules/csv-parse/dist/cjs/sync.cjs'
-  },
-  collectCoverageFrom: ['src/**/{!(main.ts),}.ts'],
-  coveragePathIgnorePatterns: ['lib/', 'node_modules/', '__mocks__/', '__tests__/'],
-  verbose: true
-};
@@ -1,16 +1,14 @@
 {
  "name": "docker-buildx-bake",
  "description": "GitHub Action to use Docker Buildx Bake as a high-level build command",
+  "type": "module",
  "main": "src/main.ts",
  "scripts": {
-    "build": "ncc build --source-map --minify --license licenses.txt",
-    "lint": "yarn run prettier && yarn run eslint",
-    "format": "yarn run prettier:fix && yarn run eslint:fix",
-    "eslint": "eslint --max-warnings=0 .",
-    "eslint:fix": "eslint --fix .",
-    "prettier": "prettier --check \"./**/*.ts\"",
-    "prettier:fix": "prettier --write \"./**/*.ts\"",
-    "test": "jest"
+    "build": "esbuild src/main.ts --bundle --platform=node --target=node24 --format=cjs --outfile=dist/index.cjs --sourcemap --minify && yarn run license",
+    "lint": "eslint --max-warnings=0 .",
+    "format": "eslint --fix .",
+    "test": "vitest run",
+    "license": "generate-license-file --input package.json --output dist/licenses.txt --overwrite --ci --no-spinner --eol lf"
  },
  "repository": {
    "type": "git",
@@ -24,25 +22,27 @@
  ],
  "author": "Docker Inc.",
  "license": "Apache-2.0",
-  "packageManager": "yarn@3.6.3",
+  "packageManager": "yarn@4.15.0",
  "dependencies": {
-    "@actions/core": "^1.10.1",
-    "@docker/actions-toolkit": "^0.37.1",
-    "handlebars": "^4.7.8"
+    "@actions/core": "^3.0.1",
+    "@docker/actions-toolkit": "^0.91.0",
+    "handlebars": "^4.7.9"
  },
  "devDependencies": {
-    "@types/node": "^20.12.12",
-    "@typescript-eslint/eslint-plugin": "^7.9.0",
-    "@typescript-eslint/parser": "^7.9.0",
-    "@vercel/ncc": "^0.38.1",
-    "eslint": "^8.57.0",
-    "eslint-config-prettier": "^9.1.0",
-    "eslint-plugin-jest": "^28.5.0",
-    "eslint-plugin-prettier": "^5.1.3",
-    "jest": "^29.7.0",
-    "prettier": "^3.2.5",
-    "ts-jest": "^29.1.2",
-    "ts-node": "^10.9.2",
-    "typescript": "^5.4.5"
+    "@eslint/js": "^9.39.3",
+    "@types/node": "^24.11.0",
+    "@typescript-eslint/eslint-plugin": "^8.56.1",
+    "@typescript-eslint/parser": "^8.56.1",
+    "@vitest/coverage-v8": "^4.0.18",
+    "@vitest/eslint-plugin": "^1.6.9",
+    "esbuild": "^0.28.0",
+    "eslint": "^9.39.3",
+    "eslint-config-prettier": "^10.1.8",
+    "eslint-plugin-prettier": "^5.5.5",
+    "generate-license-file": "^4.1.1",
+    "globals": "^17.3.0",
+    "prettier": "^3.8.1",
+    "typescript": "^5.9.3",
+    "vitest": "^4.0.18"
  }
 }
@@ -1,20 +1,25 @@
+import * as fs from 'fs';
 import * as core from '@actions/core';
 import * as handlebars from 'handlebars';

-import {Bake} from '@docker/actions-toolkit/lib/buildx/bake';
-import {Build} from '@docker/actions-toolkit/lib/buildx/build';
-import {Context} from '@docker/actions-toolkit/lib/context';
-import {GitHub} from '@docker/actions-toolkit/lib/github';
-import {Toolkit} from '@docker/actions-toolkit/lib/toolkit';
-import {Util} from '@docker/actions-toolkit/lib/util';
+import {Bake} from '@docker/actions-toolkit/lib/buildx/bake.js';
+import {Build} from '@docker/actions-toolkit/lib/buildx/build.js';
+import {GitHub} from '@docker/actions-toolkit/lib/github/github.js';
+import {Toolkit} from '@docker/actions-toolkit/lib/toolkit.js';
+import {Util} from '@docker/actions-toolkit/lib/util.js';

