Merge pull request #453 from crazy-max/yarn-update

update yarn to 4.15.0

.github/dependabot.yml

@@ -1,9 +1,17 @@
 version: 2
 updates:
   - package-ecosystem: "github-actions"
-    directory: "/"
+    directories:
+      - "/"
+      - "/subaction/matrix"
     schedule:
       interval: "daily"
+    cooldown:
+      default-days: 2
+    groups:
+      crazy-max-dot-github:
+        patterns:
+          - "crazy-max/.github/*"
     labels:
       - "dependencies"
       - "bot"
@@ -11,6 +19,10 @@ updates:
     directory: "/"
     schedule:
       interval: "daily"
+    cooldown:
+      default-days: 2
+      exclude:
+        - "@docker/actions-toolkit"
     versioning-strategy: "increase"
     allow:
       - dependency-type: "production"

.github/workflows/ci-subaction.yml

@@ -1,5 +1,8 @@
 name: ci-subaction
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
@@ -60,7 +63,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Matrix gen
         id: gen
@@ -71,7 +74,7 @@ jobs:
           fields: ${{ matrix.fields }}
       -
         name: Check output
-        uses: actions/github-script@v8
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         env:
           INPUT_MATRIX: ${{ steps.gen.outputs.matrix }}
           INPUT_EXPECTED: ${{ matrix.expected }}

.github/workflows/ci.yml

@@ -1,5 +1,8 @@
 name: ci
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
@@ -46,20 +49,20 @@ jobs:
           - release
     services:
       registry:
-        image: registry:2
+        image: registry:2.8.3@sha256:a3d8aaa63ed8681a604f1dea0aa03f100d5895b6a58ace528858a7b332415373
         ports:
           - 5000:5000
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v4
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
       -
         name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -82,7 +85,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Build
         continue-on-error: true
@@ -99,7 +102,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Stop docker
         run: |
@@ -126,7 +129,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Build
         id: bake
@@ -147,7 +150,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Uninstall docker cli
         run: |
@@ -158,7 +161,7 @@ jobs:
           fi
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -176,7 +179,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Build
         uses: ./
@@ -198,10 +201,10 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -233,16 +236,16 @@ jobs:
             output: /tmp/bake-build
     services:
       registry:
-        image: registry:2
+        image: registry:2.8.3@sha256:a3d8aaa63ed8681a604f1dea0aa03f100d5895b6a58ace528858a7b332415373
         ports:
           - 5000:5000
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -287,13 +290,13 @@ jobs:
     runs-on: ubuntu-latest
     services:
       registry:
-        image: registry:2
+        image: registry:2.8.3@sha256:a3d8aaa63ed8681a604f1dea0aa03f100d5895b6a58ace528858a7b332415373
         ports:
           - 5000:5000
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Build
         uses: ./
@@ -308,16 +311,16 @@ jobs:
     runs-on: ubuntu-latest
     services:
       registry:
-        image: registry:2
+        image: registry:2.8.3@sha256:a3d8aaa63ed8681a604f1dea0aa03f100d5895b6a58ace528858a7b332415373
         ports:
           - 5000:5000
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -338,7 +341,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Set malformed docker config
         run: |
@@ -356,7 +359,7 @@ jobs:
     runs-on: ubuntu-latest
     services:
       squid-proxy:
-        image: ubuntu/squid:latest
+        image: ubuntu/squid:latest@sha256:6a097f68bae708cedbabd6188d68c7e2e7a38cedd05a176e1cc0ba29e3bbe029
         ports:
           - 3128:3128
     steps:
@@ -367,7 +370,7 @@ jobs:
           curl --retry 5 --retry-all-errors --retry-delay 0 --connect-timeout 5 --proxy http://127.0.0.1:3128 -v --insecure --head https://www.google.com
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Set proxy config
         run: |
@@ -375,7 +378,7 @@ jobs:
           echo '{"proxies":{"default":{"httpProxy":"http://127.0.0.1:3128","httpsProxy":"http://127.0.0.1:3128"}}}' > ~/.docker/config.json
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -395,7 +398,7 @@ jobs:
     runs-on: ubuntu-latest
     services:
       squid-proxy:
-        image: ubuntu/squid:latest
+        image: ubuntu/squid:latest@sha256:6a097f68bae708cedbabd6188d68c7e2e7a38cedd05a176e1cc0ba29e3bbe029
         ports:
           - 3128:3128
     steps:
@@ -406,10 +409,10 @@ jobs:
           curl --retry 5 --retry-all-errors --retry-delay 0 --connect-timeout 5 --proxy http://127.0.0.1:3128 -v --insecure --head https://www.google.com
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -431,10 +434,10 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -442,16 +445,41 @@ jobs:
       -
         name: Build
         uses: ./
+        with:
+          files: |
+            ./test/config.hcl
+
+  git-context-query:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
+        with:
+          version: v0.33.0
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          files: |
+            ./test/config.hcl
+        env:
+          BUILDX_SEND_GIT_QUERY_AS_INPUT: true
 
