Merge pull request #417 from docker/dependabot/npm_and_yarn/vite-7.3.2

chore(deps): Bump vite from 7.3.1 to 7.3.2

.eslintignore

@@ -1,3 +0,0 @@
-/dist/**
-/coverage/**
-/node_modules/**

.eslintrc.json

@@ -1,24 +0,0 @@
-{
-  "env": {
-    "node": true,
-    "es6": true,
-    "jest": true
-  },
-  "extends": [
-    "eslint:recommended",
-    "plugin:@typescript-eslint/eslint-recommended",
-    "plugin:@typescript-eslint/recommended",
-    "plugin:jest/recommended",
-    "plugin:prettier/recommended"
-  ],
-  "parser": "@typescript-eslint/parser",
-  "parserOptions": {
-    "ecmaVersion": "latest",
-    "sourceType": "module"
-  },
-  "plugins": [
-    "@typescript-eslint",
-    "jest",
-    "prettier"
-  ]
-}

.github/dependabot.yml

@@ -4,6 +4,12 @@ updates:
     directory: "/"
     schedule:
       interval: "daily"
+    cooldown:
+      default-days: 2
+    groups:
+      crazy-max-dot-github:
+        patterns:
+          - "crazy-max/.github/*"
     labels:
       - "dependencies"
       - "bot"
@@ -11,6 +17,8 @@ updates:
     directory: "/"
     schedule:
       interval: "daily"
+    cooldown:
+      default-days: 2
     versioning-strategy: "increase"
     allow:
       - dependency-type: "production"

.github/workflows/ci-subaction.yml

@@ -1,5 +1,8 @@
 name: ci-subaction
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
@@ -25,75 +28,62 @@ on:
       - 'test/**'
 
 jobs:
-  list-targets-group:
+  matrix:
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          -
+            testdir: group
+            expected: >
+              [{"target":"t1"},{"target":"t2"}]
+          -
+            testdir: group-matrix
+            target: validate
+            expected: >
+              [{"target":"lint-default"},{"target":"lint-labs"},{"target":"lint-nydus"},{"target":"lint-proto"},{"target":"lint-yaml"},{"target":"validate-doctoc"},{"target":"validate-vendor"}]
+          -
+            testdir: group-with-platform
+            target: validate
+            expected: >
+              [{"target":"lint"},{"target":"lint-gopls"},{"target":"validate-docs"},{"target":"validate-vendor"}]
+          -
+            testdir: group-with-platform
+            target: validate
+            fields: platforms
+            expected: >
+              [{"target":"lint","platforms":"darwin/amd64"},{"target":"lint","platforms":"darwin/arm64"},{"target":"lint","platforms":"linux/amd64"},{"target":"lint","platforms":"linux/arm64"},{"target":"lint","platforms":"linux/s390x"},{"target":"lint","platforms":"linux/ppc64le"},{"target":"lint","platforms":"linux/riscv64"},{"target":"lint","platforms":"windows/amd64"},{"target":"lint","platforms":"windows/arm64"},{"target":"lint-gopls","platforms":"darwin/amd64"},{"target":"lint-gopls","platforms":"darwin/arm64"},{"target":"lint-gopls","platforms":"linux/amd64"},{"target":"lint-gopls","platforms":"linux/arm64"},{"target":"lint-gopls","platforms":"linux/s390x"},{"target":"lint-gopls","platforms":"linux/ppc64le"},{"target":"lint-gopls","platforms":"linux/riscv64"},{"target":"lint-gopls","platforms":"windows/amd64"},{"target":"lint-gopls","platforms":"windows/arm64"},{"target":"validate-docs"},{"target":"validate-vendor"}]
+          -
+            testdir: group-with-platform
+            target: validate
+            fields: platforms,dockerfile
+            expected: >
+               [{"target":"lint","dockerfile":"./hack/dockerfiles/lint.Dockerfile"},{"target":"lint","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"darwin/amd64"},{"target":"lint","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"darwin/arm64"},{"target":"lint","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"linux/amd64"},{"target":"lint","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"linux/arm64"},{"target":"lint","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"linux/s390x"},{"target":"lint","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"linux/ppc64le"},{"target":"lint","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"linux/riscv64"},{"target":"lint","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"windows/amd64"},{"target":"lint","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"windows/arm64"},{"target":"lint-gopls","dockerfile":"./hack/dockerfiles/lint.Dockerfile"},{"target":"lint-gopls","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"darwin/amd64"},{"target":"lint-gopls","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"darwin/arm64"},{"target":"lint-gopls","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"linux/amd64"},{"target":"lint-gopls","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"linux/arm64"},{"target":"lint-gopls","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"linux/s390x"},{"target":"lint-gopls","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"linux/ppc64le"},{"target":"lint-gopls","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"linux/riscv64"},{"target":"lint-gopls","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"windows/amd64"},{"target":"lint-gopls","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"windows/arm64"},{"target":"validate-docs","dockerfile":"./hack/dockerfiles/docs.Dockerfile"},{"target":"validate-vendor","dockerfile":"./hack/dockerfiles/vendor.Dockerfile"}]
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Matrix gen
         id: gen
-        uses: ./subaction/list-targets
+        uses: ./subaction/matrix
         with:
-          workdir: ./test/group
+          workdir: ./test/${{ matrix.testdir }}
+          target: ${{ matrix.target }}
+          fields: ${{ matrix.fields }}
       -
-        name: Check targets
-        uses: actions/github-script@v7
+        name: Check output
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        env:
+          INPUT_MATRIX: ${{ steps.gen.outputs.matrix }}
+          INPUT_EXPECTED: ${{ matrix.expected }}
         with:
           script: |
-            const targets = `${{ steps.gen.outputs.targets }}`;
-            if (!targets) {
-              core.setFailed('No targets generated');
+            const matrix = JSON.stringify(JSON.parse(core.getInput('matrix')));
+            const expected = JSON.stringify(JSON.parse(core.getInput('expected')));
+            if (matrix !== expected) {
+              throw new Error(`Matrix do not match expected values: ${matrix} != ${expected}`);
+            } else {
+              core.info(`✅`);
             }
-            core.info(`targets=${targets}`);
-
-  list-targets-group-matrix:
-    runs-on: ubuntu-latest
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v4
-      -
-        name: Matrix gen
-        id: gen
-        uses: ./subaction/list-targets
-        with:
-          workdir: ./test/group-matrix
-          target: validate
-      -
-        name: Check targets
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const targets = `${{ steps.gen.outputs.targets }}`;
-            if (!targets) {
-              core.setFailed('No targets generated');
-            }
-            core.info(`targets=${targets}`);
-
-  list-targets-multi-files:
-    runs-on: ubuntu-latest
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v4
-      -
-        name: Matrix gen
-        id: gen
-        uses: ./subaction/list-targets
-        with:
-          workdir: ./test/multi-files
-          files: |
-            docker-bake.json
-            docker-bake.hcl
-      -
-        name: Check targets
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const targets = `${{ steps.gen.outputs.targets }}`;
-            if (!targets) {
-              core.setFailed('No targets generated');
-            }
-            core.info(`targets=${targets}`);

.github/workflows/ci.yml

@@ -1,5 +1,8 @@
 name: ci
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
@@ -46,20 +49,20 @@ jobs:
           - release
     services:
       registry:
-        image: registry:2
+        image: registry:2.8.3@sha256:a3d8aaa63ed8681a604f1dea0aa03f100d5895b6a58ace528858a7b332415373
         ports:
           - 5000:5000
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
       -
         name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -82,7 +85,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Build
         continue-on-error: true
@@ -99,7 +102,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Stop docker
         run: |
@@ -116,7 +119,27 @@ jobs:
       -
         name: Check
         run: |
-          echo "${{ toJson(steps.bake) }}"
+          if [ "${{ steps.bake.outcome }}" != "failure" ] || [ "${{ steps.bake.conclusion }}" != "success" ]; then
+            echo "::error::Should have failed"
+            exit 1
+          fi
+
+  error-source:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Build
+        id: bake
+        continue-on-error: true
+        uses: ./
+        with:
+          source: ./does-not-exist
+      -
+        name: Check
+        run: |
           if [ "${{ steps.bake.outcome }}" != "failure" ] || [ "${{ steps.bake.conclusion }}" != "success" ]; then
             echo "::error::Should have failed"
             exit 1
@@ -127,7 +150,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Uninstall docker cli
         run: |
@@ -138,7 +161,7 @@ jobs:
           fi
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -156,7 +179,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Build
         uses: ./
@@ -178,10 +201,10 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -191,8 +214,7 @@ jobs:
         name: Build
         uses: ./
         with:
-          workdir: ./test/go
-          source: .
+          source: ./test/go
           targets: binary
           provenance: ${{ matrix.attrs }}
           set: |
@@ -214,16 +236,16 @@ jobs:
             output: /tmp/bake-build
     services:
       registry:
-        image: registry:2
+        image: registry:2.8.3@sha256:a3d8aaa63ed8681a604f1dea0aa03f100d5895b6a58ace528858a7b332415373
         ports:
           - 5000:5000
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -233,8 +255,7 @@ jobs:
         name: Build
         uses: ./
         with:
-          workdir: ./test/go
-          source: .
+          source: ./test/go
           targets: ${{ matrix.target }}
           sbom: true
           set: |
@@ -269,19 +290,18 @@ jobs:
     runs-on: ubuntu-latest
     services:
       registry:
-        image: registry:2
+        image: registry:2.8.3@sha256:a3d8aaa63ed8681a604f1dea0aa03f100d5895b6a58ace528858a7b332415373
         ports:
           - 5000:5000
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Build
         uses: ./
         with:
-          workdir: ./test/go
-          source: .
+          source: ./test/go
           set: |
             *.platform=linux/amd64
             *.output=type=image,"name=localhost:5000/name/app:v1.0.0,localhost:5000/name/app:latest",push=true
@@ -291,16 +311,16 @@ jobs:
     runs-on: ubuntu-latest
     services:
       registry:
-        image: registry:2
+        image: registry:2.8.3@sha256:a3d8aaa63ed8681a604f1dea0aa03f100d5895b6a58ace528858a7b332415373
         ports:
           - 5000:5000
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -310,8 +330,7 @@ jobs:
         name: Build and push
         uses: ./
         with:
-          workdir: ./test/group
-          source: .
+          source: ./test/group
           push: true
           set: |
             t1.tags=localhost:5000/name/app:t1
@@ -322,7 +341,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Set malformed docker config
         run: |
@@ -340,7 +359,7 @@ jobs:
     runs-on: ubuntu-latest
     services:
       squid-proxy:
-        image: ubuntu/squid:latest
+        image: ubuntu/squid:latest@sha256:6a097f68bae708cedbabd6188d68c7e2e7a38cedd05a176e1cc0ba29e3bbe029
         ports:
           - 3128:3128
     steps:
@@ -351,7 +370,7 @@ jobs:
           curl --retry 5 --retry-all-errors --retry-delay 0 --connect-timeout 5 --proxy http://127.0.0.1:3128 -v --insecure --head https://www.google.com
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Set proxy config
         run: |
@@ -359,7 +378,7 @@ jobs:
           echo '{"proxies":{"default":{"httpProxy":"http://127.0.0.1:3128","httpsProxy":"http://127.0.0.1:3128"}}}' > ~/.docker/config.json
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -379,7 +398,7 @@ jobs:
     runs-on: ubuntu-latest
     services:
       squid-proxy:
-        image: ubuntu/squid:latest
+        image: ubuntu/squid:latest@sha256:6a097f68bae708cedbabd6188d68c7e2e7a38cedd05a176e1cc0ba29e3bbe029
         ports:
           - 3128:3128
     steps:
@@ -390,10 +409,10 @@ jobs:
           curl --retry 5 --retry-all-errors --retry-delay 0 --connect-timeout 5 --proxy http://127.0.0.1:3128 -v --insecure --head https://www.google.com
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -415,10 +434,10 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -426,16 +445,41 @@ jobs:
       -
         name: Build
         uses: ./
+        with:
+          files: |
+            ./test/config.hcl
+
+  git-context-query:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+        with:
+          version: v0.33.0
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          files: |
+            ./test/config.hcl
+        env:
+          BUILDX_SEND_GIT_QUERY_AS_INPUT: true
 
   git-context-and-local:
     runs-on: ubuntu-latest
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -443,28 +487,29 @@ jobs:
       -
         name: Docker meta
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
       -
         name: Build
         uses: ./
         with:
           files: |
+            ./test/config.hcl
             cwd://${{ steps.meta.outputs.bake-file }}
 
   multi-output:
     runs-on: ubuntu-latest
     services:
       registry:
-        image: registry:2
+        image: registry:2.8.3@sha256:a3d8aaa63ed8681a604f1dea0aa03f100d5895b6a58ace528858a7b332415373
         ports:
           - 5000:5000
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -473,8 +518,7 @@ jobs:
         name: Build and push
         uses: ./
         with:
-          workdir: ./test/go
-          source: .
+          source: ./test/go
           set: |
             *.output=type=image,name=localhost:5000/name/app:latest,push=true
             *.output=type=docker,name=app:local
@@ -499,16 +543,16 @@ jobs:
     runs-on: ubuntu-latest
     services:
       registry:
-        image: registry:2
+        image: registry:2.8.3@sha256:a3d8aaa63ed8681a604f1dea0aa03f100d5895b6a58ace528858a7b332415373
         ports:
           - 5000:5000
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -517,8 +561,7 @@ jobs:
         name: Build and push
         uses: ./
         with:
-          workdir: ./test/go
-          source: .
+          source: ./test/go
           targets: image
           load: true
           push: true
@@ -538,10 +581,10 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -556,39 +599,15 @@ jobs:
         env:
           DOCKER_BUILD_SUMMARY: false
 
-  summary-disable-deprecated:
-    runs-on: ubuntu-latest
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v4
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-        with:
-          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
-          driver-opts: |
-            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
-      -
-        name: Build
-        uses: ./
-        with:
-          source: .
-          files: |
-            ./test/config.hcl
-          targets: app
-        env:
-          DOCKER_BUILD_NO_SUMMARY: true
-
   summary-not-supported:
     runs-on: ubuntu-latest
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
         with:
           version: v0.12.1
           driver-opts: |
@@ -606,10 +625,10 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -635,10 +654,10 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -653,35 +672,6 @@ jobs:
         env:
           DOCKER_BUILD_RECORD_RETENTION_DAYS: ${{ matrix.days }}
 
-  export-legacy:
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        legacy:
-          - false
-          - true
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v4
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-        with:
-          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
-          driver-opts: |
-            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
-      -
-        name: Build
-        uses: ./
-        with:
-          files: |
-            ./test/config.hcl
-          targets: app
-        env:
-          DOCKER_BUILD_EXPORT_LEGACY: ${{ matrix.legacy }}
-
   checks:
     runs-on: ubuntu-latest
     strategy:
@@ -693,10 +683,10 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
         with:
           version: ${{ matrix.buildx-version }}
           driver-opts: |
@@ -705,8 +695,7 @@ jobs:
         name: Build
         uses: ./
         with:
-          workdir: ./test
-          source: .
+          source: ./test
           files: |
             ./lint.hcl
 
@@ -715,10 +704,10 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -727,8 +716,7 @@ jobs:
         name: Build
         uses: ./
         with:
-          workdir: ./test
-          source: .
+          source: ./test
           files: |
             ./lint.hcl
         env:
@@ -747,10 +735,10 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
         with:
           version: ${{ matrix.buildx-version }}
           driver-opts: |
@@ -769,7 +757,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Build
         uses: ./
@@ -779,3 +767,109 @@ jobs:
             ./test/config.hcl
         env:
           BUILDX_NO_DEFAULT_ATTESTATIONS: 1
+
+  call-check:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        id: bake
+        continue-on-error: true
+        uses: ./
+        with:
+          source: ./test
+          files: |
+            ./lint.hcl
+          call: check
+          targets: lint
+      -
+        name: Check
+        run: |
+          if [ "${{ steps.bake.outcome }}" != "failure" ] || [ "${{ steps.bake.conclusion }}" != "success" ]; then
+            echo "::error::Should have failed"
+            exit 1
+          fi
+
+  call-check-multi:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        id: bake
+        continue-on-error: true
+        uses: ./
+        with:
+          source: ./test
+          files: |
+            ./lint.hcl
+          call: check
+      -
+        name: Check
+        run: |
+          if [ "${{ steps.bake.outcome }}" != "failure" ] || [ "${{ steps.bake.conclusion }}" != "success" ]; then
+            echo "::error::Should have failed"
+            exit 1
+          fi
+
+  call-check-nowarning:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        id: bake
+        continue-on-error: true
+        uses: ./
+        with:
+          source: .
+          files: |
+            ./test/config.hcl
+          call: check
+
+  attest-override:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build and push
+        uses: ./
+        with:
+          source: ./test/attest

