Merge pull request #760 from crazy-max/test-envs

test: move envs to jest config

.github/workflows/ci.yml

@@ -2,6 +2,15 @@ name: ci
 
 on:
   workflow_dispatch:
+    inputs:
+      buildx-version:
+        description: 'Buildx version or Git context'
+        default: 'latest'
+        required: false
+      buildkit-image:
+        description: 'BuildKit image'
+        default: 'moby/buildkit:buildx-stable-1'
+        required: false
   push:
     branches:
       - 'master'
@@ -9,6 +18,10 @@ on:
     branches:
       - 'master'
 
+env:
+  BUILDX_VERSION: latest
+  BUILDKIT_IMAGE: moby/buildkit:buildx-stable-1
+
 jobs:
   minimal:
     runs-on: ubuntu-latest
@@ -20,7 +33,11 @@ jobs:
           path: action
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
       -
         name: Build
         uses: ./action
@@ -42,14 +59,16 @@ jobs:
           path: action
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v2
       -
         name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
         with:
-          version: latest
-          driver-opts: network=host
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            network=host
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
       -
         name: Build and push
         id: docker_build
@@ -65,7 +84,7 @@ jobs:
       -
         name: Inspect
         run: |
-          docker buildx imagetools inspect localhost:5000/name/app:1.0.0
+          docker buildx imagetools inspect localhost:5000/name/app:1.0.0 --format '{{json .}}'
       -
         name: Check digest
         run: |
@@ -89,13 +108,16 @@ jobs:
           path: action
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v2
       -
         name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
         with:
-          driver-opts: network=host
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            network=host
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
       -
         name: Build and push
         id: docker_build
@@ -121,7 +143,7 @@ jobs:
       -
         name: Inspect
         run: |
-          docker buildx imagetools inspect localhost:5000/name/app:1.0.0
+          docker buildx imagetools inspect localhost:5000/name/app:1.0.0 --format '{{json .}}'
       -
         name: Check digest
         run: |
@@ -132,12 +154,6 @@ jobs:
 
   path-context:
     runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        buildx-version:
-          - ""
-          - latest
     services:
       registry:
         image: registry:2
@@ -149,14 +165,16 @@ jobs:
         uses: actions/checkout@v3
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v2
       -
         name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
         with:
-          version: ${{ matrix.buildx-version }}
-          driver-opts: network=host
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            network=host
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
       -
         name: Build and push
         id: docker_build
@@ -172,7 +190,7 @@ jobs:
       -
         name: Inspect
         run: |
-          docker buildx imagetools inspect localhost:5000/name/app:1.0.0
+          docker buildx imagetools inspect localhost:5000/name/app:1.0.0 --format '{{json .}}'
       -
         name: Check digest
         run: |
@@ -216,10 +234,14 @@ jobs:
         uses: actions/checkout@v3
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v2
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
       -
         name: Build
         id: docker_build
@@ -280,6 +302,29 @@ jobs:
         run: |
           docker image inspect myimage:latest
 
+  secret:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          context: .
+          file: ./test/secret.Dockerfile
+          secrets: |
+            MYSECRET=foo
+            INVALID_SECRET=
+
   network:
     runs-on: ubuntu-latest
     steps:
@@ -288,7 +333,11 @@ jobs:
         uses: actions/checkout@v3
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
       -
         name: List networks
         run: docker network ls
@@ -308,11 +357,11 @@ jobs:
         uses: actions/checkout@v3
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
         with:
-          version: v0.7.0
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
-            image=moby/buildkit:master
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
       -
         name: Build
         uses: ./
@@ -330,11 +379,12 @@ jobs:
         uses: actions/checkout@v3
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
         with:
-          version: v0.7.0
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
-            image=moby/buildkit:master
+            network=host
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
       -
         name: Build
         uses: ./
@@ -354,11 +404,12 @@ jobs:
         uses: actions/checkout@v3
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
         with:
-          version: v0.7.0
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
-            image=moby/buildkit:master
+            network=host
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
       -
         name: Build
         uses: ./
@@ -376,7 +427,12 @@ jobs:
         uses: actions/checkout@v3
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            network=host
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
       -
         name: Build
         uses: ./
@@ -393,12 +449,14 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
         with:
-          version: v0.8.0
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
       -
         name: Build
         uses: ./
@@ -409,14 +467,161 @@ jobs:
             alpine=docker-image://debian:stable-slim
           tags: name/app:latest
 
+  no-cache-filters:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          context: ./test
+          file: ./test/nocachefilter.Dockerfile
+          no-cache-filters: build
+          tags: name/app:latest
+          cache-from: type=gha,scope=nocachefilter
+          cache-to: type=gha,scope=nocachefilter,mode=max
+
+  attests-compat:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - buildx: latest
+            buildkit: moby/buildkit:buildx-stable-1
+          - buildx: latest
+            buildkit: moby/buildkit:v0.10.6
+          - buildx: v0.9.1
+            buildkit: moby/buildkit:buildx-stable-1
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: ${{ matrix.buildx }}
+          driver-opts: |
+            network=host
+            image=${{ matrix.buildkit }}
+      -
+        name: Build
+        uses: ./
+        with:
+          context: ./test/go
+          file: ./test/go/Dockerfile
+          outputs: type=cacheonly
+
+  provenance:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        attrs:
+          - ''
+          - mode=max
+          - builder-id=foo
+          - false
+          - true
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            network=host
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          context: ./test/go
+          file: ./test/go/Dockerfile
+          target: binary
+          outputs: type=oci,dest=/tmp/build.tar
+          provenance: ${{ matrix.attrs }}
+          cache-from: type=gha,scope=provenance
+          cache-to: type=gha,scope=provenance,mode=max
+
+  sbom:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - target: image
+            output: type=image,name=localhost:5000/name/app:latest,push=true
+          - target: binary
+            output: /tmp/buildx-build
+    services:
+      registry:
+        image: registry:2
+        ports:
+          - 5000:5000
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            network=host
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          context: ./test/go
+          file: ./test/go/Dockerfile
+          target: ${{ matrix.target }}
+          outputs: ${{ matrix.output }}
+          sbom: true
+          cache-from: type=gha,scope=attests-${{ matrix.target }}
+          cache-to: type=gha,scope=attests-${{ matrix.target }},mode=max
+      -
+        name: Inspect image
+        if: matrix.target == 'image'
+        run: |
+          docker buildx imagetools inspect localhost:5000/name/app:latest --format '{{json .}}'
+      -
+        name: Check output folder
+        if: matrix.target == 'binary'
+        run: |
+          tree /tmp/buildx-build
+      -
+        name: Print provenance
+        if: matrix.target == 'binary'
+        run: |
+          cat /tmp/buildx-build/provenance.json | jq
+      -
+        name: Print SBOM
+        if: matrix.target == 'binary'
+        run: |
+          cat /tmp/buildx-build/sbom.spdx.json | jq
+
   multi:
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
       matrix:
-        buildx-version:
-          - ""
-          - latest
         dockerfile:
           - multi
           - multi-sudo
@@ -431,14 +636,16 @@ jobs:
         uses: actions/checkout@v3
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v2
       -
         name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
         with:
-          version: ${{ matrix.buildx-version }}
-          driver-opts: network=host
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            network=host
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
       -
         name: Build and push
         id: docker_build
@@ -455,7 +662,7 @@ jobs:
       -
         name: Inspect
         run: |
-          docker buildx imagetools inspect localhost:5000/name/app:1.0.0
+          docker buildx imagetools inspect localhost:5000/name/app:1.0.0 --format '{{json .}}'
       -
         name: Check digest
         run: |
@@ -501,12 +708,12 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
         with:
-          version: v0.8.0
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver: ${{ matrix.driver }}
           driver-opts: |
             network=host
@@ -565,16 +772,17 @@ jobs:
         uses: actions/checkout@v3
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v2
       -
         name: Set up Docker Buildx
-        id: buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
         with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
             network=host
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
       -
-        name: Build and push (1)
+        name: Build and push
         id: docker_build
         uses: ./
         with:
@@ -588,110 +796,10 @@ jobs:
             localhost:5000/name/app:1.0.0
           cache-from: type=registry,ref=localhost:5000/name/app
           cache-to: type=inline
-      -
-        name: Inspect (1)
-        run: |
-          docker buildx imagetools inspect localhost:5000/name/app:latest
-      -
-        name: Check digest (1)
-        run: |
-          if [ -z "${{ steps.docker_build.outputs.digest }}" ]; then
-            echo "::error::Digest should not be empty"
-            exit 1
-          fi
-      -
-        name: Prune
-        run: |
-          docker buildx prune -a -f --verbose
-      -
-        name: Build and push (2)
-        id: docker_build2
-        uses: ./
-        with:
-          context: ./test
-          file: ./test/multi.Dockerfile
-          builder: ${{ steps.buildx.outputs.name }}
-          platforms: linux/amd64,linux/arm64
-          push: true
-          tags: |
-            localhost:5000/name/app:latest
-            localhost:5000/name/app:1.0.0
-          cache-from: type=registry,ref=localhost:5000/name/app
-          cache-to: type=inline
-      -
-        name: Inspect (2)
-        run: |
-          docker buildx imagetools inspect localhost:5000/name/app:latest
-      -
-        name: Check digest (2)
-        run: |
-          if [ -z "${{ steps.docker_build2.outputs.digest }}" ]; then
-            echo "::error::Digest should not be empty"
-            exit 1
-          fi
-      -
-        name: Compare digests
-        run: |
-          echo Compare "${{ steps.docker_build.outputs.digest }}" with "${{ steps.docker_build2.outputs.digest }}"
-          if [ "${{ steps.docker_build.outputs.digest }}" != "${{ steps.docker_build2.outputs.digest }}" ]; then
-            echo "::error::Digests should be identical"
-            exit 1
-          fi
-
-  local-cache-first:
-    runs-on: ubuntu-latest
-    outputs:
-      digest: ${{ steps.docker_build.outputs.digest }}
-    services:
-      registry:
-        image: registry:2
-        ports:
-          - 5000:5000
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v3
-      -
-        name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
-      -
-        name: Set up Docker Buildx
-        id: buildx
-        uses: docker/setup-buildx-action@v1
-        with:
-          driver-opts: |
-            network=host
-      -
-        name: Cache Docker layers
-        uses: actions/cache@v3
-        with:
-          path: /tmp/.buildx-cache
-          key: ${{ runner.os }}-buildx-local-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-buildx-ghcache-
-      -
-        name: Erase cache
-        run: |
-          rm -rf /tmp/.buildx-cache/*
-      -
-        name: Build and push
-        id: docker_build
-        uses: ./
-        with:
-          context: ./test
-          file: ./test/multi.Dockerfile
-          builder: ${{ steps.buildx.outputs.name }}
-          platforms: linux/amd64,linux/arm64
-          push: true
-          tags: |
-            localhost:5000/name/app:latest
-            localhost:5000/name/app:1.0.0
-          cache-from: type=local,src=/tmp/.buildx-cache
-          cache-to: type=local,dest=/tmp/.buildx-cache
       -
         name: Inspect
         run: |
-          docker buildx imagetools inspect localhost:5000/name/app:1.0.0
+          docker buildx imagetools inspect localhost:5000/name/app:latest --format '{{json .}}'
       -
         name: Check digest
         run: |
@@ -700,83 +808,8 @@ jobs:
             exit 1
           fi
 