   git-context-and-local:
     runs-on: ubuntu-latest
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -459,28 +487,29 @@ jobs:
       -
         name: Docker meta
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
       -
         name: Build
         uses: ./
         with:
           files: |
+            ./test/config.hcl
             cwd://${{ steps.meta.outputs.bake-file }}
 
   multi-output:
     runs-on: ubuntu-latest
     services:
       registry:
-        image: registry:2
+        image: registry:2.8.3@sha256:a3d8aaa63ed8681a604f1dea0aa03f100d5895b6a58ace528858a7b332415373
         ports:
           - 5000:5000
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -514,16 +543,16 @@ jobs:
     runs-on: ubuntu-latest
     services:
       registry:
-        image: registry:2
+        image: registry:2.8.3@sha256:a3d8aaa63ed8681a604f1dea0aa03f100d5895b6a58ace528858a7b332415373
         ports:
           - 5000:5000
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -552,10 +581,10 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -575,10 +604,10 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
         with:
           version: v0.12.1
           driver-opts: |
@@ -596,10 +625,10 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -625,10 +654,10 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -654,10 +683,10 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
         with:
           version: ${{ matrix.buildx-version }}
           driver-opts: |
@@ -675,10 +704,10 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -706,10 +735,10 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
         with:
           version: ${{ matrix.buildx-version }}
           driver-opts: |
@@ -728,7 +757,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Build
         uses: ./
@@ -744,10 +773,10 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -776,10 +805,10 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -807,10 +836,10 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -831,10 +860,10 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -844,3 +873,30 @@ jobs:
         uses: ./
         with:
           source: ./test/attest
+
+  var:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          source: ./test/go
+          targets: binary
+          vars: |
+            DESTDIR=/tmp/build
+      -
+        name: Check output folder
+        working-directory: /tmp/build
+        run: |
+          tree .

.github/workflows/codeql.yml

@@ -0,0 +1,46 @@
+name: codeql
+
+permissions:
+  contents: read
+
+on:
+  push:
+    branches:
+      - 'master'
+      - 'releases/v*'
+  pull_request:
+
+env:
+  NODE_VERSION: "24"
+
+jobs:
+  analyze:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Enable corepack
+        run: |
+          corepack enable
+          yarn --version
+      -
+        name: Set up Node
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+      -
+        name: Initialize CodeQL
+        uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
+        with:
+          languages: javascript-typescript
+          build-mode: none
+      -
+        name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
+        with:
+          category: "/language:javascript-typescript"

.github/workflows/pr-assign-author.yml

@@ -4,14 +4,14 @@ permissions:
   contents: read
 
 on:
-  pull_request_target:
+  pull_request_target: # zizmor: ignore[dangerous-triggers] safe to use without checkout
     types:
       - opened
       - reopened
 
 jobs:
   run:
-    uses: crazy-max/.github/.github/workflows/pr-assign-author.yml@1b673f36fad86812f538c1df9794904038a23cbf
+    uses: crazy-max/.github/.github/workflows/pr-assign-author.yml@9ba6e6f9450baf3b1237f8035c1fdc45932510bd # v1.8.0
     permissions:
       contents: read
       pull-requests: write

.github/workflows/publish.yml

@@ -1,5 +1,12 @@
 name: publish
 
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 on:
   release:
     types:
@@ -15,7 +22,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Publish
-        uses: actions/publish-immutable-action@v0.0.4
+        uses: actions/publish-immutable-action@4bc8754ffc40f27910afb20287dbbbb675a4e978 # v0.0.4

.github/workflows/test.yml

@@ -1,5 +1,8 @@
 name: test
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
@@ -23,16 +26,16 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Test
-        uses: docker/bake-action@v6
+        uses: docker/bake-action@6614cfa25eff9a0b2b2697efb0b6159e7680d584 # v7.2.0
         with:
           source: .
           targets: test
       -
         name: Upload coverage
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
         with:
           files: ./coverage/clover.xml
           token: ${{ secrets.CODECOV_TOKEN }}

