Merge pull request #338 from crazy-max/network

Add network input

.dockerignore

@@ -1 +1,2 @@
-node_modules
+/coverage
+/node_modules

.github/CONTRIBUTING.md

@@ -2,33 +2,20 @@
 
 Hi there! We're thrilled that you'd like to contribute to this project. Your help is essential for keeping it great.
 
-Contributions to this project are [released](https://help.github.com/articles/github-terms-of-service/#6-contributions-under-repository-license) to the public under the [project's open source license](LICENSE).
+Contributions to this project are [released](https://docs.github.com/en/github/site-policy/github-terms-of-service#6-contributions-under-repository-license)
+to the public under the [project's open source license](LICENSE).
 
 ## Submitting a pull request
 
 1. [Fork](https://github.com/docker/build-push-action/fork) and clone the repository
 2. Configure and install the dependencies: `yarn install`
-3. Make sure the tests pass on your machine: `yarn run test`
+3. Create a new branch: `git checkout -b my-branch-name`
-4. Create a new branch: `git checkout -b my-branch-name`
+4. Make your changes
-5. Make your change, add tests, and make sure the tests still pass
+5. Make sure the tests pass: `docker buildx bake test`
-6. Run pre-checkin: `yarn run pre-checkin`
+6. Format code and build javascript artifacts: `docker buildx bake pre-checkin`
-7. Push to your fork and [submit a pull request](https://github.com/docker/build-push-action/compare)
+7. Validate all code has correctly formatted and built: `docker buildx bake validate`
-8. Pat your self on the back and wait for your pull request to be reviewed and merged.
+8. Push to your fork and [submit a pull request](https://github.com/docker/build-push-action/compare)
-
+9. Pat your self on the back and wait for your pull request to be reviewed and merged.
-## Container based developer flow
-
-If you don't want to maintain a Node developer environment that fits this project you can use containerized commands instead of invoking yarn directly.
-
-```
-# format code and build javascript artifacts
-docker buildx bake pre-checkin
-
-# validate all code has correctly formatted and built
-docker buildx bake validate
-
-# run tests
-docker buildx bake test
-```
 
 Here are a few things you can do that will increase the likelihood of your pull request being accepted:
 
@@ -40,5 +27,5 @@ Here are a few things you can do that will increase the likelihood of your pull
 ## Resources
 
 - [How to Contribute to Open Source](https://opensource.guide/how-to-contribute/)
-- [Using Pull Requests](https://help.github.com/articles/about-pull-requests/)
+- [Using Pull Requests](https://docs.github.com/en/github/collaborating-with-issues-and-pull-requests/about-pull-requests)
-- [GitHub Help](https://help.github.com)
+- [GitHub Help](https://docs.github.com/en)

.github/ISSUE_TEMPLATE/bug_report.md

@@ -34,4 +34,4 @@ Before sumbitting a bug report please read the [Troubleshooting doc](https://git
 
 ### Logs
 
-> Download the [log file of your build](https://help.github.com/en/actions/configuring-and-managing-workflows/managing-a-workflow-run#downloading-logs) and [attach it](https://help.github.com/en/github/managing-your-work-on-github/file-attachments-on-issues-and-pull-requests) to this issue.
+> Download the [log file of your build](https://docs.github.com/en/actions/managing-workflow-runs/using-workflow-run-logs#downloading-logs) and [attach it](https://docs.github.com/en/github/managing-your-work-on-github/file-attachments-on-issues-and-pull-requests) to this issue.

.github/workflows/ci.yml

@@ -290,6 +290,30 @@ jobs:
         if: always()
         uses: crazy-max/ghaction-dump-context@v1
 
+  network:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v2
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+      -
+        name: List networks
+        run: docker network ls
+      -
+        name: Build
+        uses: ./
+        with:
+          context: ./test
+          tags: name/app:latest
+          network: host
+      -
+        name: Dump context
+        if: always()
+        uses: crazy-max/ghaction-dump-context@v1
+
   multi:
     runs-on: ubuntu-latest
     strategy:
@@ -326,7 +350,7 @@ jobs:
         uses: ./
         with:
           context: ./test
-          file: ./test/Dockerfile-${{ matrix.dockerfile }}
+          file: ./test/${{ matrix.dockerfile }}.Dockerfile
           builder: ${{ steps.buildx.outputs.name }}
           platforms: linux/amd64,linux/arm64
           push: true
@@ -379,7 +403,7 @@ jobs:
         uses: ./
         with:
           context: ./test
-          file: ./test/Dockerfile-multi
+          file: ./test/multi.Dockerfile
           builder: ${{ steps.buildx.outputs.name }}
           platforms: linux/amd64,linux/arm64
           push: true
@@ -412,7 +436,7 @@ jobs:
         uses: ./
         with:
           context: ./test
-          file: ./test/Dockerfile-multi
+          file: ./test/multi.Dockerfile
           builder: ${{ steps.buildx.outputs.name }}
           platforms: linux/amd64,linux/arm64
           push: true
@@ -489,7 +513,7 @@ jobs:
         uses: ./
         with:
           context: ./test
-          file: ./test/Dockerfile-multi
+          file: ./test/multi.Dockerfile
           builder: ${{ steps.buildx.outputs.name }}
           platforms: linux/amd64,linux/arm64
           push: true
@@ -554,7 +578,7 @@ jobs:
         uses: ./
         with:
           context: ./test
-          file: ./test/Dockerfile-multi
+          file: ./test/multi.Dockerfile
           builder: ${{ steps.buildx.outputs.name }}
           platforms: linux/amd64,linux/arm64
           push: true