-  local-cache-hit:
-    runs-on: ubuntu-latest
-    needs: local-cache-first
-    services:
-      registry:
-        image: registry:2
-        ports:
-          - 5000:5000
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v3
-      -
-        name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
-      -
-        name: Set up Docker Buildx
-        id: buildx
-        uses: docker/setup-buildx-action@v1
-        with:
-          driver-opts: |
-            network=host
-      -
-        name: Cache Docker layers
-        uses: actions/cache@v3
-        id: cache
-        with:
-          path: /tmp/.buildx-cache
-          key: ${{ runner.os }}-buildx-local-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-buildx-ghcache-
-      -
-        name: Build and push
-        id: docker_build
-        uses: ./
-        with:
-          context: ./test
-          file: ./test/multi.Dockerfile
-          builder: ${{ steps.buildx.outputs.name }}
-          platforms: linux/amd64,linux/arm64
-          push: true
-          tags: |
-            localhost:5000/name/app:latest
-            localhost:5000/name/app:1.0.0
-          cache-from: type=local,src=/tmp/.buildx-cache
-          cache-to: type=local,dest=/tmp/.buildx-cache
-      -
-        name: Inspect
-        run: |
-          docker buildx imagetools inspect localhost:5000/name/app:1.0.0
-      -
-        name: Check digest
-        run: |
-          if [ -z "${{ steps.docker_build.outputs.digest }}" ]; then
-            echo "::error::Digest should not be empty"
-            exit 1
-          fi
-      -
-        name: Compare digests
-        run: |
-          echo Compare "${{ needs.local-cache-first.outputs.digest }}" with "${{ steps.docker_build.outputs.digest }}"
-          if [ "${{ needs.local-cache-first.outputs.digest }}" != "${{ steps.docker_build.outputs.digest }}" ]; then
-            echo "::error::Digests should be identical"
-            exit 1
-          fi
-      -
-        name: Cache hit
-        run: echo ${{ steps.cache.outputs.cache-hit }}
-
   github-cache:
     runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        buildx_version:
-          - ""
-          - latest
     services:
       registry:
         image: registry:2
@@ -788,14 +821,15 @@ jobs:
         uses: actions/checkout@v3
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v2
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
         with:
-          version: ${{ matrix.buildx_version }}
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
             network=host
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
           buildkitd-flags: --debug
       -
         name: Build and push
@@ -813,7 +847,7 @@ jobs:
       -
         name: Inspect
         run: |
-          docker buildx imagetools inspect localhost:5000/name/app:1.0.0
+          docker buildx imagetools inspect localhost:5000/name/app:1.0.0 --format '{{json .}}'
 
   standalone:
     runs-on: ubuntu-latest
@@ -827,7 +861,12 @@ jobs:
           sudo apt-get purge -y moby-cli moby-buildx
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            network=host
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
       -
         name: Build
         uses: ./

.github/workflows/e2e.yml

@@ -2,6 +2,15 @@ name: e2e
 
 on:
   workflow_dispatch:
+    inputs:
+      buildx-version:
+        description: 'Buildx version or Git context'
+        default: 'latest'
+        required: false
+      buildkit-image:
+        description: 'BuildKit image'
+        default: 'moby/buildkit:buildx-stable-1'
+        required: false
   schedule:
     - cron: '0 10 * * *'
   push:
@@ -10,6 +19,10 @@ on:
     tags:
       - v*
 
+env:
+  BUILDX_VERSION: latest
+  BUILDKIT_IMAGE: moby/buildkit:buildx-stable-1
+
 jobs:
   docker:
     runs-on: ubuntu-latest
@@ -69,14 +82,18 @@ jobs:
           images: ${{ matrix.slug }}
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v2
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
       -
         name: Login to Registry
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
         with:
           registry: ${{ matrix.registry }}
           username: ${{ secrets[matrix.username_secret] }}
@@ -103,8 +120,4 @@ jobs:
         name: Check manifest
         if: github.event_name != 'pull_request'
         run: |
-          docker buildx imagetools inspect ${{ matrix.slug }}:${{ steps.meta.outputs.version }}
-      -
-        name: Dump context
-        if: always()
-        uses: crazy-max/ghaction-dump-context@v1
+          docker buildx imagetools inspect ${{ matrix.slug }}:${{ steps.meta.outputs.version }} --format '{{json .}}'

.github/workflows/example.yml

@@ -42,7 +42,7 @@ jobs:
             type=sha
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
         with:
           driver-opts: network=host
       -
@@ -71,8 +71,4 @@ jobs:
         name: Check manifest
         if: github.event_name != 'pull_request'
         run: |
-          docker buildx imagetools inspect ${{ env.DOCKER_IMAGE }}:${{ steps.meta.outputs.version }}
-      -
-        name: Dump context
-        if: always()
-        uses: crazy-max/ghaction-dump-context@v1
+          docker buildx imagetools inspect ${{ env.DOCKER_IMAGE }}:${{ steps.meta.outputs.version }} --format '{{json .}}'

.github/workflows/test.yml

@@ -17,12 +17,12 @@ jobs:
         uses: actions/checkout@v3
       -
         name: Validate
-        uses: docker/bake-action@v1
+        uses: docker/bake-action@v2
         with:
           targets: validate
       -
         name: Test
-        uses: docker/bake-action@v1
+        uses: docker/bake-action@v2
         with:
           targets: test
       -