.github/workflows/codeql.yml

@@ -0,0 +1,46 @@
+name: codeql
+
+permissions:
+  contents: read
+
+on:
+  push:
+    branches:
+      - 'master'
+      - 'releases/v*'
+  pull_request:
+
+env:
+  NODE_VERSION: "24"
+
+jobs:
+  analyze:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Enable corepack
+        run: |
+          corepack enable
+          yarn --version
+      -
+        name: Set up Node
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+      -
+        name: Initialize CodeQL
+        uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
+        with:
+          languages: javascript-typescript
+          build-mode: none
+      -
+        name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
+        with:
+          category: "/language:javascript-typescript"

.github/workflows/pr-assign-author.yml

@@ -4,14 +4,14 @@ permissions:
   contents: read
 
 on:
-  pull_request_target:
+  pull_request_target: # zizmor: ignore[dangerous-triggers] safe to use without checkout
     types:
       - opened
       - reopened
 
 jobs:
   run:
-    uses: crazy-max/.github/.github/workflows/pr-assign-author.yml@1b673f36fad86812f538c1df9794904038a23cbf
+    uses: crazy-max/.github/.github/workflows/pr-assign-author.yml@d89fe92d808a15e2b2ed5cdb62db7c172c31410d # v1.6.0
     permissions:
       contents: read
       pull-requests: write

.github/workflows/publish.yml

@@ -1,5 +1,12 @@
 name: publish
 
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 on:
   release:
     types:
@@ -15,7 +22,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Publish
-        uses: actions/publish-immutable-action@v0.0.4
+        uses: actions/publish-immutable-action@4bc8754ffc40f27910afb20287dbbbb675a4e978 # v0.0.4

.github/workflows/test.yml

@@ -1,5 +1,8 @@
 name: test
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
@@ -23,16 +26,16 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Test
-        uses: docker/bake-action@v6
+        uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
         with:
           source: .
           targets: test
       -
         name: Upload coverage
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
         with:
           files: ./coverage/clover.xml
           token: ${{ secrets.CODECOV_TOKEN }}

.github/workflows/update-dist.yml

@@ -0,0 +1,56 @@
+name: update-dist
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+on:
+  pull_request:
+    types:
+      - opened
+      - synchronize
+
+jobs:
+  update-dist:
+    if: github.actor == 'dependabot[bot]' && github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == github.event.pull_request.head.repo.full_name
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: GitHub auth token from GitHub App
+        id: docker-read-app
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
+        with:
+          app-id: ${{ secrets.GHACTIONS_REPO_WRITE_APP_ID }}
+          private-key: ${{ secrets.GHACTIONS_REPO_WRITE_APP_PRIVATE_KEY }}
+          owner: docker
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          ref: ${{ github.event.pull_request.head.ref }}
+          fetch-depth: 0
+          token: ${{ steps.docker-read-app.outputs.token }}
+      -
+        name: Build
+        uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
+        with:
+          source: .
+          targets: build
+      -
+        name: Commit and push dist
+        run: |
+          if [ -n "$(git status --porcelain -- dist)" ]; then
+            (
+              set -x
+              git config user.name "github-actions[bot]"
+              git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+              git add dist
+              git commit -m "chore: update generated content"
+              git push
+            )
+          else
+            echo "No changes in dist"
+          fi

.github/workflows/validate.yml

@@ -1,5 +1,8 @@
 name: validate
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
@@ -15,15 +18,15 @@ jobs:
   prepare:
     runs-on: ubuntu-latest
     outputs:
-      targets: ${{ steps.generate.outputs.targets }}
+      matrix: ${{ steps.generate.outputs.matrix }}
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: List targets
         id: generate
-        uses: ./subaction/list-targets
+        uses: ./subaction/matrix
         with:
           target: validate
 
@@ -34,10 +37,10 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        target: ${{ fromJson(needs.prepare.outputs.targets) }}
+        include: ${{ fromJson(needs.prepare.outputs.matrix) }}
     steps:
       -
         name: Validate
-        uses: docker/bake-action@v6
+        uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
         with:
           targets: ${{ matrix.target }}

.github/workflows/zizmor.yml

@@ -0,0 +1,29 @@
+name: zizmor
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - 'master'
+      - 'releases/v*'
+    tags:
+      - 'v*'
+  pull_request:
+
+jobs:
+  zizmor:
+    uses: crazy-max/.github/.github/workflows/zizmor.yml@d89fe92d808a15e2b2ed5cdb62db7c172c31410d # v1.6.0
+    permissions:
+      contents: read
+      security-events: write
+    with:
+      min-severity: medium
+      min-confidence: medium
+      persona: pedantic

.github/zizmor.yml

@@ -0,0 +1,3 @@
+rules:
+  secrets-outside-env: # FIXME: remove this rule when zizmor 1.24.0 is released, fixing the right persona attached to this rule: https://github.com/zizmorcore/zizmor/pull/1783
+    disable: true

.prettierrc.json

@@ -6,6 +6,5 @@
   "singleQuote": true,
   "trailingComma": "none",
   "bracketSpacing": false,
-  "arrowParens": "avoid",
-  "parser": "typescript"
+  "arrowParens": "avoid"
 }

.yarnrc.yml

@@ -1,3 +1,9 @@
+# https://yarnpkg.com/configuration/yarnrc
+
+compressionLevel: mixed
+enableGlobalCache: false
+enableHardenedMode: true
+
 logFilters:
   - code: YN0013
     level: discard
@@ -5,9 +11,7 @@ logFilters:
     level: discard
   - code: YN0076
     level: discard
+  - code: YN0086
+    level: discard
 
 nodeLinker: node-modules
-
-plugins:
-  - path: .yarn/plugins/@yarnpkg/plugin-interactive-tools.cjs
-    spec: "@yarnpkg/plugin-interactive-tools"

README.md

@@ -22,7 +22,9 @@ ___
   * [outputs](#outputs)
   * [environment variables](#environment-variables)
 * [Subactions](#subactions)
-  * [`list-targets`](subaction/list-targets)
+  * [`matrix`](subaction/matrix)
+* [Notes](#notes)
+  * [Source semantics](#source-semantics)
 * [Contributing](#contributing)
 