-import {BakeDefinition} from '@docker/actions-toolkit/lib/types/buildx/bake';
+import {BakeDefinition} from '@docker/actions-toolkit/lib/types/buildx/bake.js';
+
+export interface BakeContext {
+  remoteRef?: string;
+  workdir?: string;
+}

 export interface Inputs {
  builder: string;
+  allow: string[];
+  call: string;
  files: string[];
-  workdir: string;
-  targets: string[];
  'no-cache': boolean;
  pull: boolean;
  load: boolean;
@@ -22,16 +27,18 @@ export interface Inputs {
  push: boolean;
  sbom: string;
  set: string[];
-  source: string;
+  source: BakeContext;
+  targets: string[];
+  vars: string[];
  'github-token': string;
 }

 export async function getInputs(): Promise<Inputs> {
  return {
    builder: core.getInput('builder'),
+    allow: Util.getInputList('allow'),
+    call: core.getInput('call'),
    files: Util.getInputList('files'),
-    workdir: core.getInput('workdir') || '.',
-    targets: Util.getInputList('targets'),
    'no-cache': core.getBooleanInput('no-cache'),
    pull: core.getBooleanInput('pull'),
    load: core.getBooleanInput('load'),
@@ -39,33 +46,13 @@ export async function getInputs(): Promise<Inputs> {
    push: core.getBooleanInput('push'),
    sbom: core.getInput('sbom'),
    set: Util.getInputList('set', {ignoreComma: true, quote: false}),
-    source: getSourceInput('source'),
+    source: await getBakeContext(core.getInput('source')),
+    targets: Util.getInputList('targets'),
+    vars: Util.getInputList('vars', {ignoreComma: true, quote: false}),
    'github-token': core.getInput('github-token')
  };
 }

-export function sanitizeInputs(inputs: Inputs) {
-  const res = {};
-  for (const key of Object.keys(inputs)) {
-    if (key === 'github-token') {
-      continue;
-    }
-    const value: string | string[] | boolean = inputs[key];
-    if (typeof value === 'boolean' && value === false) {
-      continue;
-    } else if (Array.isArray(value) && value.length === 0) {
-      continue;
-    } else if (!value) {
-      continue;
-    }
-    if (key === 'workdir' && value === '.') {
-      continue;
-    }
-    res[key] = value;
-  }
-  return res;
-}
-
 export async function getArgs(inputs: Inputs, definition: BakeDefinition, toolkit: Toolkit): Promise<Array<string>> {
  // prettier-ignore
  return [
@@ -77,32 +64,61 @@ export async function getArgs(inputs: Inputs, definition: BakeDefinition, toolki

 async function getBakeArgs(inputs: Inputs, definition: BakeDefinition, toolkit: Toolkit): Promise<Array<string>> {
  const args: Array<string> = ['bake'];
-  if (inputs.source) {
-    args.push(inputs.source);
+  if (inputs.source.remoteRef) {
+    args.push(inputs.source.remoteRef);
  }
-  await Util.asyncForEach(inputs.files, async file => {
+  if (await toolkit.buildx.versionSatisfies('>=0.17.0')) {
+    if (await toolkit.buildx.versionSatisfies('>=0.18.0')) {
+      // allow filesystem entitlements by default
+      inputs.allow.push('fs=*');
+    }
+    await Util.asyncForEach(inputs.allow, async (allow: string) => {
+      args.push('--allow', allow);
+    });
+  }
+  if (inputs.call) {
+    if (!(await toolkit.buildx.versionSatisfies('>=0.16.0'))) {
+      throw new Error(`Buildx >= 0.16.0 is required to use the call input.`);
+    }
+    args.push('--call', inputs.call);
+  }
+  await Util.asyncForEach(inputs.files, async (file: string) => {
    args.push('--file', file);
  });
-  await Util.asyncForEach(inputs.set, async set => {
-    args.push('--set', set);
+  await Util.asyncForEach(inputs.set, async (s: string) => {
+    args.push('--set', s);
  });
+  if (inputs.vars.length > 0) {
+    if (!(await toolkit.buildx.versionSatisfies('>=0.31.0'))) {
+      throw new Error(`Buildx >= 0.31.0 is required to use the vars input.`);
+    }
+    await Util.asyncForEach(inputs.vars, async (v: string) => {
+      args.push('--var', v);
+    });
+  }
  if (await toolkit.buildx.versionSatisfies('>=0.6.0')) {
    args.push('--metadata-file', toolkit.buildxBake.getMetadataFilePath());
  }
  if (await toolkit.buildx.versionSatisfies('>=0.10.0')) {
    if (inputs.provenance) {
      args.push('--provenance', inputs.provenance);
-    } else if ((await toolkit.buildkit.versionSatisfies(inputs.builder, '>=0.11.0')) && !Bake.hasDockerExporter(definition, inputs.load)) {
-      // if provenance not specified and BuildKit version compatible for
+    } else if (!noDefaultAttestations() && (await toolkit.buildkit.versionSatisfies(inputs.builder, '>=0.11.0')) && !Bake.hasDockerExporter(definition, inputs.load)) {
+      // check if provenance attestation is already specified in the bake
+      // definition and if not specified and BuildKit version compatible for
      // attestation, set default provenance. Also needs to make sure user
      // doesn't want to explicitly load the image to docker.
+      for (const targetName in definition.target) {
+        const target = definition.target[targetName];
+        if (!Array.isArray(target.attest) || !target.attest.some(attest => attest?.type === 'provenance')) {
          if (GitHub.context.payload.repository?.private ?? false) {
            // if this is a private repository, we set the default provenance
            // attributes being set in buildx: https://github.com/docker/buildx/blob/fb27e3f919dcbf614d7126b10c2bc2d0b1927eb6/build/build.go#L603
-        args.push('--provenance', Build.resolveProvenanceAttrs(`mode=min,inline-only=true`));
+            args.push('--set', `${targetName}.attest=type=provenance,${Build.resolveProvenanceAttrs(`mode=min,inline-only=true`)}`);
          } else {
            // for a public repository, we set max provenance mode.
-        args.push('--provenance', Build.resolveProvenanceAttrs(`mode=max`));
+            args.push('--set', `${targetName}.attest=type=provenance,${Build.resolveProvenanceAttrs(`mode=max`)}`);
+          }
+        }
      }
    }
    if (inputs.sbom) {
@@ -132,12 +148,32 @@ async function getCommonArgs(inputs: Inputs): Promise<Array<string>> {
  return args;
 }