.github/workflows/virtual-env.yml

@@ -4,6 +4,16 @@ on:
   workflow_dispatch:
   schedule:
     - cron: '0 10 * * *'
+  push:
+    branches:
+      - 'master'
+    paths:
+      - '.github/workflows/virtual-env.yml'
+  pull_request:
+    branches:
+      - 'master'
+    paths:
+      - '.github/workflows/virtual-env.yml'
 
 jobs:
   os:
@@ -13,6 +23,7 @@ jobs:
       matrix:
         os:
           - ubuntu-latest
+          - ubuntu-22.04
           - ubuntu-20.04
           - ubuntu-18.04
     steps:

README.md

@@ -1,14 +1,15 @@
 [![GitHub release](https://img.shields.io/github/release/docker/build-push-action.svg?style=flat-square)](https://github.com/docker/build-push-action/releases/latest)
 [![GitHub marketplace](https://img.shields.io/badge/marketplace-build--and--push--docker--images-blue?logo=github&style=flat-square)](https://github.com/marketplace/actions/build-and-push-docker-images)
-[![CI workflow](https://img.shields.io/github/workflow/status/docker/build-push-action/ci?label=ci&logo=github&style=flat-square)](https://github.com/docker/build-push-action/actions?workflow=ci)
-[![Test workflow](https://img.shields.io/github/workflow/status/docker/build-push-action/test?label=test&logo=github&style=flat-square)](https://github.com/docker/build-push-action/actions?workflow=test)
+[![CI workflow](https://img.shields.io/github/actions/workflow/status/docker/build-push-action/ci.yml?branch=master&label=ci&logo=github&style=flat-square)](https://github.com/docker/build-push-action/actions?workflow=ci)
+[![Test workflow](https://img.shields.io/github/actions/workflow/status/docker/build-push-action/test.yml?branch=master&label=test&logo=github&style=flat-square)](https://github.com/docker/build-push-action/actions?workflow=test)
 [![Codecov](https://img.shields.io/codecov/c/github/docker/build-push-action?logo=codecov&style=flat-square)](https://codecov.io/gh/docker/build-push-action)
 
 ## About
 
-GitHub Action to build and push Docker images with [Buildx](https://github.com/docker/buildx) with full support of the
-features provided by [Moby BuildKit](https://github.com/moby/buildkit) builder toolkit. This includes multi-platform
-build, secrets, remote cache, etc. and different builder deployment/namespacing options.
+GitHub Action to build and push Docker images with [Buildx](https://github.com/docker/buildx)
+with full support of the features provided by [Moby BuildKit](https://github.com/moby/buildkit)
+builder toolkit. This includes multi-platform build, secrets, remote cache, etc.
+and different builder deployment/namespacing options.
 
 ![Screenshot](.github/build-push-action.png)
 
@@ -17,43 +18,34 @@ ___
 * [Usage](#usage)
   * [Git context](#git-context)
   * [Path context](#path-context)
-* [Advanced usage](#advanced-usage)
-  * [Multi-platform image](docs/advanced/multi-platform.md)
-  * [Secrets](docs/advanced/secrets.md)
-  * [Isolated builders](docs/advanced/isolated-builders.md)
-  * [Push to multi-registries](docs/advanced/push-multi-registries.md)
-  * [Copy between registries](docs/advanced/copy-between-registries.md)  
-  * [Cache](docs/advanced/cache.md)
-  * [Local registry](docs/advanced/local-registry.md)
-  * [Export image to Docker](docs/advanced/export-docker.md)
-  * [Share built image between jobs](docs/advanced/share-image-jobs.md)
-  * [Test your image before pushing it](docs/advanced/test-before-push.md)
-  * [Handle tags and labels](docs/advanced/tags-labels.md)
-  * [Update DockerHub repo description](docs/advanced/dockerhub-desc.md)
+* [Examples](#examples)
 * [Customizing](#customizing)
   * [inputs](#inputs)
   * [outputs](#outputs)
 * [Troubleshooting](#troubleshooting)
-* [Keep up-to-date with GitHub Dependabot](#keep-up-to-date-with-github-dependabot)
+* [Contributing](#contributing)
 
 ## Usage
 
 In the examples below we are also using 3 other actions:
 
-* [`setup-buildx`](https://github.com/docker/setup-buildx-action) action will create and boot a builder using by 
-default the `docker-container` [builder driver](https://github.com/docker/buildx/blob/master/docs/reference/buildx_create.md#driver).
-This is **not required but recommended** using it to be able to build multi-platform images, export cache, etc.
-* [`setup-qemu`](https://github.com/docker/setup-qemu-action) action can be useful if you want
-to add emulation support with QEMU to be able to build against more platforms. 
-* [`login`](https://github.com/docker/login-action) action will take care to log in against a Docker registry.
+* [`setup-buildx`](https://github.com/docker/setup-buildx-action) action will
+  create and boot a builder using by default the [`docker-container` driver](https://docs.docker.com/build/building/drivers/docker-container/).
+  This is **not required but recommended** using it to be able to build
+  multi-platform images, export cache, etc.
+* [`setup-qemu`](https://github.com/docker/setup-qemu-action) action can be
+  useful if you want to add emulation support with QEMU to be able to build
+  against more platforms. 
+* [`login`](https://github.com/docker/login-action) action will take care to
+  log in against a Docker registry.
 
 ### Git context
 
-By default, this action uses the [Git context](#git-context) so you don't need
-to use the [`actions/checkout`](https://github.com/actions/checkout/) action to
-check out the repository because this will be done directly by [BuildKit](https://github.com/moby/buildkit).
+By default, this action uses the [Git context](https://docs.docker.com/engine/reference/commandline/build/#git-repositories),
+so you don't need to use the [`actions/checkout`](https://github.com/actions/checkout/)
+action to check out the repository as this will be done directly by [BuildKit](https://github.com/moby/buildkit).
 
-The git reference will be based on the [event that triggered your workflow](https://docs.github.com/en/actions/reference/events-that-trigger-workflows)
+The git reference will be based on the [event that triggered your workflow](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows)
 and will result in the following context: `https://github.com/<owner>/<repo>.git#<ref>`.
 
 ```yaml
@@ -70,19 +62,19 @@ jobs:
     steps:
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v2
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
       -
-        name: Login to DockerHub
-        uses: docker/login-action@v1 
+        name: Login to Docker Hub
+        uses: docker/login-action@v2
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
       -
         name: Build and push
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v3
         with:
           push: true
           tags: user/app:latest
@@ -100,25 +92,37 @@ expression `{{defaultContext}}`. Here we can use it to provide a subdirectory
 to the default Git context:
 
 ```yaml
+      -
+        # Setting up Docker Buildx with docker-container driver is required
+        # at the moment to be able to use a subdirectory with Git context
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
       -
         name: Build and push
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v3
         with:
           context: "{{defaultContext}}:mysubdir"
           push: true
           tags: user/app:latest
 ```
-> :warning: Subdirectory for Git context is not yet available for the buildx [`docker` driver](https://github.com/docker/buildx/blob/master/docs/reference/buildx_create.md#driver).
 
-Building from the current repository automatically uses the [GitHub Token](https://help.github.com/en/actions/configuring-and-managing-workflows/authenticating-with-the-github_token)
+> **Warning**
+>
+> Subdirectory for Git context is available from [BuildKit v0.9.0](https://github.com/moby/buildkit/releases/tag/v0.9.0).
+> If you're using the `docker` builder (default if `setup-buildx-action` not used),
+> then BuildKit in Docker Engine will be used. As Docker Engine < v22.x.x embeds
+> Buildkit 0.8.2 at the moment, it does not support this feature. It's therefore
+> required to use the `setup-buildx-action` at the moment.
+
+Building from the current repository automatically uses the [GitHub Token](https://docs.github.com/en/actions/security-guides/automatic-token-authentication),
 so it does not need to be passed. If you want to authenticate against another
-private repository, you have to use a [secret](docs/advanced/secrets.md) named
-`GIT_AUTH_TOKEN` to be able to authenticate against it with buildx:
+private repository, you have to use a [secret](https://docs.docker.com/build/ci/github-actions/examples/#secrets)
+named `GIT_AUTH_TOKEN` to be able to authenticate against it with Buildx:
 