.github/workflows/update-dist.yml

@@ -1,5 +1,12 @@
 name: update-dist
 
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 on:
   pull_request:
     types:
@@ -8,27 +15,29 @@ on:
 
 jobs:
   update-dist:
-    if: github.actor == 'dependabot[bot]'
+    if: github.actor == 'dependabot[bot]' && github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == github.event.pull_request.head.repo.full_name
     runs-on: ubuntu-latest
     steps:
       -
         name: GitHub auth token from GitHub App
         id: docker-read-app
-        uses: actions/create-github-app-token@v2
+        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
         with:
           app-id: ${{ secrets.GHACTIONS_REPO_WRITE_APP_ID }}
           private-key: ${{ secrets.GHACTIONS_REPO_WRITE_APP_PRIVATE_KEY }}
           owner: docker
+          repositories: bake-action
+          permission-contents: write
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: ${{ github.event.pull_request.head.ref }}
           fetch-depth: 0
-          token: ${{ steps.docker-read-app.outputs.token || github.token }}
+          token: ${{ steps.docker-read-app.outputs.token }}
       -
         name: Build
-        uses: docker/bake-action@v6
+        uses: docker/bake-action@6614cfa25eff9a0b2b2697efb0b6159e7680d584 # v7.2.0
         with:
           source: .
           targets: build

.github/workflows/validate.yml

@@ -1,5 +1,8 @@
 name: validate
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
@@ -19,7 +22,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: List targets
         id: generate
@@ -38,6 +41,6 @@ jobs:
     steps:
       -
         name: Validate
-        uses: docker/bake-action@v6
+        uses: docker/bake-action@6614cfa25eff9a0b2b2697efb0b6159e7680d584 # v7.2.0
         with:
           targets: ${{ matrix.target }}

.github/workflows/zizmor.yml

@@ -0,0 +1,29 @@
+name: zizmor
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - 'master'
+      - 'releases/v*'
+    tags:
+      - 'v*'
+  pull_request:
+
+jobs:
+  zizmor:
+    uses: crazy-max/.github/.github/workflows/zizmor.yml@9ba6e6f9450baf3b1237f8035c1fdc45932510bd # v1.8.0
+    permissions:
+      contents: read
+      security-events: write
+    with:
+      min-severity: medium
+      min-confidence: medium
+      persona: pedantic

.yarnrc.yml

@@ -1,10 +1,10 @@
 # https://yarnpkg.com/configuration/yarnrc
 
-compressionLevel: mixed
+nodeLinker: node-modules
-enableGlobalCache: false
-enableHardenedMode: true
 
 logFilters:
+  - code: YN0004
+    level: discard
   - code: YN0013
     level: discard
   - code: YN0019
@@ -14,4 +14,8 @@ logFilters:
   - code: YN0086
     level: discard
 
-nodeLinker: node-modules
+compressionLevel: mixed
+enableGlobalCache: false
+enableHardenedMode: true
+enableScripts: false
+npmMinimalAgeGate: 2d