-function getSourceInput(name: string): string {
-  let source = handlebars.compile(core.getInput(name))({
-    defaultContext: Context.gitContext()
+async function getBakeContext(sourceInput: string): Promise<BakeContext> {
+  const defaultContext = await new Build().gitContext();
+  let bakeContext = handlebars.compile(sourceInput)({
+    defaultContext: defaultContext
  });
-  if (source === '.') {
-    source = '';
+  if (!bakeContext) {
+    bakeContext = defaultContext;
  }
-  return source;
+  if (Util.isValidRef(bakeContext)) {
+    return {
+      remoteRef: bakeContext
+    };
+  }
+  try {
+    fs.statSync(sourceInput).isDirectory();
+  } catch {
+    throw new Error(`Invalid source: ${sourceInput} does not exist or is not a directory.`);
+  }
+  return {
+    workdir: bakeContext
+  };
+}
+
+function noDefaultAttestations(): boolean {
+  if (process.env.BUILDX_NO_DEFAULT_ATTESTATIONS) {
+    return Util.parseBool(process.env.BUILDX_NO_DEFAULT_ATTESTATIONS);
+  }
+  return false;
 }
@@ -3,22 +3,24 @@ import * as path from 'path';
 import * as core from '@actions/core';
 import * as actionsToolkit from '@docker/actions-toolkit';

-import {Buildx} from '@docker/actions-toolkit/lib/buildx/buildx';
-import {History as BuildxHistory} from '@docker/actions-toolkit/lib/buildx/history';
-import {Context} from '@docker/actions-toolkit/lib/context';
-import {Docker} from '@docker/actions-toolkit/lib/docker/docker';
-import {Exec} from '@docker/actions-toolkit/lib/exec';
-import {GitHub} from '@docker/actions-toolkit/lib/github';
-import {Toolkit} from '@docker/actions-toolkit/lib/toolkit';
-import {Util} from '@docker/actions-toolkit/lib/util';
+import {Buildx} from '@docker/actions-toolkit/lib/buildx/buildx.js';
+import {History as BuildxHistory} from '@docker/actions-toolkit/lib/buildx/history.js';
+import {Context} from '@docker/actions-toolkit/lib/context.js';
+import {Docker} from '@docker/actions-toolkit/lib/docker/docker.js';
+import {Exec} from '@docker/actions-toolkit/lib/exec.js';
+import {GitHub} from '@docker/actions-toolkit/lib/github/github.js';
+import {GitHubArtifact} from '@docker/actions-toolkit/lib/github/artifact.js';
+import {GitHubSummary} from '@docker/actions-toolkit/lib/github/summary.js';
+import {Toolkit} from '@docker/actions-toolkit/lib/toolkit.js';
+import {Util} from '@docker/actions-toolkit/lib/util.js';

-import {BakeDefinition} from '@docker/actions-toolkit/lib/types/buildx/bake';
-import {BuilderInfo} from '@docker/actions-toolkit/lib/types/buildx/builder';
-import {ConfigFile} from '@docker/actions-toolkit/lib/types/docker/docker';
-import {UploadArtifactResponse} from '@docker/actions-toolkit/lib/types/github';
+import {BakeDefinition} from '@docker/actions-toolkit/lib/types/buildx/bake.js';
+import {BuilderInfo} from '@docker/actions-toolkit/lib/types/buildx/builder.js';
+import {ConfigFile} from '@docker/actions-toolkit/lib/types/docker/docker.js';
+import {UploadResponse as UploadArtifactResponse} from '@docker/actions-toolkit/lib/types/github/artifact.js';