 ## Usage
@@ -50,16 +52,16 @@ jobs:
     steps:
       -
         name: Login to DockerHub
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           username: ${{ vars.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v4
       -
         name: Build and push
-        uses: docker/bake-action@v6
+        uses: docker/bake-action@v7
         with:
           push: true
           set: |
@@ -80,7 +82,7 @@ to the default Git context:
 ```yaml
       -
         name: Build and push
-        uses: docker/bake-action@v6
+        uses: docker/bake-action@v7
         with:
           source: "{{defaultContext}}:mysubdir"
           push: true
@@ -100,7 +102,7 @@ another private repository for remote definitions, you can set the
 ```yaml
       -
         name: Build and push
-        uses: docker/bake-action@v6
+        uses: docker/bake-action@v7
         with:
           push: true
           set: |
@@ -123,19 +125,19 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
       -
         name: Login to DockerHub
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           username: ${{ vars.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v4
       -
         name: Build and push
-        uses: docker/bake-action@v6
+        uses: docker/bake-action@v7
         with:
           source: .
           push: true
@@ -143,6 +145,31 @@ jobs:
             *.tags=user/app:latest
 ```
 
+If you point `source` to a subdirectory, relative paths are resolved from that
+subdirectory:
+
+```yaml
+      -
+        name: Build and push
+        uses: docker/bake-action@v7
+        with:
+          source: ./subdir
+          files: ./docker-bake.hcl
+```
+
+For example, if `./subdir/docker-bake.hcl` contains:
+
+```hcl
+target "default" {
+  output = ["type=local,dest=./artifacts"]
+}
+```
+
+The output will be written to `./subdir/artifacts` in the workspace.
+
+> [!NOTE]
+> More info about `source` semantics in the [Source semantics](#source-semantics) section.
+
 ## Summaries
 
 This action generates a [job summary](https://github.blog/2022-05-09-supercharging-github-actions-with-job-summaries/)
@@ -197,22 +224,22 @@ The following inputs can be used as `step.with` keys
 > targets: default,release
 > ```
 
-| Name           | Type        | Description                                                                                                                                                        |
-|----------------|-------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `builder`      | String      | Builder instance (see [setup-buildx](https://github.com/docker/setup-buildx-action) action)                                                                        |
-| `source`       | String      | Context to build from. Can be either local (`.`) or a [remote bake definition](https://docs.docker.com/build/customize/bake/file-definition/#remote-definition)    |
-| `allow`        | List/CSV    | Allow build to access specified resources (e.g., `network.host`)                                                                                                   |
-| `files`        | List/CSV    | List of [bake definition files](https://docs.docker.com/build/customize/bake/file-definition/)                                                                     |
-| `workdir`      | String      | Working directory of execution                                                                                                                                     |
-| `targets`      | List/CSV    | List of bake targets (`default` target used if empty)                                                                                                              |
-| `no-cache`     | Bool        | Do not use cache when building the image (default `false`)                                                                                                         |
-| `pull`         | Bool        | Always attempt to pull a newer version of the image (default `false`)                                                                                              |
-| `load`         | Bool        | Load is a shorthand for `--set=*.output=type=docker` (default `false`)                                                                                             |
-| `provenance`   | Bool/String | [Provenance](https://docs.docker.com/build/attestations/slsa-provenance/) is a shorthand for `--set=*.attest=type=provenance`                                      |
-| `push`         | Bool        | Push is a shorthand for `--set=*.output=type=registry` (default `false`)                                                                                           |
-| `sbom`         | Bool/String | [SBOM](https://docs.docker.com/build/attestations/sbom/) is a shorthand for `--set=*.attest=type=sbom`                                                             |
-| `set`          | List        | List of [targets values to override](https://docs.docker.com/engine/reference/commandline/buildx_bake/#set) (e.g., `targetpattern.key=value`)                      |
-| `github-token` | String      | API token used to authenticate to a Git repository for [remote definitions](https://docs.docker.com/build/bake/remote-definition/) (default `${{ github.token }}`) |
+| Name           | Type        | Description                                                                                                                                                                                                                                                            |
+|----------------|-------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `builder`      | String      | Builder instance (see [setup-buildx](https://github.com/docker/setup-buildx-action) action)                                                                                                                                                                            |
+| `allow`        | List/CSV    | Allow build to access specified resources (e.g., `network.host`)                                                                                                                                                                                                       |
+| `call`         | String      | Set method for evaluating build (e.g., check)                                                                                                                                                                                                                          |
+| `files`        | List/CSV    | List of [bake definition files](https://docs.docker.com/build/customize/bake/file-definition/)                                                                                                                                                                         |
+| `no-cache`     | Bool        | Do not use cache when building the image (default `false`)                                                                                                                                                                                                             |
+| `pull`         | Bool        | Always attempt to pull a newer version of the image (default `false`)                                                                                                                                                                                                  |
+| `load`         | Bool        | Load is a shorthand for `--set=*.output=type=docker` (default `false`)                                                                                                                                                                                                 |
+| `provenance`   | Bool/String | [Provenance](https://docs.docker.com/build/attestations/slsa-provenance/) is a shorthand for `--set=*.attest=type=provenance`                                                                                                                                          |
+| `push`         | Bool        | Push is a shorthand for `--set=*.output=type=registry` (default `false`)                                                                                                                                                                                               |
+| `sbom`         | Bool/String | [SBOM](https://docs.docker.com/build/attestations/sbom/) is a shorthand for `--set=*.attest=type=sbom`                                                                                                                                                                 |
+| `set`          | List        | List of [targets values to override](https://docs.docker.com/engine/reference/commandline/buildx_bake/#set) (e.g., `targetpattern.key=value`)                                                                                                                          |
+| `source`       | String      | Build source to use. Supports local path and [remote bake definition](https://docs.docker.com/build/bake/remote-definition/). With a local path, Bake runs from that directory, so all relative paths are resolved from it. See [Source semantics](#source-semantics). |
+| `targets`      | List/CSV    | List of bake targets (`default` target used if empty)                                                                                                                                                                                                                  |
+| `github-token` | String      | API token used to authenticate to a Git repository for [remote definitions](https://docs.docker.com/build/bake/remote-definition/) (default `${{ github.token }}`)                                                                                                     |
 
 ### outputs
 
@@ -230,11 +257,27 @@ The following outputs are available
 | `DOCKER_BUILD_SUMMARY`               | Bool   | `true`  | If `false`, [build summary](https://docs.docker.com/build/ci/github-actions/build-summary/) generation is disabled                                                                                                                                                 |
 | `DOCKER_BUILD_RECORD_UPLOAD`         | Bool   | `true`  | If `false`, build record upload as [GitHub artifact](https://docs.github.com/en/actions/using-workflows/storing-workflow-data-as-artifacts) is disabled                                                                                                            |
 | `DOCKER_BUILD_RECORD_RETENTION_DAYS` | Number |         | Duration after which build record artifact will expire in days. Defaults to repository/org [retention settings](https://docs.github.com/en/actions/learn-github-actions/usage-limits-billing-and-administration#artifact-and-log-retention-policy) if unset or `0` |
-| `DOCKER_BUILD_EXPORT_LEGACY`         | Bool   | `false` | If `true`, exports build using legacy export-build tool instead of [`buildx history export` command](https://docs.docker.com/reference/cli/docker/buildx/history/export/)                                                                                          |
 
 ## Subactions
 
-* [`list-targets`](subaction/list-targets)
+* [`matrix`](subaction/matrix)
+
+## Notes
+
+### Source semantics
+
+`source` accepts either a Git/remote bake definition (for example `{{defaultContext}}` or `{{defaultContext}}:subdir`)
+or a local path (for example `.` or `./subdir`). When `source` is a local path,
+the action runs Bake from that directory (equivalent to `cd <path> && docker buildx bake`).
+
+This local path mode affects all relative paths resolved by Bake, not only
+target `context` fields. This includes paths used by local outputs, cache
+import/export, and `cwd://` references.
+
+| `source`                                                              | Behavior                                                                                       |
+|-----------------------------------------------------------------------|------------------------------------------------------------------------------------------------|
+| Git/remote (`{{defaultContext}}`, `https://...git#ref`, `...:subdir`) | Uses [remote bake definition](https://docs.docker.com/build/bake/remote-definition/) behavior. |
+| Local path (`.`, `./subdir`)                                          | Changes Bake working directory to that path before invoking Bake.                              |
 
 ## Contributing
 

__mocks__/@actions/github.ts

@@ -1,207 +0,0 @@
-import {jest} from '@jest/globals';
-
-export const context = {
-  repo: {
-    owner: 'docker',
-    repo: 'build-push-action'
-  },
-  ref: 'refs/heads/master',
-  runId: 123456789,
-  payload: {
-    after: '860c1904a1ce19322e91ac35af1ab07466440c37',
-    base_ref: null,
-    before: '5f3331d7f7044c18ca9f12c77d961c4d7cf3276a',
-    commits: [
-      {
-        author: {
-          email: 'crazy-max@users.noreply.github.com',
-          name: 'CrazyMax',
-          username: 'crazy-max'
-        },
-        committer: {
-          email: 'crazy-max@users.noreply.github.com',
-          name: 'CrazyMax',
-          username: 'crazy-max'
-        },
-        distinct: true,
-        id: '860c1904a1ce19322e91ac35af1ab07466440c37',
-        message: 'hello dev',
-        timestamp: '2022-04-19T11:27:24+02:00',
-        tree_id: 'd2c60af597e863787d2d27f569e30495b0b92820',
-        url: 'https://github.com/docker/test-docker-action/commit/860c1904a1ce19322e91ac35af1ab07466440c37'
-      }
-    ],
-    compare: 'https://github.com/docker/test-docker-action/compare/5f3331d7f704...860c1904a1ce',
-    created: false,
-    deleted: false,
-    forced: false,
-    head_commit: {
-      author: {
-        email: 'crazy-max@users.noreply.github.com',
-        name: 'CrazyMax',
-        username: 'crazy-max'
-      },
-      committer: {
-        email: 'crazy-max@users.noreply.github.com',
-        name: 'CrazyMax',
-        username: 'crazy-max'
-      },
-      distinct: true,
-      id: '860c1904a1ce19322e91ac35af1ab07466440c37',
-      message: 'hello dev',
-      timestamp: '2022-04-19T11:27:24+02:00',
-      tree_id: 'd2c60af597e863787d2d27f569e30495b0b92820',
-      url: 'https://github.com/docker/test-docker-action/commit/860c1904a1ce19322e91ac35af1ab07466440c37'
-    },
-    organization: {
-      avatar_url: 'https://avatars.githubusercontent.com/u/5429470?v=4',
-      description: 'Docker helps developers bring their ideas to life by conquering the complexity of app development.',
-      events_url: 'https://api.github.com/orgs/docker/events',
-      hooks_url: 'https://api.github.com/orgs/docker/hooks',
-      id: 5429470,
-      issues_url: 'https://api.github.com/orgs/docker/issues',
-      login: 'docker',
-      members_url: 'https://api.github.com/orgs/docker/members{/member}',
-      node_id: 'MDEyOk9yZ2FuaXphdGlvbjU0Mjk0NzA=',
-      public_members_url: 'https://api.github.com/orgs/docker/public_members{/member}',
-      repos_url: 'https://api.github.com/orgs/docker/repos',
-      url: 'https://api.github.com/orgs/docker'
-    },
-    pusher: {
-      email: 'github@crazymax.dev',
-      name: 'crazy-max'
-    },
-    ref: 'refs/heads/dev',
-    repository: {
-      allow_forking: true,
-      archive_url: 'https://api.github.com/repos/docker/test-docker-action/{archive_format}{/ref}',
-      archived: false,
-      assignees_url: 'https://api.github.com/repos/docker/test-docker-action/assignees{/user}',
-      blobs_url: 'https://api.github.com/repos/docker/test-docker-action/git/blobs{/sha}',
-      branches_url: 'https://api.github.com/repos/docker/test-docker-action/branches{/branch}',
-      clone_url: 'https://github.com/docker/test-docker-action.git',
-      collaborators_url: 'https://api.github.com/repos/docker/test-docker-action/collaborators{/collaborator}',
-      comments_url: 'https://api.github.com/repos/docker/test-docker-action/comments{/number}',
-      commits_url: 'https://api.github.com/repos/docker/test-docker-action/commits{/sha}',
-      compare_url: 'https://api.github.com/repos/docker/test-docker-action/compare/{base}...{head}',
-      contents_url: 'https://api.github.com/repos/docker/test-docker-action/contents/{+path}',
-      contributors_url: 'https://api.github.com/repos/docker/test-docker-action/contributors',
-      created_at: 1596792180,
-      default_branch: 'master',
-      deployments_url: 'https://api.github.com/repos/docker/test-docker-action/deployments',
-      description: 'Test "Docker" Actions',
-      disabled: false,
-      downloads_url: 'https://api.github.com/repos/docker/test-docker-action/downloads',
-      events_url: 'https://api.github.com/repos/docker/test-docker-action/events',
-      fork: false,
-      forks: 1,
-      forks_count: 1,
-      forks_url: 'https://api.github.com/repos/docker/test-docker-action/forks',
-      full_name: 'docker/test-docker-action',
-      git_commits_url: 'https://api.github.com/repos/docker/test-docker-action/git/commits{/sha}',
-      git_refs_url: 'https://api.github.com/repos/docker/test-docker-action/git/refs{/sha}',
-      git_tags_url: 'https://api.github.com/repos/docker/test-docker-action/git/tags{/sha}',
-      git_url: 'git://github.com/docker/test-docker-action.git',
-      has_downloads: true,
-      has_issues: true,
-      has_pages: false,
-      has_projects: true,
-      has_wiki: true,
-      homepage: '',
-      hooks_url: 'https://api.github.com/repos/docker/test-docker-action/hooks',
-      html_url: 'https://github.com/docker/test-docker-action',
-      id: 285789493,
-      is_template: false,
-      issue_comment_url: 'https://api.github.com/repos/docker/test-docker-action/issues/comments{/number}',
-      issue_events_url: 'https://api.github.com/repos/docker/test-docker-action/issues/events{/number}',
-      issues_url: 'https://api.github.com/repos/docker/test-docker-action/issues{/number}',
-      keys_url: 'https://api.github.com/repos/docker/test-docker-action/keys{/key_id}',
