Merge pull request #781 from crazy-max/disable-provenance

Disable provenance by default if not set
update generated content
2025-06-13 14:47:13 +02:00 · 2023-01-30 19:07:44 +01:00 · 2023-01-30 10:15:05 +01:00 · 2023-01-30 10:15:05 +01:00 · 2023-01-13 13:27:37 +01:00 · 2023-01-13 13:23:43 +01:00
70 changed files with 9016 additions and 244 deletions
--- a/.dockerignore
+++ b/.dockerignore
@ -0,0 +1,2 @@
+/coverage
+/node_modules
--- a/.editorconfig
+++ b/.editorconfig
@ -0,0 +1,15 @@
+# This file is for unifying the coding style for different editors and IDEs.
+# More information at http://editorconfig.org
+
+root = true
+
+[*]
+indent_style = space
+indent_size = 2
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+
+[*.md]
+trim_trailing_whitespace = false
--- a/.eslintrc.json
+++ b/.eslintrc.json
@ -0,0 +1,23 @@
+{
+  "env": {
+    "node": true,
+    "es2021": true,
+    "jest/globals": true
+  },
+  "extends": [
+    "eslint:recommended",
+    "plugin:@typescript-eslint/recommended",
+    "plugin:jest/recommended",
+    "plugin:prettier/recommended"
+  ],
+  "parser": "@typescript-eslint/parser",
+  "parserOptions": {
+    "ecmaVersion": "latest",
+    "sourceType": "module"
+  },
+  "plugins": [
+    "@typescript-eslint",
+    "jest",
+    "prettier"
+  ]
+}
--- a/.gitattributes
+++ b/.gitattributes
@ -0,0 +1,2 @@
+/dist/** linguist-generated=true
+/lib/** linguist-generated=true
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@ -0,0 +1 @@
+*	@crazy-max
--- a/.github/CONTRIBUTING.md
+++ b/.github/CONTRIBUTING.md
@ -0,0 +1,31 @@
+## Contributing
+
+Hi there! We're thrilled that you'd like to contribute to this project. Your help is essential for keeping it great.
+
+Contributions to this project are [released](https://docs.github.com/en/github/site-policy/github-terms-of-service#6-contributions-under-repository-license)
+to the public under the [project's open source license](LICENSE).
+
+## Submitting a pull request
+
+1. [Fork](https://github.com/docker/build-push-action/fork) and clone the repository
+2. Configure and install the dependencies: `yarn install`
+3. Create a new branch: `git checkout -b my-branch-name`
+4. Make your changes
+5. Make sure the tests pass: `docker buildx bake test`
+6. Format code and build javascript artifacts: `docker buildx bake pre-checkin`
+7. Validate all code has correctly formatted and built: `docker buildx bake validate`
+8. Push to your fork and [submit a pull request](https://github.com/docker/build-push-action/compare)
+9. Pat your self on the back and wait for your pull request to be reviewed and merged.
+
+Here are a few things you can do that will increase the likelihood of your pull request being accepted:
+
+- Make sure the `README.md` and any other relevant **documentation are kept up-to-date**.
+- We try to follow [SemVer v2.0.0](https://semver.org/). Randomly breaking public APIs is not an option.
+- Keep your change as focused as possible. If there are multiple changes you would like to make that are not dependent upon each other, consider submitting them as **separate pull requests**.
+- Write a [good commit message](http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html).
+
+## Resources
+
+- [How to Contribute to Open Source](https://opensource.guide/how-to-contribute/)
+- [Using Pull Requests](https://docs.github.com/en/github/collaborating-with-issues-and-pull-requests/about-pull-requests)
+- [GitHub Help](https://docs.github.com/en)
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@ -0,0 +1,37 @@
+---
+name: Bug report
+about: Create a report to help us improve
+---
+
+### Troubleshooting
+
+Before submitting a bug report please read the [Troubleshooting doc](https://github.com/docker/build-push-action/blob/master/TROUBLESHOOTING.md).
+
+### Behaviour
+
+#### Steps to reproduce this issue
+
+1.
+2.
+3.
+
+#### Expected behaviour
+
+> Tell us what should happen
+
+#### Actual behaviour
+
+> Tell us what happens instead
+
+### Configuration
+
+* Repository URL (if public): 
+* Build URL (if public): 
+
+```yml
+# paste your YAML workflow file here and remove sensitive data
+```
+
+### Logs
+
+> Download the [log file of your build](https://docs.github.com/en/actions/managing-workflow-runs/using-workflow-run-logs#downloading-logs) and [attach it](https://docs.github.com/en/github/managing-your-work-on-github/file-attachments-on-issues-and-pull-requests) to this issue.
--- a/.github/SUPPORT.md
+++ b/.github/SUPPORT.md
@ -0,0 +1,31 @@
+# Support [![](https://isitmaintained.com/badge/resolution/docker/build-push-action.svg)](https://isitmaintained.com/project/docker/build-push-action)
+
+First, [be a good guy](https://github.com/kossnocorp/etiquette/blob/master/README.md).
+
+## Reporting an issue
+
+Please do a search in [open issues](https://github.com/docker/build-push-action/issues?utf8=%E2%9C%93&q=) to see if the issue or feature request has already been filed.
+
+If you find your issue already exists, make relevant comments and add your [reaction](https://github.com/blog/2119-add-reactions-to-pull-requests-issues-and-comments). Use a reaction in place of a "+1" comment.
+
+:+1: - upvote
+
+:-1: - downvote
+
+If you cannot find an existing issue that describes your bug or feature, submit an issue using the guidelines below.
+
+## Writing good bug reports and feature requests
+
+File a single issue per problem and feature request.
+
+* Do not enumerate multiple bugs or feature requests in the same issue.
+* Do not add your issue as a comment to an existing issue unless it's for the identical input. Many issues look similar, but have different causes.
+
+The more information you can provide, the more likely someone will be successful reproducing the issue and finding a fix.
+
+You are now ready to [create a new issue](https://github.com/docker/build-push-action/issues/new/choose)!
+
+## Closure policy
+
+* Issues that don't have the information requested above (when applicable) will be closed immediately and the poster directed to the support guidelines.
+* Issues that go a week without a response from original poster are subject to closure at our discretion.
--- a/.github/build-push-action.png
+++ b/.github/build-push-action.png
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -0,0 +1,18 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    labels:
+      - "dependencies"
+      - "bot"
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    allow:
+      - dependency-type: "production"
+    labels:
+      - "dependencies"
+      - "bot"
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -0,0 +1,870 @@
+name: ci
+
+on:
+  workflow_dispatch:
+    inputs:
+      buildx-version:
+        description: 'Buildx version or Git context'
+        default: 'latest'
+        required: false
+      buildkit-image:
+        description: 'BuildKit image'
+        default: 'moby/buildkit:buildx-stable-1'
+        required: false
+  push:
+    branches:
+      - 'master'
+  pull_request:
+    branches:
+      - 'master'
+
+env:
+  BUILDX_VERSION: latest
+  BUILDKIT_IMAGE: moby/buildkit:buildx-stable-1
+
+jobs:
+  minimal:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+        with:
+          path: action
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./action
+        with:
+          file: ./test/Dockerfile
+
+  git-context:
+    runs-on: ubuntu-latest
+    services:
+      registry:
+        image: registry:2
+        ports:
+          - 5000:5000
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+        with:
+          path: action
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+      -
+        name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            network=host
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build and push
+        id: docker_build
+        uses: ./action
+        with:
+          file: ./test/Dockerfile
+          builder: ${{ steps.buildx.outputs.name }}
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: |
+            localhost:5000/name/app:latest
+            localhost:5000/name/app:1.0.0
+      -
+        name: Inspect
+        run: |
+          docker buildx imagetools inspect localhost:5000/name/app:1.0.0 --format '{{json .}}'
+      -
+        name: Check digest
+        run: |
+          if [ -z "${{ steps.docker_build.outputs.digest }}" ]; then
+            echo "::error::Digest should not be empty"
+            exit 1
+          fi
+
+  git-context-secret:
+    runs-on: ubuntu-latest
+    services:
+      registry:
+        image: registry:2
+        ports:
+          - 5000:5000
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+        with:
+          path: action
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+      -
+        name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            network=host
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build and push
+        id: docker_build
+        uses: ./action
+        with:
+          file: ./test/Dockerfile
+          builder: ${{ steps.buildx.outputs.name }}
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: |
+            localhost:5000/name/app:latest
+            localhost:5000/name/app:1.0.0
+          secrets: |
+            GIT_AUTH_TOKEN=${{ github.token }}
+            "MYSECRET=aaaaaaaa
+            bbbbbbb
+            ccccccccc"
+            FOO=bar
+            "EMPTYLINE=aaaa
+
+            bbbb
+            ccc"
+      -
+        name: Inspect
+        run: |
+          docker buildx imagetools inspect localhost:5000/name/app:1.0.0 --format '{{json .}}'
+      -
+        name: Check digest
+        run: |
+          if [ -z "${{ steps.docker_build.outputs.digest }}" ]; then
+            echo "::error::Digest should not be empty"
+            exit 1
+          fi
+
+  path-context:
+    runs-on: ubuntu-latest
+    services:
+      registry:
+        image: registry:2
+        ports:
+          - 5000:5000
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+      -
+        name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            network=host
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build and push
+        id: docker_build
+        uses: ./
+        with:
+          context: ./test
+          file: ./test/Dockerfile
+          builder: ${{ steps.buildx.outputs.name }}
+          push: true
+          tags: |
+            localhost:5000/name/app:latest
+            localhost:5000/name/app:1.0.0
+      -
+        name: Inspect
+        run: |
+          docker buildx imagetools inspect localhost:5000/name/app:1.0.0 --format '{{json .}}'
+      -
+        name: Check digest
+        run: |
+          if [ -z "${{ steps.docker_build.outputs.digest }}" ]; then
+            echo "::error::Digest should not be empty"
+            exit 1
+          fi
+
+  error:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Stop docker
+        run: |
+          sudo systemctl stop docker
+      -
+        name: Build
+        id: docker_build
+        continue-on-error: true
+        uses: ./
+        with:
+          context: ./test
+          file: ./test/Dockerfile
+      -
+        name: Check
+        run: |
+          echo "${{ toJson(steps.docker_build) }}"
+          if [ "${{ steps.docker_build.outcome }}" != "failure" ] || [ "${{ steps.docker_build.conclusion }}" != "success" ]; then
+            echo "::error::Should have failed"
+            exit 1
+          fi
+
+  error-buildx:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        id: docker_build
+        continue-on-error: true
+        uses: ./
+        with:
+          context: ./test
+          file: ./test/Dockerfile
+          platforms: linux/386,linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64,linux/ppc64le,linux/s390x
+          push: true
+          tags: localhost:5000/name/app:latest
+      -
+        name: Check
+        run: |
+          echo "${{ toJson(steps.docker_build) }}"
+          if [ "${{ steps.docker_build.outcome }}" != "failure" ] || [ "${{ steps.docker_build.conclusion }}" != "success" ]; then
+            echo "::error::Should have failed"
+            exit 1
+          fi
+
+  docker-driver:
+    runs-on: ubuntu-latest
+    services:
+      registry:
+        image: registry:2
+        ports:
+          - 5000:5000
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Build
+        id: docker_build
+        uses: ./
+        with:
+          context: ./test
+          file: ./test/Dockerfile
+          push: true
+          tags: localhost:5000/name/app:latest
+
+  export-docker:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Build
+        uses: ./
+        with:
+          context: ./test
+          file: ./test/Dockerfile
+          load: true
+          tags: myimage:latest
+      -
+        name: Inspect
+        run: |
+          docker image inspect myimage:latest
+
+  secret:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          context: .
+          file: ./test/secret.Dockerfile
+          secrets: |
+            MYSECRET=foo
+            INVALID_SECRET=
+
+  network:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: List networks
+        run: docker network ls
+      -
+        name: Build
+        uses: ./
+        with:
+          context: ./test
+          tags: name/app:latest
+          network: host
+
+  shm-size:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          context: ./test
+          file: ./test/shmsize.Dockerfile
+          tags: name/app:latest
+          shm-size: 2g
+
+  ulimit:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            network=host
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          context: ./test
+          file: ./test/ulimit.Dockerfile
+          tags: name/app:latest
+          ulimit: |
+            nofile=1024:1024
+            nproc=3
+
+  cgroup-parent:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            network=host
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          context: ./test
+          file: ./test/cgroup.Dockerfile
+          tags: name/app:latest
+          cgroup-parent: foo
+
+  add-hosts:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            network=host
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          context: ./test
+          file: ./test/addhost.Dockerfile
+          tags: name/app:latest
+          add-hosts: |
+            docker:10.180.0.1
+            foo:10.0.0.1
+
+  build-contexts:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          context: ./test
+          file: ./test/buildcontext.Dockerfile
+          build-contexts: |
+            alpine=docker-image://debian:stable-slim
+          tags: name/app:latest
+
+  no-cache-filters:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          context: ./test
+          file: ./test/nocachefilter.Dockerfile
+          no-cache-filters: build
+          tags: name/app:latest
+          cache-from: type=gha,scope=nocachefilter
+          cache-to: type=gha,scope=nocachefilter,mode=max
+
+  attests-compat:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - buildx: latest
+            buildkit: moby/buildkit:buildx-stable-1
+          - buildx: latest
+            buildkit: moby/buildkit:v0.10.6
+          - buildx: v0.9.1
+            buildkit: moby/buildkit:buildx-stable-1
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: ${{ matrix.buildx }}
+          driver-opts: |
+            network=host
+            image=${{ matrix.buildkit }}
+      -
+        name: Build
+        uses: ./
+        with:
+          context: ./test/go
+          file: ./test/go/Dockerfile
+          outputs: type=cacheonly
+
+  provenance:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        attrs:
+          - ''
+          - mode=max
+          - builder-id=foo
+          - false
+          - true
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            network=host
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          context: ./test/go
+          file: ./test/go/Dockerfile
+          target: binary
+          outputs: type=oci,dest=/tmp/build.tar
+          provenance: ${{ matrix.attrs }}
+          cache-from: type=gha,scope=provenance
+          cache-to: type=gha,scope=provenance,mode=max
+
+  sbom:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - target: image
+            output: type=image,name=localhost:5000/name/app:latest,push=true
+          - target: binary
+            output: /tmp/buildx-build
+    services:
+      registry:
+        image: registry:2
+        ports:
+          - 5000:5000
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            network=host
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          context: ./test/go
+          file: ./test/go/Dockerfile
+          target: ${{ matrix.target }}
+          outputs: ${{ matrix.output }}
+          sbom: true
+          cache-from: type=gha,scope=attests-${{ matrix.target }}
+          cache-to: type=gha,scope=attests-${{ matrix.target }},mode=max
+      -
+        name: Inspect image
+        if: matrix.target == 'image'
+        run: |
+          docker buildx imagetools inspect localhost:5000/name/app:latest --format '{{json .}}'
+      -
+        name: Check output folder
+        if: matrix.target == 'binary'
+        run: |
+          tree /tmp/buildx-build
+      -
+        name: Print SBOM
+        if: matrix.target == 'binary'
+        run: |
+          cat /tmp/buildx-build/sbom.spdx.json | jq
+
+  multi:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        dockerfile:
+          - multi
+          - multi-sudo
+    services:
+      registry:
+        image: registry:2
+        ports:
+          - 5000:5000
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+      -
+        name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            network=host
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build and push
+        id: docker_build
+        uses: ./
+        with:
+          context: ./test
+          file: ./test/${{ matrix.dockerfile }}.Dockerfile
+          builder: ${{ steps.buildx.outputs.name }}
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: |
+            localhost:5000/name/app:latest
+            localhost:5000/name/app:1.0.0
+      -
+        name: Inspect
+        run: |
+          docker buildx imagetools inspect localhost:5000/name/app:1.0.0 --format '{{json .}}'
+      -
+        name: Check digest
+        run: |
+          if [ -z "${{ steps.docker_build.outputs.digest }}" ]; then
+            echo "::error::Digest should not be empty"
+            exit 1
+          fi
+
+  digest:
+    runs-on: ubuntu-latest
+    env:
+      DOCKER_IMAGE: localhost:5000/name/app
+    strategy:
+      fail-fast: false
+      matrix:
+        driver:
+          - docker
+          - docker-container
+        load:
+          - true
+          - false
+        push:
+          - true
+          - false
+        exclude:
+          - driver: docker
+            load: true
+            push: true
+          - driver: docker-container
+            load: true
+            push: true
+          - driver: docker
+            load: false
+            push: false
+          - driver: docker-container
+            load: false
+            push: false
+    services:
+      registry:
+        image: registry:2
+        ports:
+          - 5000:5000
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver: ${{ matrix.driver }}
+          driver-opts: |
+            network=host
+      -
+        name: Build
+        id: docker_build
+        uses: ./
+        with:
+          context: ./test
+          load: ${{ matrix.load }}
+          push: ${{ matrix.push }}
+          tags: ${{ env.DOCKER_IMAGE }}:latest
+          platforms: ${{ matrix.platforms }}
+      -
+        name: Docker images
+        run: |
+          docker image ls --no-trunc
+      -
+        name: Check digest
+        if: ${{ matrix.push }}
+        run: |
+          if [ -z "${{ steps.docker_build.outputs.digest }}" ]; then
+            echo "::error::Digest should not be empty"
+            exit 1
+          fi
+      -
+        name: Check manifest
+        if: ${{ matrix.push }}
+        run: |
+          set -x
+          docker buildx imagetools inspect ${{ env.DOCKER_IMAGE }}@${{ steps.docker_build.outputs.digest }} --format '{{json .}}'
+      -
+        name: Check image ID
+        run: |
+          if [ -z "${{ steps.docker_build.outputs.imageid }}" ]; then
+            echo "::error::Image ID should not be empty"
+            exit 1
+          fi
+      -
+        name: Inspect image
+        if: ${{ matrix.load }}
+        run: |
+          set -x
+          docker image inspect ${{ steps.docker_build.outputs.imageid }}
+
+  registry-cache:
+    runs-on: ubuntu-latest
+    services:
+      registry:
+        image: registry:2
+        ports:
+          - 5000:5000
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            network=host
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build and push
+        id: docker_build
+        uses: ./
+        with:
+          context: ./test
+          file: ./test/multi.Dockerfile
+          builder: ${{ steps.buildx.outputs.name }}
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: |
+            localhost:5000/name/app:latest
+            localhost:5000/name/app:1.0.0
+          cache-from: type=registry,ref=localhost:5000/name/app
+          cache-to: type=inline
+      -
+        name: Inspect
+        run: |
+          docker buildx imagetools inspect localhost:5000/name/app:latest --format '{{json .}}'
+      -
+        name: Check digest
+        run: |
+          if [ -z "${{ steps.docker_build.outputs.digest }}" ]; then
+            echo "::error::Digest should not be empty"
+            exit 1
+          fi
+
+  github-cache:
+    runs-on: ubuntu-latest
+    services:
+      registry:
+        image: registry:2
+        ports:
+          - 5000:5000
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            network=host
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+          buildkitd-flags: --debug
+      -
+        name: Build and push
+        uses: ./
+        with:
+          context: ./test
+          file: ./test/multi.Dockerfile
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: |
+            localhost:5000/name/app:latest
+            localhost:5000/name/app:1.0.0
+          cache-from: type=gha,scope=ci-${{ matrix.buildx_version }}
+          cache-to: type=gha,scope=ci-${{ matrix.buildx_version }}
+      -
+        name: Inspect
+        run: |
+          docker buildx imagetools inspect localhost:5000/name/app:1.0.0 --format '{{json .}}'
+
+  standalone:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Uninstall moby cli
+        run: |
+          sudo apt-get purge -y moby-cli moby-buildx
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            network=host
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          context: ./test
+          file: ./test/Dockerfile
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@ -0,0 +1,123 @@
+name: e2e
+
+on:
+  workflow_dispatch:
+    inputs:
+      buildx-version:
+        description: 'Buildx version or Git context'
+        default: 'latest'
+        required: false
+      buildkit-image:
+        description: 'BuildKit image'
+        default: 'moby/buildkit:buildx-stable-1'
+        required: false
+  schedule:
+    - cron: '0 10 * * *'
+  push:
+    branches:
+      - 'master'
+    tags:
+      - v*
+
+env:
+  BUILDX_VERSION: latest
+  BUILDKIT_IMAGE: moby/buildkit:buildx-stable-1
+
+jobs:
+  docker:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          -
+            registry: ''
+            slug: ghactionstest/ghactionstest
+            username_secret: DOCKERHUB_USERNAME
+            password_secret: DOCKERHUB_TOKEN
+          -
+            registry: ghcr.io
+            slug: ghcr.io/docker-ghactiontest/test
+            username_secret: GHCR_USERNAME
+            password_secret: GHCR_PAT
+          -
+            registry: registry.gitlab.com
+            slug: registry.gitlab.com/test1716/test
+            username_secret: GITLAB_USERNAME
+            password_secret: GITLAB_TOKEN
+          -
+            registry: 175142243308.dkr.ecr.us-east-2.amazonaws.com
+            slug: 175142243308.dkr.ecr.us-east-2.amazonaws.com/sandbox/test-docker-action
+            username_secret: AWS_ACCESS_KEY_ID
+            password_secret: AWS_SECRET_ACCESS_KEY
+          -
+            registry: public.ecr.aws
+            slug: public.ecr.aws/q3b5f1u4/test-docker-action
+            username_secret: AWS_ACCESS_KEY_ID
+            password_secret: AWS_SECRET_ACCESS_KEY
+          -
+            registry: us-east4-docker.pkg.dev
+            slug: us-east4-docker.pkg.dev/sandbox-298914/docker-official-github-actions/test-docker-action
+            username_secret: GAR_USERNAME
+            password_secret: GAR_JSON_KEY
+          -
+            registry: gcr.io
+            slug: gcr.io/sandbox-298914/test-docker-action
+            username_secret: GCR_USERNAME
+            password_secret: GCR_JSON_KEY
+          -
+            registry: officialgithubactions.azurecr.io
+            slug: officialgithubactions.azurecr.io/test-docker-action
+            username_secret: AZURE_CLIENT_ID
+            password_secret: AZURE_CLIENT_SECRET
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: ${{ matrix.slug }}
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Login to Registry
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v2
+        with:
+          registry: ${{ matrix.registry }}
+          username: ${{ secrets[matrix.username_secret] }}
+          password: ${{ secrets[matrix.password_secret] }}
+      -
+        name: Build and push
+        uses: ./
+        with:
+          context: ./test
+          file: ./test/multi.Dockerfile
+          platforms: linux/386,linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64,linux/ppc64le,linux/s390x
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=registry,ref=${{ matrix.slug }}:master
+          cache-to: type=inline
+      -
+        name: Inspect image
+        if: github.event_name != 'pull_request'
+        run: |
+          docker pull ${{ matrix.slug }}:${{ steps.meta.outputs.version }}
+          docker image inspect ${{ matrix.slug }}:${{ steps.meta.outputs.version }}
+      -
+        name: Check manifest
+        if: github.event_name != 'pull_request'
+        run: |
+          docker buildx imagetools inspect ${{ matrix.slug }}:${{ steps.meta.outputs.version }} --format '{{json .}}'
--- a/.github/workflows/example.yml
+++ b/.github/workflows/example.yml
@ -0,0 +1,74 @@
+# This workflow is provided just as an example and not for repo testing/verification
+name: example
+
+on:
+  schedule:
+    - cron: '0 10 * * 0'
+  push:
+    branches:
+      - '**'
+    tags:
+      - 'v*.*.*'
+  pull_request:
+
+env:
+  DOCKER_IMAGE: localhost:5000/name/app
+
+jobs:
+  docker:
+    runs-on: ubuntu-latest
+    services:
+      registry:
+        image: registry:2
+        ports:
+          - 5000:5000
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: ${{ env.DOCKER_IMAGE }}
+          tags: |
+            type=schedule
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=sha
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          driver-opts: network=host
+      -
+        name: Build and export to Docker client
+        uses: ./
+        with:
+          context: ./test
+          file: ./test/Dockerfile
+          load: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+      -
+        name: Build and push to local registry
+        uses: ./
+        with:
+          context: ./test
+          file: ./test/Dockerfile
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+      -
+        name: Inspect image
+        run: |
+          docker image inspect ${{ env.DOCKER_IMAGE }}:${{ steps.meta.outputs.version }}
+      -
+        name: Check manifest
+        if: github.event_name != 'pull_request'
+        run: |
+          docker buildx imagetools inspect ${{ env.DOCKER_IMAGE }}:${{ steps.meta.outputs.version }} --format '{{json .}}'
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@ -1,37 +0,0 @@
-name: CI
-
-on:
-  push:
-    branches:
-      - master
-    tags:
-      - '*'
-  pull_request:
-
-jobs:
-  build:
-    name: build
-    runs-on: ubuntu-latest
-    timeout-minutes: 3
-    steps:
-
-    - name: Checkout
-      uses: actions/checkout@v2
-    
-    - name: Run local registry
-      run: docker run -d -p 5000:5000 registry:2
-    
-    - name: Build and push image
-      uses: ./
-      env:
-        DOCKER_BUILDKIT: 1
-      with:
-        registry: localhost:5000
-        repository: temp/workflow
-        tags: foo
-      
-    - name: Remove local image
-      run: docker image rm localhost:5000/temp/workflow:foo
-
-    - name: Run image from registry
-      run: docker run localhost:5000/temp/workflow:foo
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@ -0,0 +1,32 @@
+name: test
+
+on:
+  push:
+    branches:
+      - 'master'
+  pull_request:
+    branches:
+      - 'master'
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Validate
+        uses: docker/bake-action@v2
+        with:
+          targets: validate
+      -
+        name: Test
+        uses: docker/bake-action@v2
+        with:
+          targets: test
+      -
+        name: Upload coverage
+        uses: codecov/codecov-action@v3
+        with:
+          file: ./coverage/clover.xml
--- a/.github/workflows/virtual-env.yml
+++ b/.github/workflows/virtual-env.yml
@ -0,0 +1,72 @@
+name: virtual-env
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 10 * * *'
+  push:
+    branches:
+      - 'master'
+    paths:
+      - '.github/workflows/virtual-env.yml'
+  pull_request:
+    branches:
+      - 'master'
+    paths:
+      - '.github/workflows/virtual-env.yml'
+
+jobs:
+  os:
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os:
+          - ubuntu-latest
+          - ubuntu-22.04
+          - ubuntu-20.04
+          - ubuntu-18.04
+    steps:
+      -
+        name: File system
+        run: df -ah
+      -
+        name: Mounts
+        run: mount
+      -
+        name: Node info
+        run: node -p process
+      -
+        name: NPM version
+        run: npm version
+      -
+        name: List install packages
+        run: apt list --installed
+      -
+        name: Docker daemon conf
+        run: |
+          cat /etc/docker/daemon.json
+      -
+        name: Docker info
+        run: docker info
+      -
+        name: Docker version
+        run: docker version
+      -
+        name: Cgroups
+        run: |
+          sudo apt-get install -y cgroup-tools
+          lscgroup
+      -
+        name: buildx version
+        run: docker buildx version
+      -
+        name: containerd version
+        run: containerd --version
+      -
+        name: Docker images
+        run: docker image ls
+      -
+        name: Dump context
+        if: always()
+        uses: crazy-max/ghaction-dump-context@v1
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,95 @@
+node_modules
+lib
+
+# Jetbrains
+/.idea
+/*.iml
+
+# Rest of the file pulled from https://github.com/github/gitignore/blob/master/Node.gitignore
+# Logs
+logs
+*.log
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+lerna-debug.log*
+
+# Diagnostic reports (https://nodejs.org/api/report.html)
+report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json
+
+# Runtime data
+pids
+*.pid
+*.seed
+*.pid.lock
+
+# Directory for instrumented libs generated by jscoverage/JSCover
+lib-cov
+
+# Coverage directory used by tools like istanbul
+coverage
+*.lcov
+
+# nyc test coverage
+.nyc_output
+
+# Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files)
+.grunt
+
+# Bower dependency directory (https://bower.io/)
+bower_components
+
+# node-waf configuration
+.lock-wscript
+
+# Compiled binary addons (https://nodejs.org/api/addons.html)
+build/Release
+
+# Dependency directories
+jspm_packages/
+
+# TypeScript v1 declaration files
+typings/
+
+# TypeScript cache
+*.tsbuildinfo
+
+# Optional npm cache directory
+.npm
+
+# Optional eslint cache
+.eslintcache
+
+# Optional REPL history
+.node_repl_history
+
+# Output of 'npm pack'
+*.tgz
+
+# Yarn Integrity file
+.yarn-integrity
+
+# dotenv environment variables file
+.env
+.env.test
+
+# parcel-bundler cache (https://parceljs.org/)
+.cache
+
+# next.js build output
+.next
+
+# nuxt.js build output
+.nuxt
+
+# vuepress build output
+.vuepress/dist
+
+# Serverless directories
+.serverless/
+
+# FuseBox cache
+.fusebox/
+
+# DynamoDB Local files
+.dynamodb/
--- a/.prettierrc.json
+++ b/.prettierrc.json
@ -0,0 +1,11 @@
+{
+  "printWidth": 240,
+  "tabWidth": 2,
+  "useTabs": false,
+  "semi": true,
+  "singleQuote": true,
+  "trailingComma": "none",
+  "bracketSpacing": false,
+  "arrowParens": "avoid",
+  "parser": "typescript"
+}
--- a/3
+++ b/3
@ -1,3 +0,0 @@
-FROM alpine:3
-
-ENTRYPOINT ["echo", "docker github actions"]
--- a/README.md
+++ b/README.md
@ -1,195 +1,247 @@
-# build-push-action
+[![GitHub release](https://img.shields.io/github/release/docker/build-push-action.svg?style=flat-square)](https://github.com/docker/build-push-action/releases/latest)
+[![GitHub marketplace](https://img.shields.io/badge/marketplace-build--and--push--docker--images-blue?logo=github&style=flat-square)](https://github.com/marketplace/actions/build-and-push-docker-images)
+[![CI workflow](https://img.shields.io/github/actions/workflow/status/docker/build-push-action/ci.yml?branch=master&label=ci&logo=github&style=flat-square)](https://github.com/docker/build-push-action/actions?workflow=ci)
+[![Test workflow](https://img.shields.io/github/actions/workflow/status/docker/build-push-action/test.yml?branch=master&label=test&logo=github&style=flat-square)](https://github.com/docker/build-push-action/actions?workflow=test)
+[![Codecov](https://img.shields.io/codecov/c/github/docker/build-push-action?logo=codecov&style=flat-square)](https://codecov.io/gh/docker/build-push-action)