.github/workflows/e2e.yml

@@ -58,8 +58,8 @@ jobs:
         uses: actions/checkout@v2
       -
         name: Docker meta
-        id: docker_meta
+        id: meta
-        uses: crazy-max/ghaction-docker-meta@v1
+        uses: crazy-max/ghaction-docker-meta@v2
         with:
           images: ${{ matrix.slug }}
       -
@@ -81,24 +81,24 @@ jobs:
         uses: ./
         with:
           context: ./test
-          file: ./test/Dockerfile-multi
+          file: ./test/multi.Dockerfile
           platforms: linux/386,linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64,linux/ppc64le,linux/s390x
           push: ${{ github.event_name != 'pull_request' }}
-          tags: ${{ steps.docker_meta.outputs.tags }}
+          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.docker_meta.outputs.labels }}
+          labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=registry,ref=${{ matrix.slug }}:master
           cache-to: type=inline
       -
         name: Inspect image
         if: github.event_name != 'pull_request'
         run: |
-          docker pull ${{ matrix.slug }}:${{ steps.docker_meta.outputs.version }}
+          docker pull ${{ matrix.slug }}:${{ steps.meta.outputs.version }}
-          docker image inspect ${{ matrix.slug }}:${{ steps.docker_meta.outputs.version }}
+          docker image inspect ${{ matrix.slug }}:${{ steps.meta.outputs.version }}
       -
         name: Check manifest
         if: github.event_name != 'pull_request'
         run: |
-          docker buildx imagetools inspect ${{ matrix.slug }}:${{ steps.docker_meta.outputs.version }}
+          docker buildx imagetools inspect ${{ matrix.slug }}:${{ steps.meta.outputs.version }}
       -
         name: Dump context
         if: always()

.github/workflows/example.yml

@@ -28,11 +28,18 @@ jobs:
         uses: actions/checkout@v2
       -
         name: Docker meta
-        id: docker_meta
+        id: meta
-        uses: crazy-max/ghaction-docker-meta@v1
+        uses: crazy-max/ghaction-docker-meta@v2
         with:
-          images: ${{ env.DOCKER_IMAGE }} # list of Docker images to use as base name for tags
+          images: ${{ env.DOCKER_IMAGE }}
-          tag-sha: true # add git short SHA as Docker tag
+          tags: |
+            type=schedule
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=sha
       -
         name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v1
@@ -45,8 +52,8 @@ jobs:
           context: ./test
           file: ./test/Dockerfile
           load: true
-          tags: ${{ steps.docker_meta.outputs.tags }}
+          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.docker_meta.outputs.labels }}
+          labels: ${{ steps.meta.outputs.labels }}
       -
         name: Build and push to local registry
         uses: ./
@@ -54,17 +61,17 @@ jobs:
           context: ./test
           file: ./test/Dockerfile
           push: ${{ github.event_name != 'pull_request' }}
-          tags: ${{ steps.docker_meta.outputs.tags }}
+          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.docker_meta.outputs.labels }}
+          labels: ${{ steps.meta.outputs.labels }}
       -
         name: Inspect image
         run: |
-          docker image inspect ${{ env.DOCKER_IMAGE }}:${{ steps.docker_meta.outputs.version }}
+          docker image inspect ${{ env.DOCKER_IMAGE }}:${{ steps.meta.outputs.version }}
       -
         name: Check manifest
         if: github.event_name != 'pull_request'
         run: |
-          docker buildx imagetools inspect ${{ env.DOCKER_IMAGE }}:${{ steps.docker_meta.outputs.version }}
+          docker buildx imagetools inspect ${{ env.DOCKER_IMAGE }}:${{ steps.meta.outputs.version }}
       -
         name: Dump context
         if: always()

.github/workflows/test.yml

@@ -3,25 +3,12 @@ name: test
 on:
   push:
     branches:
-      - master
+      - 'master'
   pull_request:
     branches:
-      - master
+      - 'master'
 
 jobs:
-  test-containerized:
-    runs-on: ubuntu-latest
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v2
-      -
-        name: Validate
-        run: docker buildx bake validate
-      -
-        name: Test
-        run: docker buildx bake test
-
   test:
     runs-on: ubuntu-latest
     steps:
@@ -29,15 +16,17 @@ jobs:
         name: Checkout
         uses: actions/checkout@v2
       -
-        name: Install
+        name: Validate
-        run: yarn install
+        uses: docker/bake-action@v1
+        with:
+          targets: validate
       -
         name: Test
-        run: yarn run test
+        uses: docker/bake-action@v1
+        with:
+          targets: test
       -
         name: Upload coverage
         uses: codecov/codecov-action@v1
-        if: success()
         with:
-          token: ${{ secrets.CODECOV_TOKEN }}
           file: ./coverage/clover.xml

Dockerfile

@@ -1,52 +0,0 @@
-#syntax=docker/dockerfile:1.2
-
-FROM node:12 AS deps
-WORKDIR /src
-COPY package.json yarn.lock ./
-RUN --mount=type=cache,target=/usr/local/share/.cache/yarn \
-  yarn install
-
-FROM scratch AS update-yarn
-COPY --from=deps /src/yarn.lock /
-
-FROM deps AS validate-yarn
-COPY .git .git
-RUN status=$(git status --porcelain -- yarn.lock); if [ -n "$status" ]; then echo $status; exit 1; fi
-
-FROM deps AS base
-COPY . .
-
-FROM base AS build
-RUN yarn build
-
-FROM deps AS test
-COPY --from=docker /usr/local/bin/docker /usr/bin/
-ARG TARGETOS
-ARG TARGETARCH
-ARG BUILDX_VERSION=v0.5.1
-ENV RUNNER_TEMP=/tmp/github_runner
-ENV RUNNER_TOOL_CACHE=/tmp/github_tool_cache
-RUN mkdir -p /usr/local/lib/docker/cli-plugins && \
-  curl -fsSL https://github.com/docker/buildx/releases/download/$BUILDX_VERSION/buildx-$BUILDX_VERSION.$TARGETOS-$TARGETARCH > /usr/local/lib/docker/cli-plugins/docker-buildx && \
-  chmod +x /usr/local/lib/docker/cli-plugins/docker-buildx && \
-  docker buildx version
-COPY . .
-RUN yarn run test
-
-FROM base AS run-format
-RUN yarn run format
-
-FROM scratch AS format
-COPY --from=run-format /src/src/*.ts /src/
-
-FROM base AS validate-format
-RUN yarn run format-check
-
-FROM scratch AS dist
-COPY --from=build /src/dist/ /dist/
-
-FROM build AS validate-build
-RUN status=$(git status --porcelain -- dist); if [ -n "$status" ]; then echo $status; exit 1; fi
-
-FROM base AS dev
-ENTRYPOINT ["bash"]

README.md

@@ -19,11 +19,6 @@ GitHub Action to build and push Docker images with [Buildx](https://github.com/d
 features provided by [Moby BuildKit](https://github.com/moby/buildkit) builder toolkit. This includes multi-platform
 build, secrets, remote cache, etc. and different builder deployment/namespacing options.
 