 ```yaml
       -
         name: Build and push
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v3
         with:
           push: true
           tags: user/app:latest
@@ -142,42 +146,31 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v2
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
       -
-        name: Login to DockerHub
-        uses: docker/login-action@v1
+        name: Login to Docker Hub
+        uses: docker/login-action@v2
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
       -
         name: Build and push
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v3
         with:
           context: .
           push: true
           tags: user/app:latest
 ```
 
-## Advanced usage
+## Examples
 
-* [Multi-platform image](docs/advanced/multi-platform.md)
-* [Secrets](docs/advanced/secrets.md)
-* [Isolated builders](docs/advanced/isolated-builders.md)
-* [Push to multi-registries](docs/advanced/push-multi-registries.md)
-* [Copy between registries](docs/advanced/copy-between-registries.md)
-* [Cache](docs/advanced/cache.md)
-* [Local registry](docs/advanced/local-registry.md)
-* [Export image to Docker](docs/advanced/export-docker.md)
-* [Share built image between jobs](docs/advanced/share-image-jobs.md)
-* [Test your image before pushing it](docs/advanced/test-before-push.md)
-* [Handle tags and labels](docs/advanced/tags-labels.md)
-* [Update DockerHub repo description](docs/advanced/dockerhub-desc.md)
+See https://docs.docker.com/build/ci/github-actions/examples/.
 
 ## Customizing
 
@@ -197,61 +190,58 @@ Following inputs can be used as `step.with` keys
 > tags: name/app:latest,name/app:1.0.0
 > ```
 
-| Name                | Type     | Description                        |
-|---------------------|----------|------------------------------------|
-| `add-hosts`         | List/CSV | List of [customs host-to-IP mapping](https://docs.docker.com/engine/reference/commandline/build/#add-entries-to-container-hosts-file---add-host) (e.g., `docker:10.180.0.1`) |
-| `allow`             | List/CSV | List of [extra privileged entitlement](https://github.com/docker/buildx/blob/master/docs/reference/buildx_build.md#allow) (e.g., `network.host,security.insecure`) |
-| `builder`           | String   | Builder instance (see [setup-buildx](https://github.com/docker/setup-buildx-action) action) |
-| `build-args`        | List     | List of [build-time variables](https://github.com/docker/buildx/blob/master/docs/reference/buildx_build.md#build-arg) |
-| `build-contexts`    | List     | List of additional [build contexts](https://github.com/docker/buildx/blob/master/docs/reference/buildx_build.md#build-context) (e.g., `name=path`) |
-| `cache-from`        | List     | List of [external cache sources](https://github.com/docker/buildx/blob/master/docs/reference/buildx_build.md#cache-from) (e.g., `type=local,src=path/to/dir`) |
-| `cache-to`          | List     | List of [cache export destinations](https://github.com/docker/buildx/blob/master/docs/reference/buildx_build.md#cache-to) (e.g., `type=local,dest=path/to/dir`) |
-| `cgroup-parent`     | String   | Optional [parent cgroup](https://docs.docker.com/engine/reference/commandline/build/#use-a-custom-parent-cgroup---cgroup-parent) for the container used in the build |
-| `context`           | String   | Build's context is the set of files located in the specified [`PATH` or `URL`](https://docs.docker.com/engine/reference/commandline/build/) (default [Git context](#git-context)) |
-| `file`              | String   | Path to the Dockerfile. (default `{context}/Dockerfile`) |
-| `labels`            | List     | List of metadata for an image |
-| `load`              | Bool     | [Load](https://github.com/docker/buildx/blob/master/docs/reference/buildx_build.md#load) is a shorthand for `--output=type=docker` (default `false`) |
-| `network`           | String   | Set the networking mode for the `RUN` instructions during build |
-| `no-cache`          | Bool     | Do not use cache when building the image (default `false`) |
-| `outputs`           | List     | List of [output destinations](https://github.com/docker/buildx/blob/master/docs/reference/buildx_build.md#output) (format: `type=local,dest=path`) |
-| `platforms`         | List/CSV | List of [target platforms](https://github.com/docker/buildx/blob/master/docs/reference/buildx_build.md#platform) for build |
-| `pull`              | Bool     | Always attempt to pull all referenced images (default `false`) |
-| `push`              | Bool     | [Push](https://github.com/docker/buildx/blob/master/docs/reference/buildx_build.md#push) is a shorthand for `--output=type=registry` (default `false`) |
-| `secrets`           | List     | List of [secrets](https://github.com/docker/buildx/blob/master/docs/reference/buildx_build.md#secret) to expose to the build (e.g., `key=string`, `GIT_AUTH_TOKEN=mytoken`) |
-| `secret-files`      | List     | List of [secret files](https://github.com/docker/buildx/blob/master/docs/reference/buildx_build.md#secret) to expose to the build (e.g., `key=filename`, `MY_SECRET=./secret.txt`) |
-| `shm-size`          | String   | Size of [`/dev/shm`](https://github.com/docker/buildx/blob/master/docs/reference/buildx_build.md#-size-of-devshm---shm-size) (e.g., `2g`) |
-| `ssh`               | List     | List of [SSH agent socket or keys](https://github.com/docker/buildx/blob/master/docs/reference/buildx_build.md#ssh) to expose to the build |
-| `tags`              | List/CSV | List of tags |
-| `target`            | String   | Sets the target stage to build |
-| `ulimit`            | List     | [Ulimit](https://github.com/docker/buildx/blob/master/docs/reference/buildx_build.md#-set-ulimits---ulimit) options (e.g., `nofile=1024:1024`) |
-| `github-token`      | String   | GitHub Token used to authenticate against a repository for [Git context](#git-context) (default `${{ github.token }}`) |
+| Name               | Type        | Description                                                                                                                                                                       |
+|--------------------|-------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `add-hosts`        | List/CSV    | List of [customs host-to-IP mapping](https://docs.docker.com/engine/reference/commandline/build/#add-entries-to-container-hosts-file---add-host) (e.g., `docker:10.180.0.1`)      |
+| `allow`            | List/CSV    | List of [extra privileged entitlement](https://docs.docker.com/engine/reference/commandline/buildx_build/#allow) (e.g., `network.host,security.insecure`)                         |
+| `attests`          | List        | List of [attestation](https://docs.docker.com/build/attestations/) parameters (e.g., `type=sbom,generator=image`)                                                                 | 
+| `builder`          | String      | Builder instance (see [setup-buildx](https://github.com/docker/setup-buildx-action) action)                                                                                       |
+| `build-args`       | List        | List of [build-time variables](https://docs.docker.com/engine/reference/commandline/buildx_build/#build-arg)                                                                      |
+| `build-contexts`   | List        | List of additional [build contexts](https://docs.docker.com/engine/reference/commandline/buildx_build/#build-context) (e.g., `name=path`)                                         |
+| `cache-from`       | List        | List of [external cache sources](https://docs.docker.com/engine/reference/commandline/buildx_build/#cache-from) (e.g., `type=local,src=path/to/dir`)                              |
+| `cache-to`         | List        | List of [cache export destinations](https://docs.docker.com/engine/reference/commandline/buildx_build/#cache-to) (e.g., `type=local,dest=path/to/dir`)                            |
+| `cgroup-parent`    | String      | Optional [parent cgroup](https://docs.docker.com/engine/reference/commandline/build/#use-a-custom-parent-cgroup---cgroup-parent) for the container used in the build              |
+| `context`          | String      | Build's context is the set of files located in the specified [`PATH` or `URL`](https://docs.docker.com/engine/reference/commandline/build/) (default [Git context](#git-context)) |
+| `file`             | String      | Path to the Dockerfile. (default `{context}/Dockerfile`)                                                                                                                          |
+| `labels`           | List        | List of metadata for an image                                                                                                                                                     |
+| `load`             | Bool        | [Load](https://docs.docker.com/engine/reference/commandline/buildx_build/#load) is a shorthand for `--output=type=docker` (default `false`)                                       |
+| `network`          | String      | Set the networking mode for the `RUN` instructions during build                                                                                                                   |
+| `no-cache`         | Bool        | Do not use cache when building the image (default `false`)                                                                                                                        |
+| `no-cache-filters` | List/CSV    | Do not cache specified stages                                                                                                                                                     |
+| `outputs`¹         | List        | List of [output destinations](https://docs.docker.com/engine/reference/commandline/buildx_build/#output) (format: `type=local,dest=path`)                                         |
+| `platforms`        | List/CSV    | List of [target platforms](https://docs.docker.com/engine/reference/commandline/buildx_build/#platform) for build                                                                 |
+| `provenance`       | Bool/String | Generate [provenance](https://docs.docker.com/build/attestations/slsa-provenance/) attestation for the build (shorthand for `--attest=type=provenance`)                           |
+| `pull`             | Bool        | Always attempt to pull all referenced images (default `false`)                                                                                                                    |
+| `push`             | Bool        | [Push](https://docs.docker.com/engine/reference/commandline/buildx_build/#push) is a shorthand for `--output=type=registry` (default `false`)                                     |
+| `sbom`             | Bool/String | Generate [SBOM](https://docs.docker.com/build/attestations/sbom/) attestation for the build (shorthand for `--attest=type=sbom`)                                                  |
+| `secrets`          | List        | List of [secrets](https://docs.docker.com/engine/reference/commandline/buildx_build/#secret) to expose to the build (e.g., `key=string`, `GIT_AUTH_TOKEN=mytoken`)                |
+| `secret-files`     | List        | List of [secret files](https://docs.docker.com/engine/reference/commandline/buildx_build/#secret) to expose to the build (e.g., `key=filename`, `MY_SECRET=./secret.txt`)         |
+| `shm-size`         | String      | Size of [`/dev/shm`](https://docs.docker.com/engine/reference/commandline/buildx_build/#shm-size) (e.g., `2g`)                                                                    |
+| `ssh`              | List        | List of [SSH agent socket or keys](https://docs.docker.com/engine/reference/commandline/buildx_build/#ssh) to expose to the build                                                 |
+| `tags`             | List/CSV    | List of tags                                                                                                                                                                      |
+| `target`           | String      | Sets the target stage to build                                                                                                                                                    |
+| `ulimit`           | List        | [Ulimit](https://docs.docker.com/engine/reference/commandline/buildx_build/#ulimit) options (e.g., `nofile=1024:1024`)                                                            |
+| `github-token`     | String      | GitHub Token used to authenticate against a repository for [Git context](#git-context) (default `${{ github.token }}`)                                                            |
+
+> **Note**
+>
+> * ¹ multiple `outputs` are [not yet supported](https://github.com/moby/buildkit/issues/1555)
 
 ### outputs
 
 Following outputs are available
 
-| Name              | Type    | Description                           |
-|-------------------|---------|---------------------------------------|
-| `imageid`         | String  | Image ID |
-| `digest`          | String  | Image digest |
-| `metadata`        | JSON    | Build result metadata |
+| Name       | Type    | Description           |
+|------------|---------|-----------------------|
+| `imageid`  | String  | Image ID              |
+| `digest`   | String  | Image digest          |
+| `metadata` | JSON    | Build result metadata |
 
 ## Troubleshooting
 
 See [TROUBLESHOOTING.md](TROUBLESHOOTING.md)
 
-## Keep up-to-date with GitHub Dependabot
+## Contributing
 
-Since [Dependabot](https://docs.github.com/en/github/administering-a-repository/keeping-your-actions-up-to-date-with-github-dependabot)
-has [native GitHub Actions support](https://docs.github.com/en/github/administering-a-repository/configuration-options-for-dependency-updates#package-ecosystem),
-to enable it on your GitHub repo all you need to do is add the `.github/dependabot.yml` file:
-
-```yaml
-version: 2
-updates:
-  # Maintain dependencies for GitHub Actions
-  - package-ecosystem: "github-actions"
-    directory: "/"
-    schedule:
-      interval: "daily"
-```
+Want to contribute? Awesome! You can find information about contributing to
+this project in the [CONTRIBUTING.md](/.github/CONTRIBUTING.md)

TROUBLESHOOTING.md

@@ -16,7 +16,7 @@ While pushing to a registry, you may encounter these kinds of issues:
 * `unexpected response: 401 Unauthorized`
 
 These issues are not directly related to this action but are rather linked to
-[buildx](https://github.com/docker/buildx), [buildkit](https://github.com/moby/buildkit),
+[Buildx](https://github.com/docker/buildx), [BuildKit](https://github.com/moby/buildkit),
 [containerd](https://github.com/containerd/containerd) or the registry on which
 you're pushing your image. The quality of error message depends on the registry
 and are usually not very informative.
@@ -29,7 +29,7 @@ action step and attach BuildKit container logs to your issue.
 ### With containerd
 
 Next you can test pushing with [containerd action](https://github.com/crazy-max/ghaction-setup-containerd)
-using the following workflow. If it works then open an issue on [buildkit](https://github.com/moby/buildkit)
+using the following workflow. If it works then open an issue on [BuildKit](https://github.com/moby/buildkit)
 repository.
 