README.md

@@ -52,16 +52,16 @@ jobs:
     steps:
       -
         name: Login to DockerHub
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           username: ${{ vars.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v4
       -
         name: Build and push
-        uses: docker/bake-action@v6
+        uses: docker/bake-action@v7
         with:
           push: true
           set: |
@@ -82,7 +82,7 @@ to the default Git context:
 ```yaml
       -
         name: Build and push
-        uses: docker/bake-action@v6
+        uses: docker/bake-action@v7
         with:
           source: "{{defaultContext}}:mysubdir"
           push: true
@@ -102,7 +102,7 @@ another private repository for remote definitions, you can set the
 ```yaml
       -
         name: Build and push
-        uses: docker/bake-action@v6
+        uses: docker/bake-action@v7
         with:
           push: true
           set: |
@@ -125,19 +125,19 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
       -
         name: Login to DockerHub
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           username: ${{ vars.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v4
       -
         name: Build and push
-        uses: docker/bake-action@v6
+        uses: docker/bake-action@v7
         with:
           source: .
           push: true
@@ -151,7 +151,7 @@ subdirectory:
 ```yaml
       -
         name: Build and push
-        uses: docker/bake-action@v6
+        uses: docker/bake-action@v7
         with:
           source: ./subdir
           files: ./docker-bake.hcl
@@ -239,6 +239,7 @@ The following inputs can be used as `step.with` keys
 | `set`          | List        | List of [targets values to override](https://docs.docker.com/engine/reference/commandline/buildx_bake/#set) (e.g., `targetpattern.key=value`)                                                                                                                          |
 | `source`       | String      | Build source to use. Supports local path and [remote bake definition](https://docs.docker.com/build/bake/remote-definition/). With a local path, Bake runs from that directory, so all relative paths are resolved from it. See [Source semantics](#source-semantics). |
 | `targets`      | List/CSV    | List of bake targets (`default` target used if empty)                                                                                                                                                                                                                  |
+| `vars`         | List        | [Variables](https://docs.docker.com/build/bake/variables/) to set in the Bake definition as list of key-value pair                                                                                                                                                     |
 | `github-token` | String      | API token used to authenticate to a Git repository for [remote definitions](https://docs.docker.com/build/bake/remote-definition/) (default `${{ github.token }}`)                                                                                                     |
 
 ### outputs

__tests__/context.test.ts

@@ -4,6 +4,7 @@ import * as os from 'os';
 import * as path from 'path';
 
 import {Bake} from '@docker/actions-toolkit/lib/buildx/bake.js';
+import {Build} from '@docker/actions-toolkit/lib/buildx/build.js';
 import {Builder} from '@docker/actions-toolkit/lib/buildx/builder.js';
 import {Buildx} from '@docker/actions-toolkit/lib/buildx/buildx.js';
 import {Docker} from '@docker/actions-toolkit/lib/docker/docker.js';
@@ -39,6 +40,55 @@ vi.spyOn(Bake.prototype, 'getDefinition').mockImplementation(async (): Promise<B
   return <BakeDefinition>JSON.parse(fs.readFileSync(path.join(fixturesDir, 'bake-def.json'), {encoding: 'utf-8'}).trim());
 });
 
+describe('getInputs', () => {
+  const originalEnv = process.env;
+
+  beforeEach(() => {
+    process.env = Object.keys(process.env).reduce((object, key) => {
+      if (!key.startsWith('INPUT_')) {
+        object[key] = process.env[key];
+      }
+      return object;
+    }, {});
+  });
+
+  afterEach(() => {
+    process.env = originalEnv;
+  });
+
+  function setRequiredBooleanInputs(): void {
+    setInput('no-cache', 'false');
+    setInput('pull', 'false');
+    setInput('load', 'false');
+    setInput('push', 'false');
+  }
+
+  test('uses Build git context when source input is empty', async () => {
+    const gitContext = 'https://github.com/docker/bake-action.git?ref=refs/heads/master&checksum=0123456789abcdef';