-> :bulb: See also:
-> * [login](https://github.com/docker/login-action) action
-> * [setup-buildx](https://github.com/docker/setup-buildx-action) action
-> * [setup-qemu](https://github.com/docker/setup-qemu-action) action
-
 ![Screenshot](.github/build-push-action.png)
 
 ___
@@ -65,11 +60,11 @@ this restriction.
 In the examples below we are using 3 other actions:
 
 * [`setup-buildx`](https://github.com/docker/setup-buildx-action) action will create and boot a builder using by 
-default the `docker-container` [builder driver](https://github.com/docker/buildx#--driver-driver). This is
+default the `docker-container` [builder driver](https://github.com/docker/buildx/blob/master/docs/reference/buildx_create.md#driver).
-**not required but recommended** using it to be able to build multi-platform images, export cache, etc.
+This is **not required but recommended** using it to be able to build multi-platform images, export cache, etc.
 * [`setup-qemu`](https://github.com/docker/setup-qemu-action) action can be useful if you want
 to add emulation support with QEMU to be able to build against more platforms. 
-* [`login`](https://github.com/docker/setup-qemu-action) action will take care to log in against a Docker registry.
+* [`login`](https://github.com/docker/login-action) action will take care to log in against a Docker registry.
 
 ### Git context
 
@@ -200,25 +195,26 @@ Following inputs can be used as `step.with` keys
 
 | Name                | Type     | Description                        |
 |---------------------|----------|------------------------------------|
+| `allow`             | List/CSV | List of [extra privileged entitlement](https://github.com/docker/buildx/blob/master/docs/reference/buildx_build.md#allow) (eg. `network.host,security.insecure`) |
 | `builder`           | String   | Builder instance (see [setup-buildx](https://github.com/docker/setup-buildx-action) action) |
+| `build-args`        | List     | List of build-time variables |
+| `cache-from`        | List     | List of [external cache sources](https://github.com/docker/buildx/blob/master/docs/reference/buildx_build.md#cache-from) (eg. `type=local,src=path/to/dir`) |
+| `cache-to`          | List     | List of [cache export destinations](https://github.com/docker/buildx/blob/master/docs/reference/buildx_build.md#cache-to) (eg. `type=local,dest=path/to/dir`) |
 | `context`           | String   | Build's context is the set of files located in the specified [`PATH` or `URL`](https://docs.docker.com/engine/reference/commandline/build/) (default [Git context](#git-context)) |
 | `file`              | String   | Path to the Dockerfile. (default `{context}/Dockerfile`) |
-| `build-args`        | List     | List of build-time variables |
 | `labels`            | List     | List of metadata for an image |
-| `tags`              | List/CSV | List of tags |
+| `load`              | Bool     | [Load](https://github.com/docker/buildx/blob/master/docs/reference/buildx_build.md#load) is a shorthand for `--output=type=docker` (default `false`) |
-| `pull`              | Bool     | Always attempt to pull a newer version of the image (default `false`) |
+| `network`           | String   | Set the networking mode for the `RUN` instructions during build |
-| `target`            | String   | Sets the target stage to build |
-| `allow`             | List/CSV | List of [extra privileged entitlement](https://github.com/docker/buildx#--allowentitlement) (eg. `network.host,security.insecure`) |
 | `no-cache`          | Bool     | Do not use cache when building the image (default `false`) |
-| `platforms`         | List/CSV | List of [target platforms](https://github.com/docker/buildx#---platformvaluevalue) for build |
+| `outputs`           | List     | List of [output destinations](https://github.com/docker/buildx/blob/master/docs/reference/buildx_build.md#output) (format: `type=local,dest=path`) |
-| `load`              | Bool     | [Load](https://github.com/docker/buildx#--load) is a shorthand for `--output=type=docker` (default `false`) |
+| `platforms`         | List/CSV | List of [target platforms](https://github.com/docker/buildx/blob/master/docs/reference/buildx_build.md#platform) for build |
-| `push`              | Bool     | [Push](https://github.com/docker/buildx#--push) is a shorthand for `--output=type=registry` (default `false`) |
+| `pull`              | Bool     | Always attempt to pull a newer version of the image (default `false`) |
-| `outputs`           | List     | List of [output destinations](https://github.com/docker/buildx#-o---outputpath-typetypekeyvalue) (format: `type=local,dest=path`) |
+| `push`              | Bool     | [Push](https://github.com/docker/buildx/blob/master/docs/reference/buildx_build.md#push) is a shorthand for `--output=type=registry` (default `false`) |
-| `cache-from`        | List     | List of [external cache sources](https://github.com/docker/buildx#--cache-fromnametypetypekeyvalue) (eg. `type=local,src=path/to/dir`) |
-| `cache-to`          | List     | List of [cache export destinations](https://github.com/docker/buildx#--cache-tonametypetypekeyvalue) (eg. `type=local,dest=path/to/dir`) |
 | `secrets`           | List     | List of secrets to expose to the build (eg. `key=string`, `GIT_AUTH_TOKEN=mytoken`) |
 | `secret-files`      | List     | List of secret files to expose to the build (eg. `key=filename`, `MY_SECRET=./secret.txt`) |
 | `ssh`               | List     | List of SSH agent socket or keys to expose to the build |
+| `tags`              | List/CSV | List of tags |
+| `target`            | String   | Sets the target stage to build |
 