-Builds and pushes Docker images and will log in to a Docker registry if required.
+## About

-Suggestions and issues can be posted on the repositories [issues page](https://github.com/docker/build-push-action/issues).
+GitHub Action to build and push Docker images with [Buildx](https://github.com/docker/buildx)
+with full support of the features provided by [Moby BuildKit](https://github.com/moby/buildkit)
+builder toolkit. This includes multi-platform build, secrets, remote cache, etc.
+and different builder deployment/namespacing options.

-[Inputs](#Inputs)
-* [repository](#repository)
-* [username](#username)
-* [password](#password)
-* [registry](#registry)
-* [tags](#tags)
-* [tag_with_ref](#tag_with_ref)
-* [tag_with_sha](#tag_with_sha)
-* [path](#path)
-* [dockerfile](#dockerfile)
-* [target](#target)
-* [always_pull](#always_pull)
-* [build_args](#build_args)
-* [labels](#labels)
-* [add_git_labels](#add_git_labels)
-* [push](#push)
+![Screenshot](.github/build-push-action.png)

-[Example usage](#Example-usage)
+___

-## Inputs
+* [Usage](#usage)
+  * [Git context](#git-context)
+  * [Path context](#path-context)
+* [Examples](#examples)
+* [Customizing](#customizing)
+  * [inputs](#inputs)
+  * [outputs](#outputs)
+* [Troubleshooting](#troubleshooting)
+* [Contributing](#contributing)

-### `repository`
+## Usage

-**Required** Docker repository to tag the image with.
+In the examples below we are also using 3 other actions:

-### `username`
+* [`setup-buildx`](https://github.com/docker/setup-buildx-action) action will
+  create and boot a builder using by default the [`docker-container` driver](https://docs.docker.com/build/building/drivers/docker-container/).
+  This is **not required but recommended** using it to be able to build
+  multi-platform images, export cache, etc.
+* [`setup-qemu`](https://github.com/docker/setup-qemu-action) action can be
+  useful if you want to add emulation support with QEMU to be able to build
+  against more platforms. 
+* [`login`](https://github.com/docker/login-action) action will take care to
+  log in against a Docker registry.

-Username used to log in to a Docker registry. If not set then no login will occur.
+### Git context

-### `password`
+By default, this action uses the [Git context](https://docs.docker.com/engine/reference/commandline/build/#git-repositories),
+so you don't need to use the [`actions/checkout`](https://github.com/actions/checkout/)
+action to check out the repository as this will be done directly by [BuildKit](https://github.com/moby/buildkit).

-Password or personal access token used to log in to a Docker registry. If not set then no login will occur.
-
-### `registry`
-
-Server address of Docker registry. If not set then will default to Docker Hub.
-
-### `tags`
-
-Comma-delimited list of tags. These will be added to the registry/repository to form the image's tags.
-
-Example:
+The git reference will be based on the [event that triggered your workflow](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows)
+and will result in the following context: `https://github.com/<owner>/<repo>.git#<ref>`.

 ```yaml
-tags: tag1,tag2
+name: ci
+
+on:
+  push:
+    branches:
+      - 'main'
+
+jobs:
+  docker:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      -
+        name: Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      -
+        name: Build and push
+        uses: docker/build-push-action@v3
+        with:
+          push: true
+          tags: user/app:latest
 ```

-### `tag_with_ref`
+Be careful because **any file mutation in the steps that precede the build step
+will be ignored, including processing of the `.dockerignore` file** since
+the context is based on the Git reference. However, you can use the
+[Path context](#path-context) using the [`context` input](#inputs) alongside
+the [`actions/checkout`](https://github.com/actions/checkout/) action to remove
+this restriction.

-Boolean value. Defaults to `false`.
-
-Automatically tags the built image with the git reference. The format of the tag depends on the type of git reference with all forward slashes replaced with `-`.
-
-For pushes to a branch the reference will be `refs/heads/{branch-name}` and the tag will be `{branch-name}`. If `{branch-name}` is master then the tag will be `latest`.
-
-For pull requests the reference will be `refs/pull/{pull-request}` and the tag will be `pr-{pull-request}`.
-
-For git tags the reference will be `refs/tags/{git-tag}` and the tag will be `{git-tag}`.
-
-Examples:
-
-|Git Reference|Image tag|
-|---|---|
-|`refs/heads/master`|`latest`|
-|`refs/heads/my/branch`|`my-branch`|
-|`refs/pull/2/merge`|`pr-2-merge`|
-|`refs/tags/v1.0.0`|`v1.0.0`|
-
-### `tag_with_sha`
-
-Boolean value. Defaults to `false`.
-
-Automatically tags the built image with the git short SHA prefixed with `sha-`.
-
-Example:
-
-|Git SHA|Image tag|
-|---|---|
-|`676cae2f85471aeff6776463c72881ebd902dcf9`|`sha-676cae2`|
-
-### `path`
-
-Path to the build context. Defaults to `.`
-
-### `dockerfile`
-
-Path to the Dockerfile. Defaults to `{path}/Dockerfile`
-
-Note when set this path is **not** relative to the `path` input but is instead relative to the current working directory.
-
-### `target`
-
-Sets the target stage to build.
-
-### `always_pull`
-
-Boolean value. Defaults to `false`.
-
-Always attempt to pull a newer version of the image.
-
-### `build_args`
-
-Comma-delimited list of build-time variables.
-
-Example:
+Default Git context can also be provided using the [Handlebars template](https://handlebarsjs.com/guide/)
+expression `{{defaultContext}}`. Here we can use it to provide a subdirectory
+to the default Git context:

 ```yaml
-build_args: arg1=value1,arg2=value2
+      -
+        # Setting up Docker Buildx with docker-container driver is required
+        # at the moment to be able to use a subdirectory with Git context
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      -
+        name: Build and push
+        uses: docker/build-push-action@v3
+        with:
+          context: "{{defaultContext}}:mysubdir"
+          push: true
+          tags: user/app:latest
 ```

-### `labels`
+> **Warning**
+>
+> Subdirectory for Git context is available from [BuildKit v0.9.0](https://github.com/moby/buildkit/releases/tag/v0.9.0).
+> If you're using the `docker` builder (default if `setup-buildx-action` not used),
+> then BuildKit in Docker Engine will be used. As Docker Engine < v22.x.x embeds
+> Buildkit 0.8.2 at the moment, it does not support this feature. It's therefore
+> required to use the `setup-buildx-action` at the moment.