+    const gitContextSpy = vi.spyOn(Build.prototype, 'gitContext').mockResolvedValue(gitContext);
+    setRequiredBooleanInputs();
+    const inputs = await context.getInputs();
+    expect(inputs.source).toEqual({
+      remoteRef: gitContext
+    });
+    expect(gitContextSpy).toHaveBeenCalledTimes(1);
+    gitContextSpy.mockRestore();
+  });
+
+  test('renders defaultContext source templates from Build git context', async () => {
+    const gitContext = 'https://github.com/docker/bake-action.git#refs/heads/master';
+    const gitContextSpy = vi.spyOn(Build.prototype, 'gitContext').mockResolvedValue(gitContext);
+    setRequiredBooleanInputs();
+    setInput('source', '{{defaultContext}}:subdir');
+    const inputs = await context.getInputs();
+    expect(inputs.source).toEqual({
+      remoteRef: `${gitContext}:subdir`
+    });
+    expect(gitContextSpy).toHaveBeenCalledTimes(1);
+    gitContextSpy.mockRestore();
+  });
+});
+
 describe('getArgs', () => {
   const originalEnv = process.env;
   beforeEach(() => {
@@ -343,6 +393,54 @@ describe('getArgs', () => {
         ['BUILDX_NO_DEFAULT_ATTESTATIONS', '1']
       ])
     ],
+    [
+      15,
+      '0.29.0',
+      new Map<string, string>([
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+        ['files', './foo.hcl'],
+      ]),
+      [
+        'bake',
+        'https://github.com/docker/bake-action.git?ref=refs/heads/master',
+        '--allow', 'fs=*',
+        '--file', './foo.hcl',
+        '--metadata-file', metadataJson,
+        '--set', `lint.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`,
+        '--set', `validate-docs.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`,
+        '--set', `validate-vendor.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`
+      ],
+      new Map<string, string>([
+        ['BUILDX_SEND_GIT_QUERY_AS_INPUT', 'true']
+      ])
+    ],
+    [
+      16,
+      '0.28.0',
+      new Map<string, string>([
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+        ['files', './foo.hcl'],
+      ]),
+      [
+        'bake',
+        'https://github.com/docker/bake-action.git#refs/heads/master',
+        '--allow', 'fs=*',
+        '--file', './foo.hcl',
+        '--metadata-file', metadataJson,
+        '--set', `lint.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`,
+        '--set', `validate-docs.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`,
+        '--set', `validate-vendor.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/bake-action/actions/runs/123456789/attempts/1`
+      ],
+      new Map<string, string>([
+        ['BUILDX_SEND_GIT_QUERY_AS_INPUT', 'true']
+      ])
+    ],
   ])(
     '[%d] given %o with %o as inputs, returns %o',
     async (num: number, buildxVersion: string, inputs: Map<string, string>, expected: Array<string>, envs: Map<string, string> | undefined) => {

action.yml

@@ -50,6 +50,9 @@ inputs:
   targets:
     description: "List of bake targets"
     required: false
+  vars:
+    description: "Variables to set in the Bake definition as list of key-value pair"
+    required: false
   github-token:
     description: "API token used to authenticate to a Git repository for remote definitions"
     default: ${{ github.token }}
@@ -61,5 +64,5 @@ outputs:
 
 runs:
   using: 'node24'
-  main: 'dist/index.js'
+  main: 'dist/index.cjs'
-  post: 'dist/index.js'
+  post: 'dist/index.cjs'

dist/606.index.js

@@ -1,301 +0,0 @@
-export const id = 606;
-export const ids = [606];
-export const modules = {
-
-/***/ 606:
-/***/ ((__unused_webpack___webpack_module__, __webpack_exports__, __webpack_require__) => {
-
-/* harmony export */ __webpack_require__.d(__webpack_exports__, {
-/* harmony export */   "default": () => (/* binding */ pMap)
-/* harmony export */ });
-/* unused harmony exports pMapIterable, pMapSkip */
-async function pMap(
-	iterable,
-	mapper,
-	{
-		concurrency = Number.POSITIVE_INFINITY,
-		stopOnError = true,
-		signal,
-	} = {},
-) {
-	return new Promise((resolve_, reject_) => {
-		if (iterable[Symbol.iterator] === undefined && iterable[Symbol.asyncIterator] === undefined) {
-			throw new TypeError(`Expected \`input\` to be either an \`Iterable\` or \`AsyncIterable\`, got (${typeof iterable})`);
-		}
-
-		if (typeof mapper !== 'function') {
-			throw new TypeError('Mapper function is required');
-		}
-
-		if (!((Number.isSafeInteger(concurrency) && concurrency >= 1) || concurrency === Number.POSITIVE_INFINITY)) {
-			throw new TypeError(`Expected \`concurrency\` to be an integer from 1 and up or \`Infinity\`, got \`${concurrency}\` (${typeof concurrency})`);