 ### outputs
 

UPGRADE.md

@@ -7,12 +7,12 @@
 * Rename `dockerfile` input to `file` for consistency with other Docker build tools
 * Rename `always_pull` input to `pull` for consistency with other Docker build tools
 * Add `builder` input to be able to choose a builder instance through our [setup-buildx action](https://github.com/docker/setup-buildx-action)
-* Add [`platforms`](https://github.com/docker/buildx#---platformvaluevalue) input to support multi-platform builds
+* Add `platforms` input to support multi-platform builds
-* Add [`allow`](https://github.com/docker/buildx#--allowentitlement) input
+* Add `allow` input
-* Add [`load`](https://github.com/docker/buildx#--load) input
+* Add `load` input
-* Add [`outputs`](https://github.com/docker/buildx#-o---outputpath-typetypekeyvalue) input
+* Add `outputs` input
-* Add [`cache-from`](https://github.com/docker/buildx#--cache-fromnametypetypekeyvalue) input (`cache_froms` removed)
+* Add `cache-from` input (`cache_froms` removed)
-* Add [`cache-to`](https://github.com/docker/buildx#--cache-tonametypetypekeyvalue) input
+* Add `cache-to` input
 * Rename `build_args` input to `build-args` for consistency with other Docker build tools
 * Add `secrets` input
 * Review `tags` input

__tests__/context.test.ts

@@ -346,6 +346,7 @@ ccc`],
         ['secret-files', `MY_SECRET=${path.join(__dirname, 'fixtures', 'secret.txt').split(path.sep).join(path.posix.sep)}`],
         ['file', './test/Dockerfile'],
         ['builder', 'builder-git-context-2'],
+        ['network', 'host'],
         ['push', 'true']
       ]),
       [
@@ -355,6 +356,7 @@ ccc`],
         '--secret', 'id=MY_SECRET,src=/tmp/.docker-build-push-jest/.tmpname-jest',
         '--file', './test/Dockerfile',
         '--builder', 'builder-git-context-2',
+        '--network', 'host',
         '--push',
         'https://github.com/docker/build-push-action.git#heads/master'
       ]

action.yml

@@ -7,51 +7,14 @@ branding:
   color: 'blue'
 
 inputs:
-  builder:
+  allow:
-    description: "Builder instance"
+    description: "List of extra privileged entitlement (eg. network.host,security.insecure)"
-    required: false
-  context:
-    description: "Build's context is the set of files located in the specified PATH or URL"
-    required: false
-  file:
-    description: "Path to the Dockerfile"
     required: false
   build-args:
     description: "List of build-time variables"
     required: false
-  labels:
+  builder:
-    description: "List of metadata for an image"
+    description: "Builder instance"
-    required: false
-  tags:
-    description: "List of tags"
-    required: false
-  pull:
-    description: "Always attempt to pull a newer version of the image"
-    required: false
-    default: 'false'
-  target:
-    description: "Sets the target stage to build"
-    required: false
-  allow:
-    description: "List of extra privileged entitlement (eg. network.host,security.insecure)"
-    required: false
-  no-cache:
-    description: "Do not use cache when building the image"
-    required: false
-    default: 'false'
-  platforms:
-    description: "List of target platforms for build"
-    required: false
-  load:
-    description: "Load is a shorthand for --output=type=docker"
-    required: false
-    default: 'false'
-  push:
-    description: "Push is a shorthand for --output=type=registry"
-    required: false
-    default: 'false'
-  outputs:
-    description: "List of output destinations (format: type=local,dest=path)"
     required: false
   cache-from:
     description: "List of external cache sources for buildx (eg. user/app:cache, type=local,src=path/to/dir)"
@@ -59,6 +22,40 @@ inputs:
   cache-to:
     description: "List of cache export destinations for buildx (eg. user/app:cache, type=local,dest=path/to/dir)"
     required: false
+  context:
+    description: "Build's context is the set of files located in the specified PATH or URL"
+    required: false
+  file:
+    description: "Path to the Dockerfile"
+    required: false
+  labels:
+    description: "List of metadata for an image"
+    required: false
+  load:
+    description: "Load is a shorthand for --output=type=docker"
+    required: false
+    default: 'false'
+  network:
+    description: "Set the networking mode for the RUN instructions during build"
+    required: false
+  no-cache:
+    description: "Do not use cache when building the image"
+    required: false
+    default: 'false'
+  outputs:
+    description: "List of output destinations (format: type=local,dest=path)"
+    required: false
+  platforms:
+    description: "List of target platforms for build"
+    required: false
+  pull:
+    description: "Always attempt to pull a newer version of the image"
+    required: false
+    default: 'false'
+  push:
+    description: "Push is a shorthand for --output=type=registry"
+    required: false
+    default: 'false'
   secrets:
     description: "List of secrets to expose to the build (eg. key=string, GIT_AUTH_TOKEN=mytoken)"
     required: false
@@ -68,6 +65,12 @@ inputs:
   ssh:
     description: "List of SSH agent socket or keys to expose to the build"
     required: false
+  tags:
+    description: "List of tags"
+    required: false
+  target:
+    description: "Sets the target stage to build"
+    required: false
   github-token:
     description: "GitHub Token used to authenticate against a repository for Git context"
     default: ${{ github.token }}