-Comma-delimited list of labels to add to the built image.
-
-Example:
+Building from the current repository automatically uses the [GitHub Token](https://docs.github.com/en/actions/security-guides/automatic-token-authentication),
+so it does not need to be passed. If you want to authenticate against another
+private repository, you have to use a [secret](https://docs.docker.com/build/ci/github-actions/examples/#secrets)
+named `GIT_AUTH_TOKEN` to be able to authenticate against it with Buildx:

 ```yaml
-labels: label_name_1=label_value_1,label_name_2=label_value_2
+      -
+        name: Build and push
+        uses: docker/build-push-action@v3
+        with:
+          push: true
+          tags: user/app:latest
+          secrets: |
+            GIT_AUTH_TOKEN=${{ secrets.MYTOKEN }}
 ```

-### `add_git_labels`
-
-Boolean value. Defaults to `false`.
-
-Adds labels with git repository information to the built image based on the standards set out in https://github.com/opencontainers/image-spec/blob/master/annotations.md.
-
-The labels are:
-
-|Label key|Example value|Description|
-|---|---|---|
-|`org.opencontainers.image.created`|`2020-03-06T23:00:00Z`|Date and time on which the image was built (string, date-time as defined by RFC 3339).|
-|`org.opencontainers.image.source`|`https://github.com/myorg/myrepository`|URL to the GitHub repository.|
-|`org.opencontainers.image.revision`|`676cae2f85471aeff6776463c72881ebd902dcf9`|The full git SHA of this commit.|
-
-
-### `push`
-
-Boolean value. Defaults to `true`.
-
-Whether to push the built image.
-
-## Example usage
-
-The following will build the root Dockerfile, tag the image as `myorg/myrepository:latest`, log in to Docker Hub using GitHub secrets, and push the image to the Docker Hub repository `myorg/myrepository`:
+### Path context

 ```yaml
-uses: docker/build-push-action@v1
-with:
-  username: ${{ secrets.DOCKER_USERNAME }}
-  password: ${{ secrets.DOCKER_PASSWORD }}
-  repository: myorg/myrepository
-  tags: latest
+name: ci
+
+on:
+  push:
+    branches:
+      - 'main'
+
+jobs:
+  docker:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      -
+        name: Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      -
+        name: Build and push
+        uses: docker/build-push-action@v3
+        with:
+          context: .
+          push: true
+          tags: user/app:latest
 ```

-The following will build the root Dockerfile, tag the image with the git reference and SHA as described above, log in to Docker Hub using GitHub secrets, and push the image to the Docker Hub repository `myorg/myrepository`:
+## Examples

-```yaml
-uses: docker/build-push-action@v1
-with:
-  username: ${{ secrets.DOCKER_USERNAME }}
-  password: ${{ secrets.DOCKER_PASSWORD }}
-  repository: myorg/myrepository
-  tag_with_ref: true
-  tag_with_sha: true
-```
+See https://docs.docker.com/build/ci/github-actions/examples/.

-The following will only push the image when the event that kicked off the workflow was a push of a git tag:
+## Customizing

-```yaml
-uses: docker/build-push-action@v1
-with:
-  username: ${{ secrets.DOCKER_USERNAME }}
-  password: ${{ secrets.DOCKER_PASSWORD }}
-  repository: myorg/myrepository
-  tag_with_ref: true
-  push: ${{ startsWith(github.ref, 'refs/tags/') }}
-```
+### inputs