-import * as context from './context';
-import * as stateHelper from './state-helper';
+import * as context from './context.js';
+import * as stateHelper from './state-helper.js';

 actionsToolkit.run(
  // main
@@ -26,8 +28,8 @@ actionsToolkit.run(
    const startedTime = new Date();

    const inputs: context.Inputs = await context.getInputs();
+    stateHelper.setSummaryInputs(inputs);
    core.debug(`inputs: ${JSON.stringify(inputs)}`);
-    stateHelper.setInputs(inputs);

    const toolkit = new Toolkit();
    const gitAuthToken = process.env.BUILDX_BAKE_GIT_AUTH_TOKEN ?? inputs['github-token'];
@@ -88,6 +90,8 @@ actionsToolkit.run(
    let builder: BuilderInfo;
    await core.group(`Builder info`, async () => {
      builder = await toolkit.builder.inspect(inputs.builder);
+      stateHelper.setBuilderDriver(builder.driver ?? '');
+      stateHelper.setBuilderEndpoint(builder.nodes?.[0]?.endpoint ?? '');
      core.info(JSON.stringify(builder, null, 2));
    });

@@ -95,6 +99,7 @@ actionsToolkit.run(
    await core.group(`Parsing raw definition`, async () => {
      definition = await toolkit.buildxBake.getDefinition(
        {
+          allow: inputs.allow,
          files: inputs.files,
          load: inputs.load,
          noCache: inputs['no-cache'],
@@ -102,12 +107,13 @@ actionsToolkit.run(
          provenance: inputs.provenance,
          push: inputs.push,
          sbom: inputs.sbom,
-          source: inputs.source,
+          source: inputs.source.remoteRef,
          targets: inputs.targets,
+          vars: inputs.vars,
          githubToken: gitAuthToken
        },
        {
-          cwd: inputs.workdir
+          cwd: inputs.source.workdir
        }
      );
    });
@@ -126,21 +132,44 @@ actionsToolkit.run(
    };

    await core.group(`Bake definition`, async () => {
-      await Exec.exec(buildCmd.command, [...buildCmd.args, '--print'], {
-        cwd: inputs.workdir,
-        env: buildEnv
+      await Exec.getExecOutput(buildCmd.command, [...buildCmd.args, '--print'], {
+        cwd: inputs.source.workdir,
+        env: buildEnv,
+        ignoreReturnCode: true
+      }).then(res => {
+        if (res.stderr.length > 0 && res.exitCode != 0) {
+          throw Error(res.stderr);
+        }
      });
    });

    let err: Error | undefined;
    await Exec.getExecOutput(buildCmd.command, buildCmd.args, {
-      cwd: inputs.workdir,
+      cwd: inputs.source.workdir,
      env: buildEnv,
      ignoreReturnCode: true
    }).then(res => {
-      if (res.stderr.length > 0 && res.exitCode != 0) {
+      if (res.exitCode != 0) {
+        if (inputs.call && inputs.call === 'check' && res.stdout.length > 0) {
+          // checks warnings are printed to stdout: https://github.com/docker/buildx/pull/2647
+          // with bake we can have multiple targets being checked so we need to
+          // count the total number of warnings
+          const totalWarnings = [...res.stdout.matchAll(/^Check complete, (\d+) warnings? (?:has|have) been found!/gm)].reduce((sum, m) => sum + parseInt(m[1], 10), 0);
+          if (totalWarnings > 0) {
+            // https://github.com/docker/buildx/blob/1e50e8ddabe108f009b9925e13a321d7c8f99f26/commands/build.go#L797-L803
+            if (totalWarnings === 1) {
+              err = Error(`Check complete, ${totalWarnings} warning has been found!`);
+            } else {
+              err = Error(`Check complete, ${totalWarnings} warnings have been found!`);
+            }
+          } else {
+            // if there are no warnings found, return the first line of stdout
+            err = Error(res.stdout.split('\n')[0]?.trim());
+          }
+        } else if (res.stderr.length > 0) {
          err = Error(`buildx bake failed with: ${res.stderr.match(/(.*)\s*$/)?.[0]?.trim() ?? 'unknown error'}`);
        }
+      }
    });

    const metadata = toolkit.buildxBake.resolveMetadata();
@@ -183,12 +212,12 @@ actionsToolkit.run(
    await core.group(`Check build summary support`, async () => {
      if (!buildSummaryEnabled()) {
        core.info('Build summary disabled');
+      } else if (inputs.call && inputs.call !== 'build') {
+        core.info(`Build summary skipped for ${inputs.call} subrequest`);
      } else if (GitHub.isGHES) {
        core.info('Build summary is not yet supported on GHES');
-      } else if (!(await toolkit.buildx.versionSatisfies('>=0.13.0'))) {
-        core.info('Build summary requires Buildx >= 0.13.0');
-      } else if (builder && builder.driver === 'cloud') {
-        core.info('Build summary is not yet supported with Docker Build Cloud');
+      } else if (!(await toolkit.buildx.versionSatisfies('>=0.23.0'))) {
+        core.info('Build summary requires Buildx >= 0.23.0');
      } else if (refs.length == 0) {
        core.info('Build summary requires at least one build reference');
      } else {
@@ -220,18 +249,19 @@ actionsToolkit.run(

          let uploadRes: UploadArtifactResponse | undefined;
          if (recordUploadEnabled) {
-            uploadRes = await GitHub.uploadArtifact({
+            uploadRes = await GitHubArtifact.upload({
              filename: exportRes.dockerbuildFilename,
-              mimeType: 'application/gzip',
              retentionDays: recordRetentionDays
            });
          }