-      labels_url: 'https://api.github.com/repos/docker/test-docker-action/labels{/name}',
-      language: 'JavaScript',
-      languages_url: 'https://api.github.com/repos/docker/test-docker-action/languages',
-      license: {
-        key: 'mit',
-        name: 'MIT License',
-        node_id: 'MDc6TGljZW5zZTEz',
-        spdx_id: 'MIT',
-        url: 'https://api.github.com/licenses/mit'
-      },
-      master_branch: 'master',
-      merges_url: 'https://api.github.com/repos/docker/test-docker-action/merges',
-      milestones_url: 'https://api.github.com/repos/docker/test-docker-action/milestones{/number}',
-      mirror_url: null,
-      name: 'test-docker-action',
-      node_id: 'MDEwOlJlcG9zaXRvcnkyODU3ODk0OTM=',
-      notifications_url: 'https://api.github.com/repos/docker/test-docker-action/notifications{?since,all,participating}',
-      open_issues: 6,
-      open_issues_count: 6,
-      organization: 'docker',
-      owner: {
-        avatar_url: 'https://avatars.githubusercontent.com/u/5429470?v=4',
-        email: 'info@docker.com',
-        events_url: 'https://api.github.com/users/docker/events{/privacy}',
-        followers_url: 'https://api.github.com/users/docker/followers',
-        following_url: 'https://api.github.com/users/docker/following{/other_user}',
-        gists_url: 'https://api.github.com/users/docker/gists{/gist_id}',
-        gravatar_id: '',
-        html_url: 'https://github.com/docker',
-        id: 5429470,
-        login: 'docker',
-        name: 'docker',
-        node_id: 'MDEyOk9yZ2FuaXphdGlvbjU0Mjk0NzA=',
-        organizations_url: 'https://api.github.com/users/docker/orgs',
-        received_events_url: 'https://api.github.com/users/docker/received_events',
-        repos_url: 'https://api.github.com/users/docker/repos',
-        site_admin: false,
-        starred_url: 'https://api.github.com/users/docker/starred{/owner}{/repo}',
-        subscriptions_url: 'https://api.github.com/users/docker/subscriptions',
-        type: 'Organization',
-        url: 'https://api.github.com/users/docker'
-      },
-      private: true,
-      pulls_url: 'https://api.github.com/repos/docker/test-docker-action/pulls{/number}',
-      pushed_at: 1650360446,
-      releases_url: 'https://api.github.com/repos/docker/test-docker-action/releases{/id}',
-      size: 796,
-      ssh_url: 'git@github.com:docker/test-docker-action.git',
-      stargazers: 0,
-      stargazers_count: 0,
-      stargazers_url: 'https://api.github.com/repos/docker/test-docker-action/stargazers',
-      statuses_url: 'https://api.github.com/repos/docker/test-docker-action/statuses/{sha}',
-      subscribers_url: 'https://api.github.com/repos/docker/test-docker-action/subscribers',
-      subscription_url: 'https://api.github.com/repos/docker/test-docker-action/subscription',
-      svn_url: 'https://github.com/docker/test-docker-action',
-      tags_url: 'https://api.github.com/repos/docker/test-docker-action/tags',
-      teams_url: 'https://api.github.com/repos/docker/test-docker-action/teams',
-      topics: [],
-      trees_url: 'https://api.github.com/repos/docker/test-docker-action/git/trees{/sha}',
-      updated_at: '2022-04-19T09:05:09Z',
-      url: 'https://github.com/docker/test-docker-action',
-      visibility: 'private',
-      watchers: 0,
-      watchers_count: 0
-    },
-    sender: {
-      avatar_url: 'https://avatars.githubusercontent.com/u/1951866?v=4',
-      events_url: 'https://api.github.com/users/crazy-max/events{/privacy}',
-      followers_url: 'https://api.github.com/users/crazy-max/followers',
-      following_url: 'https://api.github.com/users/crazy-max/following{/other_user}',
-      gists_url: 'https://api.github.com/users/crazy-max/gists{/gist_id}',
-      gravatar_id: '',
-      html_url: 'https://github.com/crazy-max',
-      id: 1951866,
-      login: 'crazy-max',
-      node_id: 'MDQ6VXNlcjE5NTE4NjY=',
-      organizations_url: 'https://api.github.com/users/crazy-max/orgs',
-      received_events_url: 'https://api.github.com/users/crazy-max/received_events',
-      repos_url: 'https://api.github.com/users/crazy-max/repos',
-      site_admin: false,
-      starred_url: 'https://api.github.com/users/crazy-max/starred{/owner}{/repo}',
-      subscriptions_url: 'https://api.github.com/users/crazy-max/subscriptions',
-      type: 'User',
-      url: 'https://api.github.com/users/crazy-max'
-    }
-  }
-};
-
-export const getOctokit = jest.fn();

__tests__/context.test.ts

@@ -1,124 +1,92 @@
-import {afterEach, beforeEach, describe, expect, jest, test} from '@jest/globals';
+import {afterEach, beforeEach, describe, expect, test, vi} from 'vitest';
 import * as fs from 'fs';
+import * as os from 'os';
 import * as path from 'path';
 
-import {Bake} from '@docker/actions-toolkit/lib/buildx/bake';
-import {Builder} from '@docker/actions-toolkit/lib/buildx/builder';
-import {Buildx} from '@docker/actions-toolkit/lib/buildx/buildx';
-import {Context} from '@docker/actions-toolkit/lib/context';
-import {Docker} from '@docker/actions-toolkit/lib/docker/docker';
-import {GitHub} from '@docker/actions-toolkit/lib/github';
-import {Toolkit} from '@docker/actions-toolkit/lib/toolkit';
+import {Bake} from '@docker/actions-toolkit/lib/buildx/bake.js';
+import {Build} from '@docker/actions-toolkit/lib/buildx/build.js';
+import {Builder} from '@docker/actions-toolkit/lib/buildx/builder.js';
+import {Buildx} from '@docker/actions-toolkit/lib/buildx/buildx.js';
+import {Docker} from '@docker/actions-toolkit/lib/docker/docker.js';
+import {Toolkit} from '@docker/actions-toolkit/lib/toolkit.js';
 
-import {BakeDefinition} from '@docker/actions-toolkit/lib/types/buildx/bake';
-import {BuilderInfo} from '@docker/actions-toolkit/lib/types/buildx/builder';
-import {GitHubRepo} from '@docker/actions-toolkit/lib/types/github';
+import {BakeDefinition} from '@docker/actions-toolkit/lib/types/buildx/bake.js';
+import {BuilderInfo} from '@docker/actions-toolkit/lib/types/buildx/builder.js';
 
-import * as context from '../src/context';
+import * as context from '../src/context.js';
 
-const tmpDir = path.join('/tmp', '.docker-bake-action-jest');
-const tmpName = path.join(tmpDir, '.tmpname-jest');
+const tmpDir = fs.mkdtempSync(path.join(process.env.TEMP || os.tmpdir(), 'context-'));
+const fixturesDir = path.join(__dirname, 'fixtures');
 
-import repoFixture from './fixtures/github-repo.json';
-jest.spyOn(GitHub.prototype, 'repoData').mockImplementation((): Promise<GitHubRepo> => {
-  return <Promise<GitHubRepo>>(repoFixture as unknown);
-});
-
-jest.spyOn(Context, 'tmpDir').mockImplementation((): string => {
-  if (!fs.existsSync(tmpDir)) {
-    fs.mkdirSync(tmpDir, {recursive: true});
-  }
-  return tmpDir;
-});
-
-jest.spyOn(Context, 'tmpName').mockImplementation((): string => {
-  return tmpName;
-});
-
-jest.spyOn(Docker, 'isAvailable').mockImplementation(async (): Promise<boolean> => {
+vi.spyOn(Docker, 'isAvailable').mockImplementation(async (): Promise<boolean> => {
   return true;
 });
 
 const metadataJson = path.join(tmpDir, 'metadata.json');
-jest.spyOn(Bake.prototype, 'getMetadataFilePath').mockImplementation((): string => {
+vi.spyOn(Bake.prototype, 'getMetadataFilePath').mockImplementation((): string => {
   return metadataJson;
 });
 
-jest.spyOn(Builder.prototype, 'inspect').mockImplementation(async (): Promise<BuilderInfo> => {
+type BuilderInfoFixture = Omit<BuilderInfo, 'lastActivity'> & {lastActivity: string};
+const builderInfoFixture = <BuilderInfoFixture>JSON.parse(fs.readFileSync(path.join(fixturesDir, 'builder-info.json'), {encoding: 'utf-8'}).trim());
+vi.spyOn(Builder.prototype, 'inspect').mockImplementation(async (): Promise<BuilderInfo> => {
   return {
-    name: 'builder2',
-    driver: 'docker-container',
-    lastActivity: new Date('2023-01-16 09:45:23 +0000 UTC'),
-    nodes: [
-      {
-        buildkit: 'v0.11.0',
-        'buildkitd-flags': '--debug --allow-insecure-entitlement security.insecure --allow-insecure-entitlement network.host',
-        'driver-opts': ['BUILDKIT_STEP_LOG_MAX_SIZE=10485760', 'BUILDKIT_STEP_LOG_MAX_SPEED=10485760', 'JAEGER_TRACE=localhost:6831', 'image=moby/buildkit:latest', 'network=host'],
-        endpoint: 'unix:///var/run/docker.sock',
-        name: 'builder20',
-        platforms: 'linux/amd64,linux/amd64/v2,linux/amd64/v3,linux/arm64,linux/riscv64,linux/ppc64le,linux/s390x,linux/386,linux/mips64le,linux/mips64,linux/arm/v7,linux/arm/v6',
-        status: 'running'
-      }
-    ]
+    ...builderInfoFixture,
+    lastActivity: new Date(builderInfoFixture.lastActivity)
   };
 });
 
-jest.spyOn(Bake.prototype, 'getDefinition').mockImplementation(async (): Promise<BakeDefinition> => {
-  return JSON.parse(`{
-    "group": {
-      "default": {
-        "targets": [
-          "validate"
-        ]
-      },
-      "validate": {
-        "targets": [
-          "lint",
-          "validate-vendor",
-          "validate-docs"
-        ]
+vi.spyOn(Bake.prototype, 'getDefinition').mockImplementation(async (): Promise<BakeDefinition> => {
+  return <BakeDefinition>JSON.parse(fs.readFileSync(path.join(fixturesDir, 'bake-def.json'), {encoding: 'utf-8'}).trim());
+});
+
+describe('getInputs', () => {
+  const originalEnv = process.env;
+
+  beforeEach(() => {
+    process.env = Object.keys(process.env).reduce((object, key) => {
+      if (!key.startsWith('INPUT_')) {
+        object[key] = process.env[key];
       }
-    },
-    "target": {
-      "lint": {
-        "context": ".",
-        "dockerfile": "./hack/dockerfiles/lint.Dockerfile",
-        "args": {
-          "BUILDKIT_CONTEXT_KEEP_GIT_DIR": "1",
-          "GO_VERSION": "1.20"
-        },
-        "output": [
-          "type=cacheonly"
-        ]
-      },
-      "validate-docs": {
-        "context": ".",
-        "dockerfile": "./hack/dockerfiles/docs.Dockerfile",
-        "args": {
-          "BUILDKIT_CONTEXT_KEEP_GIT_DIR": "1",
-          "BUILDX_EXPERIMENTAL": "1",
-          "FORMATS": "md",
-          "GO_VERSION": "1.20"
-        },
-        "target": "validate",
-        "output": [
-          "type=cacheonly"
-        ]
-      },
-      "validate-vendor": {
-        "context": ".",
-        "dockerfile": "./hack/dockerfiles/vendor.Dockerfile",
-        "args": {
-          "BUILDKIT_CONTEXT_KEEP_GIT_DIR": "1",
-          "GO_VERSION": "1.20"
-        },
-        "target": "validate",
-        "output": [
-          "type=cacheonly"
-        ]
-      }
-    }
-  }`) as BakeDefinition;
+      return object;
+    }, {});
+  });
+
+  afterEach(() => {
+    process.env = originalEnv;
+  });
+
+  function setRequiredBooleanInputs(): void {
+    setInput('no-cache', 'false');
+    setInput('pull', 'false');
+    setInput('load', 'false');
+    setInput('push', 'false');
+  }
+
+  test('uses Build git context when source input is empty', async () => {
+    const gitContext = 'https://github.com/docker/bake-action.git?ref=refs/heads/master&checksum=0123456789abcdef';
+    const gitContextSpy = vi.spyOn(Build.prototype, 'gitContext').mockResolvedValue(gitContext);
+    setRequiredBooleanInputs();
+    const inputs = await context.getInputs();
+    expect(inputs.source).toEqual({
+      remoteRef: gitContext
+    });
+    expect(gitContextSpy).toHaveBeenCalledTimes(1);
+    gitContextSpy.mockRestore();
+  });
+
+  test('renders defaultContext source templates from Build git context', async () => {
+    const gitContext = 'https://github.com/docker/bake-action.git#refs/heads/master';
+    const gitContextSpy = vi.spyOn(Build.prototype, 'gitContext').mockResolvedValue(gitContext);
+    setRequiredBooleanInputs();
+    setInput('source', '{{defaultContext}}:subdir');
+    const inputs = await context.getInputs();
+    expect(inputs.source).toEqual({
+      remoteRef: `${gitContext}:subdir`
+    });
+    expect(gitContextSpy).toHaveBeenCalledTimes(1);
+    gitContextSpy.mockRestore();
+  });
 });
 
 describe('getArgs', () => {
@@ -218,7 +186,9 @@ describe('getArgs', () => {
       [
         'bake',
         '--metadata-file', metadataJson,
-        "--provenance", `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
+        '--set', `lint.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`,
+        '--set', `validate-docs.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`,
+        '--set', `validate-vendor.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`,
       ],
       undefined
     ],
@@ -236,7 +206,7 @@ describe('getArgs', () => {
       [
         'bake',
         '--metadata-file', metadataJson,
-        "--provenance", `builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`
+        "--provenance", `builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`
       ],
       undefined
     ],
@@ -254,7 +224,7 @@ describe('getArgs', () => {
       [
         'bake',
         '--metadata-file', metadataJson,
-        "--provenance", `mode=max,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`
+        "--provenance", `mode=max,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`
       ],
       undefined
     ],
@@ -311,7 +281,9 @@ describe('getArgs', () => {
         '--set', '*.platform=linux/amd64,linux/ppc64le,linux/s390x',
         '--set', `*.output=type=image,"name=moby/buildkit:v0.11.0,moby/buildkit:latest",push=true`,
         '--metadata-file', metadataJson,
-        '--provenance', `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
+        '--set', `lint.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`,
+        '--set', `validate-docs.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`,
+        '--set', `validate-vendor.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`,
         'image-all'
       ],
       undefined
@@ -332,7 +304,9 @@ describe('getArgs', () => {
         'bake',
         '--set', `*.labels.foo=bar=#baz`,
         '--metadata-file', metadataJson,
-        '--provenance', `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
+        '--set', `lint.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`,
+        '--set', `validate-docs.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`,
+        '--set', `validate-vendor.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`,
         'image-all'
       ],
       undefined
@@ -349,10 +323,12 @@ describe('getArgs', () => {
       ]),
       [
         'bake',
-        'https://github.com/docker/build-push-action.git#refs/heads/master',
+        'https://github.com/docker/bake-action.git#refs/heads/master',
         '--file', './foo.hcl',
         '--metadata-file', metadataJson,
-        '--provenance', `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
+        '--set', `lint.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`,
+        '--set', `validate-docs.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`,
+        '--set', `validate-vendor.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`
       ],
       undefined
     ],
@@ -371,7 +347,9 @@ describe('getArgs', () => {
         'bake',
         '--allow', 'network.host',
         '--metadata-file', metadataJson,
-        "--provenance", `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`
+        '--set', `lint.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`,
+        '--set', `validate-docs.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`,
+        '--set', `validate-vendor.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`
       ],
       undefined
     ],
@@ -388,10 +366,12 @@ describe('getArgs', () => {
       ]),
       [
         'bake',
-        'https://github.com/docker/build-push-action.git#refs/heads/master:subdir',
+        'https://github.com/docker/bake-action.git#refs/heads/master:subdir',
         '--file', './foo.hcl',
         '--metadata-file', metadataJson,
-        '--provenance', `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
+        '--set', `lint.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`,
+        '--set', `validate-docs.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`,
+        '--set', `validate-vendor.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`
       ],
       undefined
     ],
@@ -413,8 +393,56 @@ describe('getArgs', () => {
         ['BUILDX_NO_DEFAULT_ATTESTATIONS', '1']
       ])
     ],
+    [
+      15,
+      '0.29.0',
+      new Map<string, string>([
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+        ['files', './foo.hcl'],
+      ]),
+      [
+        'bake',
+        'https://github.com/docker/bake-action.git?ref=refs/heads/master',
+        '--allow', 'fs=*',
+        '--file', './foo.hcl',
+        '--metadata-file', metadataJson,
+        '--set', `lint.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`,
+        '--set', `validate-docs.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`,
+        '--set', `validate-vendor.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`
+      ],
+      new Map<string, string>([
+        ['BUILDX_SEND_GIT_QUERY_AS_INPUT', 'true']
+      ])
+    ],
+    [
+      16,
+      '0.28.0',
+      new Map<string, string>([
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+        ['files', './foo.hcl'],
+      ]),
+      [
+        'bake',
+        'https://github.com/docker/bake-action.git#refs/heads/master',
+        '--allow', 'fs=*',
+        '--file', './foo.hcl',
+        '--metadata-file', metadataJson,
+        '--set', `lint.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`,
+        '--set', `validate-docs.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`,
+        '--set', `validate-vendor.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`
+      ],
+      new Map<string, string>([
+        ['BUILDX_SEND_GIT_QUERY_AS_INPUT', 'true']
+      ])
+    ],
   ])(
-    '[%d] given %p with %p as inputs, returns %p',
+    '[%d] given %o with %o as inputs, returns %o',
     async (num: number, buildxVersion: string, inputs: Map<string, string>, expected: Array<string>, envs: Map<string, string> | undefined) => {
       if (envs) {
         envs.forEach((value: string, name: string) => {
@@ -425,7 +453,7 @@ describe('getArgs', () => {