-The following builds the `mytarget` stage and pushes that:
- 
-```yaml
-uses: docker/build-push-action@v1
-with:
-  username: ${{ secrets.DOCKER_USERNAME }}
-  password: ${{ secrets.DOCKER_PASSWORD }}
-  repository: myorg/myrepository
-  tag_with_ref: true
-  target: mytarget
-```
+Following inputs can be used as `step.with` keys
+
+> `List` type is a newline-delimited string
+> ```yaml
+> cache-from: |
+>   user/app:cache
+>   type=local,src=path/to/dir
+> ```
+
+> `CSV` type is a comma-delimited string
+> ```yaml
+> tags: name/app:latest,name/app:1.0.0
+> ```
+
+| Name               | Type        | Description                                                                                                                                                                       |
+|--------------------|-------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `add-hosts`        | List/CSV    | List of [customs host-to-IP mapping](https://docs.docker.com/engine/reference/commandline/build/#add-entries-to-container-hosts-file---add-host) (e.g., `docker:10.180.0.1`)      |
+| `allow`            | List/CSV    | List of [extra privileged entitlement](https://docs.docker.com/engine/reference/commandline/buildx_build/#allow) (e.g., `network.host,security.insecure`)                         |
+| `attests`          | List        | List of [attestation](https://docs.docker.com/build/attestations/) parameters (e.g., `type=sbom,generator=image`)                                                                 | 
+| `builder`          | String      | Builder instance (see [setup-buildx](https://github.com/docker/setup-buildx-action) action)                                                                                       |
+| `build-args`       | List        | List of [build-time variables](https://docs.docker.com/engine/reference/commandline/buildx_build/#build-arg)                                                                      |
+| `build-contexts`   | List        | List of additional [build contexts](https://docs.docker.com/engine/reference/commandline/buildx_build/#build-context) (e.g., `name=path`)                                         |
+| `cache-from`       | List        | List of [external cache sources](https://docs.docker.com/engine/reference/commandline/buildx_build/#cache-from) (e.g., `type=local,src=path/to/dir`)                              |
+| `cache-to`         | List        | List of [cache export destinations](https://docs.docker.com/engine/reference/commandline/buildx_build/#cache-to) (e.g., `type=local,dest=path/to/dir`)                            |
+| `cgroup-parent`    | String      | Optional [parent cgroup](https://docs.docker.com/engine/reference/commandline/build/#use-a-custom-parent-cgroup---cgroup-parent) for the container used in the build              |
+| `context`          | String      | Build's context is the set of files located in the specified [`PATH` or `URL`](https://docs.docker.com/engine/reference/commandline/build/) (default [Git context](#git-context)) |
+| `file`             | String      | Path to the Dockerfile. (default `{context}/Dockerfile`)                                                                                                                          |
+| `labels`           | List        | List of metadata for an image                                                                                                                                                     |
+| `load`             | Bool        | [Load](https://docs.docker.com/engine/reference/commandline/buildx_build/#load) is a shorthand for `--output=type=docker` (default `false`)                                       |
+| `network`          | String      | Set the networking mode for the `RUN` instructions during build                                                                                                                   |
+| `no-cache`         | Bool        | Do not use cache when building the image (default `false`)                                                                                                                        |
+| `no-cache-filters` | List/CSV    | Do not cache specified stages                                                                                                                                                     |
+| `outputs`¹         | List        | List of [output destinations](https://docs.docker.com/engine/reference/commandline/buildx_build/#output) (format: `type=local,dest=path`)                                         |
+| `platforms`        | List/CSV    | List of [target platforms](https://docs.docker.com/engine/reference/commandline/buildx_build/#platform) for build                                                                 |
+| `provenance`       | Bool/String | Generate [provenance](https://docs.docker.com/build/attestations/slsa-provenance/) attestation for the build (shorthand for `--attest=type=provenance`)                           |
+| `pull`             | Bool        | Always attempt to pull all referenced images (default `false`)                                                                                                                    |
+| `push`             | Bool        | [Push](https://docs.docker.com/engine/reference/commandline/buildx_build/#push) is a shorthand for `--output=type=registry` (default `false`)                                     |
+| `sbom`             | Bool/String | Generate [SBOM](https://docs.docker.com/build/attestations/sbom/) attestation for the build (shorthand for `--attest=type=sbom`)                                                  |
+| `secrets`          | List        | List of [secrets](https://docs.docker.com/engine/reference/commandline/buildx_build/#secret) to expose to the build (e.g., `key=string`, `GIT_AUTH_TOKEN=mytoken`)                |
+| `secret-files`     | List        | List of [secret files](https://docs.docker.com/engine/reference/commandline/buildx_build/#secret) to expose to the build (e.g., `key=filename`, `MY_SECRET=./secret.txt`)         |
+| `shm-size`         | String      | Size of [`/dev/shm`](https://docs.docker.com/engine/reference/commandline/buildx_build/#shm-size) (e.g., `2g`)                                                                    |
+| `ssh`              | List        | List of [SSH agent socket or keys](https://docs.docker.com/engine/reference/commandline/buildx_build/#ssh) to expose to the build                                                 |
+| `tags`             | List/CSV    | List of tags                                                                                                                                                                      |
+| `target`           | String      | Sets the target stage to build                                                                                                                                                    |
+| `ulimit`           | List        | [Ulimit](https://docs.docker.com/engine/reference/commandline/buildx_build/#ulimit) options (e.g., `nofile=1024:1024`)                                                            |
+| `github-token`     | String      | GitHub Token used to authenticate against a repository for [Git context](#git-context) (default `${{ github.token }}`)                                                            |
+
+> **Note**
+>
+> * ¹ multiple `outputs` are [not yet supported](https://github.com/moby/buildkit/issues/1555)
+
+### outputs
+
+Following outputs are available
+
+| Name       | Type    | Description           |
+|------------|---------|-----------------------|
+| `imageid`  | String  | Image ID              |
+| `digest`   | String  | Image digest          |
+| `metadata` | JSON    | Build result metadata |
+
+## Troubleshooting
+
+See [TROUBLESHOOTING.md](TROUBLESHOOTING.md)
+
+## Contributing
+
+Want to contribute? Awesome! You can find information about contributing to
+this project in the [CONTRIBUTING.md](/.github/CONTRIBUTING.md)
--- a/TROUBLESHOOTING.md
+++ b/TROUBLESHOOTING.md
@ -0,0 +1,137 @@
+# Troubleshooting
+
+* [Cannot push to a registry](#cannot-push-to-a-registry)
+  * [BuildKit container logs](#buildkit-container-logs)
+  * [With containerd](#with-containerd)
+* [`repository name must be lowercase`](#repository-name-must-be-lowercase)
+
+## Cannot push to a registry
+
+While pushing to a registry, you may encounter these kinds of issues:
+
+* `failed commit on ref "layer-sha256:...": invalid content digest in response: invalid checksum digest format`
+* `failed commit on ref "layer-sha256:...": no response`
+* `failed commit on ref "manifest-sha256:...": unexpected status: 400 Bad Request`
+* `failed commit on ref "manifest-sha256:...": unexpected status: 401 Unauthorized`
+* `unexpected response: 401 Unauthorized`
+
+These issues are not directly related to this action but are rather linked to
+[Buildx](https://github.com/docker/buildx), [BuildKit](https://github.com/moby/buildkit),
+[containerd](https://github.com/containerd/containerd) or the registry on which
+you're pushing your image. The quality of error message depends on the registry
+and are usually not very informative.
+
+### BuildKit container logs
+
+To help you solve this, you have to [enable debugging in the setup-buildx](https://github.com/docker/setup-buildx-action#buildkit-container-logs)
+action step and attach BuildKit container logs to your issue.
+
+### With containerd
+
+Next you can test pushing with [containerd action](https://github.com/crazy-max/ghaction-setup-containerd)
+using the following workflow. If it works then open an issue on [BuildKit](https://github.com/moby/buildkit)
+repository.
+
+```yaml
+name: containerd
+
+on:
+  push:
+
+jobs:
+  containerd:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          buildkitd-flags: --debug
+      -
+        name: Set up containerd
+        uses: crazy-max/ghaction-setup-containerd@v2
+      -
+        name: Build Docker image
+        uses: docker/build-push-action@v3
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          tags: docker.io/user/app:latest
+          outputs: type=oci,dest=/tmp/image.tar
+      -
+        name: Import image in containerd
+        run: |
+          sudo ctr i import --base-name docker.io/user/app --digests --all-platforms /tmp/image.tar
+      -
+        name: Push image with containerd
+        run: |
+          sudo ctr --debug i push --user "${{ secrets.DOCKER_USERNAME }}:${{ secrets.DOCKER_PASSWORD }}" docker.io/user/app:latest
+```
+
+## `repository name must be lowercase`
+
+You may encounter this issue if you're using `github.repository` as a repo slug
+in your tag:
+
+```
+#6 exporting to image
+#6 exporting layers
+#6 exporting layers 1.2s done
+#6 exporting manifest sha256:b47f7dfb97b89ccd5de553af3c8cd94c4795884cbe5693e93946b1d95a7b1d12 0.0s done
+#6 exporting config sha256:995e93fab8196893192f08a38deea6769dc4d98f86cf705eccc24ec96a3e271c 0.0s done
+#6 ERROR: invalid reference format: repository name must be lowercase
+------
+ > exporting to image:
+------
+error: failed to solve: invalid reference format: repository name must be lowercase
+```
+
+or a cache reference:
+
+```
+#10 importing cache manifest from ghcr.io/My-Org/repo:main
+#10 ERROR: invalid reference format: repository name must be lowercase
+```
+
+To fix this issue you can use our [metadata action](https://github.com/docker/metadata-action)
+to generate sanitized tags:
+
+```yaml
+- name: Docker meta
+  id: meta
+  uses: docker/metadata-action@v4
+  with:
+    images: ghcr.io/${{ github.repository }}
+    tags: latest
+
+- name: Build and push
+  uses: docker/build-push-action@v3
+  with:
+    context: .
+    push: true
+    tags: ${{ steps.meta.outputs.tags }}
+```
+
+Or a dedicated step to sanitize the slug:
+
+```yaml
+- name: Sanitize repo slug
+  uses: actions/github-script@v6
+  id: repo_slug
+  with:
+    result-encoding: string
+    script: return 'ghcr.io/${{ github.repository }}'.toLowerCase()
+
+- name: Build and push
+  uses: docker/build-push-action@v3
+  with:
+    context: .
+    push: true
+    tags: ${{ steps.repo_slug.outputs.result }}:latest
+```
--- a/tests/buildx.test.ts
+++ b/tests/buildx.test.ts
@ -0,0 +1,146 @@
+import {describe, expect, it, jest, test} from '@jest/globals';
+import * as fs from 'fs';
+import * as path from 'path';
+import * as semver from 'semver';
+import * as exec from '@actions/exec';
+import * as buildx from '../src/buildx';
+import * as context from '../src/context';
+
+const tmpNameSync = path.join('/tmp/.docker-build-push-jest', '.tmpname-jest').split(path.sep).join(path.posix.sep);
+const imageID = 'sha256:bfb45ab72e46908183546477a08f8867fc40cebadd00af54b071b097aed127a9';
+const metadata = `{
+  "containerimage.config.digest": "sha256:059b68a595b22564a1cbc167af369349fdc2ecc1f7bc092c2235cbf601a795fd",
+  "containerimage.digest": "sha256:b09b9482c72371486bb2c1d2c2a2633ed1d0b8389e12c8d52b9e052725c0c83c"
+}`;
+
+jest.spyOn(context, 'tmpDir').mockImplementation((): string => {
+  const tmpDir = path.join('/tmp/.docker-build-push-jest').split(path.sep).join(path.posix.sep);
+  if (!fs.existsSync(tmpDir)) {
+    fs.mkdirSync(tmpDir, {recursive: true});
+  }
+  return tmpDir;
+});
+
+jest.spyOn(context, 'tmpNameSync').mockImplementation((): string => {
+  return tmpNameSync;
+});
+
+describe('getImageID', () => {
+  it('matches', async () => {
+    const imageIDFile = await buildx.getImageIDFile();
+    await fs.writeFileSync(imageIDFile, imageID);
+    const expected = await buildx.getImageID();
+    expect(expected).toEqual(imageID);
+  });
+});
+
+describe('getMetadata', () => {
+  it('matches', async () => {
+    const metadataFile = await buildx.getMetadataFile();
+    await fs.writeFileSync(metadataFile, metadata);
+    const expected = await buildx.getMetadata();
+    expect(expected).toEqual(metadata);
+  });
+});
+
+describe('getDigest', () => {
+  it('matches', async () => {
+    const metadataFile = await buildx.getMetadataFile();
+    await fs.writeFileSync(metadataFile, metadata);
+    const expected = await buildx.getDigest(metadata);
+    expect(expected).toEqual('sha256:b09b9482c72371486bb2c1d2c2a2633ed1d0b8389e12c8d52b9e052725c0c83c');
+  });
+});
+
+describe('isLocalOrTarExporter', () => {
+  test.each([
+    [['type=registry,ref=user/app'], false],
+    [['type=docker'], false],
+    [['type=local,dest=./release-out'], true],
+    [['type=tar,dest=/tmp/image.tar'], true],
+    [['type=docker', 'type=tar,dest=/tmp/image.tar'], true],
+    [['"type=tar","dest=/tmp/image.tar"'], true],
+    [['" type= local" , dest=./release-out'], true],
+    [['.'], true]
+  ])('given %p returns %p', async (outputs: Array<string>, expected: boolean) => {
+    expect(buildx.isLocalOrTarExporter(outputs)).toEqual(expected);
+  });
+});
+
+describe('isAvailable', () => {
+  const execSpy = jest.spyOn(exec, 'getExecOutput');
+  buildx.isAvailable();
+
+  // eslint-disable-next-line jest/no-standalone-expect
+  expect(execSpy).toHaveBeenCalledWith(`docker`, ['buildx'], {
+    silent: true,
+    ignoreReturnCode: true
+  });
+});
+
+describe('isAvailable standalone', () => {
+  const execSpy = jest.spyOn(exec, 'getExecOutput');
+  buildx.isAvailable(true);
+
+  // eslint-disable-next-line jest/no-standalone-expect
+  expect(execSpy).toHaveBeenCalledWith(`buildx`, [], {
+    silent: true,
+    ignoreReturnCode: true
+  });
+});
+
+describe('getVersion', () => {
+  it('valid', async () => {
+    const version = await buildx.getVersion();
+    expect(semver.valid(version)).not.toBeNull();
+  });
+});
+
+describe('parseVersion', () => {
+  test.each([
+    ['github.com/docker/buildx 0.4.1+azure bda4882a65349ca359216b135896bddc1d92461c', '0.4.1'],
+    ['github.com/docker/buildx v0.4.1 bda4882a65349ca359216b135896bddc1d92461c', '0.4.1'],
+    ['github.com/docker/buildx v0.4.2 fb7b670b764764dc4716df3eba07ffdae4cc47b2', '0.4.2'],
+    ['github.com/docker/buildx f117971 f11797113e5a9b86bd976329c5dbb8a8bfdfadfa', 'f117971']
+  ])('given %p', async (stdout, expected) => {
+    expect(buildx.parseVersion(stdout)).toEqual(expected);
+  });
+});
+
+describe('satisfies', () => {
+  test.each([
+    ['0.4.1', '>=0.3.2', true],
+    ['bda4882a65349ca359216b135896bddc1d92461c', '>0.1.0', false],
+    ['f117971', '>0.6.0', true]
+  ])('given %p', async (version, range, expected) => {
+    expect(buildx.satisfies(version, range)).toBe(expected);
+  });
+});
+
+describe('getSecret', () => {
+  test.each([
+    ['A_SECRET=abcdef0123456789', false, 'A_SECRET', 'abcdef0123456789', false],
+    ['GIT_AUTH_TOKEN=abcdefghijklmno=0123456789', false, 'GIT_AUTH_TOKEN', 'abcdefghijklmno=0123456789', false],
+    ['MY_KEY=c3RyaW5nLXdpdGgtZXF1YWxzCg==', false, 'MY_KEY', 'c3RyaW5nLXdpdGgtZXF1YWxzCg==', false],
+    ['aaaaaaaa', false, '', '', true],
+    ['aaaaaaaa=', false, '', '', true],
+    ['=bbbbbbb', false, '', '', true],
+    [`foo=${path.join(__dirname, 'fixtures', 'secret.txt').split(path.sep).join(path.posix.sep)}`, true, 'foo', 'bar', false],
+    [`notfound=secret`, true, '', '', true]
+  ])('given %p key and %p secret', async (kvp, file, exKey, exValue, invalid) => {
+    try {
+      let secret: string;
+      if (file) {
+        secret = await buildx.getSecretFile(kvp);
+      } else {
+        secret = await buildx.getSecretString(kvp);
+      }
+      expect(true).toBe(!invalid);
+      expect(secret).toEqual(`id=${exKey},src=${tmpNameSync}`);
+      expect(fs.readFileSync(tmpNameSync, 'utf-8')).toEqual(exValue);
+    } catch (err) {
+      // eslint-disable-next-line jest/no-conditional-expect
+      expect(true).toBe(invalid);
+    }
+  });
+});
--- a/tests/context.test.ts
+++ b/tests/context.test.ts
@ -0,0 +1,856 @@
+import {beforeEach, describe, expect, it, jest, test} from '@jest/globals';
+import * as fs from 'fs';
+import * as path from 'path';
+
+import * as buildx from '../src/buildx';
+import * as context from '../src/context';
+
+const pgp = `-----BEGIN PGP PRIVATE KEY BLOCK-----
+