-		}
-
-		const result = [];
-		const errors = [];
-		const skippedIndexesMap = new Map();
-		let isRejected = false;
-		let isResolved = false;
-		let isIterableDone = false;
-		let resolvingCount = 0;
-		let currentIndex = 0;
-		const iterator = iterable[Symbol.iterator] === undefined ? iterable[Symbol.asyncIterator]() : iterable[Symbol.iterator]();
-
-		const signalListener = () => {
-			reject(signal.reason);
-		};
-
-		const cleanup = () => {
-			signal?.removeEventListener('abort', signalListener);
-		};
-
-		const resolve = value => {
-			resolve_(value);
-			cleanup();
-		};
-
-		const reject = reason => {
-			isRejected = true;
-			isResolved = true;
-			reject_(reason);
-			cleanup();
-		};
-
-		if (signal) {
-			if (signal.aborted) {
-				reject(signal.reason);
-			}
-
-			signal.addEventListener('abort', signalListener, {once: true});
-		}
-
-		const next = async () => {
-			if (isResolved) {
-				return;
-			}
-
-			const nextItem = await iterator.next();
-
-			const index = currentIndex;
-			currentIndex++;
-
-			// Note: `iterator.next()` can be called many times in parallel.
-			// This can cause multiple calls to this `next()` function to
-			// receive a `nextItem` with `done === true`.
-			// The shutdown logic that rejects/resolves must be protected
-			// so it runs only one time as the `skippedIndex` logic is
-			// non-idempotent.
-			if (nextItem.done) {
-				isIterableDone = true;
-
-				if (resolvingCount === 0 && !isResolved) {
-					if (!stopOnError && errors.length > 0) {
-						reject(new AggregateError(errors)); // eslint-disable-line unicorn/error-message
-						return;
-					}
-
-					isResolved = true;
-
-					if (skippedIndexesMap.size === 0) {
-						resolve(result);
-						return;
-					}
-
-					const pureResult = [];
-
-					// Support multiple `pMapSkip`'s.
-					for (const [index, value] of result.entries()) {
-						if (skippedIndexesMap.get(index) === pMapSkip) {
-							continue;
-						}
-
-						pureResult.push(value);
-					}
-
-					resolve(pureResult);
-				}
-
-				return;
-			}
-
-			resolvingCount++;
-
-			// Intentionally detached
-			(async () => {
-				try {
-					const element = await nextItem.value;
-
-					if (isResolved) {
-						return;
-					}
-
-					const value = await mapper(element, index);
-
-					// Use Map to stage the index of the element.
-					if (value === pMapSkip) {
-						skippedIndexesMap.set(index, value);
-					}
-
-					result[index] = value;
-
-					resolvingCount--;
-					await next();
-				} catch (error) {
-					if (stopOnError) {
-						reject(error);
-					} else {
-						errors.push(error);
-						resolvingCount--;
-
-						// In that case we can't really continue regardless of `stopOnError` state
-						// since an iterable is likely to continue throwing after it throws once.
-						// If we continue calling `next()` indefinitely we will likely end up
-						// in an infinite loop of failed iteration.
-						try {
-							await next();
-						} catch (error) {
-							reject(error);
-						}
-					}
-				}
-			})();
-		};
-
-		// Create the concurrent runners in a detached (non-awaited)
-		// promise. We need this so we can await the `next()` calls
-		// to stop creating runners before hitting the concurrency limit
-		// if the iterable has already been marked as done.
-		// NOTE: We *must* do this for async iterators otherwise we'll spin up
-		// infinite `next()` calls by default and never start the event loop.
-		(async () => {
-			for (let index = 0; index < concurrency; index++) {
-				try {
-					// eslint-disable-next-line no-await-in-loop
-					await next();
-				} catch (error) {
-					reject(error);
-					break;
-				}
-
-				if (isIterableDone || isRejected) {
-					break;
-				}
-			}
-		})();
-	});
-}
-
-function pMapIterable(
-	iterable,
-	mapper,
-	{
-		concurrency = Number.POSITIVE_INFINITY,
-		backpressure = concurrency,
-	} = {},
-) {
-	if (iterable[Symbol.iterator] === undefined && iterable[Symbol.asyncIterator] === undefined) {
-		throw new TypeError(`Expected \`input\` to be either an \`Iterable\` or \`AsyncIterable\`, got (${typeof iterable})`);
-	}
-
-	if (typeof mapper !== 'function') {
-		throw new TypeError('Mapper function is required');
-	}
-
-	if (!((Number.isSafeInteger(concurrency) && concurrency >= 1) || concurrency === Number.POSITIVE_INFINITY)) {
-		throw new TypeError(`Expected \`concurrency\` to be an integer from 1 and up or \`Infinity\`, got \`${concurrency}\` (${typeof concurrency})`);
-	}
-
-	if (!((Number.isSafeInteger(backpressure) && backpressure >= concurrency) || backpressure === Number.POSITIVE_INFINITY)) {
