Merge pull request #284 from crazy-max/fix-git-auth-token

set GIT_AUTH_TOKEN secret if Git context used
chore: update generated content
2026-06-05 01:38:39 +02:00 · 2025-01-14 13:52:00 +01:00 · 2025-01-10 11:33:07 +01:00 · 2025-01-10 11:33:06 +01:00 · 2025-01-10 10:24:17 +01:00 · 2025-01-10 10:19:39 +01:00
12 changed files with 60 additions and 39 deletions
@@ -729,6 +729,7 @@ jobs:
        name: Build
        uses: ./
        with:
+          source: .
          files: |
            ./test/config.hcl
          allow: network.host
@@ -21,12 +21,9 @@ jobs:
  test:
    runs-on: ubuntu-latest
    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v4
      -
        name: Test
-        uses: docker/bake-action@v5
+        uses: docker/bake-action@v6
        with:
          targets: test
      -
@@ -36,11 +36,8 @@ jobs:
      matrix:
        target: ${{ fromJson(needs.prepare.outputs.targets) }}
    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v4
      -
        name: Validate
-        uses: docker/bake-action@v5
+        uses: docker/bake-action@v6
        with:
          targets: ${{ matrix.target }}
@@ -59,7 +59,7 @@ jobs:
        uses: docker/setup-buildx-action@v3
      -
        name: Build and push
-        uses: docker/bake-action@v5
+        uses: docker/bake-action@v6
        with:
          push: true
          set: |
@@ -80,7 +80,7 @@ to the default Git context:
 ```yaml
      -
        name: Build and push
-        uses: docker/bake-action@v5
+        uses: docker/bake-action@v6
        with:
          source: "{{defaultContext}}:mysubdir"
          push: true
@@ -100,7 +100,7 @@ another private repository for remote definitions, you can set the
 ```yaml
      -
        name: Build and push
-        uses: docker/bake-action@v5
+        uses: docker/bake-action@v6
        with:
          push: true
          set: |
@@ -135,7 +135,7 @@ jobs:
        uses: docker/setup-buildx-action@v3
      -
        name: Build and push
-        uses: docker/bake-action@v5
+        uses: docker/bake-action@v6
        with:
          source: .
          push: true
@@ -1,3 +1,9 @@
+target "_common" {
+  args = {
+    BUILDKIT_CONTEXT_KEEP_GIT_DIR = 1
+  }
+}
+
 group "default" {
  targets = ["build"]
 }
@@ -11,42 +17,49 @@ group "validate" {
 }

 target "build" {
+  inherits = ["_common"]
  dockerfile = "dev.Dockerfile"
  target = "build-update"
  output = ["."]
 }

 target "build-validate" {
+  inherits = ["_common"]
  dockerfile = "dev.Dockerfile"
  target = "build-validate"
  output = ["type=cacheonly"]
 }

 target "format" {
+  inherits = ["_common"]
  dockerfile = "dev.Dockerfile"
  target = "format-update"
  output = ["."]
 }

 target "lint" {
+  inherits = ["_common"]
  dockerfile = "dev.Dockerfile"
  target = "lint"
  output = ["type=cacheonly"]
 }

 target "vendor" {
+  inherits = ["_common"]
  dockerfile = "dev.Dockerfile"
  target = "vendor-update"
  output = ["."]
 }

 target "vendor-validate" {
+  inherits = ["_common"]
  dockerfile = "dev.Dockerfile"
  target = "vendor-validate"
  output = ["type=cacheonly"]
 }

 target "test" {
+  inherits = ["_common"]
  dockerfile = "dev.Dockerfile"
  target = "test-coverage"
  output = ["./coverage"]
@@ -27,7 +27,7 @@
  "packageManager": "yarn@3.6.3",
  "dependencies": {
    "@actions/core": "^1.11.1",
-    "@docker/actions-toolkit": "^0.49.0",
+    "@docker/actions-toolkit": "^0.50.0",
    "handlebars": "^4.7.8"
  },
  "devDependencies": {
@@ -68,6 +68,10 @@ export function sanitizeInputs(inputs: Inputs) {
  return res;
 }

+export function getGitAuthToken(inputs: Inputs): string {
+  return process.env.BUILDX_BAKE_GIT_AUTH_TOKEN ?? inputs['github-token'];
+}
+
 export async function getArgs(inputs: Inputs, definition: BakeDefinition, toolkit: Toolkit): Promise<Array<string>> {
  // prettier-ignore
  return [
@@ -97,6 +101,15 @@ async function getBakeArgs(inputs: Inputs, definition: BakeDefinition, toolkit:
  await Util.asyncForEach(inputs.set, async set => {
    args.push('--set', set);
  });
+  if (await toolkit.buildx.versionSatisfies('<0.20.0')) {
+    // For buildx versions < 0.20.0, we need to set GIT_AUTH_TOKEN secret as it
+    // doesn't infer BUILDX_BAKE_GIT_AUTH_TOKEN environment variable for build
+    // request: https://github.com/docker/buildx/pull/2905
+    const gitAuthToken = getGitAuthToken(inputs);
+    if (gitAuthToken && !Bake.hasGitAuthTokenSecret(definition) && inputs.source.startsWith(Context.gitContext())) {
+      args.push('--set', `*.secrets=${Build.resolveSecretString(`GIT_AUTH_TOKEN=${gitAuthToken}`)}`);
+    }
+  }
  if (await toolkit.buildx.versionSatisfies('>=0.6.0')) {
    args.push('--metadata-file', toolkit.buildxBake.getMetadataFilePath());
  }
@@ -30,7 +30,7 @@ actionsToolkit.run(
    stateHelper.setInputs(inputs);

    const toolkit = new Toolkit();
-    const gitAuthToken = process.env.BUILDX_BAKE_GIT_AUTH_TOKEN ?? inputs['github-token'];
+    const gitAuthToken = context.getGitAuthToken(inputs);

    await core.group(`GitHub Actions runtime token ACs`, async () => {
      try {
@@ -42,7 +42,7 @@ jobs:
      -
        name: List targets
        id: generate
-        uses: docker/bake-action/subaction/list-targets@v4
+        uses: docker/bake-action/subaction/list-targets@v6
        with:
          target: validate