         setInput(name, value);
       });
       const toolkit = new Toolkit();
-      jest.spyOn(Buildx.prototype, 'version').mockImplementation(async (): Promise<string> => {
+      vi.spyOn(Buildx.prototype, 'version').mockImplementation(async (): Promise<string> => {
         return buildxVersion;
       });
       const inp = await context.getInputs();
@@ -438,11 +466,11 @@ describe('getArgs', () => {
           provenance: inp.provenance,
           push: inp.push,
           sbom: inp.sbom,
-          source: inp.source,
+          source: inp.source.remoteRef,
           targets: inp.targets
         },
         {
-          cwd: inp.workdir
+          cwd: inp.source.workdir,
         }
       );
       const res = await context.getArgs(inp, definition, toolkit);

__tests__/fixtures/bake-def.json

@@ -0,0 +1,55 @@
+{
+  "group": {
+    "default": {
+      "targets": [
+        "validate"
+      ]
+    },
+    "validate": {
+      "targets": [
+        "lint",
+        "validate-vendor",
+        "validate-docs"
+      ]
+    }
+  },
+  "target": {
+    "lint": {
+      "context": ".",
+      "dockerfile": "./hack/dockerfiles/lint.Dockerfile",
+      "args": {
+        "BUILDKIT_CONTEXT_KEEP_GIT_DIR": "1",
+        "GO_VERSION": "1.20"
+      },
+      "output": [
+        "type=cacheonly"
+      ]
+    },
+    "validate-docs": {
+      "context": ".",
+      "dockerfile": "./hack/dockerfiles/docs.Dockerfile",
+      "args": {
+        "BUILDKIT_CONTEXT_KEEP_GIT_DIR": "1",
+        "BUILDX_EXPERIMENTAL": "1",
+        "FORMATS": "md",
+        "GO_VERSION": "1.20"
+      },
+      "target": "validate",
+      "output": [
+        "type=cacheonly"
+      ]
+    },
+    "validate-vendor": {
+      "context": ".",
+      "dockerfile": "./hack/dockerfiles/vendor.Dockerfile",
+      "args": {
+        "BUILDKIT_CONTEXT_KEEP_GIT_DIR": "1",
+        "GO_VERSION": "1.20"
+      },
+      "target": "validate",
+      "output": [
+        "type=cacheonly"
+      ]
+    }
+  }
+}

__tests__/fixtures/builder-info.json

@@ -0,0 +1,22 @@
+{
+  "name": "builder2",
+  "driver": "docker-container",
+  "lastActivity": "2023-01-16 09:45:23 +0000 UTC",
+  "nodes": [
+    {
+      "buildkit": "v0.11.0",
+      "buildkitd-flags": "--debug --allow-insecure-entitlement security.insecure --allow-insecure-entitlement network.host",
+      "driver-opts": [
+        "BUILDKIT_STEP_LOG_MAX_SIZE=10485760",
+        "BUILDKIT_STEP_LOG_MAX_SPEED=10485760",
+        "JAEGER_TRACE=localhost:6831",
+        "image=moby/buildkit:latest",
+        "network=host"
+      ],
+      "endpoint": "unix:///var/run/docker.sock",
+      "name": "builder20",
+      "platforms": "linux/amd64,linux/amd64/v2,linux/amd64/v3,linux/arm64,linux/riscv64,linux/ppc64le,linux/s390x,linux/386,linux/mips64le,linux/mips64,linux/arm/v7,linux/arm/v6",
+      "status": "running"
+    }
+  ]
+}

__tests__/fixtures/github-repo.json

@@ -1,362 +0,0 @@
-{
-  "id": 1296269,
-  "node_id": "MDEwOlJlcG9zaXRvcnkxMjk2MjY5",
-  "name": "Hello-World",
-  "full_name": "octocat/Hello-World",
-  "owner": {
-    "login": "octocat",
-    "id": 1,
-    "node_id": "MDQ6VXNlcjE=",
-    "avatar_url": "https://github.com/images/error/octocat_happy.gif",
-    "gravatar_id": "",
-    "url": "https://api.github.com/users/octocat",
-    "html_url": "https://github.com/octocat",
-    "followers_url": "https://api.github.com/users/octocat/followers",
-    "following_url": "https://api.github.com/users/octocat/following{/other_user}",
-    "gists_url": "https://api.github.com/users/octocat/gists{/gist_id}",
-    "starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}",
-    "subscriptions_url": "https://api.github.com/users/octocat/subscriptions",
-    "organizations_url": "https://api.github.com/users/octocat/orgs",
-    "repos_url": "https://api.github.com/users/octocat/repos",
-    "events_url": "https://api.github.com/users/octocat/events{/privacy}",
-    "received_events_url": "https://api.github.com/users/octocat/received_events",
-    "type": "User",
-    "site_admin": false
-  },
-  "private": false,
-  "html_url": "https://github.com/octocat/Hello-World",
-  "description": "This your first repo!",
-  "fork": false,
-  "url": "https://api.github.com/repos/octocat/Hello-World",
-  "archive_url": "http://api.github.com/repos/octocat/Hello-World/{archive_format}{/ref}",
-  "assignees_url": "http://api.github.com/repos/octocat/Hello-World/assignees{/user}",
-  "blobs_url": "http://api.github.com/repos/octocat/Hello-World/git/blobs{/sha}",
-  "branches_url": "http://api.github.com/repos/octocat/Hello-World/branches{/branch}",
-  "collaborators_url": "http://api.github.com/repos/octocat/Hello-World/collaborators{/collaborator}",
-  "comments_url": "http://api.github.com/repos/octocat/Hello-World/comments{/number}",
-  "commits_url": "http://api.github.com/repos/octocat/Hello-World/commits{/sha}",
-  "compare_url": "http://api.github.com/repos/octocat/Hello-World/compare/{base}...{head}",
-  "contents_url": "http://api.github.com/repos/octocat/Hello-World/contents/{+path}",
-  "contributors_url": "http://api.github.com/repos/octocat/Hello-World/contributors",
-  "deployments_url": "http://api.github.com/repos/octocat/Hello-World/deployments",
-  "downloads_url": "http://api.github.com/repos/octocat/Hello-World/downloads",
-  "events_url": "http://api.github.com/repos/octocat/Hello-World/events",
-  "forks_url": "http://api.github.com/repos/octocat/Hello-World/forks",
-  "git_commits_url": "http://api.github.com/repos/octocat/Hello-World/git/commits{/sha}",
-  "git_refs_url": "http://api.github.com/repos/octocat/Hello-World/git/refs{/sha}",
-  "git_tags_url": "http://api.github.com/repos/octocat/Hello-World/git/tags{/sha}",
-  "git_url": "git:github.com/octocat/Hello-World.git",
-  "issue_comment_url": "http://api.github.com/repos/octocat/Hello-World/issues/comments{/number}",
-  "issue_events_url": "http://api.github.com/repos/octocat/Hello-World/issues/events{/number}",
-  "issues_url": "http://api.github.com/repos/octocat/Hello-World/issues{/number}",
-  "keys_url": "http://api.github.com/repos/octocat/Hello-World/keys{/key_id}",
-  "labels_url": "http://api.github.com/repos/octocat/Hello-World/labels{/name}",
-  "languages_url": "http://api.github.com/repos/octocat/Hello-World/languages",
-  "merges_url": "http://api.github.com/repos/octocat/Hello-World/merges",
-  "milestones_url": "http://api.github.com/repos/octocat/Hello-World/milestones{/number}",
-  "notifications_url": "http://api.github.com/repos/octocat/Hello-World/notifications{?since,all,participating}",
-  "pulls_url": "http://api.github.com/repos/octocat/Hello-World/pulls{/number}",
-  "releases_url": "http://api.github.com/repos/octocat/Hello-World/releases{/id}",
-  "ssh_url": "git@github.com:octocat/Hello-World.git",
-  "stargazers_url": "http://api.github.com/repos/octocat/Hello-World/stargazers",
-  "statuses_url": "http://api.github.com/repos/octocat/Hello-World/statuses/{sha}",
-  "subscribers_url": "http://api.github.com/repos/octocat/Hello-World/subscribers",
-  "subscription_url": "http://api.github.com/repos/octocat/Hello-World/subscription",
-  "tags_url": "http://api.github.com/repos/octocat/Hello-World/tags",
-  "teams_url": "http://api.github.com/repos/octocat/Hello-World/teams",
-  "trees_url": "http://api.github.com/repos/octocat/Hello-World/git/trees{/sha}",
-  "clone_url": "https://github.com/octocat/Hello-World.git",
-  "mirror_url": "git:git.example.com/octocat/Hello-World",
-  "hooks_url": "http://api.github.com/repos/octocat/Hello-World/hooks",
-  "svn_url": "https://svn.github.com/octocat/Hello-World",
-  "homepage": "https://github.com",
-  "language": null,
-  "forks_count": 9,
-  "stargazers_count": 80,
-  "watchers_count": 80,
-  "size": 108,
-  "default_branch": "master",
-  "open_issues_count": 0,
-  "is_template": true,
-  "topics": [
-    "octocat",
-    "atom",
-    "electron",
-    "api"
-  ],
-  "has_issues": true,
-  "has_projects": true,
-  "has_wiki": true,
-  "has_pages": false,
-  "has_downloads": true,
-  "archived": false,
-  "disabled": false,
-  "visibility": "public",
-  "pushed_at": "2011-01-26T19:06:43Z",
-  "created_at": "2011-01-26T19:01:12Z",
-  "updated_at": "2011-01-26T19:14:43Z",
-  "permissions": {
-    "pull": true,
-    "triage": true,
-    "push": false,
-    "maintain": false,
-    "admin": false
-  },
-  "allow_rebase_merge": true,
-  "template_repository": null,
-  "temp_clone_token": "ABTLWHOULUVAXGTRYU7OC2876QJ2O",
-  "allow_squash_merge": true,
-  "delete_branch_on_merge": true,
-  "allow_merge_commit": true,
-  "subscribers_count": 42,
-  "network_count": 0,
-  "license": {
-    "key": "mit",
-    "name": "MIT License",
-    "spdx_id": "MIT",
-    "url": "https://api.github.com/licenses/mit",
-    "node_id": "MDc6TGljZW5zZW1pdA=="
-  },
-  "organization": {
-    "login": "octocat",
-    "id": 1,
-    "node_id": "MDQ6VXNlcjE=",
-    "avatar_url": "https://github.com/images/error/octocat_happy.gif",
-    "gravatar_id": "",
-    "url": "https://api.github.com/users/octocat",
-    "html_url": "https://github.com/octocat",
-    "followers_url": "https://api.github.com/users/octocat/followers",
-    "following_url": "https://api.github.com/users/octocat/following{/other_user}",
-    "gists_url": "https://api.github.com/users/octocat/gists{/gist_id}",
-    "starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}",
-    "subscriptions_url": "https://api.github.com/users/octocat/subscriptions",
-    "organizations_url": "https://api.github.com/users/octocat/orgs",
-    "repos_url": "https://api.github.com/users/octocat/repos",
-    "events_url": "https://api.github.com/users/octocat/events{/privacy}",
-    "received_events_url": "https://api.github.com/users/octocat/received_events",
-    "type": "Organization",
-    "site_admin": false
-  },
-  "parent": {
-    "id": 1296269,
-    "node_id": "MDEwOlJlcG9zaXRvcnkxMjk2MjY5",
-    "name": "Hello-World",
-    "full_name": "octocat/Hello-World",
-    "owner": {
-      "login": "octocat",
-      "id": 1,
-      "node_id": "MDQ6VXNlcjE=",
-      "avatar_url": "https://github.com/images/error/octocat_happy.gif",
-      "gravatar_id": "",
-      "url": "https://api.github.com/users/octocat",
-      "html_url": "https://github.com/octocat",
-      "followers_url": "https://api.github.com/users/octocat/followers",
-      "following_url": "https://api.github.com/users/octocat/following{/other_user}",
-      "gists_url": "https://api.github.com/users/octocat/gists{/gist_id}",
-      "starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}",
-      "subscriptions_url": "https://api.github.com/users/octocat/subscriptions",
-      "organizations_url": "https://api.github.com/users/octocat/orgs",
-      "repos_url": "https://api.github.com/users/octocat/repos",
-      "events_url": "https://api.github.com/users/octocat/events{/privacy}",
-      "received_events_url": "https://api.github.com/users/octocat/received_events",
-      "type": "User",
-      "site_admin": false
-    },
-    "private": false,
-    "html_url": "https://github.com/octocat/Hello-World",
-    "description": "This your first repo!",
-    "fork": false,
-    "url": "https://api.github.com/repos/octocat/Hello-World",
-    "archive_url": "http://api.github.com/repos/octocat/Hello-World/{archive_format}{/ref}",
-    "assignees_url": "http://api.github.com/repos/octocat/Hello-World/assignees{/user}",
-    "blobs_url": "http://api.github.com/repos/octocat/Hello-World/git/blobs{/sha}",
-    "branches_url": "http://api.github.com/repos/octocat/Hello-World/branches{/branch}",
-    "collaborators_url": "http://api.github.com/repos/octocat/Hello-World/collaborators{/collaborator}",
-    "comments_url": "http://api.github.com/repos/octocat/Hello-World/comments{/number}",
-    "commits_url": "http://api.github.com/repos/octocat/Hello-World/commits{/sha}",
-    "compare_url": "http://api.github.com/repos/octocat/Hello-World/compare/{base}...{head}",
-    "contents_url": "http://api.github.com/repos/octocat/Hello-World/contents/{+path}",
-    "contributors_url": "http://api.github.com/repos/octocat/Hello-World/contributors",
-    "deployments_url": "http://api.github.com/repos/octocat/Hello-World/deployments",
-    "downloads_url": "http://api.github.com/repos/octocat/Hello-World/downloads",
-    "events_url": "http://api.github.com/repos/octocat/Hello-World/events",
-    "forks_url": "http://api.github.com/repos/octocat/Hello-World/forks",
-    "git_commits_url": "http://api.github.com/repos/octocat/Hello-World/git/commits{/sha}",
-    "git_refs_url": "http://api.github.com/repos/octocat/Hello-World/git/refs{/sha}",
-    "git_tags_url": "http://api.github.com/repos/octocat/Hello-World/git/tags{/sha}",
-    "git_url": "git:github.com/octocat/Hello-World.git",
-    "issue_comment_url": "http://api.github.com/repos/octocat/Hello-World/issues/comments{/number}",
-    "issue_events_url": "http://api.github.com/repos/octocat/Hello-World/issues/events{/number}",
-    "issues_url": "http://api.github.com/repos/octocat/Hello-World/issues{/number}",
-    "keys_url": "http://api.github.com/repos/octocat/Hello-World/keys{/key_id}",
-    "labels_url": "http://api.github.com/repos/octocat/Hello-World/labels{/name}",
-    "languages_url": "http://api.github.com/repos/octocat/Hello-World/languages",
-    "merges_url": "http://api.github.com/repos/octocat/Hello-World/merges",
-    "milestones_url": "http://api.github.com/repos/octocat/Hello-World/milestones{/number}",
-    "notifications_url": "http://api.github.com/repos/octocat/Hello-World/notifications{?since,all,participating}",
-    "pulls_url": "http://api.github.com/repos/octocat/Hello-World/pulls{/number}",
-    "releases_url": "http://api.github.com/repos/octocat/Hello-World/releases{/id}",
-    "ssh_url": "git@github.com:octocat/Hello-World.git",
-    "stargazers_url": "http://api.github.com/repos/octocat/Hello-World/stargazers",
-    "statuses_url": "http://api.github.com/repos/octocat/Hello-World/statuses/{sha}",
-    "subscribers_url": "http://api.github.com/repos/octocat/Hello-World/subscribers",
-    "subscription_url": "http://api.github.com/repos/octocat/Hello-World/subscription",
-    "tags_url": "http://api.github.com/repos/octocat/Hello-World/tags",
-    "teams_url": "http://api.github.com/repos/octocat/Hello-World/teams",
-    "trees_url": "http://api.github.com/repos/octocat/Hello-World/git/trees{/sha}",
-    "clone_url": "https://github.com/octocat/Hello-World.git",
-    "mirror_url": "git:git.example.com/octocat/Hello-World",
-    "hooks_url": "http://api.github.com/repos/octocat/Hello-World/hooks",
-    "svn_url": "https://svn.github.com/octocat/Hello-World",
-    "homepage": "https://github.com",
-    "language": null,
-    "forks_count": 9,
-    "stargazers_count": 80,
-    "watchers_count": 80,
-    "size": 108,
-    "default_branch": "master",
-    "open_issues_count": 0,
-    "is_template": true,
-    "topics": [
-      "octocat",
-      "atom",
-      "electron",
-      "api"
-    ],
-    "has_issues": true,
-    "has_projects": true,
-    "has_wiki": true,
-    "has_pages": false,
-    "has_downloads": true,
-    "archived": false,
-    "disabled": false,
-    "visibility": "public",
-    "pushed_at": "2011-01-26T19:06:43Z",
-    "created_at": "2011-01-26T19:01:12Z",
-    "updated_at": "2011-01-26T19:14:43Z",
-    "permissions": {
-      "admin": false,
-      "push": false,
-      "pull": true
-    },
-    "allow_rebase_merge": true,
-    "template_repository": null,
-    "temp_clone_token": "ABTLWHOULUVAXGTRYU7OC2876QJ2O",
-    "allow_squash_merge": true,
-    "delete_branch_on_merge": true,
-    "allow_merge_commit": true,
-    "subscribers_count": 42,
-    "network_count": 0
-  },
-  "source": {
-    "id": 1296269,
-    "node_id": "MDEwOlJlcG9zaXRvcnkxMjk2MjY5",
-    "name": "Hello-World",
-    "full_name": "octocat/Hello-World",
-    "owner": {
-      "login": "octocat",
-      "id": 1,
-      "node_id": "MDQ6VXNlcjE=",
-      "avatar_url": "https://github.com/images/error/octocat_happy.gif",
-      "gravatar_id": "",
-      "url": "https://api.github.com/users/octocat",
-      "html_url": "https://github.com/octocat",
-      "followers_url": "https://api.github.com/users/octocat/followers",
-      "following_url": "https://api.github.com/users/octocat/following{/other_user}",
-      "gists_url": "https://api.github.com/users/octocat/gists{/gist_id}",
-      "starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}",
-      "subscriptions_url": "https://api.github.com/users/octocat/subscriptions",
-      "organizations_url": "https://api.github.com/users/octocat/orgs",
-      "repos_url": "https://api.github.com/users/octocat/repos",
-      "events_url": "https://api.github.com/users/octocat/events{/privacy}",
-      "received_events_url": "https://api.github.com/users/octocat/received_events",
-      "type": "User",
-      "site_admin": false
-    },
-    "private": false,
-    "html_url": "https://github.com/octocat/Hello-World",
-    "description": "This your first repo!",
-    "fork": false,
-    "url": "https://api.github.com/repos/octocat/Hello-World",
-    "archive_url": "http://api.github.com/repos/octocat/Hello-World/{archive_format}{/ref}",
-    "assignees_url": "http://api.github.com/repos/octocat/Hello-World/assignees{/user}",
-    "blobs_url": "http://api.github.com/repos/octocat/Hello-World/git/blobs{/sha}",
-    "branches_url": "http://api.github.com/repos/octocat/Hello-World/branches{/branch}",
-    "collaborators_url": "http://api.github.com/repos/octocat/Hello-World/collaborators{/collaborator}",
-    "comments_url": "http://api.github.com/repos/octocat/Hello-World/comments{/number}",
-    "commits_url": "http://api.github.com/repos/octocat/Hello-World/commits{/sha}",
-    "compare_url": "http://api.github.com/repos/octocat/Hello-World/compare/{base}...{head}",
-    "contents_url": "http://api.github.com/repos/octocat/Hello-World/contents/{+path}",
-    "contributors_url": "http://api.github.com/repos/octocat/Hello-World/contributors",