+lQdGBF6tzaABEACjFbX7PFEG6vDPN2MPyxYW7/3o/sonORj4HXUFjFxxJxktJ3x3
+N1ayHPJ1lqIeoiY7jVbq0ZdEVGkd3YsKG9ZMdZkzGzY6PQPC/+M8OnzOiOPwUdWc
+Tdhh115LvVz0MMKYiab6Sn9cgxj9On3LCQKpjvMDpPo9Ttf6v2GQIw8h2ACvdzQ
+71LtIELS/I+dLbfZiwpUu2fhQT13EJkEnYMOYwM5jNUd66P9itUc7MrOWjkicrKP
+oF1dQaCM+tuKuxvD8WLdiwU5x60NoGkJHHUehKQXl2dVzjpqEqHKEBJt9tfJ9lpE
+YIisgwB8o3pes0fgCehjW2zI95/o9+ayJ6nl4g5+mSvWRXEu66h71nwM0Yuvquk8
+3me7qhYfDrDdCwcxS5BS1hwakTgUQLD99FZjbx1j8sq96I65O0GRdyU2PR8KIjwu
+JrkTH4ZlKxK3FQghUhFoA5GkiDb+eClmRMSni5qg+81T4XChmUkEprA3eWCHL+Ma
+xRNNxLS+r6hH9HG5JBxpV3iaTI9HHpnQKhEeaLXqsUTDZliN9hP7Ywo8bpUB8j2d
+oWYwDV4dPyMKr6Fb8RDCh2q5gJGbVp8w/NmmBTeL+IP2fFggJkRfyumv3Ul7x66L
+tBFQ4rYo4JUUrGweSTneG6REIgxH66hIrNl6Vo/D1ZyknTe1dMOu/BTkkQARAQAB
+/gcDAqra8KO+h3bfyu90vxTL1ro4x/x9il7VBcWlIR4cBP7Imgxv+T4hwPIu8P1x
+lOlxLNWegFOV0idoTy1o3VLLBev/F+IlspX4A+2XEIddR6nZnKFi0Lv2L4TKgE9E
+VJJTszmviDIRLMLN9dWzDfA8hj5tR5Inot92CHRF414AS22JHvlhbFSLQnjqsN+C
+n1cQpNOJhkxsSfZsxjnFa/70y/u8v0o8mzyLZmk9HpzRHGzoz8IfpLp8OTqBR9u6
+zzoKLy16zZO55OKbj7h8uVZvDUq9l8iDICpqWMdZqBJIl56MBexYKgYxh3YO/8v2
+oXli+8Xuaq5QLiCN3yT7IbKoYzplnFfaJwFiMh7R1iPLXaYAZ0qdRijlbtseTK1m
+oHNkwUbxVzjkh4LfE8UpmMwZn5ZjWni3230SoiXuKy0OHkGvwGvWWAL1mEuoYuUI
+mFMcH5MnixP8oQYZKDj2IR/yEeOpdU6B/tr3Tk1NidLf7pUMqG7Ff1NU6dAUeBpa
+9xahITMjHvrhgMISY4IYZep5cEnVw8lQTpUJtW/ePMzrFhu3sA7oNdj9joW/VMfz
+H7MHwwavtICsYqoqV3lnjX4EC9dW6o8PTUg2u956dmtK7KAyUK/+w2aLNGT28ChN
+jhRYHvHzB9Kw5asqI/lTM49eqslBqYQMTTjdBphkYuSZQzNMf291j/ZmoLhD1A1a
+S8tUnNygKV4D1cJYgSXfzhFoU8ib/0SPo+KqQ+CzGS+wxXg6WNBA6wepTjpnVVx3
+4JADP8IJcDC3P0iwAreWjSy15F1cvemFFB0SLNUkyZGzsxtKzbM1+8khl68+eazC
+LzRj0rxfIF5znWjX1QFhKxCk6eF0IWDY0+b3DBkmChME9YDXJ3TthcqA7JgcX4JI
+M4/wdqhgerJYOmj+i2Q0M+Bu02icOJYMwTMMsDVl7XGHkaCuRgZ54eZAUH7JFwUm
+1Ct3tcaqiTMmz0ngHVqBTauzgqKDvzwdVqdfg05H364nJMay/3omR6GayIb5CwSo
+xdNVwG3myPPradT9MP09mDr4ys2zcnQmCkvTVBF6cMZ1Eh6PQQ8CyQWv0zkaBnqj
+JrM1hRpgW4ZlRosSIjCaaJjolN5QDcXBM9TbW9ww+ZYstazN2bV1ZQ7BEjlHQPa1
+BhzMsvqkbETHsIpDNF52gZKn3Q9eIX05BeadzpHUb5/XOheIHVIdhSaTlgl/qQW5
+hQgPGSzSV6KhXEY7aevTdvOgq++WiELkjfz2f2lQFesTjFoQWEvxVDUmLxHtEhaN
+DOuh4H3mX5Opn3pLQmqWVhJTbFdx+g5qQd0NCW4mDaTFWTRLFLZQsSJxDSeg9xrY
+gmaii8NhMZRwquADW+6iU6KfraBhngi7HRz4TfqPr9ma/KUY464cqim1fnwXejyx
+jsb5YHR9R66i+F6P/ysF5w+QuVdDt1fnf9GLay0r6qxpA8ft2vGPcDs4806Huj+7
+Aq5VeJaNkCuh3GR3xVnCFAz/7AtkO6xKuZm8B3q904UuMdSmkhWbaobIuF/B2B6S
+eawIXQHEOplK3ic26d8Ckf4gbjeORfELcMAEi5nGXpTThCdmxQApCLxAYYnTfQT1
+xhlDwT9xPEabo98mIwJJsAU5VsTDYW+qfo4qIx8gYoSKc9Xu3yVh3n+9k43Gcm5V
+9lvK1slijf+TzODZt/jsmkF8mPjXyP5KOI+xQp/m4PxW3pp57YrYj/Rnwga+8DKX
+jMsW7mLAAZ/e+PY6z/s3x1Krfk+Bb5Ph4mI0zjw5weQdtyEToRgveda0GEpvZSBU
+ZXN0ZXIgPGpvZUBmb28uYmFyPokCNgQQAQgAIAUCXq3NoAYLCQcIAwIEFQgKAgQW
+AgEAAhkBAhsDAh4BAAoJEH2FHrctc72gxtQP/AulaClIcn/kDt43mhYnyLglPfbo
+AqPlU26chXolBg0Wo0frFY3aIs5SrcWEf8aR4XLwCFGyi3vya0CUxjghN5tZBYqo
+vswbT00zP3ohxxlJFCRRR9bc7OZXCgTddtfVf6EKrUAzIkbWyAhaJnwJy/1UGpSw
+SEO/KpastrVKf3sv1wqOeFQ4DFyjaNda+xv3dVWS8db7KogqJiPFZXrQK3FKVIxS
+fxRSmKaYN7//d+xwVAEY++RrnL/o8B2kV6N68cCpQWJELyYnJzis9LBcWd/3wiYh
+efTyY+ePKUjcB+kEZnyJfLc7C2hll2e7UJ0fxv+k8vHReRhrNWmGRXsjNRxiw3U0
+hfvxD/C8nyqAbeTHp4XDX78Tc3XCysAqIYboIL+RyewDMjjLj5vzUYAdUdtyNaD7
+C6M2R6pN1GAt52CJmC/Z6F7W7GFGoYOdEkVdMQDsjCwScyEUNlGj9Zagw5M2EgSe
+6gaHgMgTzsMzCc4W6WV5RcS55cfDNOXtxPsMJTt4FmXrjl11prBzpMfpU5a9zxDZ
+oi54ZZ8VPE6jsT4Lzw3sni3c83wm28ArM20AzZ1vh7fk3Sfd0u4Yaz7s9JlEm5+D
+34tEyli28+QjCQc18EfQUiJqiYEJRxJXJ3esvMHfYi45pV/Eh5DgRW1305fUJV/6
+rGpg0NejsHoZdZPnQdGBF6tzaABEAC4mVXTkVk6Kdfa4r5zlzsoIrR27laUlMkb
+OBMt+aokqS+BEbmTnMg6xIAmcUT5uvGAc8S/WhrPoYfc15fTUyHIz8ZbDoAg0LO6
+0Io4VkAvNJNEnsSV9VdLBh/XYlc4K49JqKyWTL4/FJFAGbsmHY3b+QU90AS6FYRv
+KeBAoiyebrjx0vmzb8E8h3xthVLN+AfMlR1ickY62zvnpkbncSMY/skur1D2KfbF
+3sFprty2pEtjFcyB5+18l2IyyHGOlEUw1PZdOAV4/Myh1EZRgYBPs80lYTJALCVF
+IdOakH33WJCImtNZB0AbDTABG+JtMjQGscOa0qzf1Y/7tlhgCrynBBdaIJTx95TD
+21BUHcHOu5yTIS6Ulysxfkv611+BiOKHgdq7DVGP78VuzA7bCjlP1+vHqIt3cnIa
+t2tEyuZ/XF4uc3/i4g0uP9r7AmtET7Z6SKECWjpVv+UEgLx5Cv+ql+LSKYQMvU9a
+i3B1F9fatn3FSLVYrL4aRxu4TSw9POb0/lgDNmN3lGQOsjGCZPibkHjgPEVxKuiq
+9Oi38/VTQ0ZKAmHwBTq1WTZIrPrCW0/YMQ6yIJZulwQ9Yx1cgzYzEfg04fPXlXMi
+vkvNpKbYIICzqj0/DVztz9wgpW6mnd0A2VX2dqbMM0fJUCHA6pj8AvXY4R+9Q4rj
+eWRK9ycInQARAQAB/gcDApjt7biRO0PEyrrAiUwDMsJL4/CVMu11qUWEPjKe2Grh
+ZTW3N+m3neKPRULu+LUtndUcEdVWUCoDzAJ7MwihZtV5vKST/5Scd2inonOaJqoA
+nS3wnEMN/Sc93HAZiZnFx3NKjQVNCwbuEs45mXkkcjLm2iadrTL8fL4acsu5IsvD
+LbDwVOPeNnHKl6Hr20e39fK0FuJEyH49JM6U3B1/8385sJB8+E24+hvSF81aMddh
+Ne4Bc3ZYiYaKxe1quPNKC0CQhAZiT7LsMfkInXr0hY1I+kISNXEJ1dPYOEWiv0Ze
+jD5Pupn34okKNEeBCx+dK8BmUCi6Jgs7McUA7hN0D/YUS++5fuR55UQq2j8Ui0tS
+P8GDr86upH3PgEL0STh9fYfJ7TesxurwonWjlmmT62Myl4Pr+RmpS6PXOnhtcADm
+eGLpzhTveFj4JBLMpyYHgBTqcs12zfprATOpsI/89kmQoGCZpG6+AbfSHqNNPdy2
+eqUCBhOZlIIda1z/cexmU3f/gBqyflFf8fkvmlO4AvI8aMH3OpgHdWnzh+AB51xj
+kmdD/oWel9v7Dz4HoZUfwFaLZ0fE3P9voD8e+sCwqQwVqRY4L/BOYPD5noVOKgOj
+ABNKu5uKrobj6rFUi6DTUCjFGcmoF1Sc06xFNaagUNggRbmlC/dz22RWdDUYv5ra
+N6TxIDkGC0cK6ujyK0nes3DN0aHjgwWuMXDYkN3UckiebI4Cv/eF9jvUKOSiIcy1
+RtxdazZS4dYg2LBMeJKVkPi5elsNyw2812nEY3du/nEkQYXfYgWOF27OR+g4Y9Yw
+1BiqJ1TTjbQnd/khOCrrbzDH1mw00+1XVsT6wjObuYqqxPPS87UrqmMf6OdoYfPm
+zEOnNLBnsJ5VQM3A3pcT40RfdBrZRO8LjGhzKTreyq3C+jz0RLa5HNE8GgOhGyck
+ME4h+RhXlE8KGM+tTo6PA1NJSrEt+8kZzxjP4rIEn0aVthCkNXK12inuXtnHm0ao
+iLUlQOsfPFEnzl0TUPd7+z7j/wB+XiKU/AyEUuB0mvdxdKtqXvajahOyhLjzHQhz
+ZnNlgANGtiqcSoJmkJ8yAvhrtQX51fQLftxbArRW1RYk/5l+Gy3azR+gUC17M6JN
+jrUYxn0zlAxDGFH7gACHUONwVekcuEffHzgu2lk7MyO1Y+lPnwabqjG0eWWHuU00
+hskJlXyhj7DeR12bwjYkyyjG62GvOH02g3OMvUgNGH+K321Dz539csCh/xwtg7Wt
+U3YAphU7htQ1dPDfk1IRs7DQo2L+ZTE57vmL5m0l6fTataEWBPUXkygfQFUJOM6Q
+yY76UEZww1OSDujNeY171NSTzXCVkUeAdAMXgjaHXWLK2QUQUoXbYX/Kr7Vvt9Fu
+Jh6eGjjp7dSjQ9+DW8CAB8vxd93gsQQGWYjmGu8khkEmx6OdZhmSbDbe915LQTb9
+sPhk2s5/Szsvr5W2JJ2321JI6KXBJMZvPC5jEBWmRzOYkRd2vloft+CSMfXF+Zfd
+nYtc6R3dvb9vcjo+a9wFtfcoDsO0MaPSM+9GB25MamdatmGX6iLOy9Re1UABwUi/
+VhTWNkP5uzqx0sDwHEIa2rYOwxpIZDwwjM3oOASCW1DDBQ0BI9KNjfIeL3ubx2mS
+2x8hFU9qSK4umoDNbzOqGPSlkdbiPcNjF2ZcSN1qQZiYdwLL5dw6APNyBVjxTN1J
+gkCdJ/HwAY+r93Lbl5g8gz8d0vJEyfn//34sn9u+toSTw55GcG9Ks1kSKIeDNh0h
+MiPm3HmJAh8EGAEIAAkFAl6tzaACGwwACgkQfYUety1zvaBV9hAAgliX36pXJ59g
+3I9/4R68e/fGg0FMM6D+01yCeiKApOYRrJ0cYKn7ITDYmHhlGGpBAie90UsqX12h
+hdLP7LoQx7sjTyzQt6JmpA8krIwi2ON7FKBkdYb8IYx4mE/5vKnYT4/SFnwTmnZY
+m+NzK2U/qmhq8JyO8gozdAKJUcgz49IVv2Ij0tQ4qaPbyPwQxIDyKnT758nJhB1
+jTqo+oWtER8q3okzIlqcArqn5rDaNJx+DRYL4E/IddyHQAiUWUka8usIUqeW5reu
+zoPUE2CCfOJSGArkqHQQqMx0WEzjQTwAPaHrQbera4SbiV/o4CLCV/u5p1Qnig+Q
+iUsakmlD299t//125LIQEa5qzd9hRC7u1uJS7VdW8eGIEcZ0/XT/sr+z23z0kpZH
+D3dXPX0BwM4IP9xu31CNg10x0rKwjbxy8VaskFEelpqpu+gpAnxqMd1evpeUHcOd
+r5RgPgkNFfba9Nbxf7uEX+HOmsOM+kdtSmdGIvsBZjVnW31nnoDMp49jG4OynjrH
+cRuoM9sxdr6UDqb22CZ3/e0YN4UaZM3YDWMVaP/QBVgvIFcdByqNWezpd9T4ZUII
+MZlaV1uRnHg6B/zTzhIdMM80AXz6Uv6kw4S+Lt7HlbrnMT7uKLuvzH7cle0hcIUa
+PejgXO0uIRolYQ3sz2tMGhx1MfBqH64=
+=WbwB
+-----END PGP PRIVATE KEY BLOCK-----`;
+
+jest.spyOn(context, 'defaultContext').mockImplementation((): string => {
+  return 'https://github.com/docker/build-push-action.git#refs/heads/test-jest';
+});
+
+jest.spyOn(context, 'tmpDir').mockImplementation((): string => {
+  const tmpDir = path.join('/tmp/.docker-build-push-jest').split(path.sep).join(path.posix.sep);
+  if (!fs.existsSync(tmpDir)) {
+    fs.mkdirSync(tmpDir, {recursive: true});
+  }
+  return tmpDir;
+});
+
+jest.spyOn(context, 'tmpNameSync').mockImplementation((): string => {
+  return path.join('/tmp/.docker-build-push-jest', '.tmpname-jest').split(path.sep).join(path.posix.sep);
+});
+
+jest.spyOn(buildx, 'satisfiesBuildKitVersion').mockResolvedValueOnce(true);
+
+describe('getArgs', () => {
+  beforeEach(() => {
+    process.env = Object.keys(process.env).reduce((object, key) => {
+      if (!key.startsWith('INPUT_')) {
+        object[key] = process.env[key];
+      }
+      return object;
+    }, {});
+  });
+
+  // prettier-ignore
+  test.each([
+    [
+      0,
+      '0.4.1',
+      new Map<string, string>([
+        ['context', '.'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+      ]),
+      [
+        'build',
+        '--iidfile', '/tmp/.docker-build-push-jest/iidfile',
+        '.'
+      ]
+    ],
+    [
+      1,
+      '0.4.2',
+      new Map<string, string>([
+        ['build-args', `MY_ARG=val1,val2,val3
+ARG=val
+"MULTILINE=aaaa
+bbbb
+ccc"`],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+      ]),
+      [
+        'build',
+        '--build-arg', 'MY_ARG=val1,val2,val3',
+        '--build-arg', 'ARG=val',
+        '--build-arg', `MULTILINE=aaaa\nbbbb\nccc`,
+        '--iidfile', '/tmp/.docker-build-push-jest/iidfile',
+        'https://github.com/docker/build-push-action.git#refs/heads/test-jest'
+      ]
+    ],
+    [
+      2,
+      '0.4.2',
+      new Map<string, string>([
+        ['tags', 'name/app:7.4, name/app:latest'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+      ]),
+      [
+        'build',
+        '--iidfile', '/tmp/.docker-build-push-jest/iidfile',
+        '--tag', 'name/app:7.4',
+        '--tag', 'name/app:latest',
+        'https://github.com/docker/build-push-action.git#refs/heads/test-jest'
+      ]
+    ],
+    [
+      3,
+      '0.4.2',
+      new Map<string, string>([
+        ['context', '.'],
+        ['labels', 'org.opencontainers.image.title=buildkit\norg.opencontainers.image.description=concurrent, cache-efficient, and Dockerfile-agnostic builder toolkit'],
+        ['outputs', 'type=local,dest=./release-out'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+      ]),
+      [
+        'build',
+        '--label', 'org.opencontainers.image.title=buildkit',
+        '--label', 'org.opencontainers.image.description=concurrent, cache-efficient, and Dockerfile-agnostic builder toolkit',
+        '--output', 'type=local,dest=./release-out',
+        '.'
+      ]
+    ],
+    [
+      4,
+      '0.4.1',
+      new Map<string, string>([
+        ['context', '.'],
+        ['platforms', 'linux/amd64,linux/arm64'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+      ]),
+      [
+        'build',
+        '--platform', 'linux/amd64,linux/arm64',
+        '.'
+      ]
+    ],
+    [
+      5,
+      '0.4.1',
+      new Map<string, string>([
+        ['context', '.'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+      ]),
+      [
+        'build',
+        '--iidfile', '/tmp/.docker-build-push-jest/iidfile',
+        '.'
+      ]
+    ],
+    [
+      6,
+      '0.4.2',
+      new Map<string, string>([
+        ['context', '.'],
+        ['secrets', 'GIT_AUTH_TOKEN=abcdefghijklmno=0123456789'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+      ]),
+      [
+        'build',
+        '--iidfile', '/tmp/.docker-build-push-jest/iidfile',
+        '--secret', 'id=GIT_AUTH_TOKEN,src=/tmp/.docker-build-push-jest/.tmpname-jest',
+        '.'
+      ]
+    ],
+    [
+      7,
+      '0.4.2',
+      new Map<string, string>([
+        ['github-token', 'abcdefghijklmno0123456789'],
+        ['outputs', '.'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+      ]),
+      [
+        'build',
+        '--output', '.',
+        '--secret', 'id=GIT_AUTH_TOKEN,src=/tmp/.docker-build-push-jest/.tmpname-jest',
+        'https://github.com/docker/build-push-action.git#refs/heads/test-jest'
+      ]
+    ],
+    [
+      8,
+      '0.4.2',
+      new Map<string, string>([
+        ['context', 'https://github.com/docker/build-push-action.git#refs/heads/master'],
+        ['tag', 'localhost:5000/name/app:latest'],
+        ['platforms', 'linux/amd64,linux/arm64'],
+        ['secrets', 'GIT_AUTH_TOKEN=abcdefghijklmno=0123456789'],
+        ['file', './test/Dockerfile'],
+        ['builder', 'builder-git-context-2'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'true'],
+        ['pull', 'false'],
+      ]),
+      [
+        'build',
+        '--file', './test/Dockerfile',
+        '--iidfile', '/tmp/.docker-build-push-jest/iidfile',
+        '--platform', 'linux/amd64,linux/arm64',
+        '--secret', 'id=GIT_AUTH_TOKEN,src=/tmp/.docker-build-push-jest/.tmpname-jest',
+        '--builder', 'builder-git-context-2',
+        '--push',
+        'https://github.com/docker/build-push-action.git#refs/heads/master'
+      ]
+    ],
+    [
+      9,
+      '0.4.2',
+      new Map<string, string>([
+        ['context', 'https://github.com/docker/build-push-action.git#refs/heads/master'],
+        ['tag', 'localhost:5000/name/app:latest'],
+        ['platforms', 'linux/amd64,linux/arm64'],
+        ['secrets', `GIT_AUTH_TOKEN=abcdefghi,jklmno=0123456789
+"MYSECRET=aaaaaaaa
+bbbbbbb
+ccccccccc"
+FOO=bar
+"EMPTYLINE=aaaa
+
+bbbb
+ccc"`],
+        ['file', './test/Dockerfile'],
+        ['builder', 'builder-git-context-2'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'true'],
+        ['pull', 'false'],
+      ]),
+      [
+        'build',
+        '--file', './test/Dockerfile',
+        '--iidfile', '/tmp/.docker-build-push-jest/iidfile',
+        '--platform', 'linux/amd64,linux/arm64',
+        '--secret', 'id=GIT_AUTH_TOKEN,src=/tmp/.docker-build-push-jest/.tmpname-jest',
+        '--secret', 'id=MYSECRET,src=/tmp/.docker-build-push-jest/.tmpname-jest',
+        '--secret', 'id=FOO,src=/tmp/.docker-build-push-jest/.tmpname-jest',
+        '--secret', 'id=EMPTYLINE,src=/tmp/.docker-build-push-jest/.tmpname-jest',
+        '--builder', 'builder-git-context-2',
+        '--push',
+        'https://github.com/docker/build-push-action.git#refs/heads/master'
+      ]
+    ],
+    [
+      10,
+      '0.4.2',
+      new Map<string, string>([
+        ['context', 'https://github.com/docker/build-push-action.git#refs/heads/master'],
+        ['tag', 'localhost:5000/name/app:latest'],
+        ['platforms', 'linux/amd64,linux/arm64'],
+        ['secrets', `GIT_AUTH_TOKEN=abcdefghi,jklmno=0123456789
+MYSECRET=aaaaaaaa
+bbbbbbb
+ccccccccc
+FOO=bar
+EMPTYLINE=aaaa
+
+bbbb
+ccc`],
+        ['file', './test/Dockerfile'],
+        ['builder', 'builder-git-context-2'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'true'],
+        ['pull', 'false'],
+      ]),
+      [
+        'build',
+        '--file', './test/Dockerfile',
+        '--iidfile', '/tmp/.docker-build-push-jest/iidfile',
+        '--platform', 'linux/amd64,linux/arm64',
+        '--secret', 'id=GIT_AUTH_TOKEN,src=/tmp/.docker-build-push-jest/.tmpname-jest',
+        '--secret', 'id=MYSECRET,src=/tmp/.docker-build-push-jest/.tmpname-jest',
+        '--secret', 'id=FOO,src=/tmp/.docker-build-push-jest/.tmpname-jest',
+        '--secret', 'id=EMPTYLINE,src=/tmp/.docker-build-push-jest/.tmpname-jest',
+        '--builder', 'builder-git-context-2',
+        '--push',
+        'https://github.com/docker/build-push-action.git#refs/heads/master'
+      ]
+    ],
+    [
+      11,
+      '0.5.1',
+      new Map<string, string>([
+        ['context', 'https://github.com/docker/build-push-action.git#refs/heads/master'],
+        ['tag', 'localhost:5000/name/app:latest'],
+        ['secret-files', `MY_SECRET=${path.join(__dirname, 'fixtures', 'secret.txt').split(path.sep).join(path.posix.sep)}`],
+        ['file', './test/Dockerfile'],
+        ['builder', 'builder-git-context-2'],
+        ['network', 'host'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'true'],
+        ['pull', 'false'],
+      ]),
+      [
+        'build',
+        '--file', './test/Dockerfile',
+        '--iidfile', '/tmp/.docker-build-push-jest/iidfile',
+        '--secret', 'id=MY_SECRET,src=/tmp/.docker-build-push-jest/.tmpname-jest',
+        '--builder', 'builder-git-context-2',
+        '--network', 'host',
+        '--push',
+        'https://github.com/docker/build-push-action.git#refs/heads/master'
+      ]
+    ],
+    [
+      12,
+      '0.4.2',
+      new Map<string, string>([
+        ['context', '.'],
+        ['labels', 'org.opencontainers.image.title=filter_results_top_n\norg.opencontainers.image.description=Reference implementation of operation "filter results (top-n)"'],
+        ['outputs', 'type=local,dest=./release-out'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+      ]),
+      [
+        'build',
+        '--label', 'org.opencontainers.image.title=filter_results_top_n',
+        '--label', 'org.opencontainers.image.description=Reference implementation of operation "filter results (top-n)"',
+        '--output', 'type=local,dest=./release-out',
+        '.'
+      ]
+    ],
+    [
+      13,
+      '0.6.0',
+      new Map<string, string>([
+        ['context', '.'],
+        ['tag', 'localhost:5000/name/app:latest'],
+        ['file', './test/Dockerfile'],
+        ['add-hosts', 'docker:10.180.0.1,foo:10.0.0.1'],
+        ['network', 'host'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'true'],
+        ['pull', 'false'],
+      ]),
+      [
+        'build',
+        '--add-host', 'docker:10.180.0.1',
+        '--add-host', 'foo:10.0.0.1',
+        '--file', './test/Dockerfile',
+        '--iidfile', '/tmp/.docker-build-push-jest/iidfile',
+        '--metadata-file', '/tmp/.docker-build-push-jest/metadata-file',
+        '--network', 'host',
+        '--push',
+        '.'
+      ]
+    ],
+    [
+      14,
+      '0.7.0',
+      new Map<string, string>([
+        ['context', '.'],
+        ['file', './test/Dockerfile'],
+        ['add-hosts', 'docker:10.180.0.1\nfoo:10.0.0.1'],
+        ['cgroup-parent', 'foo'],
+        ['shm-size', '2g'],
+        ['ulimit', `nofile=1024:1024
+nproc=3`],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+      ]),
+      [
+        'build',
+        '--add-host', 'docker:10.180.0.1',
+        '--add-host', 'foo:10.0.0.1',
+        '--cgroup-parent', 'foo',
+        '--file', './test/Dockerfile',
+        '--iidfile', '/tmp/.docker-build-push-jest/iidfile',
+        '--shm-size', '2g',
+        '--ulimit', 'nofile=1024:1024',
+        '--ulimit', 'nproc=3',
+        '--metadata-file', '/tmp/.docker-build-push-jest/metadata-file',
+        '.'
+      ]
+    ],
+    [
+      15,
+      '0.7.0',
+      new Map<string, string>([
+        ['context', '{{defaultContext}}:docker'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+      ]),
+      [
+        'build',
+        '--iidfile', '/tmp/.docker-build-push-jest/iidfile',
+        '--metadata-file', '/tmp/.docker-build-push-jest/metadata-file',