-		throw new TypeError(`Expected \`backpressure\` to be an integer from \`concurrency\` (${concurrency}) and up or \`Infinity\`, got \`${backpressure}\` (${typeof backpressure})`);
-	}
-
-	return {
-		async * [Symbol.asyncIterator]() {
-			const iterator = iterable[Symbol.asyncIterator] === undefined ? iterable[Symbol.iterator]() : iterable[Symbol.asyncIterator]();
-
-			const promises = [];
-			let pendingPromisesCount = 0;
-			let isDone = false;
-			let index = 0;
-
-			function trySpawn() {
-				if (isDone || !(pendingPromisesCount < concurrency && promises.length < backpressure)) {
-					return;
-				}
-
-				pendingPromisesCount++;
-
-				const promise = (async () => {
-					const {done, value} = await iterator.next();
-
-					if (done) {
-						pendingPromisesCount--;
-						return {done: true};
-					}
-
-					// Spawn if still below concurrency and backpressure limit
-					trySpawn();
-
-					try {
-						const returnValue = await mapper(await value, index++);
-
-						pendingPromisesCount--;
-
-						if (returnValue === pMapSkip) {
-							const index = promises.indexOf(promise);
-
-							if (index > 0) {
-								promises.splice(index, 1);
-							}
-						}
-
-						// Spawn if still below backpressure limit and just dropped below concurrency limit
-						trySpawn();
-
-						return {done: false, value: returnValue};
-					} catch (error) {
-						pendingPromisesCount--;
-						isDone = true;
-						return {error};
-					}
-				})();
-
-				promises.push(promise);
-			}
-
-			trySpawn();
-
-			while (promises.length > 0) {
-				const {error, done, value} = await promises[0]; // eslint-disable-line no-await-in-loop
-
-				promises.shift();
-
-				if (error) {
-					throw error;
-				}
-
-				if (done) {
-					return;
-				}
-
-				// Spawn if just dropped below backpressure limit and below the concurrency limit
-				trySpawn();
-
-				if (value === pMapSkip) {
-					continue;
-				}
-
-				yield value;
-			}
-		},
-	};
-}
-
-const pMapSkip = Symbol('skip');
-
-
-/***/ })
-
-};
-
-//# sourceMappingURL=606.index.js.map

dist/package.json

@@ -1,3 +0,0 @@
-{
-  "type": "module"
-}

package.json

@@ -4,10 +4,11 @@
   "type": "module",
   "main": "src/main.ts",
   "scripts": {
-    "build": "ncc build --source-map --minify --license licenses.txt",
+    "build": "esbuild src/main.ts --bundle --platform=node --target=node24 --format=cjs --outfile=dist/index.cjs --sourcemap --minify && yarn run license",
     "lint": "eslint --max-warnings=0 .",
     "format": "eslint --fix .",
-    "test": "vitest run"
+    "test": "vitest run",
+    "license": "generate-license-file --input package.json --output dist/licenses.txt --overwrite --ci --no-spinner --eol lf"
   },
   "repository": {
     "type": "git",
@@ -21,23 +22,24 @@
   ],
   "author": "Docker Inc.",
   "license": "Apache-2.0",
-  "packageManager": "yarn@4.9.2",
+  "packageManager": "yarn@4.15.0",
   "dependencies": {
-    "@actions/core": "^3.0.0",
+    "@actions/core": "^3.0.1",
-    "@docker/actions-toolkit": "^0.79.0",
+    "@docker/actions-toolkit": "^0.91.0",
-    "handlebars": "^4.7.8"
+    "handlebars": "^4.7.9"
   },
   "devDependencies": {
     "@eslint/js": "^9.39.3",
     "@types/node": "^24.11.0",
     "@typescript-eslint/eslint-plugin": "^8.56.1",
     "@typescript-eslint/parser": "^8.56.1",
-    "@vercel/ncc": "^0.38.4",
     "@vitest/coverage-v8": "^4.0.18",
     "@vitest/eslint-plugin": "^1.6.9",
+    "esbuild": "^0.28.0",
     "eslint": "^9.39.3",
     "eslint-config-prettier": "^10.1.8",
     "eslint-plugin-prettier": "^5.5.5",
+    "generate-license-file": "^4.1.1",
     "globals": "^17.3.0",
     "prettier": "^3.8.1",
     "typescript": "^5.9.3",

src/context.ts

@@ -4,7 +4,6 @@ import * as handlebars from 'handlebars';
 
 import {Bake} from '@docker/actions-toolkit/lib/buildx/bake.js';
 import {Build} from '@docker/actions-toolkit/lib/buildx/build.js';
-import {Context} from '@docker/actions-toolkit/lib/context.js';
 import {GitHub} from '@docker/actions-toolkit/lib/github/github.js';
 import {Toolkit} from '@docker/actions-toolkit/lib/toolkit.js';
 import {Util} from '@docker/actions-toolkit/lib/util.js';
@@ -30,6 +29,7 @@ export interface Inputs {
   set: string[];
   source: BakeContext;
   targets: string[];
+  vars: string[];
   'github-token': string;
 }
 
@@ -46,8 +46,9 @@ export async function getInputs(): Promise<Inputs> {
     push: core.getBooleanInput('push'),
     sbom: core.getInput('sbom'),
     set: Util.getInputList('set', {ignoreComma: true, quote: false}),