dist/index.js

@@ -13014,7 +13014,7 @@ let _defaultContext, _tmpDir;
 function defaultContext() {
     var _a, _b;
     if (!_defaultContext) {
-        _defaultContext = `https://github.com/${github.context.repo.owner}/${github.context.repo.repo}.git#${(_b = (_a = github.context) === null || _a === void 0 ? void 0 : _a.ref) === null || _b === void 0 ? void 0 : _b.replace(/^refs\//, '')}`;
+        _defaultContext = `${process.env.GITHUB_SERVER_URL || 'https://github.com'}/${github.context.repo.owner}/${github.context.repo.repo}.git#${(_b = (_a = github.context) === null || _a === void 0 ? void 0 : _a.ref) === null || _b === void 0 ? void 0 : _b.replace(/^refs\//, '')}`;
     }
     return _defaultContext;
 }
@@ -13033,26 +13033,27 @@ exports.tmpNameSync = tmpNameSync;
 function getInputs(defaultContext) {
     return __awaiter(this, void 0, void 0, function* () {
         return {
-            context: core.getInput('context') || defaultContext,
-            file: core.getInput('file'),
-            buildArgs: yield getInputList('build-args', true),
-            labels: yield getInputList('labels', true),
-            tags: yield getInputList('tags'),
-            pull: /true/i.test(core.getInput('pull')),
-            target: core.getInput('target'),
             allow: yield getInputList('allow'),
-            noCache: /true/i.test(core.getInput('no-cache')),
+            buildArgs: yield getInputList('build-args', true),
             builder: core.getInput('builder'),
-            platforms: yield getInputList('platforms'),
-            load: /true/i.test(core.getInput('load')),
-            push: /true/i.test(core.getInput('push')),
-            outputs: yield getInputList('outputs', true),
             cacheFrom: yield getInputList('cache-from', true),
             cacheTo: yield getInputList('cache-to', true),
+            context: core.getInput('context') || defaultContext,
+            file: core.getInput('file'),
+            labels: yield getInputList('labels', true),
+            load: /true/i.test(core.getInput('load')),
+            network: core.getInput('network'),
+            noCache: /true/i.test(core.getInput('no-cache')),
+            outputs: yield getInputList('outputs', true),
+            platforms: yield getInputList('platforms'),
+            pull: /true/i.test(core.getInput('pull')),
+            push: /true/i.test(core.getInput('push')),
             secrets: yield getInputList('secrets', true),
             secretFiles: yield getInputList('secret-files', true),
-            githubToken: core.getInput('github-token'),
+            ssh: yield getInputList('ssh'),
-            ssh: yield getInputList('ssh')
+            tags: yield getInputList('tags'),
+            target: core.getInput('target'),
+            githubToken: core.getInput('github-token')
         };
     });
 }
@@ -13144,6 +13145,9 @@ function getCommonArgs(inputs) {
         if (inputs.load) {
             args.push('--load');
         }
+        if (inputs.network) {
+            args.push('--network', inputs.network);
+        }
         if (inputs.push) {
             args.push('--push');
         }
@@ -13202,22 +13206,30 @@ module.exports = clean
 /***/ (function(module, __unusedexports, __webpack_require__) {
 
 const Range = __webpack_require__(828)
-const { ANY } = __webpack_require__(532)
+const Comparator = __webpack_require__(532)
+const { ANY } = Comparator
 const satisfies = __webpack_require__(55)
 const compare = __webpack_require__(309)
 
 // Complex range `r1 || r2 || ...` is a subset of `R1 || R2 || ...` iff:
-// - Every simple range `r1, r2, ...` is a subset of some `R1, R2, ...`
+// - Every simple range `r1, r2, ...` is a null set, OR
+// - Every simple range `r1, r2, ...` which is not a null set is a subset of
+//   some `R1, R2, ...`
 //
 // Simple range `c1 c2 ...` is a subset of simple range `C1 C2 ...` iff:
 // - If c is only the ANY comparator
 //   - If C is only the ANY comparator, return true
-//   - Else return false
+//   - Else if in prerelease mode, return false
+//   - else replace c with `[>=0.0.0]`
+// - If C is only the ANY comparator
+//   - if in prerelease mode, return true
+//   - else replace C with `[>=0.0.0]`
 // - Let EQ be the set of = comparators in c
 // - If EQ is more than one, return true (null set)
 // - Let GT be the highest > or >= comparator in c
 // - Let LT be the lowest < or <= comparator in c
 // - If GT and LT, and GT.semver > LT.semver, return true (null set)
+// - If any C is a = range, and GT or LT are set, return false
 // - If EQ
 //   - If GT, and EQ does not satisfy GT, return true (null set)
 //   - If LT, and EQ does not satisfy LT, return true (null set)
@@ -13226,13 +13238,16 @@ const compare = __webpack_require__(309)
 // - If GT
 //   - If GT.semver is lower than any > or >= comp in C, return false
 //   - If GT is >=, and GT.semver does not satisfy every C, return false
+//   - If GT.semver has a prerelease, and not in prerelease mode
+//     - If no C has a prerelease and the GT.semver tuple, return false
 // - If LT
 //   - If LT.semver is greater than any < or <= comp in C, return false
 //   - If LT is <=, and LT.semver does not satisfy every C, return false
-// - If any C is a = range, and GT or LT are set, return false
+//   - If GT.semver has a prerelease, and not in prerelease mode
+//     - If no C has a prerelease and the LT.semver tuple, return false
 // - Else return true
 
-const subset = (sub, dom, options) => {
+const subset = (sub, dom, options = {}) => {
   if (sub === dom)
     return true
 
@@ -13261,8 +13276,21 @@ const simpleSubset = (sub, dom, options) => {
   if (sub === dom)
     return true
 
-  if (sub.length === 1 && sub[0].semver === ANY)
+  if (sub.length === 1 && sub[0].semver === ANY) {
-    return dom.length === 1 && dom[0].semver === ANY
+    if (dom.length === 1 && dom[0].semver === ANY)
+      return true
+    else if (options.includePrerelease)
+      sub = [ new Comparator('>=0.0.0-0') ]
+    else
+      sub = [ new Comparator('>=0.0.0') ]
+  }
+
+  if (dom.length === 1 && dom[0].semver === ANY) {
+    if (options.includePrerelease)
+      return true
+    else
+      dom = [ new Comparator('>=0.0.0') ]
+  }
 
   const eqSet = new Set()
   let gt, lt
@@ -13305,10 +13333,32 @@ const simpleSubset = (sub, dom, options) => {
 