-          await GitHub.writeBuildSummary({
+          await GitHubSummary.writeBuildSummary({
            exportRes: exportRes,
            uploadRes: uploadRes,
-            inputs: stateHelper.inputs,
-            bakeDefinition: stateHelper.bakeDefinition
+            inputs: stateHelper.summaryInputs,
+            bakeDefinition: stateHelper.bakeDefinition,
+            driver: stateHelper.builderDriver,
+            endpoint: stateHelper.builderEndpoint
          });
        } catch (e) {
          core.warning(e.message);
@@ -279,10 +309,7 @@ function buildChecksAnnotationsEnabled(): boolean {
 }

 function buildSummaryEnabled(): boolean {
-  if (process.env.DOCKER_BUILD_NO_SUMMARY) {
-    core.warning('DOCKER_BUILD_NO_SUMMARY is deprecated. Set DOCKER_BUILD_SUMMARY to false instead.');
-    return !Util.parseBool(process.env.DOCKER_BUILD_NO_SUMMARY);
-  } else if (process.env.DOCKER_BUILD_SUMMARY) {
+  if (process.env.DOCKER_BUILD_SUMMARY) {
    return Util.parseBool(process.env.DOCKER_BUILD_SUMMARY);
  }
  return true;
@@ -296,13 +323,7 @@ function buildRecordUploadEnabled(): boolean {
 }

 function buildRecordRetentionDays(): number | undefined {
-  let val: string | undefined;
-  if (process.env.DOCKER_BUILD_EXPORT_RETENTION_DAYS) {
-    core.warning('DOCKER_BUILD_EXPORT_RETENTION_DAYS is deprecated. Use DOCKER_BUILD_RECORD_RETENTION_DAYS instead.');
-    val = process.env.DOCKER_BUILD_EXPORT_RETENTION_DAYS;
-  } else if (process.env.DOCKER_BUILD_RECORD_RETENTION_DAYS) {
-    val = process.env.DOCKER_BUILD_RECORD_RETENTION_DAYS;
-  }
+  const val = process.env.DOCKER_BUILD_RECORD_RETENTION_DAYS;
  if (val) {
    const res = parseInt(val);
    if (isNaN(res)) {
@@ -1,12 +1,16 @@
 import * as core from '@actions/core';

-import {BakeDefinition} from '@docker/actions-toolkit/lib/types/buildx/bake';
+import {BakeDefinition} from '@docker/actions-toolkit/lib/types/buildx/bake.js';

-import {Inputs, sanitizeInputs} from './context';
+import {Inputs} from './context.js';

 export const tmpDir = process.env['STATE_tmpDir'] || '';
-export const inputs = process.env['STATE_inputs'] ? JSON.parse(process.env['STATE_inputs']) : undefined;
+
+export const builderDriver = process.env['STATE_builderDriver'] || '';
+export const builderEndpoint = process.env['STATE_builderEndpoint'] || '';
+export const summaryInputs = process.env['STATE_summaryInputs'] ? JSON.parse(process.env['STATE_summaryInputs']) : undefined;
 export const bakeDefinition = process.env['STATE_bakeDefinition'] ? <BakeDefinition>JSON.parse(process.env['STATE_bakeDefinition']) : undefined;
+
 export const buildRefs = process.env['STATE_buildRefs'] ? process.env['STATE_buildRefs'].split(',') : [];
 export const isSummarySupported = !!process.env['STATE_isSummarySupported'];

@@ -14,8 +18,12 @@ export function setTmpDir(tmpDir: string) {
  core.saveState('tmpDir', tmpDir);
 }

-export function setInputs(inputs: Inputs) {
-  core.saveState('inputs', JSON.stringify(sanitizeInputs(inputs)));
+export function setBuilderDriver(builderDriver: string) {
+  core.saveState('builderDriver', builderDriver);
+}
+
+export function setBuilderEndpoint(builderEndpoint: string) {
+  core.saveState('builderEndpoint', builderEndpoint);
 }