-    source: getBakeContext(core.getInput('source')),
+    source: await getBakeContext(core.getInput('source')),
     targets: Util.getInputList('targets'),
+    vars: Util.getInputList('vars', {ignoreComma: true, quote: false}),
     'github-token': core.getInput('github-token')
   };
 }
@@ -71,22 +72,30 @@ async function getBakeArgs(inputs: Inputs, definition: BakeDefinition, toolkit:
       // allow filesystem entitlements by default
       inputs.allow.push('fs=*');
     }
-    await Util.asyncForEach(inputs.allow, async allow => {
+    await Util.asyncForEach(inputs.allow, async (allow: string) => {
       args.push('--allow', allow);
     });
   }
   if (inputs.call) {
     if (!(await toolkit.buildx.versionSatisfies('>=0.16.0'))) {
-      throw new Error(`Buildx >= 0.16.0 is required to use the call flag.`);
+      throw new Error(`Buildx >= 0.16.0 is required to use the call input.`);
     }
     args.push('--call', inputs.call);
   }
-  await Util.asyncForEach(inputs.files, async file => {
+  await Util.asyncForEach(inputs.files, async (file: string) => {
     args.push('--file', file);
   });
-  await Util.asyncForEach(inputs.set, async set => {
+  await Util.asyncForEach(inputs.set, async (s: string) => {
-    args.push('--set', set);
+    args.push('--set', s);
   });
+  if (inputs.vars.length > 0) {
+    if (!(await toolkit.buildx.versionSatisfies('>=0.31.0'))) {
+      throw new Error(`Buildx >= 0.31.0 is required to use the vars input.`);
+    }
+    await Util.asyncForEach(inputs.vars, async (v: string) => {
+      args.push('--var', v);
+    });
+  }
   if (await toolkit.buildx.versionSatisfies('>=0.6.0')) {
     args.push('--metadata-file', toolkit.buildxBake.getMetadataFilePath());
   }
@@ -139,12 +148,13 @@ async function getCommonArgs(inputs: Inputs): Promise<Array<string>> {
   return args;
 }
 
-function getBakeContext(sourceInput: string): BakeContext {
+async function getBakeContext(sourceInput: string): Promise<BakeContext> {
+  const defaultContext = await new Build().gitContext();
   let bakeContext = handlebars.compile(sourceInput)({
-    defaultContext: Context.gitContext()
+    defaultContext: defaultContext
   });
   if (!bakeContext) {
-    bakeContext = Context.gitContext();
+    bakeContext = defaultContext;
   }
   if (Util.isValidRef(bakeContext)) {
     return {

src/main.ts

@@ -109,6 +109,7 @@ actionsToolkit.run(
           sbom: inputs.sbom,
           source: inputs.source.remoteRef,
           targets: inputs.targets,
+          vars: inputs.vars,
           githubToken: gitAuthToken
         },
         {

subaction/matrix/README.md

@@ -41,11 +41,11 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
       -
         name: Generate matrix
         id: generate
-        uses: docker/bake-action/subaction/matrix@v6
+        uses: docker/bake-action/subaction/matrix@v7
         with:
           target: validate
 
@@ -60,7 +60,7 @@ jobs:
     steps:
       -
         name: Validate
-        uses: docker/bake-action@v6
+        uses: docker/bake-action@v7
         with:
           targets: ${{ matrix.target }}
 ```
@@ -95,11 +95,11 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
       -
         name: Generate matrix
         id: generate
-        uses: docker/bake-action/subaction/matrix@v6
+        uses: docker/bake-action/subaction/matrix@v7
         with:
           target: lint
           fields: platforms
@@ -115,7 +115,7 @@ jobs:
     steps:
       -
         name: Lint
-        uses: docker/bake-action@v6
+        uses: docker/bake-action@v7
         with:
           targets: ${{ matrix.target }}
           set: |

subaction/matrix/action.yml

@@ -28,7 +28,7 @@ runs:
     -
       name: Generate
       id: generate
-      uses: actions/github-script@v7
+      uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
       env:
         INPUT_WORKDIR: ${{ inputs.workdir }}
         INPUT_FILES: ${{ inputs.files }}

test/config.hcl

@@ -6,21 +6,26 @@ group "release" {
   targets = ["db", "app-plus"]
 }
 
+# Special target: https://github.com/docker/metadata-action#bake-definition
+target "docker-metadata-action" {
+  tags = [
+    "localhost:5000/name/app:latest",
+    "localhost:5000/name/app:1.0.0"
+  ]
+}
+
 target "db" {
   context = "./test"
   tags = ["docker.io/tonistiigi/db"]
 }
 
 target "app" {
+  inherits = ["docker-metadata-action"]
   context = "./test"
   dockerfile = "Dockerfile"
   args = {
     name = "foo"
   }
-  tags = [
-    "localhost:5000/name/app:latest",
-    "localhost:5000/name/app:1.0.0"
-  ]
 }
 
 target "cross" {