+        'https://github.com/docker/build-push-action.git#refs/heads/test-jest:docker'
+      ]
+    ],
+    [
+      16,
+      '0.8.2',
+      new Map<string, string>([
+        ['github-token', 'abcdefghijklmno0123456789'],
+        ['context', '{{defaultContext}}:subdir'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+      ]),
+      [
+        'build',
+        '--iidfile', '/tmp/.docker-build-push-jest/iidfile',
+        '--secret', 'id=GIT_AUTH_TOKEN,src=/tmp/.docker-build-push-jest/.tmpname-jest',
+        '--metadata-file', '/tmp/.docker-build-push-jest/metadata-file',
+        'https://github.com/docker/build-push-action.git#refs/heads/test-jest:subdir'
+      ]
+    ],
+    [
+      17,
+      '0.8.2',
+      new Map<string, string>([
+        ['context', '.'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+        ['provenance', 'true'],
+      ]),
+      [
+        'build',
+        '--iidfile', '/tmp/.docker-build-push-jest/iidfile',
+        '--metadata-file', '/tmp/.docker-build-push-jest/metadata-file',
+        '.'
+      ]
+    ],
+    [
+      18,
+      '0.10.0',
+      new Map<string, string>([
+        ['context', '.'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+      ]),
+      [
+        'build',
+        '--iidfile', '/tmp/.docker-build-push-jest/iidfile',
+        "--provenance", 'false',
+        '--metadata-file', '/tmp/.docker-build-push-jest/metadata-file',
+        '.'
+      ]
+    ],
+    [
+      19,
+      '0.10.0',
+      new Map<string, string>([
+        ['context', '.'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+        ['provenance', 'true'],
+      ]),
+      [
+        'build',
+        '--iidfile', '/tmp/.docker-build-push-jest/iidfile',
+        "--provenance", `builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`,
+        '--metadata-file', '/tmp/.docker-build-push-jest/metadata-file',
+        '.'
+      ]
+    ],
+    [
+      20,
+      '0.10.0',
+      new Map<string, string>([
+        ['context', '.'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+        ['provenance', 'mode=max'],
+      ]),
+      [
+        'build',
+        '--iidfile', '/tmp/.docker-build-push-jest/iidfile',
+        "--provenance", `mode=max,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`,
+        '--metadata-file', '/tmp/.docker-build-push-jest/metadata-file',
+        '.'
+      ]
+    ],
+    [
+      21,
+      '0.10.0',
+      new Map<string, string>([
+        ['context', '.'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+        ['provenance', 'false'],
+      ]),
+      [
+        'build',
+        '--iidfile', '/tmp/.docker-build-push-jest/iidfile',
+        "--provenance", 'false',
+        '--metadata-file', '/tmp/.docker-build-push-jest/metadata-file',
+        '.'
+      ]
+    ],
+    [
+      22,
+      '0.10.0',
+      new Map<string, string>([
+        ['context', '.'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+        ['provenance', 'builder-id=foo'],
+      ]),
+      [
+        'build',
+        '--iidfile', '/tmp/.docker-build-push-jest/iidfile',
+        "--provenance", 'builder-id=foo',
+        '--metadata-file', '/tmp/.docker-build-push-jest/metadata-file',
+        '.'
+      ]
+    ],
+    [
+      23,
+      '0.10.0',
+      new Map<string, string>([
+        ['context', '.'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+        ['outputs', 'type=docker'],
+      ]),
+      [
+        'build',
+        '--iidfile', '/tmp/.docker-build-push-jest/iidfile',
+        "--output", 'type=docker',
+        '--metadata-file', '/tmp/.docker-build-push-jest/metadata-file',
+        '.'
+      ]
+    ],
+    [
+      24,
+      '0.10.0',
+      new Map<string, string>([
+        ['context', '.'],
+        ['load', 'true'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+      ]),
+      [
+        'build',
+        '--iidfile', '/tmp/.docker-build-push-jest/iidfile',
+        "--load",
+        '--metadata-file', '/tmp/.docker-build-push-jest/metadata-file',
+        '.'
+      ]
+    ],
+  ])(
+    '[%d] given %p with %p as inputs, returns %p',
+    async (num: number, buildxVersion: string, inputs: Map<string, string>, expected: Array<string>) => {
+      inputs.forEach((value: string, name: string) => {
+        setInput(name, value);
+      });
+      const defContext = context.defaultContext();
+      const inp = await context.getInputs(defContext);
+      const res = await context.getArgs(inp, defContext, buildxVersion);
+      expect(res).toEqual(expected);
+    }
+  );
+});
+
+describe('getInputList', () => {
+  it('single line correctly', async () => {
+    await setInput('foo', 'bar');
+    const res = await context.getInputList('foo');
+    expect(res).toEqual(['bar']);
+  });
+
+  it('multiline correctly', async () => {
+    setInput('foo', 'bar\nbaz');
+    const res = await context.getInputList('foo');
+    expect(res).toEqual(['bar', 'baz']);
+  });
+
+  it('empty lines correctly', async () => {
+    setInput('foo', 'bar\n\nbaz');
+    const res = await context.getInputList('foo');
+    expect(res).toEqual(['bar', 'baz']);
+  });
+
+  it('comma correctly', async () => {
+    setInput('foo', 'bar,baz');
+    const res = await context.getInputList('foo');
+    expect(res).toEqual(['bar', 'baz']);
+  });
+
+  it('empty result correctly', async () => {
+    setInput('foo', 'bar,baz,');
+    const res = await context.getInputList('foo');
+    expect(res).toEqual(['bar', 'baz']);
+  });
+
+  it('different new lines correctly', async () => {
+    setInput('foo', 'bar\r\nbaz');
+    const res = await context.getInputList('foo');
+    expect(res).toEqual(['bar', 'baz']);
+  });
+
+  it('different new lines and comma correctly', async () => {
+    setInput('foo', 'bar\r\nbaz,bat');
+    const res = await context.getInputList('foo');
+    expect(res).toEqual(['bar', 'baz', 'bat']);
+  });
+
+  it('multiline and ignoring comma correctly', async () => {
+    setInput('cache-from', 'user/app:cache\ntype=local,src=path/to/dir');
+    const res = await context.getInputList('cache-from', true);
+    expect(res).toEqual(['user/app:cache', 'type=local,src=path/to/dir']);
+  });
+
+  it('different new lines and ignoring comma correctly', async () => {
+    setInput('cache-from', 'user/app:cache\r\ntype=local,src=path/to/dir');
+    const res = await context.getInputList('cache-from', true);
+    expect(res).toEqual(['user/app:cache', 'type=local,src=path/to/dir']);
+  });
+
+  it('multiline values', async () => {
+    setInput(
+      'secrets',
+      `GIT_AUTH_TOKEN=abcdefgh,ijklmno=0123456789
+"MYSECRET=aaaaaaaa
+bbbbbbb
+ccccccccc"
+FOO=bar`
+    );
+    const res = await context.getInputList('secrets', true);
+    expect(res).toEqual([
+      'GIT_AUTH_TOKEN=abcdefgh,ijklmno=0123456789',
+      `MYSECRET=aaaaaaaa
+bbbbbbb
+ccccccccc`,
+      'FOO=bar'
+    ]);
+  });
+
+  it('multiline values with empty lines', async () => {
+    setInput(
+      'secrets',
+      `GIT_AUTH_TOKEN=abcdefgh,ijklmno=0123456789
+"MYSECRET=aaaaaaaa
+bbbbbbb
+ccccccccc"
+FOO=bar
+"EMPTYLINE=aaaa
+
+bbbb
+ccc"`
+    );
+    const res = await context.getInputList('secrets', true);
+    expect(res).toEqual([
+      'GIT_AUTH_TOKEN=abcdefgh,ijklmno=0123456789',
+      `MYSECRET=aaaaaaaa
+bbbbbbb
+ccccccccc`,
+      'FOO=bar',
+      `EMPTYLINE=aaaa
+
+bbbb
+ccc`
+    ]);
+  });
+
+  it('multiline values without quotes', async () => {
+    setInput(
+      'secrets',
+      `GIT_AUTH_TOKEN=abcdefgh,ijklmno=0123456789
+MYSECRET=aaaaaaaa
+bbbbbbb
+ccccccccc
+FOO=bar`
+    );
+    const res = await context.getInputList('secrets', true);
+    expect(res).toEqual(['GIT_AUTH_TOKEN=abcdefgh,ijklmno=0123456789', 'MYSECRET=aaaaaaaa', 'bbbbbbb', 'ccccccccc', 'FOO=bar']);
+  });
+
+  it('large multiline values', async () => {
+    setInput(
+      'secrets',
+      `"GPG_KEY=${pgp}"
+FOO=bar`
+    );
+    const res = await context.getInputList('secrets', true);
+    expect(res).toEqual([`GPG_KEY=${pgp}`, 'FOO=bar']);
+  });
+
+  it('multiline values escape quotes', async () => {
+    setInput(
+      'secrets',
+      `GIT_AUTH_TOKEN=abcdefgh,ijklmno=0123456789
+"MYSECRET=aaaaaaaa
+bbbb""bbb
+ccccccccc"
+FOO=bar`
+    );
+    const res = await context.getInputList('secrets', true);
+    expect(res).toEqual([
+      'GIT_AUTH_TOKEN=abcdefgh,ijklmno=0123456789',
+      `MYSECRET=aaaaaaaa
+bbbb"bbb
+ccccccccc`,
+      'FOO=bar'
+    ]);
+  });
+});
+
+describe('asyncForEach', () => {
+  it('executes async tasks sequentially', async () => {
+    const testValues = [1, 2, 3, 4, 5];
+    const results: number[] = [];
+
+    await context.asyncForEach(testValues, async value => {
+      results.push(value);
+    });
+
+    expect(results).toEqual(testValues);
+  });
+});
+
+// See: https://github.com/actions/toolkit/blob/a1b068ec31a042ff1e10a522d8fdf0b8869d53ca/packages/core/src/core.ts#L89
+function getInputName(name: string): string {
+  return `INPUT_${name.replace(/ /g, '_').toUpperCase()}`;
+}
+
+function setInput(name: string, value: string): void {
+  process.env[getInputName(name)] = value;
+}
--- a/tests/docker.test.ts
+++ b/tests/docker.test.ts
@ -0,0 +1,16 @@
+import {describe, expect, it, jest} from '@jest/globals';
+import * as docker from '../src/docker';
+import * as exec from '@actions/exec';
+
+describe('isAvailable', () => {
+  it('cli', () => {
+    const execSpy = jest.spyOn(exec, 'getExecOutput');
+    docker.isAvailable();
+
+    // eslint-disable-next-line jest/no-standalone-expect
+    expect(execSpy).toHaveBeenCalledWith(`docker`, undefined, {
+      silent: true,
+      ignoreReturnCode: true
+    });
+  });
+});
--- a/tests/fixtures/secret.txt
+++ b/tests/fixtures/secret.txt
@ -0,0 +1 @@
+bar
--- a/action.yml
+++ b/action.yml
@ -1,63 +1,117 @@
+# https://help.github.com/en/articles/metadata-syntax-for-github-actions
 name: Build and push Docker images
-description: Builds and pushes Docker images and will log in to a Docker registry if required
-author: Docker
+description: Build and push Docker images with Buildx
+author: docker
 branding:
  icon: 'anchor'
  color: 'blue'
-runs:
-  using: docker
-  image: docker://docker/github-actions:v1
-  args:
-    - build-push
+
 inputs:
-  username:
-    description: Username used to log in to a Docker registry. If not set then no login will occur
+  add-hosts:
+    description: "List of a customs host-to-IP mapping (e.g., docker:10.180.0.1)"
    required: false
-  password:
-    description: Password or personal access token used to log in to a Docker registry. If not set then no login will occur
+  allow:
+    description: "List of extra privileged entitlement (e.g., network.host,security.insecure)"
    required: false
-  registry:
-    description: Server address of Docker registry. If not set then will default to Docker Hub
+  attests:
+    description: "List of attestation parameters (e.g., type=sbom,generator=image)"
    required: false
-  repository:
-    description: Docker repository to tag the image with
-    required: true
-  tags:
-    description: Comma-delimited list of tags. These will be added to the registry/repository to form the image's tags
+  build-args:
+    description: "List of build-time variables"
    required: false
-  tag_with_ref:
-    description: Automatically tags the built image with the git reference as per the readme
+  build-contexts:
+    description: "List of additional build contexts (e.g., name=path)"
    required: false
-    default: false
-  tag_with_sha:
-    description: Automatically tags the built image with the git short SHA as per the readme
+  builder:
+    description: "Builder instance"
    required: false
-    default: false
-  path:
-    description: Path to the build context
+  cache-from:
+    description: "List of external cache sources for buildx (e.g., user/app:cache, type=local,src=path/to/dir)"
    required: false
-    default: "."
-  dockerfile:
-    description: Path to the Dockerfile (Default is '{path}/Dockerfile')
+  cache-to:
+    description: "List of cache export destinations for buildx (e.g., user/app:cache, type=local,dest=path/to/dir)"
    required: false
-  target:
-    description: Sets the target stage to build
+  cgroup-parent:
+    description: "Optional parent cgroup for the container used in the build"
    required: false
-  always_pull:
-    description: Always attempt to pull a newer version of the image
+  context:
+    description: "Build's context is the set of files located in the specified PATH or URL"
    required: false
-    default: false
-  build_args:
-    description: Comma-delimited list of build-time variables
+  file:
+    description: "Path to the Dockerfile"
    required: false
  labels:
-    description: Comma-delimited list of labels to add to the built image
+    description: "List of metadata for an image"
    required: false
-  add_git_labels:
-    description: Adds labels with git repository information to the built image
+  load:
+    description: "Load is a shorthand for --output=type=docker"
    required: false
-    default: false
+    default: 'false'
+  network:
+    description: "Set the networking mode for the RUN instructions during build"
+    required: false
+  no-cache:
+    description: "Do not use cache when building the image"
+    required: false
+    default: 'false'
+  no-cache-filters:
+    description: "Do not cache specified stages"
+    required: false
+  outputs:
+    description: "List of output destinations (format: type=local,dest=path)"
+    required: false
+  platforms:
+    description: "List of target platforms for build"
+    required: false
+  provenance:
+    description: "Generate provenance attestation for the build (shorthand for --attest=type=provenance)"
+    required: false
+  pull:
+    description: "Always attempt to pull all referenced images"
+    required: false
+    default: 'false'
  push:
-    description: Whether to push the image
+    description: "Push is a shorthand for --output=type=registry"
    required: false
-    default: true
+    default: 'false'
+  sbom:
+    description: "Generate SBOM attestation for the build (shorthand for --attest=type=sbom)"
+    required: false
+  secrets:
+    description: "List of secrets to expose to the build (e.g., key=string, GIT_AUTH_TOKEN=mytoken)"
+    required: false
+  secret-files:
+    description: "List of secret files to expose to the build (e.g., key=filename, MY_SECRET=./secret.txt)"
+    required: false
+  shm-size:
+    description: "Size of /dev/shm (e.g., 2g)"
+    required: false
+  ssh:
+    description: "List of SSH agent socket or keys to expose to the build"
+    required: false
+  tags:
+    description: "List of tags"
+    required: false
+  target:
+    description: "Sets the target stage to build"
+    required: false
+  ulimit:
+    description: "Ulimit options (e.g., nofile=1024:1024)"
+    required: false
+  github-token:
+    description: "GitHub Token used to authenticate against a repository for Git context"
+    default: ${{ github.token }}
+    required: false
+
+outputs:
+  imageid:
+    description: 'Image ID'
+  digest:
+    description: 'Image digest'
+  metadata:
+    description: 'Build result metadata'
+
+runs:
+  using: 'node16'
+  main: 'dist/index.js'
+  post: 'dist/index.js'
--- a/codecov.yml
+++ b/codecov.yml
@ -0,0 +1,3 @@
+comment: false
+github_checks:
+  annotations: false
--- a/dev.Dockerfile
+++ b/dev.Dockerfile
@ -0,0 +1,76 @@
+# syntax=docker/dockerfile:1
+
+ARG NODE_VERSION=16
+ARG DOCKER_VERSION=20.10.13
+ARG BUILDX_VERSION=0.8.0
+
+FROM node:${NODE_VERSION}-alpine AS base
+RUN apk add --no-cache cpio findutils git
+WORKDIR /src
+
+FROM base AS deps
+RUN --mount=type=bind,target=.,rw \
+  --mount=type=cache,target=/src/node_modules \
+  yarn install && mkdir /vendor && cp yarn.lock /vendor
+
+FROM scratch AS vendor-update
+COPY --from=deps /vendor /
+
+FROM deps AS vendor-validate
+RUN --mount=type=bind,target=.,rw <<EOT
+set -e
+git add -A
+cp -rf /vendor/* .
+if [ -n "$(git status --porcelain -- yarn.lock)" ]; then
+  echo >&2 'ERROR: Vendor result differs. Please vendor your package with "docker buildx bake vendor-update"'
+  git status --porcelain -- yarn.lock
+  exit 1
+fi
+EOT
+
+FROM deps AS build
+RUN --mount=type=bind,target=.,rw \
+  --mount=type=cache,target=/src/node_modules \
+  yarn run build && mkdir /out && cp -Rf dist /out/
+
+FROM scratch AS build-update
+COPY --from=build /out /
+
+FROM build AS build-validate
+RUN --mount=type=bind,target=.,rw <<EOT
+set -e
+git add -A
+cp -rf /out/* .
+if [ -n "$(git status --porcelain -- dist)" ]; then
+  echo >&2 'ERROR: Build result differs. Please build first with "docker buildx bake build"'
+  git status --porcelain -- dist
+  exit 1
+fi
+EOT
+
+FROM deps AS format
+RUN --mount=type=bind,target=.,rw \
+  --mount=type=cache,target=/src/node_modules \
+  yarn run format \
+  && mkdir /out && find . -name '*.ts' -not -path './node_modules/*' | cpio -pdm /out
+
+FROM scratch AS format-update
+COPY --from=format /out /
+
+FROM deps AS lint
+RUN --mount=type=bind,target=.,rw \
+  --mount=type=cache,target=/src/node_modules \
+  yarn run lint
+
+FROM docker:${DOCKER_VERSION} as docker
+FROM docker/buildx-bin:${BUILDX_VERSION} as buildx
+
+FROM deps AS test
+RUN --mount=type=bind,target=.,rw \
+  --mount=type=cache,target=/src/node_modules \
+  --mount=type=bind,from=docker,source=/usr/local/bin/docker,target=/usr/bin/docker \
+  --mount=type=bind,from=buildx,source=/buildx,target=/usr/libexec/docker/cli-plugins/docker-buildx \
+  yarn run test --coverageDirectory=/tmp/coverage
+
+FROM scratch AS test-coverage
+COPY --from=test /tmp/coverage /
--- a/dist/index.js
+++ b/dist/index.js
--- a/dist/index.js.map
+++ b/dist/index.js.map
--- a/dist/licenses.txt
+++ b/dist/licenses.txt
--- a/dist/sourcemap-register.js
+++ b/dist/sourcemap-register.js
--- a/docker-bake.hcl
+++ b/docker-bake.hcl
@ -0,0 +1,53 @@
+group "default" {
+  targets = ["build"]
+}
+
+group "pre-checkin" {
+  targets = ["vendor-update", "format", "build"]
+}
+
+group "validate" {