 ```yaml
@@ -44,21 +44,21 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v2
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
         with:
           buildkitd-flags: --debug
       -
         name: Set up containerd
-        uses: crazy-max/ghaction-setup-containerd@v1
+        uses: crazy-max/ghaction-setup-containerd@v2
       -
         name: Build Docker image
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v3
         with:
           context: .
           platforms: linux/amd64,linux/arm64
@@ -105,13 +105,13 @@ to generate sanitized tags:
 ```yaml
 - name: Docker meta
   id: meta
-  uses: docker/metadata-action@v3
+  uses: docker/metadata-action@v4
   with:
     images: ghcr.io/${{ github.repository }}
     tags: latest
 
 - name: Build and push
-  uses: docker/build-push-action@v2
+  uses: docker/build-push-action@v3
   with:
     context: .
     push: true
@@ -122,14 +122,14 @@ Or a dedicated step to sanitize the slug:
 
 ```yaml
 - name: Sanitize repo slug
-  uses: actions/github-script@v4
+  uses: actions/github-script@v6
   id: repo_slug
   with:
     result-encoding: string
     script: return 'ghcr.io/${{ github.repository }}'.toLowerCase()
 
 - name: Build and push
-  uses: docker/build-push-action@v2
+  uses: docker/build-push-action@v3
   with:
     context: .
     push: true

UPGRADE.md

@@ -1,133 +0,0 @@
-# Upgrade notes
-
-## v1 to v2
-
-* Input `path` is now called `context` for consistency with other Docker build tools
-* `path` defaults to current git repository so checkout action is not required in a workflow
-* Rename `dockerfile` input to `file` for consistency with other Docker build tools
-* Rename `always_pull` input to `pull` for consistency with other Docker build tools
-* Add `builder` input to be able to choose a builder instance through our [setup-buildx action](https://github.com/docker/setup-buildx-action)
-* Add `platforms` input to support multi-platform builds
-* Add `allow` input
-* Add `load` input
-* Add `outputs` input
-* Add `cache-from` input (`cache_froms` removed)
-* Add `cache-to` input
-* Rename `build_args` input to `build-args` for consistency with other Docker build tools
-* Add `secrets` input
-* Review `tags` input
-* Remove `repository` input. See [Simple workflow](#simple-workflow) for migration
-* Remove `username`, `password` and `registry` inputs. Login support moved to [docker/login-action](https://github.com/docker/login-action) repo
-* Remove `tag_with_sha`, `tag_with_ref`, `add_git_labels` inputs. See [Tags with ref and Git labels](#tags-with-ref-and-git-labels) for migration
-* Handle Git context
-* Add `digest` output
-
-### Simple workflow
-
-```yaml
-# v1
-steps:
-  -
-    name: Checkout
-    uses: actions/checkout@v2
-  -
-    name: Build and push Docker images
-    uses: docker/build-push-action@v1
-    with:
-      username: ${{ secrets.DOCKER_USERNAME }}
-      password: ${{ secrets.DOCKER_PASSWORD }}
-      repository: myorg/myrepository
-      always_pull: true
-      build_args: arg1=value1,arg2=value2
-      cache_froms: myorg/myrepository:latest
-      tags: latest
-```
-
-```yaml
-# v2
-steps:
-  -
-    name: Checkout
-    uses: actions/checkout@v2
-  -
-    name: Set up Docker Buildx
-    uses: docker/setup-buildx-action@v1
-  -
-    name: Login to DockerHub
-    uses: docker/login-action@v1
-    with:
-      username: ${{ secrets.DOCKER_USERNAME }}
-      password: ${{ secrets.DOCKER_PASSWORD }}
-  -
-    name: Build and push
-    uses: docker/build-push-action@v2
-    with:
-      context: .
-      pull: true
-      push: true
-      build-args: |
-        arg1=value1
-        arg2=value2
-      cache-from: type=registry,ref=myorg/myrepository:latest
-      cache-to: type=inline
-      tags: myorg/myrepository:latest
-```
-
-### Tags with ref and Git labels
-
-```yaml
-# v1
-steps:
-  -
-    name: Checkout
-    uses: actions/checkout@v2
-  -
-    name: Build and push Docker images
-    uses: docker/build-push-action@v1
-    with:
-      username: ${{ secrets.DOCKER_USERNAME }}
-      password: ${{ secrets.DOCKER_PASSWORD }}
-      repository: myorg/myrepository
-      push: ${{ github.event_name != 'pull_request' }}
-      tag_with_ref: true
-      tag_with_sha: true
-      add_git_labels: true
-```
-
-```yaml
-# v2
-steps:
-  -
-    name: Checkout
-    uses: actions/checkout@v2
-  -
-    name: Docker meta
-    id: meta
-    uses: docker/metadata-action@v3
-    with:
-      images: |
-        myorg/myrepository
-      tags: |
-        type=ref,event=branch
-        type=ref,event=pr
-        type=semver,pattern={{version}}
-        type=sha
-  -
-    name: Set up Docker Buildx
-    uses: docker/setup-buildx-action@v1
-  -
-    name: Login to DockerHub
-    if: github.event_name != 'pull_request'
-    uses: docker/login-action@v1 
-    with:
-      username: ${{ secrets.DOCKER_USERNAME }}
-      password: ${{ secrets.DOCKER_PASSWORD }}
-  -
-    name: Build and push
-    uses: docker/build-push-action@v2
-    with:
-      context: .
-      push: ${{ github.event_name != 'pull_request' }}
-      tags: ${{ steps.meta.outputs.tags }}
-      labels: ${{ steps.meta.outputs.labels }}
-```