 export function setBakeDefinition(bakeDefinition: BakeDefinition) {
@@ -29,3 +37,25 @@ export function setBuildRefs(buildRefs: Array<string>) {
 export function setSummarySupported() {
  core.saveState('isSummarySupported', 'true');
 }
+
+export function setSummaryInputs(inputs: Inputs) {
+  const res = {};
+  if (inputs.source.remoteRef || inputs.source.workdir) {
+    res['source'] = inputs.source.remoteRef || inputs.source.workdir;
+  }
+  for (const key of Object.keys(inputs)) {
+    if (key === 'source' || key === 'github-token') {
+      continue;
+    }
+    const value: string | string[] | boolean = inputs[key];
+    if (typeof value === 'boolean' && !value) {
+      continue;
+    } else if (Array.isArray(value) && value.length === 0) {
+      continue;
+    } else if (!value) {
+      continue;
+    }
+    res[key] = value;
+  }
+  core.saveState('summaryInputs', JSON.stringify(res));
+}
@@ -1,84 +0,0 @@
-## About
-
-This subaction generates a list of Bake targets that can be used in a [GitHub matrix](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstrategymatrix),
-so you can distribute your builds across multiple runners.
-
-![Screenshot](../../.github/bake-action.png)
-
-___
-
-* [Usage](#usage)
-* [Customizing](#customizing)
-  * [inputs](#inputs)
-  * [outputs](#outputs)
-
-## Usage
-
-```hcl
-# docker-bake.hcl
-group "validate" {
-  targets = ["lint", "doctoc"]
-}
-
-target "lint" {
-  target = "lint"
-}
-
-target "doctoc" {
-  target = "doctoc"
-}
-```
-
-```yaml
-jobs:
-  prepare:
-    runs-on: ubuntu-latest
-    outputs:
-      targets: ${{ steps.generate.outputs.targets }}
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v4
-      -
-        name: List targets
-        id: generate
-        uses: docker/bake-action/subaction/list-targets@v4
-        with:
-          target: validate
-
-  validate:
-    runs-on: ubuntu-latest
-    needs:
-      - prepare
-    strategy:
-      fail-fast: false
-      matrix:
-        target: ${{ fromJson(needs.prepare.outputs.targets) }}
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v4
-      -
-        name: Validate
-        uses: docker/bake-action@v5
-        with:
-          targets: ${{ matrix.target }}
-```
-
-## Customizing
-
-### inputs
-
-| Name         | Type        | Description                                                                                                                                 |
-|--------------|-------------|---------------------------------------------------------------------------------------------------------------------------------------------|
-| `workdir`    | String      | Working directory to use (defaults to `.`)                                                                                                  |
-| `files`      | List/CSV    | List of [bake definition files](https://docs.docker.com/build/customize/bake/file-definition/)                                              |
-| `target`     | String      | The target to use within the bake file                                                                                                      |
-
-### outputs
-
-The following outputs are available
-
-| Name       | Type     | Description                |
-|------------|----------|----------------------------|
-| `targets`  | List/CSV | List of extracted targest  |
@@ -1,61 +0,0 @@
-# https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions
-name: 'List Bake targets'
-description: 'Generate a list of Bake targets to help distributing builds in your workflow'
-
-inputs:
-  workdir:
-    description: Working directory
-    default: '.'
-    required: false
-  files:
-    description: Comma separated list of Bake files
-    required: false
-  target:
-    description: Bake target
-    required: false
-
-outputs:
-  targets:
-    description: List of targets
-    value: ${{ steps.generate.outputs.targets }}
-
-runs:
-  using: composite
-  steps:
-    -
-      name: Generate
-      id: generate
-      uses: actions/github-script@v7
-      with:
-        script: |
-          let def;
-          const files = `${{ inputs.files }}` ? `${{ inputs.files }}`.split(',') : [];
-          const target = `${{ inputs.target }}`;
-
-          await core.group(`Validating definition`, async () => {
-            let args = ['buildx', 'bake'];
-            for (const file of files) {
-              args.push('--file', file);
-            }
-            if (target) {
-              args.push(target);
-            }
-            args.push('--print');
-
-            const res = await exec.getExecOutput('docker', args, {
-              ignoreReturnCode: true,
-              silent: true,
-              cwd: `${{ inputs.workdir }}`
-            });
-            if (res.stderr.length > 0 && res.exitCode != 0) {
-              throw new Error(res.stderr);
-            }
-            def = JSON.parse(res.stdout.trim());
-            core.info(JSON.stringify(def, null, 2));
-          });
-
-          await core.group(`Set output`, async () => {
-            const targets = Object.keys(def.target);
-            core.info(`targets: ${JSON.stringify(targets)}`);
-            core.setOutput('targets', JSON.stringify(targets));
-          });
@@ -0,0 +1,140 @@
+## About
+
+This subaction generates a multi-dimension matrix that can be used in a [GitHub matrix](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstrategymatrix)
+through the [`include` property](https://docs.github.com/en/actions/how-tos/writing-workflows/choosing-what-your-workflow-does/running-variations-of-jobs-in-a-workflow#expanding-or-adding-matrix-configurations)
+so you can distribute your builds across multiple runners.
+
+![Screenshot](../../.github/subaction-matrix.png)
+
+___
+
+* [Usage](#usage)
+* [Customizing](#customizing)
+  * [inputs](#inputs)
+  * [outputs](#outputs)
+
+## Usage
+
+### List targets
+
+```hcl
+# docker-bake.hcl
+group "validate" {
+  targets = ["lint", "doctoc"]
+}
+
+target "lint" {
+  target = "lint"
+}
+
+target "doctoc" {
+  target = "doctoc"
+}
+```
+
+```yaml
+jobs:
+  prepare:
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.generate.outputs.matrix }}
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v6
+      -
+        name: Generate matrix
+        id: generate
+        uses: docker/bake-action/subaction/matrix@v7
+        with:
+          target: validate
+
+  validate:
+    runs-on: ubuntu-latest
+    needs:
+      - prepare
+    strategy:
+      fail-fast: false
+      matrix:
+        include: ${{ fromJson(needs.prepare.outputs.matrix) }}
+    steps:
+      -
+        name: Validate
+        uses: docker/bake-action@v7
+        with:
+          targets: ${{ matrix.target }}
+```
+
+### Platforms split
+
+```hcl
+# docker-bake.hcl
+target "lint" {
+  dockerfile = "./hack/dockerfiles/lint.Dockerfile"
+  output = ["type=cacheonly"]
+  platforms = [
+    "darwin/amd64",
+    "darwin/arm64",
+    "linux/amd64",
+    "linux/arm64",
+    "linux/s390x",
+    "linux/ppc64le",
+    "linux/riscv64",
+    "windows/amd64",
+    "windows/arm64"
+  ]
+}
+```
+
+```yaml
+jobs:
+  prepare:
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.generate.outputs.matrix }}
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v6
+      -
+        name: Generate matrix
+        id: generate
+        uses: docker/bake-action/subaction/matrix@v7
+        with:
+          target: lint
+          fields: platforms
+
+  lint:
+    runs-on: ${{ startsWith(matrix.platforms, 'linux/arm') && 'ubuntu-24.04-arm' || 'ubuntu-latest' }}
+    needs:
+      - prepare
+    strategy:
+      fail-fast: false
+      matrix:
+        include: ${{ fromJson(needs.prepare.outputs.matrix) }}
+    steps:
+      -
+        name: Lint
+        uses: docker/bake-action@v7
+        with:
+          targets: ${{ matrix.target }}
+          set: |
+            *.platform=${{ matrix.platforms }}
+```
+
+## Customizing
+
+### inputs
+
+| Name      | Type     | Description                                                                                    |
+|-----------|----------|------------------------------------------------------------------------------------------------|
+| `workdir` | String   | Working directory to use (defaults to `.`)                                                     |
+| `files`   | List/CSV | List of [bake definition files](https://docs.docker.com/build/customize/bake/file-definition/) |
+| `target`  | String   | The target to use within the bake file                                                         |
+| `fields`  | String   | List of extra fields to include in the matrix                                                  |
+
+### outputs
+
+| Name     | Type | Description          |
+|----------|------|----------------------|
+| `matrix` | JSON | Matrix configuration |
@@ -0,0 +1,101 @@
+# https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions
+name: 'Matrix'
+description: 'Generate a matrix from a Bake definition to help distributing builds in your workflow'
+
+inputs:
+  workdir:
+    description: Working directory
+    default: '.'
+    required: false
+  files:
+    description: List of Bake files
+    required: false
+  target:
+    description: Bake target
+    required: false
+  fields:
+    description: List of extra fields to include in the matrix
+    required: false
+
+outputs:
+  matrix:
+    description: Matrix configuration
+    value: ${{ steps.generate.outputs.includes }}
+
+runs:
+  using: composite
+  steps:
+    -
+      name: Generate
+      id: generate
+      uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+      env:
+        INPUT_WORKDIR: ${{ inputs.workdir }}
+        INPUT_FILES: ${{ inputs.files }}
+        INPUT_TARGET: ${{ inputs.target }}
+        INPUT_FIELDS: ${{ inputs.fields }}
+      with:
+        script: |
+          function getInputList(name) {
+            return core.getInput(name) ? core.getInput(name).split(/[\r?\n,]+/).filter(x => x !== '') : [];
+          }
+
+          const workdir = core.getInput('workdir');
+          const files = getInputList('files');
+          const target = core.getInput('target');
+          const fields = getInputList('fields');
+
+          let def = {};
+          await core.group(`Parsing definition`, async () => {
+            let args = ['buildx', 'bake'];
+            for (const file of files) {
+              args.push('--file', file);
+            }
+            if (target) {
+              args.push(target);
+            }
+            args.push('--print');
+            const res = await exec.getExecOutput('docker', args, {
+              ignoreReturnCode: true,
+              silent: true,
+              cwd: workdir
+            });
+            if (res.stderr.length > 0 && res.exitCode != 0) {
+              throw new Error(res.stderr);
+            }
+            def = JSON.parse(res.stdout.trim());
+            core.info(JSON.stringify(def, null, 2));
+          });
+
+          await core.group(`Generating matrix`, async () => {
+            const result = [];
+            for (const targetName of Object.keys(def.target)) {
+              const target = def.target[targetName];
+              const entry = { target: targetName };
+              if (fields.length === 0) {
+                result.push({ ...entry });
+                continue;
+              }
+              let fieldFound = false;
+              Object.keys(target).forEach(field => {
+                if (fields.includes(field)) {
+                  fieldFound = true;
+                  const value = target[field];
+                  if (Array.isArray(value)) {
+                    value.forEach((v) => {
+                      entry[field] = v;
+                      result.push({ ...entry });
+                    });
+                  } else {
+                    entry[field] = value;
+                    result.push({ ...entry });
+                  }
+                }
+              });
+              if (!fieldFound) {
+                result.push({ ...entry });
+              }
+            }
+            core.info(JSON.stringify(result, null, 2));
+            core.setOutput('includes', JSON.stringify(result));
+          });
@@ -0,0 +1,10 @@
+# syntax=docker/dockerfile:1
+
+FROM busybox AS t1
+RUN echo "Hello t1"
+
+FROM busybox AS t2
+RUN echo "Hello t2"
+
+FROM busybox AS t3
+RUN echo "Hello t3"
@@ -0,0 +1,17 @@
+group "default" {
+  targets = ["t1", "t2", "t3"]
+}
+
+target "t1" {
+  target = "t1"
+}
+
+target "t2" {
+  target = "t2"
+  attest = ["type=provenance,mode=min"]
+}
+
+target "t3" {
+  target = "t3"
+  attest = ["type=sbom"]
+}
@@ -6,21 +6,26 @@ group "release" {
  targets = ["db", "app-plus"]
 }