   let higher, lower
   let hasDomLT, hasDomGT
+  // if the subset has a prerelease, we need a comparator in the superset
+  // with the same tuple and a prerelease, or it's not a subset
+  let needDomLTPre = lt &&
+    !options.includePrerelease &&
+    lt.semver.prerelease.length ? lt.semver : false
+  let needDomGTPre = gt &&
+    !options.includePrerelease &&
+    gt.semver.prerelease.length ? gt.semver : false
+  // exception: <1.2.3-0 is the same as <1.2.3
+  if (needDomLTPre && needDomLTPre.prerelease.length === 1 &&
+      lt.operator === '<' && needDomLTPre.prerelease[0] === 0) {
+    needDomLTPre = false
+  }
+
   for (const c of dom) {
     hasDomGT = hasDomGT || c.operator === '>' || c.operator === '>='
     hasDomLT = hasDomLT || c.operator === '<' || c.operator === '<='
     if (gt) {
+      if (needDomGTPre) {
+        if (c.semver.prerelease && c.semver.prerelease.length &&
+            c.semver.major === needDomGTPre.major &&
+            c.semver.minor === needDomGTPre.minor &&
+            c.semver.patch === needDomGTPre.patch) {
+          needDomGTPre = false
+        }
+      }
       if (c.operator === '>' || c.operator === '>=') {
         higher = higherGT(gt, c, options)
         if (higher === c && higher !== gt)
@@ -13317,6 +13367,14 @@ const simpleSubset = (sub, dom, options) => {
         return false
     }
     if (lt) {
+      if (needDomLTPre) {
+        if (c.semver.prerelease && c.semver.prerelease.length &&
+            c.semver.major === needDomLTPre.major &&
+            c.semver.minor === needDomLTPre.minor &&
+            c.semver.patch === needDomLTPre.patch) {
+          needDomLTPre = false
+        }
+      }
       if (c.operator === '<' || c.operator === '<=') {
         lower = lowerLT(lt, c, options)
         if (lower === c && lower !== lt)
@@ -13337,6 +13395,12 @@ const simpleSubset = (sub, dom, options) => {
   if (lt && hasDomGT && !gt && gtltComp !== 0)
     return false
 
+  // we needed a prerelease range in a specific tuple, but didn't get one
+  // then this isn't a subset.  eg >=1.2.3-pre is not a subset of >=1.0.0,
+  // because it includes prereleases in the 1.2.3 tuple
+  if (needDomGTPre || needDomLTPre)
+    return false
+
   return true
 }
 

docker-bake.hcl

@@ -1,42 +1,67 @@
+variable "NODE_VERSION" {
+  default = "12"
+}
+
+target "node-version" {
+  args = {
+    NODE_VERSION = NODE_VERSION
+  }
+}
+
 group "default" {
   targets = ["build"]
 }
 
 group "pre-checkin" {
-  targets = ["update-yarn", "format", "build"]
+  targets = ["vendor-update", "format", "build"]
 }
 
 group "validate" {
-	targets = ["validate-format", "validate-build", "validate-yarn"]
+  targets = ["format-validate", "build-validate", "vendor-validate"]
-}
-
-target "update-yarn" {
-  target = "update-yarn"
-  output = ["."]
 }
 
 target "build" {
-  target = "dist"
+  inherits = ["node-version"]
+  dockerfile = "./hack/build.Dockerfile"
+  target = "build-update"
   output = ["."]
 }
 
-target "test" {
+target "build-validate" {
-  target = "test"
+  inherits = ["node-version"]
+  dockerfile = "./hack/build.Dockerfile"
+  target = "build-validate"
 }
 
 target "format" {
-  target = "format"
+  inherits = ["node-version"]
+  dockerfile = "./hack/build.Dockerfile"
+  target = "format-update"
   output = ["."]
 }
 
-target "validate-format" {
+target "format-validate" {
-  target = "validate-format"
+  inherits = ["node-version"]
+  dockerfile = "./hack/build.Dockerfile"
+  target = "format-validate"
 }
 
-target "validate-build" {
+target "vendor-update" {
-  target = "validate-build"
+  inherits = ["node-version"]
+  dockerfile = "./hack/vendor.Dockerfile"
+  target = "update"
+  output = ["."]
 }
 
-target "validate-yarn" {
+target "vendor-validate" {
-	target = "validate-yarn"
+  inherits = ["node-version"]
+  dockerfile = "./hack/vendor.Dockerfile"
+  target = "validate"
+}
+
+target "test" {
+  inherits = ["node-version"]
+  dockerfile = "./hack/test.Dockerfile"
+  target = "test-coverage"
+  output = ["./coverage"]
 }

docs/advanced/cache.md

@@ -3,7 +3,7 @@
 * [Registry cache](#registry-cache)
 * [GitHub cache](#github-cache)
 
-> More info about buildx cache: https://github.com/docker/buildx#--cache-fromnametypetypekeyvalue
+> More info about buildx cache: https://github.com/docker/buildx/blob/master/docs/reference/buildx_build.md#cache-from
 
 ## Registry cache
 

docs/advanced/push-multi-registries.md

@@ -41,7 +41,7 @@ jobs:
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
-          password: ${{ secrets.CR_PAT }}
+          password: ${{ secrets.GITHUB_TOKEN }}
       -
         name: Build and push
         uses: docker/build-push-action@v2