__tests__/buildx.test.ts

@@ -137,8 +137,7 @@ describe('getSecret', () => {
       }
       expect(true).toBe(!invalid);
       expect(secret).toEqual(`id=${exKey},src=${tmpNameSync}`);
-      const secretValue = await fs.readFileSync(tmpNameSync, 'utf-8');
-      expect(secretValue).toEqual(exValue);
+      expect(fs.readFileSync(tmpNameSync, 'utf-8')).toEqual(exValue);
     } catch (err) {
       // eslint-disable-next-line jest/no-conditional-expect
       expect(true).toBe(invalid);

__tests__/context.test.ts

@@ -1,8 +1,8 @@
 import {beforeEach, describe, expect, it, jest, test} from '@jest/globals';
 import * as fs from 'fs';
-import * as os from 'os';
 import * as path from 'path';
 
+import * as buildx from '../src/buildx';
 import * as context from '../src/context';
 
 const pgp = `-----BEGIN PGP PRIVATE KEY BLOCK-----
@@ -128,6 +128,8 @@ jest.spyOn(context, 'tmpNameSync').mockImplementation((): string => {
   return path.join('/tmp/.docker-build-push-jest', '.tmpname-jest').split(path.sep).join(path.posix.sep);
 });
 
+jest.spyOn(buildx, 'satisfiesBuildKitVersion').mockResolvedValueOnce(true);
+
 describe('getArgs', () => {
   beforeEach(() => {
     process.env = Object.keys(process.env).reduce((object, key) => {
@@ -160,7 +162,11 @@ describe('getArgs', () => {
       1,
       '0.4.2',
       new Map<string, string>([
-        ['build-args', 'MY_ARG=val1,val2,val3\nARG=val'],
+        ['build-args', `MY_ARG=val1,val2,val3
+ARG=val
+"MULTILINE=aaaa
+bbbb
+ccc"`],
         ['load', 'false'],
         ['no-cache', 'false'],
         ['push', 'false'],
@@ -170,6 +176,7 @@ describe('getArgs', () => {
         'build',
         '--build-arg', 'MY_ARG=val1,val2,val3',
         '--build-arg', 'ARG=val',
+        '--build-arg', `MULTILINE=aaaa\nbbbb\nccc`,
         '--iidfile', '/tmp/.docker-build-push-jest/iidfile',
         'https://github.com/docker/build-push-action.git#refs/heads/test-jest'
       ]
@@ -500,6 +507,137 @@ nproc=3`],
         'https://github.com/docker/build-push-action.git#refs/heads/test-jest:docker'
       ]
     ],
+    [
+      16,
+      '0.8.2',
+      new Map<string, string>([
+        ['github-token', 'abcdefghijklmno0123456789'],
+        ['context', '{{defaultContext}}:subdir'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+      ]),
+      [
+        'build',
+        '--iidfile', '/tmp/.docker-build-push-jest/iidfile',
+        '--secret', 'id=GIT_AUTH_TOKEN,src=/tmp/.docker-build-push-jest/.tmpname-jest',
+        '--metadata-file', '/tmp/.docker-build-push-jest/metadata-file',
+        'https://github.com/docker/build-push-action.git#refs/heads/test-jest:subdir'
+      ]
+    ],
+    [
+      17,
+      '0.8.2',
+      new Map<string, string>([
+        ['context', '.'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+        ['provenance', 'true'],
+      ]),
+      [
+        'build',
+        '--iidfile', '/tmp/.docker-build-push-jest/iidfile',
+        '--metadata-file', '/tmp/.docker-build-push-jest/metadata-file',
+        '.'
+      ]
+    ],
+    [
+      18,
+      '0.10.0',
+      new Map<string, string>([
+        ['context', '.'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+      ]),
+      [
+        'build',
+        '--iidfile', '/tmp/.docker-build-push-jest/iidfile',
+        "--provenance", `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`,
+        '--metadata-file', '/tmp/.docker-build-push-jest/metadata-file',
+        '.'
+      ]
+    ],
+    [
+      19,
+      '0.10.0',
+      new Map<string, string>([
+        ['context', '.'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+        ['provenance', 'true'],
+      ]),
+      [
+        'build',
+        '--iidfile', '/tmp/.docker-build-push-jest/iidfile',
+        "--provenance", `builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`,
+        '--metadata-file', '/tmp/.docker-build-push-jest/metadata-file',
+        '.'
+      ]
+    ],
+    [
+      20,
+      '0.10.0',
+      new Map<string, string>([
+        ['context', '.'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+        ['provenance', 'mode=max'],
+      ]),
+      [
+        'build',
+        '--iidfile', '/tmp/.docker-build-push-jest/iidfile',
+        "--provenance", `mode=max,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`,
+        '--metadata-file', '/tmp/.docker-build-push-jest/metadata-file',
+        '.'
+      ]
+    ],
+    [
+      21,
+      '0.10.0',
+      new Map<string, string>([
+        ['context', '.'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+        ['provenance', 'false'],
+      ]),
+      [
+        'build',
+        '--iidfile', '/tmp/.docker-build-push-jest/iidfile',
+        "--provenance", 'false',
+        '--metadata-file', '/tmp/.docker-build-push-jest/metadata-file',
+        '.'
+      ]
+    ],
+    [
+      22,
+      '0.10.0',
+      new Map<string, string>([
+        ['context', '.'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+        ['provenance', 'builder-id=foo'],
+      ]),
+      [
+        'build',
+        '--iidfile', '/tmp/.docker-build-push-jest/iidfile',
+        "--provenance", 'builder-id=foo',
+        '--metadata-file', '/tmp/.docker-build-push-jest/metadata-file',
+        '.'
+      ]
+    ],
   ])(
     '[%d] given %p with %p as inputs, returns %p',
     async (num: number, buildxVersion: string, inputs: Map<string, string>, expected: Array<string>) => {
@@ -671,30 +809,6 @@ describe('asyncForEach', () => {
   });
 });
 
-describe('setOutput', () => {
-  beforeEach(() => {
-    process.stdout.write = jest.fn() as typeof process.stdout.write;
-  });
-
-  // eslint-disable-next-line jest/expect-expect
-  it('setOutput produces the correct command', () => {
-    context.setOutput('some output', 'some value');
-    assertWriteCalls([`::set-output name=some output::some value${os.EOL}`]);
-  });
-
-  // eslint-disable-next-line jest/expect-expect
-  it('setOutput handles bools', () => {
-    context.setOutput('some output', false);
-    assertWriteCalls([`::set-output name=some output::false${os.EOL}`]);
-  });
-
-  // eslint-disable-next-line jest/expect-expect
-  it('setOutput handles numbers', () => {
-    context.setOutput('some output', 1.01);
-    assertWriteCalls([`::set-output name=some output::1.01${os.EOL}`]);
-  });
-});
-
 // See: https://github.com/actions/toolkit/blob/a1b068ec31a042ff1e10a522d8fdf0b8869d53ca/packages/core/src/core.ts#L89
 function getInputName(name: string): string {
   return `INPUT_${name.replace(/ /g, '_').toUpperCase()}`;
@@ -703,11 +817,3 @@ function getInputName(name: string): string {
 function setInput(name: string, value: string): void {
   process.env[getInputName(name)] = value;
 }
-
-// Assert that process.stdout.write calls called only with the given arguments.
-function assertWriteCalls(calls: string[]): void {
-  expect(process.stdout.write).toHaveBeenCalledTimes(calls.length);
-  for (let i = 0; i < calls.length; i++) {
-    expect(process.stdout.write).toHaveBeenNthCalledWith(i + 1, calls[i]);
-  }
-}