+# Special target: https://github.com/docker/metadata-action#bake-definition
+target "docker-metadata-action" {
+  tags = [
+    "localhost:5000/name/app:latest",
+    "localhost:5000/name/app:1.0.0"
+  ]
+}
+
 target "db" {
  context = "./test"
  tags = ["docker.io/tonistiigi/db"]
 }

 target "app" {
+  inherits = ["docker-metadata-action"]
  context = "./test"
  dockerfile = "Dockerfile"
  args = {
    name = "foo"
  }
-  tags = [
-    "localhost:5000/name/app:latest",
-    "localhost:5000/name/app:1.0.0"
-  ]
 }

 target "cross" {
@@ -42,3 +47,8 @@ target "app-proxy" {
  inherits = ["app"]
  dockerfile = "proxy.Dockerfile"
 }
+
+target "app-entitlements" {
+  inherits = ["app"]
+  entitlements = ["network.host"]
+}
@@ -0,0 +1,36 @@
+group "validate" {
+  targets = ["lint", "lint-gopls", "validate-vendor", "validate-docs"]
+}
+
+target "lint" {
+  dockerfile = "./hack/dockerfiles/lint.Dockerfile"
+  output = ["type=cacheonly"]
+  platforms = [
+    "darwin/amd64",
+    "darwin/arm64",
+    "linux/amd64",
+    "linux/arm64",
+    "linux/s390x",
+    "linux/ppc64le",
+    "linux/riscv64",
+    "windows/amd64",
+    "windows/arm64"
+  ]
+}
+
+target "lint-gopls" {
+  inherits = ["lint"]
+  target = "gopls-analyze"
+}
+
+target "validate-vendor" {
+  dockerfile = "./hack/dockerfiles/vendor.Dockerfile"
+  target = "validate"
+  output = ["type=cacheonly"]
+}
+
+target "validate-docs" {
+  dockerfile = "./hack/dockerfiles/docs.Dockerfile"
+  target = "validate"
+  output = ["type=cacheonly"]
+}
@@ -0,0 +1,15 @@
+group "default" {
+  targets = ["t3"]
+}
+
+target "t3" {
+  name = "${item.tag}"
+  matrix = {
+    item = t3
+  }
+  args = {
+    VERSION = "${item.version}"
+    DUMMY_ARG = "${item.arg}"
+  }
+  tags = ["${item.tag}"]
+}
@@ -0,0 +1,14 @@
+{
+  "t3": [
+    {
+      "version": "v1",
+      "arg": "v1-value",
+      "tag": "v1-tag"
+    },
+    {
+      "version": "v2",
+      "arg": "v2-value",
+      "tag": "v2-tag"
+    }
+  ]
+}
@@ -1,9 +1,8 @@
 {
  "compilerOptions": {
+    "module": "nodenext",
+    "moduleResolution": "nodenext",
    "esModuleInterop": true,
-    "target": "es6",
-    "module": "commonjs",
-    "strict": true,
    "newLine": "lf",
    "outDir": "./lib",
    "rootDir": "./src",
@@ -12,11 +11,7 @@
    "resolveJsonModule": true,
    "useUnknownInCatchVariables": false,
  },
-  "exclude": [
-    "./__mocks__/**/*",
-    "./__tests__/**/*",
-    "./lib/**/*",
-    "node_modules",
-    "jest.config.ts"
+  "include": [
+    "src/**/*.ts"
  ]
 }
@@ -0,0 +1,16 @@
+import {defineConfig} from 'vitest/config';
+
+export default defineConfig({
+  test: {
+    clearMocks: true,
+    environment: 'node',
+    setupFiles: ['./__tests__/setup.unit.ts'],
+    include: ['**/*.test.ts'],
+    coverage: {
+      provider: 'v8',
+      reporter: ['clover'],
+      include: ['src/**/*.ts'],
+      exclude: ['src/**/main.ts']
+    }
+  }
+});