+  targets = ["lint", "build-validate", "vendor-validate"]
+}
+
+target "build" {
+  dockerfile = "dev.Dockerfile"
+  target = "build-update"
+  output = ["."]
+}
+
+target "build-validate" {
+  dockerfile = "dev.Dockerfile"
+  target = "build-validate"
+  output = ["type=cacheonly"]
+}
+
+target "format" {
+  dockerfile = "dev.Dockerfile"
+  target = "format-update"
+  output = ["."]
+}
+
+target "lint" {
+  dockerfile = "dev.Dockerfile"
+  target = "lint"
+  output = ["type=cacheonly"]
+}
+
+target "vendor-update" {
+  dockerfile = "dev.Dockerfile"
+  target = "vendor-update"
+  output = ["."]
+}
+
+target "vendor-validate" {
+  dockerfile = "dev.Dockerfile"
+  target = "vendor-validate"
+  output = ["type=cacheonly"]
+}
+
+target "test" {
+  dockerfile = "dev.Dockerfile"
+  target = "test-coverage"
+  output = ["./coverage"]
+}
--- a/docs/advanced/cache.md
+++ b/docs/advanced/cache.md
@ -0,0 +1,3 @@
+# Cache
+
+This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/examples/#cache)
--- a/docs/advanced/copy-between-registries.md
+++ b/docs/advanced/copy-between-registries.md
@ -0,0 +1,3 @@
+# Copy images between registries
+
+This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/examples/#copy-images-between-registries)
--- a/docs/advanced/dockerhub-desc.md
+++ b/docs/advanced/dockerhub-desc.md
@ -0,0 +1,3 @@
+# Update Docker Hub repo description
+
+This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/examples/#update-docker-hub-repository-description)
--- a/docs/advanced/export-docker.md
+++ b/docs/advanced/export-docker.md
@ -0,0 +1,3 @@
+# Export image to Docker
+
+This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/examples/#export-image-to-docker)
--- a/docs/advanced/isolated-builders.md
+++ b/docs/advanced/isolated-builders.md
@ -0,0 +1,3 @@
+# Isolated builders
+
+This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/configure-builder/#isolated-builders)
--- a/docs/advanced/local-registry.md
+++ b/docs/advanced/local-registry.md
@ -0,0 +1,3 @@
+# Local registry
+
+This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/examples/#local-registry)
--- a/docs/advanced/multi-platform.md
+++ b/docs/advanced/multi-platform.md
@ -0,0 +1,3 @@
+# Multi-platform image
+
+This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/examples/#multi-platform-images)
--- a/docs/advanced/named-contexts.md
+++ b/docs/advanced/named-contexts.md
@ -0,0 +1,3 @@
+# Named contexts
+
+This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/examples/#named-contexts)
--- a/docs/advanced/push-multi-registries.md
+++ b/docs/advanced/push-multi-registries.md
@ -0,0 +1,3 @@
+# Push to multi-registries
+
+This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/examples/#push-to-multi-registries)
--- a/docs/advanced/secrets.md
+++ b/docs/advanced/secrets.md
@ -0,0 +1,3 @@
+# Secrets
+
+This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/examples/#secrets)
--- a/docs/advanced/share-image-jobs.md
+++ b/docs/advanced/share-image-jobs.md
@ -0,0 +1,3 @@
+# Share built image between jobs
+
+This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/examples/#share-built-image-between-jobs)
--- a/docs/advanced/tags-labels.md
+++ b/docs/advanced/tags-labels.md
@ -0,0 +1,3 @@
+# Handle tags and labels
+
+This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/examples/#manage-tags-and-labels)
--- a/docs/advanced/test-before-push.md
+++ b/docs/advanced/test-before-push.md
@ -0,0 +1,3 @@
+# Test your image before pushing it
+
+This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/examples/#test-your-image-before-pushing-it)
--- a/jest.config.ts
+++ b/jest.config.ts
@ -0,0 +1,23 @@
+process.env = Object.assign({}, process.env, {
+  RUNNER_TEMP: '/tmp/github_runner',
+  RUNNER_TOOL_CACHE: '/tmp/github_tool_cache',
+  GITHUB_REPOSITORY: 'docker/build-push-action',
+  GITHUB_RUN_ID: '123456789'
+}) as {
+  [key: string]: string;
+};
+
+module.exports = {
+  clearMocks: false,
+  testEnvironment: 'node',
+  moduleFileExtensions: ['js', 'ts'],
+  setupFiles: ['dotenv/config'],
+  testMatch: ['**/*.test.ts'],
+  transform: {
+    '^.+\\.ts$': 'ts-jest'
+  },
+  moduleNameMapper: {
+    '^csv-parse/sync': '<rootDir>/node_modules/csv-parse/dist/cjs/sync.cjs'
+  },
+  verbose: true
+};
--- a/package.json
+++ b/package.json
@ -0,0 +1,59 @@
+{
+  "name": "docker-build-push",
+  "description": "Build and push Docker images",
+  "main": "lib/main.js",
+  "scripts": {
+    "build": "ncc build src/main.ts --source-map --minify --license licenses.txt",
+    "lint": "eslint src/**/*.ts __tests__/**/*.ts",
+    "format": "eslint --fix src/**/*.ts __tests__/**/*.ts",
+    "test": "jest --coverage",
+    "all": "yarn run build && yarn run format && yarn test"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/docker/build-push-action.git"
+  },
+  "keywords": [
+    "actions",
+    "docker",
+    "build",
+    "push"
+  ],
+  "author": "Docker",
+  "contributors": [
+    {
+      "name": "CrazyMax",
+      "url": "https://crazymax.dev"
+    }
+  ],
+  "license": "Apache-2.0",
+  "dependencies": {
+    "@actions/core": "^1.10.0",
+    "@actions/exec": "^1.1.1",
+    "@actions/github": "^5.1.1",
+    "csv-parse": "^5.3.3",
+    "handlebars": "^4.7.7",
+    "jwt-decode": "^3.1.2",
+    "semver": "^7.3.7",
+    "tmp": "^0.2.1"
+  },
+  "devDependencies": {
+    "@types/csv-parse": "^1.2.2",
+    "@types/node": "^16.11.26",
+    "@types/semver": "^7.3.9",
+    "@types/tmp": "^0.2.3",
+    "@typescript-eslint/eslint-plugin": "^5.14.0",
+    "@typescript-eslint/parser": "^5.14.0",
+    "@vercel/ncc": "^0.33.3",
+    "dotenv": "^16.0.0",
+    "eslint": "^8.11.0",
+    "eslint-config-prettier": "^8.5.0",
+    "eslint-plugin-jest": "^26.1.1",
+    "eslint-plugin-prettier": "^4.0.0",
+    "jest": "^27.2.5",
+    "prettier": "^2.3.1",
+    "ts-jest": "^27.1.2",
+    "ts-node": "^10.7.0",
+    "typescript": "^4.4.4"
+  }
+}
--- a/src/buildx.ts
+++ b/src/buildx.ts
@ -0,0 +1,282 @@
+import {parse} from 'csv-parse/sync';
+import fs from 'fs';
+import path from 'path';
+import * as semver from 'semver';
+import * as exec from '@actions/exec';
+import * as context from './context';
+
+export type Builder = {
+  name?: string;
+  driver?: string;
+  nodes: Node[];
+};
+
+export type Node = {
+  name?: string;
+  endpoint?: string;
+  'driver-opts'?: Array<string>;
+  status?: string;
+  'buildkitd-flags'?: string;
+  buildkit?: string;
+  platforms?: string;
+};
+
+export async function getImageIDFile(): Promise<string> {
+  return path.join(context.tmpDir(), 'iidfile').split(path.sep).join(path.posix.sep);
+}
+
+export async function getImageID(): Promise<string | undefined> {
+  const iidFile = await getImageIDFile();
+  if (!fs.existsSync(iidFile)) {
+    return undefined;
+  }
+  return fs.readFileSync(iidFile, {encoding: 'utf-8'}).trim();
+}
+
+export async function getMetadataFile(): Promise<string> {
+  return path.join(context.tmpDir(), 'metadata-file').split(path.sep).join(path.posix.sep);
+}
+
+export async function getMetadata(): Promise<string | undefined> {
+  const metadataFile = await getMetadataFile();
+  if (!fs.existsSync(metadataFile)) {
+    return undefined;
+  }
+  const content = fs.readFileSync(metadataFile, {encoding: 'utf-8'}).trim();
+  if (content === 'null') {
+    return undefined;
+  }
+  return content;
+}
+
+export async function getDigest(metadata: string | undefined): Promise<string | undefined> {
+  if (metadata === undefined) {
+    return undefined;
+  }
+  const metadataJSON = JSON.parse(metadata);
+  if (metadataJSON['containerimage.digest']) {
+    return metadataJSON['containerimage.digest'];
+  }
+  return undefined;
+}
+
+export async function getSecretString(kvp: string): Promise<string> {
+  return getSecret(kvp, false);
+}
+
+export async function getSecretFile(kvp: string): Promise<string> {
+  return getSecret(kvp, true);
+}
+
+export async function getSecret(kvp: string, file: boolean): Promise<string> {
+  const delimiterIndex = kvp.indexOf('=');
+  const key = kvp.substring(0, delimiterIndex);
+  let value = kvp.substring(delimiterIndex + 1);
+  if (key.length == 0 || value.length == 0) {
+    throw new Error(`${kvp} is not a valid secret`);
+  }
+
+  if (file) {
+    if (!fs.existsSync(value)) {
+      throw new Error(`secret file ${value} not found`);
+    }
+    value = fs.readFileSync(value, {encoding: 'utf-8'});
+  }
+
+  const secretFile = context.tmpNameSync({
+    tmpdir: context.tmpDir()
+  });
+  fs.writeFileSync(secretFile, value);
+
+  return `id=${key},src=${secretFile}`;
+}
+
+export function isLocalOrTarExporter(outputs: string[]): boolean {
+  const records = parse(outputs.join(`\n`), {
+    delimiter: ',',
+    trim: true,
+    columns: false,
+    relaxColumnCount: true
+  });
+  for (const record of records) {
+    // Local if no type is defined
+    // https://github.com/docker/buildx/blob/d2bf42f8b4784d83fde17acb3ed84703ddc2156b/build/output.go#L29-L43
+    if (record.length == 1 && !record[0].startsWith('type=')) {
+      return true;
+    }
+    for (const [key, value] of record.map(chunk => chunk.split('=').map(item => item.trim()))) {
+      if (key == 'type' && (value == 'local' || value == 'tar')) {
+        return true;
+      }
+    }
+  }
+  return false;
+}
+
+export function hasGitAuthToken(secrets: string[]): boolean {
+  for (const secret of secrets) {
+    if (secret.startsWith('GIT_AUTH_TOKEN=')) {
+      return true;
+    }
+  }
+  return false;
+}
+
+export async function isAvailable(standalone?: boolean): Promise<boolean> {
+  const cmd = getCommand([], standalone);
+  return await exec
+    .getExecOutput(cmd.command, cmd.args, {
+      ignoreReturnCode: true,
+      silent: true
+    })
+    .then(res => {
+      if (res.stderr.length > 0 && res.exitCode != 0) {
+        return false;
+      }
+      return res.exitCode == 0;
+    })
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+    .catch(error => {
+      return false;
+    });
+}
+
+export async function satisfiesBuildKitVersion(builderName: string, range: string, standalone?: boolean): Promise<boolean> {
+  const builderInspect = await inspect(builderName, standalone);
+  for (const node of builderInspect.nodes) {
+    if (!node.buildkit) {
+      return false;
+    }
+    // BuildKit version reported by moby is in the format of `v0.11.0-moby`
+    if (builderInspect.driver == 'docker' && !node.buildkit.endsWith('-moby')) {
+      return false;
+    }
+    const version = node.buildkit.replace(/-moby$/, '');
+    if (!semver.satisfies(version, range)) {
+      return false;
+    }
+  }
+  return true;
+}
+
+async function inspect(name: string, standalone?: boolean): Promise<Builder> {
+  const cmd = getCommand(['inspect', name], standalone);
+  return await exec
+    .getExecOutput(cmd.command, cmd.args, {
+      ignoreReturnCode: true,
+      silent: true
+    })
+    .then(res => {
+      if (res.stderr.length > 0 && res.exitCode != 0) {
+        throw new Error(res.stderr.trim());
+      }
+      return parseInspect(res.stdout);
+    });
+}
+
+async function parseInspect(data: string): Promise<Builder> {
+  const builder: Builder = {
+    nodes: []
+  };
+  let node: Node = {};
+  for (const line of data.trim().split(`\n`)) {
+    const [key, ...rest] = line.split(':');
+    const value = rest.map(v => v.trim()).join(':');
+    if (key.length == 0 || value.length == 0) {
+      continue;
+    }
+    switch (key.toLowerCase()) {
+      case 'name': {
+        if (builder.name == undefined) {
+          builder.name = value;
+        } else {
+          if (Object.keys(node).length > 0) {
+            builder.nodes.push(node);
+            node = {};
+          }
+          node.name = value;
+        }
+        break;
+      }
+      case 'driver': {
+        builder.driver = value;
+        break;
+      }
+      case 'endpoint': {
+        node.endpoint = value;
+        break;
+      }
+      case 'driver options': {
+        node['driver-opts'] = (value.match(/(\w+)="([^"]*)"/g) || []).map(v => v.replace(/^(.*)="(.*)"$/g, '$1=$2'));
+        break;
+      }
+      case 'status': {
+        node.status = value;
+        break;
+      }
+      case 'flags': {
+        node['buildkitd-flags'] = value;
+        break;
+      }
+      case 'buildkit': {
+        node.buildkit = value;
+        break;
+      }
+      case 'platforms': {
+        let platforms: Array<string> = [];
+        // if a preferred platform is being set then use only these
+        // https://docs.docker.com/engine/reference/commandline/buildx_inspect/#get-information-about-a-builder-instance
+        if (value.includes('*')) {
+          for (const platform of value.split(', ')) {
+            if (platform.includes('*')) {
+              platforms.push(platform.replace('*', ''));
+            }
+          }
+        } else {
+          // otherwise set all platforms available
+          platforms = value.split(', ');
+        }
+        node.platforms = platforms.join(',');
+        break;
+      }
+    }
+  }
+  if (Object.keys(node).length > 0) {
+    builder.nodes.push(node);
+  }
+  return builder;
+}
+
+export async function getVersion(standalone?: boolean): Promise<string> {
+  const cmd = getCommand(['version'], standalone);
+  return await exec
+    .getExecOutput(cmd.command, cmd.args, {
+      ignoreReturnCode: true,
+      silent: true
+    })
+    .then(res => {
+      if (res.stderr.length > 0 && res.exitCode != 0) {
+        throw new Error(res.stderr.trim());
+      }
+      return parseVersion(res.stdout.trim());
+    });
+}
+
+export function parseVersion(stdout: string): string {
+  const matches = /\sv?([0-9a-f]{7}|[0-9.]+)/.exec(stdout);
+  if (!matches) {
+    throw new Error(`Cannot parse buildx version`);
+  }
+  return matches[1];
+}
+
+export function satisfies(version: string, range: string): boolean {
+  return semver.satisfies(version, range) || /^[0-9a-f]{7}$/.exec(version) !== null;
+}
+
+export function getCommand(args: Array<string>, standalone?: boolean) {
+  return {
+    command: standalone ? 'buildx' : 'docker',
+    args: standalone ? args : ['buildx', ...args]
+  };
+}
--- a/src/context.ts
+++ b/src/context.ts
@ -0,0 +1,340 @@
+import * as fs from 'fs';
+import * as os from 'os';
+import * as path from 'path';
+import * as tmp from 'tmp';
+import * as buildx from './buildx';
+import * as core from '@actions/core';
+import * as github from '@actions/github';
+import {parse} from 'csv-parse/sync';
+import * as handlebars from 'handlebars';
+
+let _defaultContext, _tmpDir: string;
+
+export interface Inputs {
+  addHosts: string[];
+  allow: string[];
+  attests: string[];
+  buildArgs: string[];
+  buildContexts: string[];
+  builder: string;
+  cacheFrom: string[];
+  cacheTo: string[];
+  cgroupParent: string;
+  context: string;
+  file: string;
+  labels: string[];
+  load: boolean;
+  network: string;
+  noCache: boolean;
+  noCacheFilters: string[];
+  outputs: string[];
+  platforms: string[];
+  provenance: string;
+  pull: boolean;
+  push: boolean;
+  sbom: string;
+  secrets: string[];
+  secretFiles: string[];
+  shmSize: string;
+  ssh: string[];
+  tags: string[];
+  target: string;
+  ulimit: string[];
+  githubToken: string;
+}
+
+export function defaultContext(): string {
+  if (!_defaultContext) {
+    let ref = github.context.ref;
+    if (github.context.sha && ref && !ref.startsWith('refs/')) {
+      ref = `refs/heads/${github.context.ref}`;
+    }
+    if (github.context.sha && !ref.startsWith(`refs/pull/`)) {
+      ref = github.context.sha;
+    }
+    _defaultContext = `${process.env.GITHUB_SERVER_URL || 'https://github.com'}/${github.context.repo.owner}/${github.context.repo.repo}.git#${ref}`;
+  }
+  return _defaultContext;
+}
+
+export function tmpDir(): string {
+  if (!_tmpDir) {
+    _tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'docker-build-push-')).split(path.sep).join(path.posix.sep);
+  }
+  return _tmpDir;
+}
+
+export function tmpNameSync(options?: tmp.TmpNameOptions): string {
+  return tmp.tmpNameSync(options);
+}
+
+export function provenanceBuilderID(): string {
+  return `${process.env.GITHUB_SERVER_URL || 'https://github.com'}/${github.context.repo.owner}/${github.context.repo.repo}/actions/runs/${github.context.runId}`;
+}
+
+export async function getInputs(defaultContext: string): Promise<Inputs> {
+  return {
+    addHosts: await getInputList('add-hosts'),
+    allow: await getInputList('allow'),
+    attests: await getInputList('attests', true),
+    buildArgs: await getInputList('build-args', true),
+    buildContexts: await getInputList('build-contexts', true),
+    builder: core.getInput('builder'),
+    cacheFrom: await getInputList('cache-from', true),
+    cacheTo: await getInputList('cache-to', true),
+    cgroupParent: core.getInput('cgroup-parent'),
+    context: core.getInput('context') || defaultContext,
+    file: core.getInput('file'),
+    labels: await getInputList('labels', true),
+    load: core.getBooleanInput('load'),
+    network: core.getInput('network'),
+    noCache: core.getBooleanInput('no-cache'),
+    noCacheFilters: await getInputList('no-cache-filters'),
+    outputs: await getInputList('outputs', true),
+    platforms: await getInputList('platforms'),
+    provenance: getProvenanceInput('provenance'),
+    pull: core.getBooleanInput('pull'),
+    push: core.getBooleanInput('push'),
+    sbom: core.getInput('sbom'),
+    secrets: await getInputList('secrets', true),
+    secretFiles: await getInputList('secret-files', true),
+    shmSize: core.getInput('shm-size'),
+    ssh: await getInputList('ssh'),
+    tags: await getInputList('tags'),
+    target: core.getInput('target'),
+    ulimit: await getInputList('ulimit', true),
+    githubToken: core.getInput('github-token')
+  };
+}
+
+export async function getArgs(inputs: Inputs, defaultContext: string, buildxVersion: string, standalone?: boolean): Promise<Array<string>> {
+  const context = handlebars.compile(inputs.context)({defaultContext});
+  // prettier-ignore
+  return [