action.yml

@@ -13,6 +13,9 @@ inputs:
   allow:
     description: "List of extra privileged entitlement (e.g., network.host,security.insecure)"
     required: false
+  attests:
+    description: "List of attestation parameters (e.g., type=sbom,generator=image)"
+    required: false
   build-args:
     description: "List of build-time variables"
     required: false
@@ -51,12 +54,18 @@ inputs:
     description: "Do not use cache when building the image"
     required: false
     default: 'false'
+  no-cache-filters:
+    description: "Do not cache specified stages"
+    required: false
   outputs:
     description: "List of output destinations (format: type=local,dest=path)"
     required: false
   platforms:
     description: "List of target platforms for build"
     required: false
+  provenance:
+    description: "Generate provenance attestation for the build (shorthand for --attest=type=provenance)"
+    required: false
   pull:
     description: "Always attempt to pull all referenced images"
     required: false
@@ -65,6 +74,9 @@ inputs:
     description: "Push is a shorthand for --output=type=registry"
     required: false
     default: 'false'
+  sbom:
+    description: "Generate SBOM attestation for the build (shorthand for --attest=type=sbom)"
+    required: false
   secrets:
     description: "List of secrets to expose to the build (e.g., key=string, GIT_AUTH_TOKEN=mytoken)"
     required: false

dev.Dockerfile

@@ -1,4 +1,4 @@
-# syntax=docker/dockerfile:1.4
+# syntax=docker/dockerfile:1
 
 ARG NODE_VERSION=16
 ARG DOCKER_VERSION=20.10.13
@@ -66,8 +66,6 @@ FROM docker:${DOCKER_VERSION} as docker
 FROM docker/buildx-bin:${BUILDX_VERSION} as buildx
 
 FROM deps AS test
-ENV RUNNER_TEMP=/tmp/github_runner
-ENV RUNNER_TOOL_CACHE=/tmp/github_tool_cache
 RUN --mount=type=bind,target=.,rw \
   --mount=type=cache,target=/src/node_modules \
   --mount=type=bind,from=docker,source=/usr/local/bin/docker,target=/usr/bin/docker \

dist/licenses.txt

@@ -724,6 +724,31 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 THE SOFTWARE.
 
 
+jwt-decode
+MIT
+The MIT License (MIT)
+ 
+Copyright (c) 2015 Auth0, Inc. <support@auth0.com> (http://auth0.com)
+ 
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+ 
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+ 
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
+
 lru-cache
 ISC
 The ISC License
@@ -966,6 +991,19 @@ Permission to use, copy, modify, and/or distribute this software for any purpose
 THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
 
+uuid
+MIT
+The MIT License (MIT)
+
+Copyright (c) 2010-2020 Robert Kieffer and other contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+
 webidl-conversions
 BSD-2-Clause
 # The BSD 2-Clause License

docs/advanced/cache.md

@@ -1,200 +1,3 @@
 # Cache
 
-* [Inline cache](#inline-cache)
-* [Registry cache](#registry-cache)
-* [GitHub cache](#github-cache)
-  * [Cache backend API](#cache-backend-api)
-  * [Local cache](#local-cache)
-
-> More info about cache on [BuildKit](https://github.com/moby/buildkit#export-cache) and [Buildx](https://github.com/docker/buildx/blob/master/docs/reference/buildx_build.md#cache-from) repositories.
-
-## Inline cache
-
-In most cases you want to use the [`type=inline` cache exporter](https://github.com/moby/buildkit#inline-push-image-and-cache-together).
-However, note that the `inline` cache exporter only supports `min` cache mode. To enable `max` cache mode, push the
-image and the cache separately by using the `registry` cache exporter as shown in the [next example](#registry-cache).
-
-```yaml
-name: ci
-
-on:
-  push:
-    branches:
-      - 'main'
-
-jobs:
-  docker:
-    runs-on: ubuntu-latest
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v2
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-      -
-        name: Login to DockerHub
-        uses: docker/login-action@v1 
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      -
-        name: Build and push
-        uses: docker/build-push-action@v2
-        with:
-          context: .
-          push: true
-          tags: user/app:latest
-          cache-from: type=registry,ref=user/app:latest
-          cache-to: type=inline
-```
-
-## Registry cache
-
-You can import/export cache from a cache manifest or (special) image configuration on the registry with the
-[`type=registry` cache exporter](https://github.com/moby/buildkit/tree/master#registry-push-image-and-cache-separately).
-
-```yaml
-name: ci
-
-on:
-  push:
-    branches:
-      - 'main'
-
-jobs:
-  docker:
-    runs-on: ubuntu-latest
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v2
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-      -
-        name: Login to DockerHub
-        uses: docker/login-action@v1 
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      -
-        name: Build and push
-        uses: docker/build-push-action@v2
-        with:
-          context: .
-          push: true
-          tags: user/app:latest
-          cache-from: type=registry,ref=user/app:buildcache
-          cache-to: type=registry,ref=user/app:buildcache,mode=max
-```
-
-## GitHub cache
-
-### Cache backend API
-
-> :test_tube: This cache exporter is considered EXPERIMENTAL until further notice. Please provide feedback on
-> [BuildKit repository](https://github.com/moby/buildkit) if you encounter any issues.
-
-Since [buildx 0.6.0](https://github.com/docker/buildx/releases/tag/v0.6.0) and [BuildKit 0.9.0](https://github.com/moby/buildkit/releases/tag/v0.9.0),
-you can use the [`type=gha` cache exporter](https://github.com/moby/buildkit/tree/master#github-actions-cache-experimental).
-
-GitHub Actions cache exporter backend uses the [GitHub Cache API](https://github.com/tonistiigi/go-actions-cache/blob/master/api.md)
-to fetch and upload cache blobs. That's why this type of cache should be exclusively used in a GitHub Action workflow
-as the `url` (`$ACTIONS_CACHE_URL`) and `token` (`$ACTIONS_RUNTIME_TOKEN`) attributes are populated when a workflow
-is started.
-
-```yaml
-name: ci
-
-on:
-  push:
-    branches:
-      - 'main'
-
-jobs:
-  docker:
-    runs-on: ubuntu-latest
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v2
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-      -
-        name: Login to DockerHub
-        uses: docker/login-action@v1 
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      -
-        name: Build and push
-        uses: docker/build-push-action@v2
-        with:
-          context: .
-          push: true
-          tags: user/app:latest
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-```
-
-### Local cache
-
-> :warning: At the moment caches are copied over the existing cache so it [keeps growing](https://github.com/docker/build-push-action/issues/252).
-> The `Move cache` step is used as a temporary fix (see https://github.com/moby/buildkit/issues/1896).
-
-You can also leverage [GitHub cache](https://docs.github.com/en/actions/configuring-and-managing-workflows/caching-dependencies-to-speed-up-workflows)
-using [actions/cache](https://github.com/actions/cache) and [`type=local` cache exporter](https://github.com/moby/buildkit#local-directory-1)
-with this action:
-
-```yaml
-name: ci
-
-on:
-  push:
-    branches:
-      - 'main'
-
-jobs:
-  docker:
-    runs-on: ubuntu-latest
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v2
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-      -
-        name: Cache Docker layers
-        uses: actions/cache@v2
-        with:
-          path: /tmp/.buildx-cache
-          key: ${{ runner.os }}-buildx-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-buildx-
-      -
-        name: Login to DockerHub
-        uses: docker/login-action@v1 
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      -
-        name: Build and push
-        uses: docker/build-push-action@v2
-        with:
-          context: .
-          push: true
-          tags: user/app:latest
-          cache-from: type=local,src=/tmp/.buildx-cache
-          cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max
-      -
-        # Temp fix
-        # https://github.com/docker/build-push-action/issues/252
-        # https://github.com/moby/buildkit/issues/1896
-        name: Move cache
-        run: |
-          rm -rf /tmp/.buildx-cache
-          mv /tmp/.buildx-cache-new /tmp/.buildx-cache
-```
+This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/examples/#cache)