@@ -60,7 +60,7 @@ jobs:
        uses: actions/checkout@v4
      -
        name: Validate
-        uses: docker/bake-action@v5
+        uses: docker/bake-action@v6
        with:
          targets: ${{ matrix.target }}
 ```
@@ -12,9 +12,9 @@ __metadata:
  languageName: node
  linkType: hard

-"@actions/artifact@npm:^2.1.11":
-  version: 2.1.11
-  resolution: "@actions/artifact@npm:2.1.11"
+"@actions/artifact@npm:^2.2.1":
+  version: 2.2.1
+  resolution: "@actions/artifact@npm:2.2.1"
  dependencies:
    "@actions/core": ^1.10.0
    "@actions/github": ^5.1.1
@@ -29,7 +29,7 @@ __metadata:
    jwt-decode: ^3.1.2
    twirp-ts: ^2.5.0
    unzip-stream: ^0.3.1
-  checksum: dbdafaad11cc573768a00f6b8a7f5109f587eb9461564ae8f15ea8fd1d6a719041df45a92ec204a43a8a1e7ce2c21d8e4229543579b89a3ca8ea30dedddf2fc9
+  checksum: 6ce4e62d941f17743c845637cdd832ca34c77efe0c31cf7f6ab3ad0531e54e62d4379198e8af5e84463b5f5ae0bc0ea11d41cc77c5fae7e511c7ef01742892ea
  languageName: node
  linkType: hard

@@ -1066,11 +1066,11 @@ __metadata:
  languageName: node
  linkType: hard

-"@docker/actions-toolkit@npm:^0.49.0":
-  version: 0.49.0
-  resolution: "@docker/actions-toolkit@npm:0.49.0"
+"@docker/actions-toolkit@npm:^0.50.0":
+  version: 0.50.0
+  resolution: "@docker/actions-toolkit@npm:0.50.0"
  dependencies:
-    "@actions/artifact": ^2.1.11
+    "@actions/artifact": ^2.2.1
    "@actions/cache": ^3.3.0
    "@actions/core": ^1.11.1
    "@actions/exec": ^1.1.1
@@ -1091,7 +1091,7 @@ __metadata:
    semver: ^7.6.3
    tar-stream: ^3.1.7
    tmp: ^0.2.3
-  checksum: 5e945601180002f129f095bba2d7d938b5ca69e87631d5e96a0d3b2254a8b034ab4bafbf7582ea82995e39610ad00fd68b34ab5875b9b314690328f714ad79d0
+  checksum: dc1b0323f142f96cbac47be327ebdbc9038a8835f32f174e24c3d8113df03ca6fb034be6ffadeab1e1d234ccd6931e09915c96a8732065e35a576e459d3471ff
  languageName: node
  linkType: hard

@@ -3159,7 +3159,7 @@ __metadata:
  resolution: "docker-buildx-bake@workspace:."
  dependencies:
    "@actions/core": ^1.11.1
-    "@docker/actions-toolkit": ^0.49.0
+    "@docker/actions-toolkit": ^0.50.0
    "@types/node": ^20.12.12
    "@typescript-eslint/eslint-plugin": ^7.9.0
    "@typescript-eslint/parser": ^7.9.0
Author	SHA1	Message	Date
CrazyMax	5a1b7c9786	Merge pull request #284 from crazy-max/fix-git-auth-token set GIT_AUTH_TOKEN secret if Git context used	2025-01-14 13:52:00 +01:00
CrazyMax	a23a0ceb07	chore: update generated content Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>	2025-01-10 11:33:07 +01:00
CrazyMax	932b78563b	set GIT_AUTH_TOKEN secret if Git context used Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>	2025-01-10 11:33:06 +01:00
CrazyMax	ded8f8f101	Merge pull request #283 from docker/dependabot/npm_and_yarn/docker/actions-toolkit-0.50.0 chore(deps): Bump @docker/actions-toolkit from 0.49.0 to 0.50.0	2025-01-10 10:24:17 +01:00
CrazyMax	d0cc8f345a	chore: update generated content Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>	2025-01-10 10:19:39 +01:00
dependabot[bot]	8afe15ffcc	chore(deps): Bump @docker/actions-toolkit from 0.49.0 to 0.50.0 Bumps [@docker/actions-toolkit](https://github.com/docker/actions-toolkit) from 0.49.0 to 0.50.0. - [Release notes](https://github.com/docker/actions-toolkit/releases) - [Commits](https://github.com/docker/actions-toolkit/compare/v0.49.0...v0.50.0) --- updated-dependencies: - dependency-name: "@docker/actions-toolkit" dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2025-01-10 08:49:34 +00:00
CrazyMax	77f4fc97b7	Merge pull request #282 from crazy-max/update-git-keep-dir chore: put context keep dir within the bake definition	2025-01-08 13:49:57 +01:00
CrazyMax	bf35764d1d	chore: put context keep dir within the bake definition Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>	2025-01-08 13:47:36 +01:00
CrazyMax	309da7d154	Merge pull request #281 from crazy-max/bump-major bump actions to latest major	2025-01-08 11:13:45 +01:00
CrazyMax	23cff4f49a	bump actions to latest major Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>	2025-01-08 11:10:40 +01:00