+    ...await getBuildArgs(inputs, defaultContext, context, buildxVersion, standalone),
+    ...await getCommonArgs(inputs, buildxVersion),
+    context
+  ];
+}
+
+async function getBuildArgs(inputs: Inputs, defaultContext: string, context: string, buildxVersion: string, standalone?: boolean): Promise<Array<string>> {
+  const args: Array<string> = ['build'];
+  await asyncForEach(inputs.addHosts, async addHost => {
+    args.push('--add-host', addHost);
+  });
+  if (inputs.allow.length > 0) {
+    args.push('--allow', inputs.allow.join(','));
+  }
+  if (buildx.satisfies(buildxVersion, '>=0.10.0')) {
+    await asyncForEach(inputs.attests, async attest => {
+      args.push('--attest', attest);
+    });
+  }
+  await asyncForEach(inputs.buildArgs, async buildArg => {
+    args.push('--build-arg', buildArg);
+  });
+  if (buildx.satisfies(buildxVersion, '>=0.8.0')) {
+    await asyncForEach(inputs.buildContexts, async buildContext => {
+      args.push('--build-context', buildContext);
+    });
+  }
+  await asyncForEach(inputs.cacheFrom, async cacheFrom => {
+    args.push('--cache-from', cacheFrom);
+  });
+  await asyncForEach(inputs.cacheTo, async cacheTo => {
+    args.push('--cache-to', cacheTo);
+  });
+  if (inputs.cgroupParent) {
+    args.push('--cgroup-parent', inputs.cgroupParent);
+  }
+  if (inputs.file) {
+    args.push('--file', inputs.file);
+  }
+  if (!buildx.isLocalOrTarExporter(inputs.outputs) && (inputs.platforms.length == 0 || buildx.satisfies(buildxVersion, '>=0.4.2'))) {
+    args.push('--iidfile', await buildx.getImageIDFile());
+  }
+  await asyncForEach(inputs.labels, async label => {
+    args.push('--label', label);
+  });
+  await asyncForEach(inputs.noCacheFilters, async noCacheFilter => {
+    args.push('--no-cache-filter', noCacheFilter);
+  });
+  await asyncForEach(inputs.outputs, async output => {
+    args.push('--output', output);
+  });
+  if (inputs.platforms.length > 0) {
+    args.push('--platform', inputs.platforms.join(','));
+  }
+  if (buildx.satisfies(buildxVersion, '>=0.10.0')) {
+    if (inputs.provenance) {
+      args.push('--provenance', inputs.provenance);
+    } else if ((await buildx.satisfiesBuildKitVersion(inputs.builder, '>=0.11.0', standalone)) && !hasDockerExport(inputs)) {
+      // If provenance not specified but BuildKit version compatible for
+      // attestation, disable provenance anyway. Also needs to make sure user
+      // doesn't want to explicitly load the image to docker.
+      // While this action successfully pushes OCI compliant images to
+      // well-known registries, some runtimes (e.g. Google Cloud Run and AWS
+      // Lambda) are not able to pull resulting image from their own registry...
+      // See also https://github.com/docker/buildx/issues/1533
+      args.push('--provenance', 'false');
+    }
+    if (inputs.sbom) {
+      args.push('--sbom', inputs.sbom);
+    }
+  }
+  await asyncForEach(inputs.secrets, async secret => {
+    try {
+      args.push('--secret', await buildx.getSecretString(secret));
+    } catch (err) {
+      core.warning(err.message);
+    }
+  });
+  await asyncForEach(inputs.secretFiles, async secretFile => {
+    try {
+      args.push('--secret', await buildx.getSecretFile(secretFile));
+    } catch (err) {
+      core.warning(err.message);
+    }
+  });
+  if (inputs.githubToken && !buildx.hasGitAuthToken(inputs.secrets) && context.startsWith(defaultContext)) {
+    args.push('--secret', await buildx.getSecretString(`GIT_AUTH_TOKEN=${inputs.githubToken}`));
+  }
+  if (inputs.shmSize) {
+    args.push('--shm-size', inputs.shmSize);
+  }
+  await asyncForEach(inputs.ssh, async ssh => {
+    args.push('--ssh', ssh);
+  });
+  await asyncForEach(inputs.tags, async tag => {
+    args.push('--tag', tag);
+  });
+  if (inputs.target) {
+    args.push('--target', inputs.target);
+  }
+  await asyncForEach(inputs.ulimit, async ulimit => {
+    args.push('--ulimit', ulimit);
+  });
+  return args;
+}
+
+async function getCommonArgs(inputs: Inputs, buildxVersion: string): Promise<Array<string>> {
+  const args: Array<string> = [];
+  if (inputs.builder) {
+    args.push('--builder', inputs.builder);
+  }
+  if (inputs.load) {
+    args.push('--load');
+  }
+  if (buildx.satisfies(buildxVersion, '>=0.6.0')) {
+    args.push('--metadata-file', await buildx.getMetadataFile());
+  }
+  if (inputs.network) {
+    args.push('--network', inputs.network);
+  }
+  if (inputs.noCache) {
+    args.push('--no-cache');
+  }
+  if (inputs.pull) {
+    args.push('--pull');
+  }
+  if (inputs.push) {
+    args.push('--push');
+  }
+  return args;
+}
+
+export async function getInputList(name: string, ignoreComma?: boolean): Promise<string[]> {
+  const res: Array<string> = [];
+
+  const items = core.getInput(name);
+  if (items == '') {
+    return res;
+  }
+
+  const records = await parse(items, {
+    columns: false,
+    relaxQuotes: true,
+    relaxColumnCount: true,
+    skipEmptyLines: true
+  });
+
+  for (const record of records as Array<string[]>) {
+    if (record.length == 1) {
+      res.push(record[0]);
+      continue;
+    } else if (!ignoreComma) {
+      res.push(...record);
+      continue;
+    }
+    res.push(record.join(','));
+  }
+
+  return res.filter(item => item).map(pat => pat.trim());
+}
+
+export const asyncForEach = async (array, callback) => {
+  for (let index = 0; index < array.length; index++) {
+    await callback(array[index], index, array);
+  }
+};
+
+function getProvenanceInput(name: string): string {
+  const input = core.getInput(name);
+  if (!input) {
+    // if input is not set, default values will be set later.
+    return input;
+  }
+  const builderID = provenanceBuilderID();
+  try {
+    return core.getBooleanInput(name) ? `builder-id=${builderID}` : 'false';
+  } catch (err) {
+    // not a valid boolean, so we assume it's a string
+    return getProvenanceAttrs(input);
+  }
+}
+
+function getProvenanceAttrs(input: string): string {
+  const builderID = provenanceBuilderID();
+  // parse attributes from input
+  const fields = parse(input, {
+    relaxColumnCount: true,
+    skipEmptyLines: true
+  })[0];
+  // check if builder-id attribute exists in the input
+  for (const field of fields) {
+    const parts = field
+      .toString()
+      .split(/(?<=^[^=]+?)=/)
+      .map(item => item.trim());
+    if (parts[0] == 'builder-id') {
+      return input;
+    }
+  }
+  // if not add builder-id attribute
+  return `${input},builder-id=${builderID}`;
+}
+
+function hasDockerExport(inputs: Inputs): boolean {
+  if (inputs.load) {
+    return true;
+  }
+  for (const output of inputs.outputs) {
+    const fields = parse(output, {
+      relaxColumnCount: true,
+      skipEmptyLines: true
+    })[0];
+    for (const field of fields) {
+      const parts = field
+        .toString()
+        .split(/(?<=^[^=]+?)=/)
+        .map(item => item.trim());
+      if (parts.length != 2) {
+        continue;
+      }
+      if (parts[0] == 'type' && parts[1] == 'docker') {
+        return true;
+      }
+    }
+  }
+  return false;
+}
--- a/src/docker.ts
+++ b/src/docker.ts
@ -0,0 +1,19 @@
+import * as exec from '@actions/exec';
+
+export async function isAvailable(): Promise<boolean> {
+  return await exec
+    .getExecOutput('docker', undefined, {
+      ignoreReturnCode: true,
+      silent: true
+    })
+    .then(res => {
+      if (res.stderr.length > 0 && res.exitCode != 0) {
+        return false;
+      }
+      return res.exitCode == 0;
+    })
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+    .catch(error => {
+      return false;
+    });
+}
--- a/src/github.ts
+++ b/src/github.ts
@ -0,0 +1,9 @@
+import jwt_decode, {JwtPayload} from 'jwt-decode';
+
+interface Jwt extends JwtPayload {
+  ac?: string;
+}
+
+export const parseRuntimeToken = (token: string): Jwt => {
+  return jwt_decode<Jwt>(token);
+};
--- a/src/main.ts
+++ b/src/main.ts
@ -0,0 +1,105 @@
+import * as fs from 'fs';
+import * as buildx from './buildx';
+import * as context from './context';
+import * as docker from './docker';
+import * as github from './github';
+import * as stateHelper from './state-helper';
+import * as core from '@actions/core';
+import * as exec from '@actions/exec';
+
+async function run(): Promise<void> {
+  try {
+    const defContext = context.defaultContext();
+    const inputs: context.Inputs = await context.getInputs(defContext);
+
+    // standalone if docker cli not available
+    const standalone = !(await docker.isAvailable());
+
+    await core.group(`GitHub Actions runtime token access controls`, async () => {
+      const actionsRuntimeToken = process.env['ACTIONS_RUNTIME_TOKEN'];
+      if (actionsRuntimeToken) {
+        core.info(JSON.stringify(JSON.parse(github.parseRuntimeToken(actionsRuntimeToken).ac as string), undefined, 2));
+      } else {
+        core.info(`ACTIONS_RUNTIME_TOKEN not set`);
+      }
+    });
+
+    core.startGroup(`Docker info`);
+    if (standalone) {
+      core.info(`Docker info skipped in standalone mode`);
+    } else {
+      await exec.exec('docker', ['version'], {
+        failOnStdErr: false
+      });
+      await exec.exec('docker', ['info'], {
+        failOnStdErr: false
+      });
+    }
+    core.endGroup();
+
+    if (!(await buildx.isAvailable(standalone))) {
+      core.setFailed(`Docker buildx is required. See https://github.com/docker/setup-buildx-action to set up buildx.`);
+      return;
+    }
+    stateHelper.setTmpDir(context.tmpDir());
+
+    const buildxVersion = await buildx.getVersion(standalone);
+    await core.group(`Buildx version`, async () => {
+      const versionCmd = buildx.getCommand(['version'], standalone);
+      await exec.exec(versionCmd.command, versionCmd.args, {
+        failOnStdErr: false
+      });
+    });
+
+    const args: string[] = await context.getArgs(inputs, defContext, buildxVersion, standalone);
+    const buildCmd = buildx.getCommand(args, standalone);
+    await exec
+      .getExecOutput(buildCmd.command, buildCmd.args, {
+        ignoreReturnCode: true
+      })
+      .then(res => {
+        if (res.stderr.length > 0 && res.exitCode != 0) {
+          throw new Error(`buildx failed with: ${res.stderr.match(/(.*)\s*$/)?.[0]?.trim() ?? 'unknown error'}`);
+        }
+      });
+
+    const imageID = await buildx.getImageID();
+    const metadata = await buildx.getMetadata();
+    const digest = await buildx.getDigest(metadata);
+
+    if (imageID) {
+      await core.group(`ImageID`, async () => {
+        core.info(imageID);
+        core.setOutput('imageid', imageID);
+      });
+    }
+    if (digest) {
+      await core.group(`Digest`, async () => {
+        core.info(digest);
+        core.setOutput('digest', digest);
+      });
+    }
+    if (metadata) {
+      await core.group(`Metadata`, async () => {
+        core.info(metadata);
+        core.setOutput('metadata', metadata);
+      });
+    }
+  } catch (error) {
+    core.setFailed(error.message);
+  }
+}
+
+async function cleanup(): Promise<void> {
+  if (stateHelper.tmpDir.length > 0) {
+    core.startGroup(`Removing temp folder ${stateHelper.tmpDir}`);
+    fs.rmSync(stateHelper.tmpDir, {recursive: true});
+    core.endGroup();
+  }
+}
+
+if (!stateHelper.IsPost) {
+  run();
+} else {
+  cleanup();
+}
--- a/src/state-helper.ts
+++ b/src/state-helper.ts
@ -0,0 +1,12 @@
+import * as core from '@actions/core';
+
+export const IsPost = !!process.env['STATE_isPost'];
+export const tmpDir = process.env['STATE_tmpDir'] || '';
+
+export function setTmpDir(tmpDir: string) {
+  core.saveState('tmpDir', tmpDir);
+}
+
+if (!IsPost) {
+  core.saveState('isPost', 'true');
+}
--- a/test/Dockerfile
+++ b/test/Dockerfile
@ -0,0 +1,3 @@
+# syntax=docker/dockerfile:1
+FROM alpine
+RUN echo "Hello world!"
--- a/test/addhost.Dockerfile
+++ b/test/addhost.Dockerfile
@ -0,0 +1,3 @@
+# syntax=docker/dockerfile:1
+FROM busybox
+RUN cat /etc/hosts
--- a/test/buildcontext.Dockerfile
+++ b/test/buildcontext.Dockerfile
@ -0,0 +1,3 @@
+# syntax=docker/dockerfile:1
+FROM alpine
+RUN cat /etc/*release
--- a/test/cgroup.Dockerfile
+++ b/test/cgroup.Dockerfile
@ -0,0 +1,3 @@
+# syntax=docker/dockerfile:1
+FROM alpine
+RUN cat /proc/self/cgroup
--- a/test/go/Dockerfile
+++ b/test/go/Dockerfile
@ -0,0 +1,16 @@
+FROM golang:1.19-alpine AS base
+ENV CGO_ENABLED=0
+RUN apk add --no-cache file git
+WORKDIR /src
+
+FROM base as build
+COPY go.mod go.sum ./
+RUN go mod download -x
+COPY . .
+RUN go build -ldflags "-s -w" -o /usr/bin/app .
+
+FROM scratch AS binary
+COPY --from=build /usr/bin/app /bin/app
+
+FROM alpine:3.17 AS image
+COPY --from=build /usr/bin/app /bin/app
--- a/test/go/go.mod
+++ b/test/go/go.mod
@ -0,0 +1,19 @@
+module github.com/docker/build-push-action/test/go
+
+go 1.18
+
+require github.com/labstack/echo/v4 v4.9.1
+
+require (
+	github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
+	github.com/labstack/gommon v0.4.0 // indirect
+	github.com/mattn/go-colorable v0.1.11 // indirect
+	github.com/mattn/go-isatty v0.0.14 // indirect
+	github.com/valyala/bytebufferpool v1.0.0 // indirect
+	github.com/valyala/fasttemplate v1.2.1 // indirect
+	golang.org/x/crypto v0.0.0-20210817164053-32db794688a5 // indirect
+	golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f // indirect
+	golang.org/x/sys v0.0.0-20211103235746-7861aae1554b // indirect
+	golang.org/x/text v0.3.7 // indirect
+	golang.org/x/time v0.0.0-20201208040808-7e3f01d25324 // indirect
+)
--- a/test/go/go.sum
+++ b/test/go/go.sum
@ -0,0 +1,38 @@
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
+github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
+github.com/labstack/echo/v4 v4.9.1 h1:GliPYSpzGKlyOhqIbG8nmHBo3i1saKWFOgh41AN3b+Y=
+github.com/labstack/echo/v4 v4.9.1/go.mod h1:Pop5HLc+xoc4qhTZ1ip6C0RtP7Z+4VzRLWZZFKqbbjo=
+github.com/labstack/gommon v0.4.0 h1:y7cvthEAEbU0yHOf4axH8ZG2NH8knB9iNSoTO8dyIk8=
+github.com/labstack/gommon v0.4.0/go.mod h1:uW6kP17uPlLJsD3ijUYn3/M5bAxtlZhMI6m3MFxTMTM=
+github.com/mattn/go-colorable v0.1.11 h1:nQ+aFkoE2TMGc0b68U2OKSexC+eq46+XwZzWXHRmPYs=
+github.com/mattn/go-colorable v0.1.11/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4=
+github.com/mattn/go-isatty v0.0.14 h1:yVuAays6BHfxijgZPzw+3Zlu5yQgKGP2/hcQbHb7S9Y=
+github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw=
+github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
+github.com/valyala/fasttemplate v1.2.1 h1:TVEnxayobAdVkhQfrfes2IzOB6o+z4roRkPF52WA1u4=
+github.com/valyala/fasttemplate v1.2.1/go.mod h1:KHLXt3tVN2HBp8eijSv/kGJopbvo7S+qRAEEKiv+SiQ=
+golang.org/x/crypto v0.0.0-20210817164053-32db794688a5 h1:HWj/xjIHfjYU5nVXpTM0s39J9CbLn7Cc5a7IC5rwsMQ=
+golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f h1:OfiFi4JbukWwe3lzw+xunroH1mnC1e2Gy5cxNJApiSY=
+golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20211103235746-7861aae1554b h1:1VkfZQv42XQlA/jchYumAnv1UPo6RgF9rJFkTgZIxO4=
+golang.org/x/sys v0.0.0-20211103235746-7861aae1554b/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/time v0.0.0-20201208040808-7e3f01d25324 h1:Hir2P/De0WpUhtrKGGjvSb2YxUgyZ7EFOSLIcSSpiwE=
+golang.org/x/time v0.0.0-20201208040808-7e3f01d25324/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo=
+gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
--- a/test/go/main.go
+++ b/test/go/main.go
@ -0,0 +1,31 @@
+package main
+
+import (
+	"net/http"
+	"os"
+
+	"github.com/labstack/echo/v4"
+	"github.com/labstack/echo/v4/middleware"
+)
+
+func main() {
+	e := echo.New()
+
+	e.Use(middleware.Logger())
+	e.Use(middleware.Recover())
+
+	e.GET("/", func(c echo.Context) error {
+		return c.HTML(http.StatusOK, "Hello World")
+	})
+
+	e.GET("/ping", func(c echo.Context) error {
+		return c.JSON(http.StatusOK, struct{ Status string }{Status: "OK"})
+	})
+
+	httpPort := os.Getenv("HTTP_PORT")
+	if httpPort == "" {
+		httpPort = "8080"
+	}
+
+	e.Logger.Fatal(e.Start(":" + httpPort))
+}
--- a/test/multi-sudo.Dockerfile
+++ b/test/multi-sudo.Dockerfile
@ -0,0 +1,20 @@
+# syntax=docker/dockerfile:1
+FROM --platform=$BUILDPLATFORM golang:alpine AS build
+ARG TARGETPLATFORM
+ARG BUILDPLATFORM
+RUN echo "I am running on $BUILDPLATFORM, building for $TARGETPLATFORM" > /log
+RUN apk --update --no-cache add \
+    shadow \
+    sudo \
+  && addgroup -g 1200 buildx \
+  && adduser -u 1200 -G buildx -s /sbin/nologin -D buildx \
+  && echo 'buildx ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers \
+  && rm -rf /tmp/* /var/cache/apk/*
+
+USER buildx
+RUN sudo chown buildx. /log
+USER root
+
+FROM alpine
+COPY --from=build /log /log
+RUN ls -al /log
--- a/test/multi.Dockerfile
+++ b/test/multi.Dockerfile
@ -0,0 +1,9 @@
+# syntax=docker/dockerfile:1
+FROM --platform=$BUILDPLATFORM golang:alpine AS build
+
+ARG TARGETPLATFORM
+ARG BUILDPLATFORM
+RUN echo "I am running on $BUILDPLATFORM, building for $TARGETPLATFORM" > /log
+
+FROM alpine
+COPY --from=build /log /log
--- a/test/nocachefilter.Dockerfile
+++ b/test/nocachefilter.Dockerfile
@ -0,0 +1,9 @@
+# syntax=docker/dockerfile:1
+FROM busybox AS base
+RUN echo "Hello world!" > /hello
+
+FROM alpine AS build
+COPY --from=base /hello /hello
+RUN uname -a
+
+FROM build
--- a/test/secret.Dockerfile
+++ b/test/secret.Dockerfile
@ -0,0 +1,4 @@
+# syntax=docker/dockerfile:1
+FROM busybox
+RUN --mount=type=secret,id=MYSECRET \
+  echo "MYSECRET=$(cat /run/secrets/MYSECRET)"
--- a/test/shmsize.Dockerfile
+++ b/test/shmsize.Dockerfile
@ -0,0 +1,3 @@
+# syntax=docker/dockerfile:1
+FROM busybox
+RUN mount | grep /dev/shm
--- a/test/ulimit.Dockerfile
+++ b/test/ulimit.Dockerfile
@ -0,0 +1,3 @@
+# syntax=docker/dockerfile:1
+FROM busybox
+RUN ulimit -a
--- a/tsconfig.json
+++ b/tsconfig.json
@ -0,0 +1,19 @@
+{
+  "compilerOptions": {
+    "target": "es6",
+    "module": "commonjs",
+    "newLine": "lf",
+    "outDir": "./lib",
+    "rootDir": "./src",
+    "esModuleInterop": true,
+    "forceConsistentCasingInFileNames": true,
+    "strict": true,
+    "noImplicitAny": false,
+    "useUnknownInCatchVariables": false,
+  },
+  "exclude": [
+    "node_modules",
+    "**/*.test.ts",
+    "jest.config.ts"
+  ]
+}
--- a/yarn.lock
+++ b/yarn.lock