-    "deployments_url": "http://api.github.com/repos/octocat/Hello-World/deployments",
-    "downloads_url": "http://api.github.com/repos/octocat/Hello-World/downloads",
-    "events_url": "http://api.github.com/repos/octocat/Hello-World/events",
-    "forks_url": "http://api.github.com/repos/octocat/Hello-World/forks",
-    "git_commits_url": "http://api.github.com/repos/octocat/Hello-World/git/commits{/sha}",
-    "git_refs_url": "http://api.github.com/repos/octocat/Hello-World/git/refs{/sha}",
-    "git_tags_url": "http://api.github.com/repos/octocat/Hello-World/git/tags{/sha}",
-    "git_url": "git:github.com/octocat/Hello-World.git",
-    "issue_comment_url": "http://api.github.com/repos/octocat/Hello-World/issues/comments{/number}",
-    "issue_events_url": "http://api.github.com/repos/octocat/Hello-World/issues/events{/number}",
-    "issues_url": "http://api.github.com/repos/octocat/Hello-World/issues{/number}",
-    "keys_url": "http://api.github.com/repos/octocat/Hello-World/keys{/key_id}",
-    "labels_url": "http://api.github.com/repos/octocat/Hello-World/labels{/name}",
-    "languages_url": "http://api.github.com/repos/octocat/Hello-World/languages",
-    "merges_url": "http://api.github.com/repos/octocat/Hello-World/merges",
-    "milestones_url": "http://api.github.com/repos/octocat/Hello-World/milestones{/number}",
-    "notifications_url": "http://api.github.com/repos/octocat/Hello-World/notifications{?since,all,participating}",
-    "pulls_url": "http://api.github.com/repos/octocat/Hello-World/pulls{/number}",
-    "releases_url": "http://api.github.com/repos/octocat/Hello-World/releases{/id}",
-    "ssh_url": "git@github.com:octocat/Hello-World.git",
-    "stargazers_url": "http://api.github.com/repos/octocat/Hello-World/stargazers",
-    "statuses_url": "http://api.github.com/repos/octocat/Hello-World/statuses/{sha}",
-    "subscribers_url": "http://api.github.com/repos/octocat/Hello-World/subscribers",
-    "subscription_url": "http://api.github.com/repos/octocat/Hello-World/subscription",
-    "tags_url": "http://api.github.com/repos/octocat/Hello-World/tags",
-    "teams_url": "http://api.github.com/repos/octocat/Hello-World/teams",
-    "trees_url": "http://api.github.com/repos/octocat/Hello-World/git/trees{/sha}",
-    "clone_url": "https://github.com/octocat/Hello-World.git",
-    "mirror_url": "git:git.example.com/octocat/Hello-World",
-    "hooks_url": "http://api.github.com/repos/octocat/Hello-World/hooks",
-    "svn_url": "https://svn.github.com/octocat/Hello-World",
-    "homepage": "https://github.com",
-    "language": null,
-    "forks_count": 9,
-    "stargazers_count": 80,
-    "watchers_count": 80,
-    "size": 108,
-    "default_branch": "master",
-    "open_issues_count": 0,
-    "is_template": true,
-    "topics": [
-      "octocat",
-      "atom",
-      "electron",
-      "api"
-    ],
-    "has_issues": true,
-    "has_projects": true,
-    "has_wiki": true,
-    "has_pages": false,
-    "has_downloads": true,
-    "archived": false,
-    "disabled": false,
-    "visibility": "public",
-    "pushed_at": "2011-01-26T19:06:43Z",
-    "created_at": "2011-01-26T19:01:12Z",
-    "updated_at": "2011-01-26T19:14:43Z",
-    "permissions": {
-      "admin": false,
-      "push": false,
-      "pull": true
-    },
-    "allow_rebase_merge": true,
-    "template_repository": null,
-    "temp_clone_token": "ABTLWHOULUVAXGTRYU7OC2876QJ2O",
-    "allow_squash_merge": true,
-    "delete_branch_on_merge": true,
-    "allow_merge_commit": true,
-    "subscribers_count": 42,
-    "network_count": 0
-  }
-}

__tests__/setup.unit.ts

@@ -0,0 +1,39 @@
+import fs from 'node:fs';
+import os from 'node:os';
+import path from 'node:path';
+import {vi} from 'vitest';
+
+const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'docker-bake-action-'));
+
+const githubPayload = {
+  repository: {
+    private: true
+  }
+};
+
+const githubEventPath = path.join(tmpDir, 'github-event.json');
+fs.writeFileSync(githubEventPath, JSON.stringify(githubPayload));
+
+process.env = Object.assign({}, process.env, {
+  TEMP: tmpDir,
+  GITHUB_REPOSITORY: 'docker/bake-action',
+  GITHUB_REF: 'refs/heads/master',
+  GITHUB_RUN_ID: '123456789',
+  GITHUB_RUN_ATTEMPT: '1',
+  GITHUB_EVENT_PATH: githubEventPath,
+  RUNNER_TEMP: path.join(tmpDir, 'runner-temp'),
+  RUNNER_TOOL_CACHE: path.join(tmpDir, 'runner-tool-cache')
+});
+
+vi.mock('@actions/github', () => ({
+  context: {
+    repo: {
+      owner: 'docker',
+      repo: 'bake-action'
+    },
+    ref: 'refs/heads/master',
+    runId: 123456789,
+    payload: githubPayload
+  },
+  getOctokit: vi.fn()
+}));

action.yml

@@ -10,22 +10,15 @@ inputs:
   builder:
     description: "Builder instance"
     required: false
-  source:
-    description: "Context to build from. Can be either local or a remote bake definition"
-    required: false
   allow:
     description: "Allow build to access specified resources (e.g., network.host)"
     required: false
+  call:
+    description: "Set method for evaluating build (e.g., check)"
+    required: false
   files:
     description: "List of bake definition files"
     required: false
-  workdir:
-    description: "Working directory of bake execution"
-    required: false
-    default: '.'
-  targets:
-    description: "List of bake targets"
-    required: false
   no-cache:
     description: "Do not use cache when building the image"
     required: false
@@ -51,6 +44,12 @@ inputs:
   set:
     description: "List of targets values to override (eg. targetpattern.key=value)"
     required: false
+  source:
+    description: "Context to build from. Can be either local to specify the working directory or a remote bake definition"
+    required: false
+  targets:
+    description: "List of bake targets"
+    required: false
   github-token:
     description: "API token used to authenticate to a Git repository for remote definitions"
     default: ${{ github.token }}
@@ -61,6 +60,6 @@ outputs:
     description: 'Build result metadata'
 
 runs:
-  using: 'node20'
+  using: 'node24'
   main: 'dist/index.js'
   post: 'dist/index.js'

dev.Dockerfile

@@ -1,12 +1,13 @@
 # syntax=docker/dockerfile:1
 
-ARG NODE_VERSION=20
+ARG NODE_VERSION=24
 
 FROM node:${NODE_VERSION}-alpine AS base
-RUN apk add --no-cache cpio findutils git
+RUN apk add --no-cache cpio findutils git rsync
 WORKDIR /src
 RUN --mount=type=bind,target=.,rw \
   --mount=type=cache,target=/src/.yarn/cache <<EOT
+  set -e
   corepack enable
   yarn --version
   yarn config set --home enableTelemetry 0
@@ -27,25 +28,34 @@ RUN --mount=type=bind,target=.,rw <<EOT
   git add -A
   cp -rf /vendor/* .
   if [ -n "$(git status --porcelain -- yarn.lock)" ]; then
-    echo >&2 'ERROR: Vendor result differs. Please vendor your package with "docker buildx bake vendor-update"'
+    echo >&2 'ERROR: Vendor result differs. Please vendor your package with "docker buildx bake vendor"'
     git status --porcelain -- yarn.lock
     exit 1
   fi
 EOT
 
 FROM deps AS build
-RUN --mount=type=bind,target=.,rw \
+RUN --mount=target=/context \
   --mount=type=cache,target=/src/.yarn/cache \
-  --mount=type=cache,target=/src/node_modules \
-  yarn run build && mkdir /out && cp -Rf dist /out/
+  --mount=type=cache,target=/src/node_modules <<EOT
+  set -e
+  rsync -a /context/. .
+  rm -rf dist
+  yarn run build
+  mkdir /out
+  cp -r dist /out
+EOT
 
 FROM scratch AS build-update
 COPY --from=build /out /
 
 FROM build AS build-validate
-RUN --mount=type=bind,target=.,rw <<EOT
+RUN --mount=target=/context \
+  --mount=target=.,type=tmpfs <<EOT
   set -e
+  rsync -a /context/. .
   git add -A
+  rm -rf dist
   cp -rf /out/* .
   if [ -n "$(git status --porcelain -- dist)" ]; then
     echo >&2 'ERROR: Build result differs. Please build first with "docker buildx bake build"'
@@ -58,8 +68,7 @@ FROM deps AS format
 RUN --mount=type=bind,target=.,rw \
   --mount=type=cache,target=/src/.yarn/cache \
   --mount=type=cache,target=/src/node_modules \
-  yarn run format \
-  && mkdir /out && find . -name '*.ts' -not -path './node_modules/*' -not -path './.yarn/*' | cpio -pdm /out
+  yarn run format && mkdir /out && find . -name '*.ts' -not -path './node_modules/*' -not -path './.yarn/*' | cpio -pdm /out
 
 FROM scratch AS format-update
 COPY --from=format /out /
@@ -74,7 +83,7 @@ FROM deps AS test
 RUN --mount=type=bind,target=.,rw \
   --mount=type=cache,target=/src/.yarn/cache \
   --mount=type=cache,target=/src/node_modules \
-  yarn run test --coverage --coverageDirectory=/tmp/coverage
+  yarn run test --coverage --coverage.reportsDirectory=/tmp/coverage
 
 FROM scratch AS test-coverage
 COPY --from=test /tmp/coverage /

dist/606.index.js

@@ -0,0 +1,301 @@
+export const id = 606;
+export const ids = [606];
+export const modules = {
+
+/***/ 606:
+/***/ ((__unused_webpack___webpack_module__, __webpack_exports__, __webpack_require__) => {
+
+/* harmony export */ __webpack_require__.d(__webpack_exports__, {
+/* harmony export */   "default": () => (/* binding */ pMap)
+/* harmony export */ });
+/* unused harmony exports pMapIterable, pMapSkip */
+async function pMap(
+	iterable,
+	mapper,
+	{
+		concurrency = Number.POSITIVE_INFINITY,
+		stopOnError = true,
+		signal,
+	} = {},
+) {
+	return new Promise((resolve_, reject_) => {
+		if (iterable[Symbol.iterator] === undefined && iterable[Symbol.asyncIterator] === undefined) {
+			throw new TypeError(`Expected \`input\` to be either an \`Iterable\` or \`AsyncIterable\`, got (${typeof iterable})`);
+		}
+
+		if (typeof mapper !== 'function') {
+			throw new TypeError('Mapper function is required');
+		}
+
+		if (!((Number.isSafeInteger(concurrency) && concurrency >= 1) || concurrency === Number.POSITIVE_INFINITY)) {
+			throw new TypeError(`Expected \`concurrency\` to be an integer from 1 and up or \`Infinity\`, got \`${concurrency}\` (${typeof concurrency})`);
+		}
+
+		const result = [];
+		const errors = [];
+		const skippedIndexesMap = new Map();
+		let isRejected = false;
+		let isResolved = false;
+		let isIterableDone = false;
+		let resolvingCount = 0;
+		let currentIndex = 0;
+		const iterator = iterable[Symbol.iterator] === undefined ? iterable[Symbol.asyncIterator]() : iterable[Symbol.iterator]();
+
+		const signalListener = () => {
+			reject(signal.reason);
+		};
+
+		const cleanup = () => {
+			signal?.removeEventListener('abort', signalListener);
+		};
+
+		const resolve = value => {
+			resolve_(value);
+			cleanup();
+		};
+
+		const reject = reason => {
+			isRejected = true;
+			isResolved = true;
+			reject_(reason);
+			cleanup();
+		};
+
+		if (signal) {
+			if (signal.aborted) {
+				reject(signal.reason);
+			}
+
+			signal.addEventListener('abort', signalListener, {once: true});
+		}
+
+		const next = async () => {
+			if (isResolved) {
+				return;
+			}
+
+			const nextItem = await iterator.next();
+
+			const index = currentIndex;
+			currentIndex++;
+
+			// Note: `iterator.next()` can be called many times in parallel.
+			// This can cause multiple calls to this `next()` function to
+			// receive a `nextItem` with `done === true`.
+			// The shutdown logic that rejects/resolves must be protected
+			// so it runs only one time as the `skippedIndex` logic is
+			// non-idempotent.
+			if (nextItem.done) {
+				isIterableDone = true;
+
+				if (resolvingCount === 0 && !isResolved) {
+					if (!stopOnError && errors.length > 0) {
+						reject(new AggregateError(errors)); // eslint-disable-line unicorn/error-message
+						return;
+					}
+
+					isResolved = true;
+
+					if (skippedIndexesMap.size === 0) {
+						resolve(result);
+						return;
+					}
+
+					const pureResult = [];
+
+					// Support multiple `pMapSkip`'s.
+					for (const [index, value] of result.entries()) {
+						if (skippedIndexesMap.get(index) === pMapSkip) {
+							continue;
+						}
+
+						pureResult.push(value);
+					}
+
+					resolve(pureResult);
+				}
+
+				return;
+			}
+
+			resolvingCount++;
+
+			// Intentionally detached
+			(async () => {
+				try {
+					const element = await nextItem.value;
+
+					if (isResolved) {
+						return;
+					}
+
+					const value = await mapper(element, index);
+
+					// Use Map to stage the index of the element.
+					if (value === pMapSkip) {
+						skippedIndexesMap.set(index, value);
+					}
+
+					result[index] = value;
+
+					resolvingCount--;
+					await next();
+				} catch (error) {
+					if (stopOnError) {
+						reject(error);
+					} else {
+						errors.push(error);
+						resolvingCount--;
+
+						// In that case we can't really continue regardless of `stopOnError` state
+						// since an iterable is likely to continue throwing after it throws once.
+						// If we continue calling `next()` indefinitely we will likely end up
+						// in an infinite loop of failed iteration.
+						try {
+							await next();
+						} catch (error) {
+							reject(error);
+						}
+					}
+				}
+			})();
+		};
+
+		// Create the concurrent runners in a detached (non-awaited)
+		// promise. We need this so we can await the `next()` calls
+		// to stop creating runners before hitting the concurrency limit
+		// if the iterable has already been marked as done.
+		// NOTE: We *must* do this for async iterators otherwise we'll spin up
+		// infinite `next()` calls by default and never start the event loop.
+		(async () => {
+			for (let index = 0; index < concurrency; index++) {
+				try {
+					// eslint-disable-next-line no-await-in-loop
+					await next();
+				} catch (error) {
+					reject(error);
+					break;
+				}
+
+				if (isIterableDone || isRejected) {
+					break;
+				}
+			}
+		})();
+	});
+}
+
+function pMapIterable(
+	iterable,
+	mapper,
+	{
+		concurrency = Number.POSITIVE_INFINITY,
+		backpressure = concurrency,
+	} = {},
+) {
+	if (iterable[Symbol.iterator] === undefined && iterable[Symbol.asyncIterator] === undefined) {
+		throw new TypeError(`Expected \`input\` to be either an \`Iterable\` or \`AsyncIterable\`, got (${typeof iterable})`);
+	}
+
+	if (typeof mapper !== 'function') {
+		throw new TypeError('Mapper function is required');
+	}
+
+	if (!((Number.isSafeInteger(concurrency) && concurrency >= 1) || concurrency === Number.POSITIVE_INFINITY)) {
+		throw new TypeError(`Expected \`concurrency\` to be an integer from 1 and up or \`Infinity\`, got \`${concurrency}\` (${typeof concurrency})`);
+	}
+
+	if (!((Number.isSafeInteger(backpressure) && backpressure >= concurrency) || backpressure === Number.POSITIVE_INFINITY)) {
+		throw new TypeError(`Expected \`backpressure\` to be an integer from \`concurrency\` (${concurrency}) and up or \`Infinity\`, got \`${backpressure}\` (${typeof backpressure})`);
+	}
+
+	return {
+		async * [Symbol.asyncIterator]() {
+			const iterator = iterable[Symbol.asyncIterator] === undefined ? iterable[Symbol.iterator]() : iterable[Symbol.asyncIterator]();
+
+			const promises = [];
+			let pendingPromisesCount = 0;
+			let isDone = false;
+			let index = 0;
+
+			function trySpawn() {
+				if (isDone || !(pendingPromisesCount < concurrency && promises.length < backpressure)) {
+					return;
+				}
+
+				pendingPromisesCount++;
+
+				const promise = (async () => {
+					const {done, value} = await iterator.next();
+
+					if (done) {
+						pendingPromisesCount--;
+						return {done: true};
+					}
+
+					// Spawn if still below concurrency and backpressure limit
+					trySpawn();
+
+					try {
+						const returnValue = await mapper(await value, index++);
+
+						pendingPromisesCount--;
+
+						if (returnValue === pMapSkip) {
+							const index = promises.indexOf(promise);
+
+							if (index > 0) {
+								promises.splice(index, 1);
+							}
+						}
+
+						// Spawn if still below backpressure limit and just dropped below concurrency limit
+						trySpawn();
+
+						return {done: false, value: returnValue};
+					} catch (error) {
+						pendingPromisesCount--;
+						isDone = true;
+						return {error};
+					}
+				})();
+
+				promises.push(promise);
+			}
+
+			trySpawn();
+
+			while (promises.length > 0) {
+				const {error, done, value} = await promises[0]; // eslint-disable-line no-await-in-loop
+
+				promises.shift();
+
+				if (error) {
+					throw error;
+				}
+
+				if (done) {
+					return;
+				}
+
+				// Spawn if just dropped below backpressure limit and below the concurrency limit
+				trySpawn();
+
+				if (value === pMapSkip) {
+					continue;
+				}
+
+				yield value;
+			}
+		},
+	};
+}
+
+const pMapSkip = Symbol('skip');
+
+
+/***/ })
+
+};
+
+//# sourceMappingURL=606.index.js.map

dist/package.json

@@ -0,0 +1,3 @@
+{
+  "type": "module"
+}

eslint.config.mjs

@@ -0,0 +1,52 @@
+import {defineConfig} from 'eslint/config';
+import js from '@eslint/js';
+import tseslint from '@typescript-eslint/eslint-plugin';
+import vitest from '@vitest/eslint-plugin';
+import globals from 'globals';
+import eslintConfigPrettier from 'eslint-config-prettier/flat';
+import eslintPluginPrettier from 'eslint-plugin-prettier';
+
+export default defineConfig([
+  {
+    ignores: ['.yarn/**/*', 'coverage/**/*', 'dist/**/*']
+  },
+  js.configs.recommended,
+  ...tseslint.configs['flat/recommended'],
+  eslintConfigPrettier,
+  {
+    languageOptions: {
+      globals: {
+        ...globals.node
+      }
+    }
+  },
+  {
+    files: ['__tests__/**'],
+    ...vitest.configs.recommended,
+    languageOptions: {
+      globals: {
+        ...globals.node,
+        ...vitest.environments.env.globals
+      }
+    },
+    rules: {
+      ...vitest.configs.recommended.rules,
+      'vitest/no-conditional-expect': 'error',
+      'vitest/no-disabled-tests': 0
+    }
+  },
+  {
+    plugins: {
+      prettier: eslintPluginPrettier
+    },
+    rules: {
+      'prettier/prettier': 'error',
+      '@typescript-eslint/no-require-imports': [
+        'error',
+        {
+          allowAsImport: true
+        }
+      ]
+    }
+  }
+]);

jest.config.ts

@@ -1,30 +0,0 @@
-import fs from 'fs';
-import os from 'os';
-import path from 'path';
-
-const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'docker-bake-action-'));
-
-process.env = Object.assign({}, process.env, {