docs/advanced/tags-labels.md

@@ -29,15 +29,22 @@ jobs:
         uses: actions/checkout@v2
       -
         name: Docker meta
-        id: docker_meta
+        id: meta
-        uses: crazy-max/ghaction-docker-meta@v1
+        uses: crazy-max/ghaction-docker-meta@v2
         with:
           # list of Docker images to use as base name for tags
           images: |
             name/app
             ghcr.io/username/app
-          # add git short SHA as Docker tag
+          # generate Docker tags based on the following events/attributes
-          tag-sha: true
+          tags: |
+            type=schedule
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=sha
       -
         name: Set up QEMU
         uses: docker/setup-qemu-action@v1
@@ -57,14 +64,14 @@ jobs:
         uses: docker/login-action@v1
         with:
           registry: ghcr.io
-          username: ${{ secrets.GHCR_USERNAME }}
+          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GHCR_TOKEN }}
+          password: ${{ secrets.GITHUB_TOKEN }}
       -
         name: Build and push
         uses: docker/build-push-action@v2
         with:
           context: .
           push: ${{ github.event_name != 'pull_request' }}
-          tags: ${{ steps.docker_meta.outputs.tags }}
+          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.docker_meta.outputs.labels }}
+          labels: ${{ steps.meta.outputs.labels }}
 ```

hack/build.Dockerfile

@@ -0,0 +1,42 @@
+# syntax=docker/dockerfile:1.2
+ARG NODE_VERSION
+
+FROM node:${NODE_VERSION}-alpine AS base
+RUN apk add --no-cache cpio findutils git
+WORKDIR /src
+
+FROM base AS deps
+RUN --mount=type=bind,target=.,rw \
+  --mount=type=cache,target=/src/node_modules \
+  yarn install
+
+FROM deps AS build
+RUN --mount=type=bind,target=.,rw \
+  --mount=type=cache,target=/src/node_modules \
+  yarn run build && mkdir /out && cp -Rf dist /out/
+
+FROM scratch AS build-update
+COPY --from=build /out /
+
+FROM build AS build-validate
+RUN --mount=type=bind,target=.,rw \
+  git add -A && cp -rf /out/* .; \
+  if [ -n "$(git status --porcelain -- dist)" ]; then \
+    echo >&2 'ERROR: Build result differs. Please build first with "docker buildx bake build"'; \
+    git status --porcelain -- dist; \
+    exit 1; \
+  fi
+
+FROM deps AS format
+RUN --mount=type=bind,target=.,rw \
+  --mount=type=cache,target=/src/node_modules \
+  yarn run format \
+  && mkdir /out && find . -name '*.ts' -not -path './node_modules/*' | cpio -pdm /out
+
+FROM scratch AS format-update
+COPY --from=format /out /
+
+FROM deps AS format-validate
+RUN --mount=type=bind,target=.,rw \
+  --mount=type=cache,target=/src/node_modules \
+  yarn run format-check \

hack/test.Dockerfile

@@ -0,0 +1,23 @@
+# syntax=docker/dockerfile:1.2
+ARG NODE_VERSION
+
+FROM node:${NODE_VERSION}-alpine AS base
+RUN apk add --no-cache git
+WORKDIR /src
+
+FROM base AS deps
+RUN --mount=type=bind,target=.,rw \
+  --mount=type=cache,target=/src/node_modules \
+  yarn install
+
+FROM deps AS test
+ENV RUNNER_TEMP=/tmp/github_runner
+ENV RUNNER_TOOL_CACHE=/tmp/github_tool_cache
+RUN --mount=type=bind,target=.,rw \
+  --mount=type=cache,target=/src/node_modules \
+  --mount=type=bind,from=crazymax/docker,source=/usr/libexec/docker/cli-plugins/docker-buildx,target=/usr/libexec/docker/cli-plugins/docker-buildx \
+  --mount=type=bind,from=crazymax/docker,source=/usr/local/bin/docker,target=/usr/bin/docker \
+  yarn run test --coverageDirectory=/tmp/coverage
+
+FROM scratch AS test-coverage
+COPY --from=test /tmp/coverage /

hack/vendor.Dockerfile

@@ -0,0 +1,23 @@
+# syntax=docker/dockerfile:1.2
+ARG NODE_VERSION
+
+FROM node:${NODE_VERSION}-alpine AS base
+RUN apk add --no-cache git
+WORKDIR /src
+
+FROM base AS vendored
+RUN --mount=type=bind,target=.,rw \
+  --mount=type=cache,target=/src/node_modules \
+  yarn install && mkdir /out && cp yarn.lock /out
+
+FROM scratch AS update
+COPY --from=vendored /out /
+
+FROM vendored AS validate
+RUN --mount=type=bind,target=.,rw \
+  git add -A && cp -rf /out/* .; \
+  if [ -n "$(git status --porcelain -- yarn.lock)" ]; then \
+    echo >&2 'ERROR: Vendor result differs. Please vendor your package with "docker buildx bake vendor-update"'; \
+    git status --porcelain -- yarn.lock; \
+    exit 1; \
+  fi

package.json

@@ -31,8 +31,8 @@
     "@actions/core": "^1.2.6",
     "@actions/exec": "^1.0.4",
     "@actions/github": "^4.0.0",
-    "csv-parse": "^4.15.1",
+    "csv-parse": "^4.15.3",
-    "semver": "^7.3.4",
+    "semver": "^7.3.5",
     "tmp": "^0.2.1"
   },
   "devDependencies": {

src/context.ts

@@ -13,31 +13,32 @@ import * as buildx from './buildx';
 let _defaultContext, _tmpDir: string;
 
 export interface Inputs {
-  context: string;
-  file: string;
-  buildArgs: string[];
-  labels: string[];
-  tags: string[];
-  pull: boolean;
-  target: string;
   allow: string[];
-  noCache: boolean;
+  buildArgs: string[];
   builder: string;
-  platforms: string[];
-  load: boolean;
-  push: boolean;
-  outputs: string[];
   cacheFrom: string[];
   cacheTo: string[];