-  TEMP: tmpDir,
-  GITHUB_REPOSITORY: 'docker/bake-action',
-  RUNNER_TEMP: path.join(tmpDir, 'runner-temp'),
-  RUNNER_TOOL_CACHE: path.join(tmpDir, 'runner-tool-cache')
-}) as {
-  [key: string]: string;
-};
-
-module.exports = {
-  clearMocks: true,
-  testEnvironment: 'node',
-  moduleFileExtensions: ['js', 'ts'],
-  testMatch: ['**/*.test.ts'],
-  transform: {
-    '^.+\\.ts$': 'ts-jest'
-  },
-  moduleNameMapper: {
-    '^csv-parse/sync': '<rootDir>/node_modules/csv-parse/dist/cjs/sync.cjs'
-  },
-  collectCoverageFrom: ['src/**/{!(main.ts),}.ts'],
-  coveragePathIgnorePatterns: ['lib/', 'node_modules/', '__mocks__/', '__tests__/'],
-  verbose: true
-};

package.json

@@ -1,16 +1,13 @@
 {
   "name": "docker-buildx-bake",
   "description": "GitHub Action to use Docker Buildx Bake as a high-level build command",
+  "type": "module",
   "main": "src/main.ts",
   "scripts": {
     "build": "ncc build --source-map --minify --license licenses.txt",
-    "lint": "yarn run prettier && yarn run eslint",
-    "format": "yarn run prettier:fix && yarn run eslint:fix",
-    "eslint": "eslint --max-warnings=0 .",
-    "eslint:fix": "eslint --fix .",
-    "prettier": "prettier --check \"./**/*.ts\"",
-    "prettier:fix": "prettier --write \"./**/*.ts\"",
-    "test": "jest"
+    "lint": "eslint --max-warnings=0 .",
+    "format": "eslint --fix .",
+    "test": "vitest run"
   },
   "repository": {
     "type": "git",
@@ -24,25 +21,26 @@
   ],
   "author": "Docker Inc.",
   "license": "Apache-2.0",
-  "packageManager": "yarn@3.6.3",
+  "packageManager": "yarn@4.9.2",
   "dependencies": {
-    "@actions/core": "^1.11.1",
-    "@docker/actions-toolkit": "^0.61.0",
-    "handlebars": "^4.7.8"
+    "@actions/core": "^3.0.0",
+    "@docker/actions-toolkit": "^0.87.0",
+    "handlebars": "^4.7.9"
   },
   "devDependencies": {
-    "@types/node": "^20.12.12",
-    "@typescript-eslint/eslint-plugin": "^7.9.0",
-    "@typescript-eslint/parser": "^7.9.0",
-    "@vercel/ncc": "^0.38.1",
-    "eslint": "^8.57.0",
-    "eslint-config-prettier": "^9.1.0",
-    "eslint-plugin-jest": "^28.5.0",
-    "eslint-plugin-prettier": "^5.1.3",
-    "jest": "^29.7.0",
-    "prettier": "^3.2.5",
-    "ts-jest": "^29.1.2",
-    "ts-node": "^10.9.2",
-    "typescript": "^5.4.5"
+    "@eslint/js": "^9.39.3",
+    "@types/node": "^24.11.0",
+    "@typescript-eslint/eslint-plugin": "^8.56.1",
+    "@typescript-eslint/parser": "^8.56.1",
+    "@vercel/ncc": "^0.38.4",
+    "@vitest/coverage-v8": "^4.0.18",
+    "@vitest/eslint-plugin": "^1.6.9",
+    "eslint": "^9.39.3",
+    "eslint-config-prettier": "^10.1.8",
+    "eslint-plugin-prettier": "^5.5.5",
+    "globals": "^17.3.0",
+    "prettier": "^3.8.1",
+    "typescript": "^5.9.3",
+    "vitest": "^4.0.18"
   }
 }

src/context.ts

@@ -1,21 +1,25 @@
+import * as fs from 'fs';
 import * as core from '@actions/core';
 import * as handlebars from 'handlebars';
 
-import {Bake} from '@docker/actions-toolkit/lib/buildx/bake';
-import {Build} from '@docker/actions-toolkit/lib/buildx/build';
-import {Context} from '@docker/actions-toolkit/lib/context';
-import {GitHub} from '@docker/actions-toolkit/lib/github';
-import {Toolkit} from '@docker/actions-toolkit/lib/toolkit';
-import {Util} from '@docker/actions-toolkit/lib/util';
+import {Bake} from '@docker/actions-toolkit/lib/buildx/bake.js';
+import {Build} from '@docker/actions-toolkit/lib/buildx/build.js';
+import {GitHub} from '@docker/actions-toolkit/lib/github/github.js';
+import {Toolkit} from '@docker/actions-toolkit/lib/toolkit.js';
+import {Util} from '@docker/actions-toolkit/lib/util.js';
 
-import {BakeDefinition} from '@docker/actions-toolkit/lib/types/buildx/bake';
+import {BakeDefinition} from '@docker/actions-toolkit/lib/types/buildx/bake.js';
+
+export interface BakeContext {
+  remoteRef?: string;
+  workdir?: string;
+}
 
 export interface Inputs {
-  allow: string[];
   builder: string;
+  allow: string[];
+  call: string;
   files: string[];
-  workdir: string;
-  targets: string[];
   'no-cache': boolean;
   pull: boolean;
   load: boolean;
@@ -23,17 +27,17 @@ export interface Inputs {
   push: boolean;
   sbom: string;
   set: string[];
-  source: string;
+  source: BakeContext;
+  targets: string[];
   'github-token': string;
 }
 
 export async function getInputs(): Promise<Inputs> {
   return {
-    allow: Util.getInputList('allow'),
     builder: core.getInput('builder'),
+    allow: Util.getInputList('allow'),
+    call: core.getInput('call'),
     files: Util.getInputList('files'),
-    workdir: core.getInput('workdir') || '.',
-    targets: Util.getInputList('targets'),
     'no-cache': core.getBooleanInput('no-cache'),
     pull: core.getBooleanInput('pull'),
     load: core.getBooleanInput('load'),
@@ -41,33 +45,12 @@ export async function getInputs(): Promise<Inputs> {
     push: core.getBooleanInput('push'),
     sbom: core.getInput('sbom'),
     set: Util.getInputList('set', {ignoreComma: true, quote: false}),
-    source: getSourceInput('source'),
+    source: await getBakeContext(core.getInput('source')),
+    targets: Util.getInputList('targets'),
     'github-token': core.getInput('github-token')
   };
 }
 
-export function sanitizeInputs(inputs: Inputs) {
-  const res = {};
-  for (const key of Object.keys(inputs)) {
-    if (key === 'github-token') {
-      continue;
-    }
-    const value: string | string[] | boolean = inputs[key];
-    if (typeof value === 'boolean' && value === false) {
-      continue;
-    } else if (Array.isArray(value) && value.length === 0) {
-      continue;
-    } else if (!value) {
-      continue;
-    }
-    if (key === 'workdir' && value === '.') {
-      continue;
-    }
-    res[key] = value;
-  }
-  return res;
-}
-
 export async function getArgs(inputs: Inputs, definition: BakeDefinition, toolkit: Toolkit): Promise<Array<string>> {
   // prettier-ignore
   return [
@@ -79,8 +62,8 @@ export async function getArgs(inputs: Inputs, definition: BakeDefinition, toolki
 
 async function getBakeArgs(inputs: Inputs, definition: BakeDefinition, toolkit: Toolkit): Promise<Array<string>> {
   const args: Array<string> = ['bake'];
-  if (inputs.source) {
-    args.push(inputs.source);
+  if (inputs.source.remoteRef) {
+    args.push(inputs.source.remoteRef);
   }
   if (await toolkit.buildx.versionSatisfies('>=0.17.0')) {
     if (await toolkit.buildx.versionSatisfies('>=0.18.0')) {
@@ -91,6 +74,12 @@ async function getBakeArgs(inputs: Inputs, definition: BakeDefinition, toolkit:
       args.push('--allow', allow);
     });
   }
+  if (inputs.call) {
+    if (!(await toolkit.buildx.versionSatisfies('>=0.16.0'))) {
+      throw new Error(`Buildx >= 0.16.0 is required to use the call flag.`);
+    }
+    args.push('--call', inputs.call);
+  }
   await Util.asyncForEach(inputs.files, async file => {
     args.push('--file', file);
   });
@@ -104,16 +93,22 @@ async function getBakeArgs(inputs: Inputs, definition: BakeDefinition, toolkit:
     if (inputs.provenance) {
       args.push('--provenance', inputs.provenance);
     } else if (!noDefaultAttestations() && (await toolkit.buildkit.versionSatisfies(inputs.builder, '>=0.11.0')) && !Bake.hasDockerExporter(definition, inputs.load)) {
-      // if provenance not specified and BuildKit version compatible for
+      // check if provenance attestation is already specified in the bake
+      // definition and if not specified and BuildKit version compatible for
       // attestation, set default provenance. Also needs to make sure user
       // doesn't want to explicitly load the image to docker.
-      if (GitHub.context.payload.repository?.private ?? false) {
-        // if this is a private repository, we set the default provenance
-        // attributes being set in buildx: https://github.com/docker/buildx/blob/fb27e3f919dcbf614d7126b10c2bc2d0b1927eb6/build/build.go#L603
-        args.push('--provenance', Build.resolveProvenanceAttrs(`mode=min,inline-only=true`));
-      } else {
-        // for a public repository, we set max provenance mode.
-        args.push('--provenance', Build.resolveProvenanceAttrs(`mode=max`));
+      for (const targetName in definition.target) {
+        const target = definition.target[targetName];
+        if (!Array.isArray(target.attest) || !target.attest.some(attest => attest?.type === 'provenance')) {
+          if (GitHub.context.payload.repository?.private ?? false) {
+            // if this is a private repository, we set the default provenance
+            // attributes being set in buildx: https://github.com/docker/buildx/blob/fb27e3f919dcbf614d7126b10c2bc2d0b1927eb6/build/build.go#L603
+            args.push('--set', `${targetName}.attest=type=provenance,${Build.resolveProvenanceAttrs(`mode=min,inline-only=true`)}`);
+          } else {
+            // for a public repository, we set max provenance mode.
+            args.push('--set', `${targetName}.attest=type=provenance,${Build.resolveProvenanceAttrs(`mode=max`)}`);
+          }
+        }
       }
     }
     if (inputs.sbom) {
@@ -143,17 +138,27 @@ async function getCommonArgs(inputs: Inputs): Promise<Array<string>> {
   return args;
 }
 
-function getSourceInput(name: string): string {
-  let source = handlebars.compile(core.getInput(name))({
-    defaultContext: Context.gitContext()
+async function getBakeContext(sourceInput: string): Promise<BakeContext> {
+  const defaultContext = await new Build().gitContext();
+  let bakeContext = handlebars.compile(sourceInput)({
+    defaultContext: defaultContext
   });
-  if (!source) {
-    source = Context.gitContext();
+  if (!bakeContext) {
+    bakeContext = defaultContext;
   }
-  if (source === '.') {
-    source = '';
+  if (Util.isValidRef(bakeContext)) {
+    return {
+      remoteRef: bakeContext
+    };
   }
-  return source;
+  try {
+    fs.statSync(sourceInput).isDirectory();
+  } catch {
+    throw new Error(`Invalid source: ${sourceInput} does not exist or is not a directory.`);
+  }
+  return {
+    workdir: bakeContext
+  };
 }
 
 function noDefaultAttestations(): boolean {

src/main.ts

@@ -3,22 +3,24 @@ import * as path from 'path';
 import * as core from '@actions/core';
 import * as actionsToolkit from '@docker/actions-toolkit';
 
-import {Buildx} from '@docker/actions-toolkit/lib/buildx/buildx';
-import {History as BuildxHistory} from '@docker/actions-toolkit/lib/buildx/history';
-import {Context} from '@docker/actions-toolkit/lib/context';
-import {Docker} from '@docker/actions-toolkit/lib/docker/docker';
-import {Exec} from '@docker/actions-toolkit/lib/exec';
-import {GitHub} from '@docker/actions-toolkit/lib/github';
-import {Toolkit} from '@docker/actions-toolkit/lib/toolkit';
-import {Util} from '@docker/actions-toolkit/lib/util';
+import {Buildx} from '@docker/actions-toolkit/lib/buildx/buildx.js';
+import {History as BuildxHistory} from '@docker/actions-toolkit/lib/buildx/history.js';
+import {Context} from '@docker/actions-toolkit/lib/context.js';
+import {Docker} from '@docker/actions-toolkit/lib/docker/docker.js';
+import {Exec} from '@docker/actions-toolkit/lib/exec.js';
+import {GitHub} from '@docker/actions-toolkit/lib/github/github.js';
+import {GitHubArtifact} from '@docker/actions-toolkit/lib/github/artifact.js';
+import {GitHubSummary} from '@docker/actions-toolkit/lib/github/summary.js';
+import {Toolkit} from '@docker/actions-toolkit/lib/toolkit.js';
+import {Util} from '@docker/actions-toolkit/lib/util.js';
 
-import {BakeDefinition} from '@docker/actions-toolkit/lib/types/buildx/bake';
-import {BuilderInfo} from '@docker/actions-toolkit/lib/types/buildx/builder';
-import {ConfigFile} from '@docker/actions-toolkit/lib/types/docker/docker';
-import {UploadArtifactResponse} from '@docker/actions-toolkit/lib/types/github';
+import {BakeDefinition} from '@docker/actions-toolkit/lib/types/buildx/bake.js';
+import {BuilderInfo} from '@docker/actions-toolkit/lib/types/buildx/builder.js';
+import {ConfigFile} from '@docker/actions-toolkit/lib/types/docker/docker.js';
+import {UploadResponse as UploadArtifactResponse} from '@docker/actions-toolkit/lib/types/github/artifact.js';
 
-import * as context from './context';
-import * as stateHelper from './state-helper';
+import * as context from './context.js';
+import * as stateHelper from './state-helper.js';
 
 actionsToolkit.run(
   // main
@@ -26,8 +28,8 @@ actionsToolkit.run(
     const startedTime = new Date();
 
     const inputs: context.Inputs = await context.getInputs();
+    stateHelper.setSummaryInputs(inputs);
     core.debug(`inputs: ${JSON.stringify(inputs)}`);
-    stateHelper.setInputs(inputs);
 
     const toolkit = new Toolkit();
     const gitAuthToken = process.env.BUILDX_BAKE_GIT_AUTH_TOKEN ?? inputs['github-token'];
@@ -88,6 +90,8 @@ actionsToolkit.run(
     let builder: BuilderInfo;
     await core.group(`Builder info`, async () => {
       builder = await toolkit.builder.inspect(inputs.builder);
+      stateHelper.setBuilderDriver(builder.driver ?? '');
+      stateHelper.setBuilderEndpoint(builder.nodes?.[0]?.endpoint ?? '');
       core.info(JSON.stringify(builder, null, 2));
     });
 
@@ -103,12 +107,12 @@ actionsToolkit.run(
           provenance: inputs.provenance,
           push: inputs.push,
           sbom: inputs.sbom,
-          source: inputs.source,
+          source: inputs.source.remoteRef,
           targets: inputs.targets,
           githubToken: gitAuthToken
         },
         {
-          cwd: inputs.workdir
+          cwd: inputs.source.workdir
         }
       );
     });
@@ -128,7 +132,7 @@ actionsToolkit.run(
 
     await core.group(`Bake definition`, async () => {
       await Exec.getExecOutput(buildCmd.command, [...buildCmd.args, '--print'], {
-        cwd: inputs.workdir,
+        cwd: inputs.source.workdir,
         env: buildEnv,
         ignoreReturnCode: true
       }).then(res => {
@@ -140,12 +144,30 @@ actionsToolkit.run(
 
     let err: Error | undefined;
     await Exec.getExecOutput(buildCmd.command, buildCmd.args, {
-      cwd: inputs.workdir,
+      cwd: inputs.source.workdir,
       env: buildEnv,
       ignoreReturnCode: true
     }).then(res => {
-      if (res.stderr.length > 0 && res.exitCode != 0) {
-        err = Error(`buildx bake failed with: ${res.stderr.match(/(.*)\s*$/)?.[0]?.trim() ?? 'unknown error'}`);
+      if (res.exitCode != 0) {
+        if (inputs.call && inputs.call === 'check' && res.stdout.length > 0) {
+          // checks warnings are printed to stdout: https://github.com/docker/buildx/pull/2647
+          // with bake we can have multiple targets being checked so we need to
+          // count the total number of warnings
+          const totalWarnings = [...res.stdout.matchAll(/^Check complete, (\d+) warnings? (?:has|have) been found!/gm)].reduce((sum, m) => sum + parseInt(m[1], 10), 0);
+          if (totalWarnings > 0) {
+            // https://github.com/docker/buildx/blob/1e50e8ddabe108f009b9925e13a321d7c8f99f26/commands/build.go#L797-L803
+            if (totalWarnings === 1) {
+              err = Error(`Check complete, ${totalWarnings} warning has been found!`);
+            } else {
+              err = Error(`Check complete, ${totalWarnings} warnings have been found!`);
+            }
+          } else {
+            // if there are no warnings found, return the first line of stdout
+            err = Error(res.stdout.split('\n')[0]?.trim());
+          }
+        } else if (res.stderr.length > 0) {
+          err = Error(`buildx bake failed with: ${res.stderr.match(/(.*)\s*$/)?.[0]?.trim() ?? 'unknown error'}`);
+        }
       }
     });
 
@@ -189,12 +211,12 @@ actionsToolkit.run(
     await core.group(`Check build summary support`, async () => {
       if (!buildSummaryEnabled()) {
         core.info('Build summary disabled');
+      } else if (inputs.call && inputs.call !== 'build') {
+        core.info(`Build summary skipped for ${inputs.call} subrequest`);
       } else if (GitHub.isGHES) {
         core.info('Build summary is not yet supported on GHES');
-      } else if (!(await toolkit.buildx.versionSatisfies('>=0.13.0'))) {
-        core.info('Build summary requires Buildx >= 0.13.0');
-      } else if (builder && builder.driver === 'cloud') {
-        core.info('Build summary is not yet supported with Docker Build Cloud');
+      } else if (!(await toolkit.buildx.versionSatisfies('>=0.23.0'))) {
+        core.info('Build summary requires Buildx >= 0.23.0');
       } else if (refs.length == 0) {
         core.info('Build summary requires at least one build reference');
       } else {
@@ -220,25 +242,25 @@ actionsToolkit.run(
 
           const buildxHistory = new BuildxHistory();
           const exportRes = await buildxHistory.export({
-            refs: stateHelper.buildRefs,
-            useContainer: buildExportLegacy()
+            refs: stateHelper.buildRefs
           });
           core.info(`Build records written to ${exportRes.dockerbuildFilename} (${Util.formatFileSize(exportRes.dockerbuildSize)})`);
 
           let uploadRes: UploadArtifactResponse | undefined;
           if (recordUploadEnabled) {
-            uploadRes = await GitHub.uploadArtifact({
+            uploadRes = await GitHubArtifact.upload({
               filename: exportRes.dockerbuildFilename,
-              mimeType: 'application/gzip',
               retentionDays: recordRetentionDays
             });
           }
 
-          await GitHub.writeBuildSummary({
+          await GitHubSummary.writeBuildSummary({
             exportRes: exportRes,
             uploadRes: uploadRes,
-            inputs: stateHelper.inputs,
-            bakeDefinition: stateHelper.bakeDefinition
+            inputs: stateHelper.summaryInputs,
+            bakeDefinition: stateHelper.bakeDefinition,
+            driver: stateHelper.builderDriver,
+            endpoint: stateHelper.builderEndpoint
           });
         } catch (e) {
           core.warning(e.message);
@@ -286,10 +308,7 @@ function buildChecksAnnotationsEnabled(): boolean {
 }
 
 function buildSummaryEnabled(): boolean {
-  if (process.env.DOCKER_BUILD_NO_SUMMARY) {
-    core.warning('DOCKER_BUILD_NO_SUMMARY is deprecated. Set DOCKER_BUILD_SUMMARY to false instead.');
-    return !Util.parseBool(process.env.DOCKER_BUILD_NO_SUMMARY);
-  } else if (process.env.DOCKER_BUILD_SUMMARY) {
+  if (process.env.DOCKER_BUILD_SUMMARY) {
     return Util.parseBool(process.env.DOCKER_BUILD_SUMMARY);
   }
   return true;
@@ -303,13 +322,7 @@ function buildRecordUploadEnabled(): boolean {
 }
 
 function buildRecordRetentionDays(): number | undefined {
-  let val: string | undefined;
-  if (process.env.DOCKER_BUILD_EXPORT_RETENTION_DAYS) {
-    core.warning('DOCKER_BUILD_EXPORT_RETENTION_DAYS is deprecated. Use DOCKER_BUILD_RECORD_RETENTION_DAYS instead.');
-    val = process.env.DOCKER_BUILD_EXPORT_RETENTION_DAYS;
-  } else if (process.env.DOCKER_BUILD_RECORD_RETENTION_DAYS) {
-    val = process.env.DOCKER_BUILD_RECORD_RETENTION_DAYS;
-  }
+  const val = process.env.DOCKER_BUILD_RECORD_RETENTION_DAYS;
   if (val) {
     const res = parseInt(val);
     if (isNaN(res)) {
@@ -318,10 +331,3 @@ function buildRecordRetentionDays(): number | undefined {
     return res;
   }
 }
-
-function buildExportLegacy(): boolean {
-  if (process.env.DOCKER_BUILD_EXPORT_LEGACY) {
-    return Util.parseBool(process.env.DOCKER_BUILD_EXPORT_LEGACY);
-  }
-  return false;
-}

src/state-helper.ts

@@ -1,12 +1,16 @@
 import * as core from '@actions/core';
 
-import {BakeDefinition} from '@docker/actions-toolkit/lib/types/buildx/bake';
+import {BakeDefinition} from '@docker/actions-toolkit/lib/types/buildx/bake.js';
 
-import {Inputs, sanitizeInputs} from './context';
+import {Inputs} from './context.js';
 
 export const tmpDir = process.env['STATE_tmpDir'] || '';
-export const inputs = process.env['STATE_inputs'] ? JSON.parse(process.env['STATE_inputs']) : undefined;
+
+export const builderDriver = process.env['STATE_builderDriver'] || '';
+export const builderEndpoint = process.env['STATE_builderEndpoint'] || '';
+export const summaryInputs = process.env['STATE_summaryInputs'] ? JSON.parse(process.env['STATE_summaryInputs']) : undefined;
 export const bakeDefinition = process.env['STATE_bakeDefinition'] ? <BakeDefinition>JSON.parse(process.env['STATE_bakeDefinition']) : undefined;
+
 export const buildRefs = process.env['STATE_buildRefs'] ? process.env['STATE_buildRefs'].split(',') : [];
 export const isSummarySupported = !!process.env['STATE_isSummarySupported'];
 
@@ -14,8 +18,12 @@ export function setTmpDir(tmpDir: string) {
   core.saveState('tmpDir', tmpDir);
 }
 
-export function setInputs(inputs: Inputs) {
-  core.saveState('inputs', JSON.stringify(sanitizeInputs(inputs)));
+export function setBuilderDriver(builderDriver: string) {
+  core.saveState('builderDriver', builderDriver);
+}
+
+export function setBuilderEndpoint(builderEndpoint: string) {
+  core.saveState('builderEndpoint', builderEndpoint);
 }
 
 export function setBakeDefinition(bakeDefinition: BakeDefinition) {
@@ -29,3 +37,25 @@ export function setBuildRefs(buildRefs: Array<string>) {
 export function setSummarySupported() {
   core.saveState('isSummarySupported', 'true');
 }
+
+export function setSummaryInputs(inputs: Inputs) {
+  const res = {};
+  if (inputs.source.remoteRef || inputs.source.workdir) {
+    res['source'] = inputs.source.remoteRef || inputs.source.workdir;
+  }
+  for (const key of Object.keys(inputs)) {
+    if (key === 'source' || key === 'github-token') {
+      continue;
+    }
+    const value: string | string[] | boolean = inputs[key];
+    if (typeof value === 'boolean' && !value) {
+      continue;
+    } else if (Array.isArray(value) && value.length === 0) {
+      continue;
+    } else if (!value) {
+      continue;
+    }
+    res[key] = value;
+  }
+  core.saveState('summaryInputs', JSON.stringify(res));
+}

subaction/list-targets/README.md

@@ -1,84 +0,0 @@
-## About
-
-This subaction generates a list of Bake targets that can be used in a [GitHub matrix](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstrategymatrix),
-so you can distribute your builds across multiple runners.
-
-![Screenshot](../../.github/bake-action.png)
-
-___
-
-* [Usage](#usage)
-* [Customizing](#customizing)
-  * [inputs](#inputs)
-  * [outputs](#outputs)
-
-## Usage
-
-```hcl
-# docker-bake.hcl
-group "validate" {
-  targets = ["lint", "doctoc"]
-}
-
-target "lint" {
-  target = "lint"
-}
-
-target "doctoc" {
-  target = "doctoc"
-}
-```
-
-```yaml
-jobs:
-  prepare:
-    runs-on: ubuntu-latest
-    outputs:
-      targets: ${{ steps.generate.outputs.targets }}
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v4
-      -
-        name: List targets
-        id: generate
-        uses: docker/bake-action/subaction/list-targets@v6
-        with:
-          target: validate
-
-  validate:
-    runs-on: ubuntu-latest
-    needs:
-      - prepare
-    strategy:
-      fail-fast: false
-      matrix:
-        target: ${{ fromJson(needs.prepare.outputs.targets) }}
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v4
-      -
-        name: Validate
-        uses: docker/bake-action@v6
-        with:
-          targets: ${{ matrix.target }}
-```
-
-## Customizing
-
-### inputs
-
-| Name         | Type        | Description                                                                                                                                 |
-|--------------|-------------|---------------------------------------------------------------------------------------------------------------------------------------------|
-| `workdir`    | String      | Working directory to use (defaults to `.`)                                                                                                  |
-| `files`      | List/CSV    | List of [bake definition files](https://docs.docker.com/build/customize/bake/file-definition/)                                              |
-| `target`     | String      | The target to use within the bake file                                                                                                      |
-
-### outputs
-
-The following outputs are available
-
-| Name       | Type     | Description                |
-|------------|----------|----------------------------|
-| `targets`  | List/CSV | List of extracted targest  |

subaction/list-targets/action.yml

@@ -1,61 +0,0 @@
-# https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions
-name: 'List Bake targets'
-description: 'Generate a list of Bake targets to help distributing builds in your workflow'
-
-inputs:
-  workdir:
-    description: Working directory
-    default: '.'
-    required: false
-  files:
-    description: Comma separated list of Bake files
-    required: false
-  target:
-    description: Bake target
-    required: false
-
-outputs:
-  targets:
-    description: List of targets
-    value: ${{ steps.generate.outputs.targets }}
-
-runs:
-  using: composite
-  steps:
-    -
-      name: Generate
-      id: generate
-      uses: actions/github-script@v7
-      with:
-        script: |
-          let def;
-          const files = `${{ inputs.files }}` ? `${{ inputs.files }}`.split(/[\r?\n,]+/).filter(Boolean) : [];
-          const target = `${{ inputs.target }}`;
-
-          await core.group(`Validating definition`, async () => {
-            let args = ['buildx', 'bake'];
-            for (const file of files) {
-              args.push('--file', file);
-            }
-            if (target) {
-              args.push(target);
-            }
-            args.push('--print');
-
-            const res = await exec.getExecOutput('docker', args, {
-              ignoreReturnCode: true,
-              silent: true,
-              cwd: `${{ inputs.workdir }}`
-            });
-            if (res.stderr.length > 0 && res.exitCode != 0) {
-              throw new Error(res.stderr);
-            }
-            def = JSON.parse(res.stdout.trim());
-            core.info(JSON.stringify(def, null, 2));
-          });
-
-          await core.group(`Set output`, async () => {
-            const targets = Object.keys(def.target);
-            core.info(`targets: ${JSON.stringify(targets)}`);
-            core.setOutput('targets', JSON.stringify(targets));
-          });

subaction/matrix/README.md

@@ -0,0 +1,140 @@
+## About
+
+This subaction generates a multi-dimension matrix that can be used in a [GitHub matrix](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstrategymatrix)
+through the [`include` property](https://docs.github.com/en/actions/how-tos/writing-workflows/choosing-what-your-workflow-does/running-variations-of-jobs-in-a-workflow#expanding-or-adding-matrix-configurations)
+so you can distribute your builds across multiple runners.
+
+![Screenshot](../../.github/subaction-matrix.png)
+
+___
+
+* [Usage](#usage)
+* [Customizing](#customizing)
+  * [inputs](#inputs)
+  * [outputs](#outputs)
+
+## Usage
+
+### List targets
+
+```hcl
+# docker-bake.hcl
+group "validate" {
+  targets = ["lint", "doctoc"]
+}
+
+target "lint" {
+  target = "lint"
+}
+
+target "doctoc" {
+  target = "doctoc"
+}
+```
+
+```yaml
+jobs:
+  prepare:
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.generate.outputs.matrix }}
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v6
+      -
+        name: Generate matrix
+        id: generate
+        uses: docker/bake-action/subaction/matrix@v7
+        with:
+          target: validate
+
+  validate:
+    runs-on: ubuntu-latest
+    needs:
+      - prepare
+    strategy:
+      fail-fast: false
+      matrix:
+        include: ${{ fromJson(needs.prepare.outputs.matrix) }}
+    steps:
+      -
+        name: Validate
+        uses: docker/bake-action@v7
+        with:
+          targets: ${{ matrix.target }}
+```
+
+### Platforms split
+
+```hcl
+# docker-bake.hcl
+target "lint" {
+  dockerfile = "./hack/dockerfiles/lint.Dockerfile"
+  output = ["type=cacheonly"]
+  platforms = [
+    "darwin/amd64",
+    "darwin/arm64",
+    "linux/amd64",
+    "linux/arm64",
+    "linux/s390x",
+    "linux/ppc64le",
+    "linux/riscv64",
+    "windows/amd64",
+    "windows/arm64"
+  ]
+}
+```
+
+```yaml
+jobs:
+  prepare:
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.generate.outputs.matrix }}
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v6
+      -
+        name: Generate matrix
+        id: generate
+        uses: docker/bake-action/subaction/matrix@v7
+        with:
+          target: lint
+          fields: platforms
+
+  lint:
+    runs-on: ${{ startsWith(matrix.platforms, 'linux/arm') && 'ubuntu-24.04-arm' || 'ubuntu-latest' }}
+    needs:
+      - prepare
+    strategy:
+      fail-fast: false
+      matrix:
+        include: ${{ fromJson(needs.prepare.outputs.matrix) }}
+    steps:
+      -
+        name: Lint
+        uses: docker/bake-action@v7
+        with:
+          targets: ${{ matrix.target }}
+          set: |
+            *.platform=${{ matrix.platforms }}
+```
+
+## Customizing
+
+### inputs
+
+| Name      | Type     | Description                                                                                    |
+|-----------|----------|------------------------------------------------------------------------------------------------|
+| `workdir` | String   | Working directory to use (defaults to `.`)                                                     |
+| `files`   | List/CSV | List of [bake definition files](https://docs.docker.com/build/customize/bake/file-definition/) |
+| `target`  | String   | The target to use within the bake file                                                         |
+| `fields`  | String   | List of extra fields to include in the matrix                                                  |
+
+### outputs
+
+| Name     | Type | Description          |
+|----------|------|----------------------|
+| `matrix` | JSON | Matrix configuration |

subaction/matrix/action.yml

@@ -0,0 +1,101 @@
+# https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions
+name: 'Matrix'
+description: 'Generate a matrix from a Bake definition to help distributing builds in your workflow'
+
+inputs:
+  workdir:
+    description: Working directory
+    default: '.'
+    required: false
+  files:
+    description: List of Bake files
+    required: false
+  target:
+    description: Bake target
+    required: false
+  fields:
+    description: List of extra fields to include in the matrix
+    required: false
+
+outputs:
+  matrix:
+    description: Matrix configuration
+    value: ${{ steps.generate.outputs.includes }}
+
+runs:
+  using: composite
+  steps:
+    -
+      name: Generate
+      id: generate
+      uses: actions/github-script@v8
+      env:
+        INPUT_WORKDIR: ${{ inputs.workdir }}
+        INPUT_FILES: ${{ inputs.files }}
+        INPUT_TARGET: ${{ inputs.target }}
+        INPUT_FIELDS: ${{ inputs.fields }}
+      with:
+        script: |
+          function getInputList(name) {
+            return core.getInput(name) ? core.getInput(name).split(/[\r?\n,]+/).filter(x => x !== '') : [];
+          }
+
+          const workdir = core.getInput('workdir');
+          const files = getInputList('files');
+          const target = core.getInput('target');
+          const fields = getInputList('fields');
+
+          let def = {};
+          await core.group(`Parsing definition`, async () => {
+            let args = ['buildx', 'bake'];
+            for (const file of files) {
+              args.push('--file', file);
+            }
+            if (target) {
+              args.push(target);
+            }
+            args.push('--print');
+            const res = await exec.getExecOutput('docker', args, {
+              ignoreReturnCode: true,
+              silent: true,
+              cwd: workdir
+            });
+            if (res.stderr.length > 0 && res.exitCode != 0) {
+              throw new Error(res.stderr);
+            }
+            def = JSON.parse(res.stdout.trim());
+            core.info(JSON.stringify(def, null, 2));
+          });
+
+          await core.group(`Generating matrix`, async () => {
+            const result = [];
+            for (const targetName of Object.keys(def.target)) {
+              const target = def.target[targetName];
+              const entry = { target: targetName };
+              if (fields.length === 0) {
+                result.push({ ...entry });
+                continue;
+              }
+              let fieldFound = false;
+              Object.keys(target).forEach(field => {
+                if (fields.includes(field)) {
+                  fieldFound = true;
+                  const value = target[field];
+                  if (Array.isArray(value)) {
+                    value.forEach((v) => {
+                      entry[field] = v;
+                      result.push({ ...entry });
+                    });
+                  } else {
+                    entry[field] = value;
+                    result.push({ ...entry });
+                  }
+                }
+              });
+              if (!fieldFound) {
+                result.push({ ...entry });
+              }
+            }
+            core.info(JSON.stringify(result, null, 2));
+            core.setOutput('includes', JSON.stringify(result));
+          });

test/attest/Dockerfile

@@ -0,0 +1,10 @@
+# syntax=docker/dockerfile:1
+
+FROM busybox AS t1
+RUN echo "Hello t1"
+
+FROM busybox AS t2
+RUN echo "Hello t2"
+
+FROM busybox AS t3
+RUN echo "Hello t3"

test/attest/docker-bake.hcl

@@ -0,0 +1,17 @@
+group "default" {
+  targets = ["t1", "t2", "t3"]
+}
+
+target "t1" {
+  target = "t1"
+}
+
+target "t2" {
+  target = "t2"
+  attest = ["type=provenance,mode=min"]
+}
+
+target "t3" {
+  target = "t3"
+  attest = ["type=sbom"]
+}

test/config.hcl

@@ -6,21 +6,26 @@ group "release" {
   targets = ["db", "app-plus"]
 }
 
+# Special target: https://github.com/docker/metadata-action#bake-definition
+target "docker-metadata-action" {
+  tags = [
+    "localhost:5000/name/app:latest",
+    "localhost:5000/name/app:1.0.0"
+  ]
+}
+
 target "db" {
   context = "./test"
   tags = ["docker.io/tonistiigi/db"]
 }
 
 target "app" {
+  inherits = ["docker-metadata-action"]
   context = "./test"
   dockerfile = "Dockerfile"
   args = {
     name = "foo"
   }
-  tags = [
-    "localhost:5000/name/app:latest",
-    "localhost:5000/name/app:1.0.0"
-  ]
 }
 
 target "cross" {

test/group-with-platform/docker-bake.hcl

@@ -0,0 +1,36 @@
+group "validate" {
+  targets = ["lint", "lint-gopls", "validate-vendor", "validate-docs"]
+}
+
+target "lint" {
+  dockerfile = "./hack/dockerfiles/lint.Dockerfile"
+  output = ["type=cacheonly"]
+  platforms = [
+    "darwin/amd64",
+    "darwin/arm64",
+    "linux/amd64",
+    "linux/arm64",
+    "linux/s390x",
+    "linux/ppc64le",
+    "linux/riscv64",
+    "windows/amd64",
+    "windows/arm64"
+  ]
+}
+
+target "lint-gopls" {
+  inherits = ["lint"]
+  target = "gopls-analyze"
+}
+
+target "validate-vendor" {
+  dockerfile = "./hack/dockerfiles/vendor.Dockerfile"
+  target = "validate"
+  output = ["type=cacheonly"]
+}
+
+target "validate-docs" {
+  dockerfile = "./hack/dockerfiles/docs.Dockerfile"
+  target = "validate"
+  output = ["type=cacheonly"]
+}

tsconfig.json

@@ -1,9 +1,8 @@
 {
   "compilerOptions": {
+    "module": "nodenext",
+    "moduleResolution": "nodenext",
     "esModuleInterop": true,
-    "target": "es6",
-    "module": "commonjs",
-    "strict": true,
     "newLine": "lf",
     "outDir": "./lib",
     "rootDir": "./src",
@@ -12,11 +11,7 @@
     "resolveJsonModule": true,
     "useUnknownInCatchVariables": false,
   },
-  "exclude": [
-    "./__mocks__/**/*",
-    "./__tests__/**/*",
-    "./lib/**/*",
-    "node_modules",
-    "jest.config.ts"
+  "include": [
+    "src/**/*.ts"
   ]
 }

vitest.config.ts

@@ -0,0 +1,16 @@
+import {defineConfig} from 'vitest/config';
+
+export default defineConfig({
+  test: {
+    clearMocks: true,
+    environment: 'node',
+    setupFiles: ['./__tests__/setup.unit.ts'],
+    include: ['**/*.test.ts'],
+    coverage: {
+      provider: 'v8',
+      reporter: ['clover'],
+      include: ['src/**/*.ts'],
+      exclude: ['src/**/main.ts']
+    }
+  }
+});