+  context: string;
+  file: string;
+  labels: string[];
+  load: boolean;
+  network: string;
+  noCache: boolean;
+  outputs: string[];
+  platforms: string[];
+  pull: boolean;
+  push: boolean;
   secrets: string[];
   secretFiles: string[];
-  githubToken: string;
   ssh: string[];
+  tags: string[];
+  target: string;
+  githubToken: string;
 }
 
 export function defaultContext(): string {
   if (!_defaultContext) {
-    _defaultContext = `https://github.com/${github.context.repo.owner}/${
+    _defaultContext = `${process.env.GITHUB_SERVER_URL || 'https://github.com'}/${github.context.repo.owner}/${
       github.context.repo.repo
     }.git#${github.context?.ref?.replace(/^refs\//, '')}`;
   }
@@ -57,26 +58,27 @@ export function tmpNameSync(options?: tmp.TmpNameOptions): string {
 
 export async function getInputs(defaultContext: string): Promise<Inputs> {
   return {
-    context: core.getInput('context') || defaultContext,
-    file: core.getInput('file'),
-    buildArgs: await getInputList('build-args', true),
-    labels: await getInputList('labels', true),
-    tags: await getInputList('tags'),
-    pull: /true/i.test(core.getInput('pull')),
-    target: core.getInput('target'),
     allow: await getInputList('allow'),
-    noCache: /true/i.test(core.getInput('no-cache')),
+    buildArgs: await getInputList('build-args', true),
     builder: core.getInput('builder'),
-    platforms: await getInputList('platforms'),
-    load: /true/i.test(core.getInput('load')),
-    push: /true/i.test(core.getInput('push')),
-    outputs: await getInputList('outputs', true),
     cacheFrom: await getInputList('cache-from', true),
     cacheTo: await getInputList('cache-to', true),
+    context: core.getInput('context') || defaultContext,
+    file: core.getInput('file'),
+    labels: await getInputList('labels', true),
+    load: /true/i.test(core.getInput('load')),
+    network: core.getInput('network'),
+    noCache: /true/i.test(core.getInput('no-cache')),
+    outputs: await getInputList('outputs', true),
+    platforms: await getInputList('platforms'),
+    pull: /true/i.test(core.getInput('pull')),
+    push: /true/i.test(core.getInput('push')),
     secrets: await getInputList('secrets', true),
     secretFiles: await getInputList('secret-files', true),
-    githubToken: core.getInput('github-token'),
+    ssh: await getInputList('ssh'),
-    ssh: await getInputList('ssh')
+    tags: await getInputList('tags'),
+    target: core.getInput('target'),
+    githubToken: core.getInput('github-token')
   };
 }
 
@@ -163,6 +165,9 @@ async function getCommonArgs(inputs: Inputs): Promise<Array<string>> {
   if (inputs.load) {
     args.push('--load');
   }
+  if (inputs.network) {
+    args.push('--network', inputs.network);
+  }
   if (inputs.push) {
     args.push('--push');
   }

yarn.lock

@@ -1236,10 +1236,10 @@ cssstyle@^2.2.0:
   dependencies:
     cssom "~0.3.6"
 
-csv-parse@*, csv-parse@^4.15.1:
+csv-parse@*, csv-parse@^4.15.3:
-  version "4.15.1"
+  version "4.15.3"
-  resolved "https://registry.yarnpkg.com/csv-parse/-/csv-parse-4.15.1.tgz#fc5a0a1b24eaa6d4c24892daa387c46f7f92f8d2"
+  resolved "https://registry.yarnpkg.com/csv-parse/-/csv-parse-4.15.3.tgz#8a62759617a920c328cb31c351b05053b8f92b10"
-  integrity sha512-TXIvRtNp0fqMJbk3yPR35bQIDzMH4khDwduElzE7Fl1wgnl25mnWYLSLqd/wS5GsDoX1rWtysivEYMNsz5jKwQ==
+  integrity sha512-jlTqDvLdHnYMSr08ynNfk4IAUSJgJjTKy2U5CQBSu4cN9vQOJonLVZP4Qo4gKKrIgIQ5dr07UwOJdi+lRqT12w==
 
 dashdash@^1.12.0:
   version "1.14.1"
@@ -3243,10 +3243,10 @@ saxes@^5.0.0:
   resolved "https://registry.yarnpkg.com/semver/-/semver-5.7.1.tgz#a954f931aeba508d307bbf069eff0c01c96116f7"
   integrity sha512-sauaDf/PZdVgrLTNYHRtpXa1iRiKcaebiKQ1BJdpQlWH2lCvexQdX55snPFyK7QzpudqbCI0qXFfOasHdyNDGQ==
 
-semver@7.x, semver@^7.3.2, semver@^7.3.4:
+semver@7.x, semver@^7.3.2, semver@^7.3.5:
-  version "7.3.4"
+  version "7.3.5"
-  resolved "https://registry.yarnpkg.com/semver/-/semver-7.3.4.tgz#27aaa7d2e4ca76452f98d3add093a72c943edc97"
+  resolved "https://registry.yarnpkg.com/semver/-/semver-7.3.5.tgz#0b621c879348d8998e4b0e4be94b3f12e6018ef7"
-  integrity sha512-tCfb2WLjqFAtXn4KEdxIhalnRtoKFN7nAwj0B3ZXCbQloV2tq5eDbcTmT68JJD3nRJq24/XgxtQKFIpQdtvmVw==
+  integrity sha512-PoeGJYh8HK4BTO/a9Tf6ZG3veo/A7ZVsYrSA6J8ny9nb3B1VrpkuN+z9OE5wfE5p6H4LchYZsegiQgbJD94ZFQ==
   dependencies:
     lru-cache "^6.0.0"
 
@@ -3895,9 +3895,9 @@ xmlchars@^2.2.0:
   integrity sha512-JZnDKK8B0RCDw84FNdDAIpZK+JuJw+s7Lz8nksI7SIuU3UXJJslUthsi+uWBUYOwPFwW7W7PRLRfUKpxjtjFCw==
 
 y18n@^4.0.0:
-  version "4.0.0"
+  version "4.0.1"
-  resolved "https://registry.yarnpkg.com/y18n/-/y18n-4.0.0.tgz#95ef94f85ecc81d007c264e190a120f0a3c8566b"
+  resolved "https://registry.yarnpkg.com/y18n/-/y18n-4.0.1.tgz#8db2b83c31c5d75099bb890b23f3094891e247d4"
-  integrity sha512-r9S/ZyXu/Xu9q1tYlpsLIsa3EeLXXk0VwlxqTcFRfg9EhMW+17kbt9G0NrgCmhGb5vT2hyhJZLfDGx+7+5Uj/w==
+  integrity sha512-wNcy4NvjMYL8gogWWYAO7ZFWFfHcbdbE57tZO8e4cbpj8tfUcwrwqSl3ad8HxpYWCdXcJUCeKKZS62Av1affwQ==
 
 yallist@^2.1.2:
   version "2.1.2"