docs/advanced/copy-between-registries.md

@@ -1,73 +1,3 @@
 # Copy images between registries
 
-Multi-platform images built using buildx can be copied from one registry to another without
-changing the image SHA using the [tag-push-action](https://github.com/akhilerm/tag-push-action).
-
-The following workflow will first push the image to dockerhub, run some tests using the images
-and then push to quay and ghcr
-
-```yaml
-name: ci
-
-on:
-  push:
-    branches:
-      - 'main'
-
-jobs:
-  docker:
-    runs-on: ubuntu-latest
-    steps:
-      - 
-        name: Checkout
-        uses: actions/checkout@v2
-      -
-        name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-      - # quay and ghcr logins for pushing image after testing
-        name: Login to Quay Registry
-        uses: docker/login-action@v1 
-        with:
-          registry: quay.io
-          username: ${{ secrets.QUAY_USERNAME }}
-          password: ${{ secrets.QUAY_TOKEN }}
-      -
-        name: Login to GitHub Container Registry
-        uses: docker/login-action@v1
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      -
-        name: Login to DockerHub
-        uses: docker/login-action@v1 
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      -
-        name: Build and push
-        uses: docker/build-push-action@v2
-        with:
-          context: .
-          platforms: linux/amd64,linux/arm64
-          push: true
-          tags: |
-            user/app:latest
-            user/app:1.0.0
-      - # run tests using image from docker hub
-        name: Run Tests
-        run: make tests
-      - # copy multiplatform image from dockerhub to quay and ghcr
-        name: Push Image to multiple registries
-        uses: akhilerm/tag-push-action@v2.0.0
-        with:
-          src: docker.io/user/app:1.0.0
-          dst: |
-            quay.io/user/app:latest
-            quay.io/user/app:1.0.0
-            ghcr.io/user/app:latest
-            ghcr.io/user/app:1.0.0
-```
+This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/examples/#copy-images-between-registries)

docs/advanced/dockerhub-desc.md

@@ -1,48 +1,3 @@
-# Update DockerHub repo description
+# Update Docker Hub repo description
 
-You can update the [DockerHub repository description](https://docs.docker.com/docker-hub/repos/) using
-a third party action called [DockerHub Description](https://github.com/peter-evans/dockerhub-description)
-with this action:
-
-```yaml
-name: ci
-
-on:
-  push:
-    branches:
-      - 'main'
-
-jobs:
-  docker:
-    runs-on: ubuntu-latest
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v2
-      -
-        name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-      -
-        name: Login to DockerHub
-        uses: docker/login-action@v1 
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      -
-        name: Build and push
-        uses: docker/build-push-action@v2
-        with:
-          context: .
-          push: true
-          tags: user/app:latest
-      -
-        name: Update repo description
-        uses: peter-evans/dockerhub-description@v2
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_PASSWORD }}
-          repository: user/app
-```
+This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/examples/#update-docker-hub-repository-description)

docs/advanced/export-docker.md

@@ -1,35 +1,3 @@
 # Export image to Docker
 
-You may want your build result to be available in the Docker client through `docker images` to be able to use it
-in another step of your workflow:
-
-```yaml
-name: ci
-
-on:
-  push:
-    branches:
-      - 'main'
-
-jobs:
-  docker:
-    runs-on: ubuntu-latest
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v2
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-      -
-        name: Build
-        uses: docker/build-push-action@v2
-        with:
-          context: .
-          load: true
-          tags: myimage:latest
-      -
-        name: Inspect
-        run: |
-          docker image inspect myimage:latest
-```
+This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/examples/#export-image-to-docker)

docs/advanced/isolated-builders.md

@@ -1,44 +1,3 @@
 # Isolated builders
 
-```yaml
-name: ci
-
-on:
-  push:
-    branches:
-      - 'main'
-
-jobs:
-  docker:
-    runs-on: ubuntu-latest
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v2
-      -
-        uses: docker/setup-buildx-action@v1
-        id: builder1
-      -
-        uses: docker/setup-buildx-action@v1
-        id: builder2
-      -
-        name: Builder 1 name
-        run: echo ${{ steps.builder1.outputs.name }}
-      -
-        name: Builder 2 name
-        run: echo ${{ steps.builder2.outputs.name }}
-      -
-        name: Build against builder1
-        uses: docker/build-push-action@v2
-        with:
-          builder: ${{ steps.builder1.outputs.name }}
-          context: .
-          target: mytarget1
-      -
-        name: Build against builder2
-        uses: docker/build-push-action@v2
-        with:
-          builder: ${{ steps.builder2.outputs.name }}
-          context: .
-          target: mytarget2
-```
+This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/configure-builder/#isolated-builders)

docs/advanced/local-registry.md

@@ -1,44 +1,3 @@
 # Local registry
 
-For testing purposes you may need to create a [local registry](https://hub.docker.com/_/registry) to push images into:
-
-```yaml
-name: ci
-
-on:
-  push:
-    branches:
-      - 'main'
-
-jobs:
-  docker:
-    runs-on: ubuntu-latest
-    services:
-      registry:
-        image: registry:2
-        ports:
-          - 5000:5000
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v2
-      -
-        name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-        with:
-          driver-opts: network=host
-      -
-        name: Build and push to local registry
-        uses: docker/build-push-action@v2
-        with:
-          context: .
-          push: true
-          tags: localhost:5000/name/app:latest
-      -
-        name: Inspect
-        run: |
-          docker buildx imagetools inspect localhost:5000/name/app:latest
-```
+This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/examples/#local-registry)

docs/advanced/multi-platform.md

@@ -1,44 +1,3 @@
 # Multi-platform image
 
-You can build multi-platform images using the [`platforms` input](../../README.md#inputs) as described below.
-
-> :bulb: List of available platforms will be displayed and available through our [setup-buildx](https://github.com/docker/setup-buildx-action#about) action.
-
-> :bulb: If you want support for more platforms, you can use QEMU with our [setup-qemu](https://github.com/docker/setup-qemu-action) action.
-
-```yaml
-name: ci
-
-on:
-  push:
-    branches:
-      - 'main'
-
-jobs:
-  docker:
-    runs-on: ubuntu-latest
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v2
-      -
-        name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-      -
-        name: Login to DockerHub
-        uses: docker/login-action@v1 
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      -
-        name: Build and push
-        uses: docker/build-push-action@v2
-        with:
-          context: .
-          platforms: linux/amd64,linux/arm64
-          push: true
-          tags: user/app:latest
-```
+This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/examples/#multi-platform-images)

docs/advanced/named-contexts.md

@@ -0,0 +1,3 @@
+# Named contexts
+
+This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/examples/#named-contexts)

docs/advanced/push-multi-registries.md

@@ -1,57 +1,3 @@
 # Push to multi-registries
 
-* [Docker Hub and GHCR](#docker-hub-and-ghcr)
-
-## Docker Hub and GHCR
-
-The following workflow will connect you to [DockerHub](https://github.com/docker/login-action#dockerhub)
-and [GitHub Container Registry](https://github.com/docker/login-action#github-container-registry) and push the
-image to these registries.
-
-```yaml
-name: ci
-
-on:
-  push:
-    branches:
-      - 'main'
-
-jobs:
-  docker:
-    runs-on: ubuntu-latest
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v2
-      -
-        name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-      -
-        name: Login to DockerHub
-        uses: docker/login-action@v1 
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      -
-        name: Login to GitHub Container Registry
-        uses: docker/login-action@v1 
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      -
-        name: Build and push
-        uses: docker/build-push-action@v2
-        with:
-          context: .
-          platforms: linux/amd64,linux/arm64
-          push: true
-          tags: |
-            user/app:latest
-            user/app:1.0.0
-            ghcr.io/user/app:latest
-            ghcr.io/user/app:1.0.0
-```
+This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/examples/#push-to-multi-registries)

docs/advanced/secrets.md

@@ -1,84 +1,3 @@
 # Secrets
 
-In the following example we will expose and use the [GITHUB_TOKEN secret](https://docs.github.com/en/actions/reference/authentication-in-a-workflow#about-the-github_token-secret)
-as provided by GitHub in your workflow.
-
-First let's create our `Dockerfile` to use our secret:
-
-```Dockerfile
-#syntax=docker/dockerfile:1.2
-
-FROM alpine
-RUN --mount=type=secret,id=github_token \
-  cat /run/secrets/github_token
-```
-
-As you can see we have named our secret `github_token`. Here is the workflow you can use to expose this secret using
-the [`secrets` input](../../README.md#inputs):
-
-```yaml
-name: ci
-
-on:
-  push:
-    branches:
-      - 'main'
-
-jobs:
-  docker:
-    runs-on: ubuntu-latest
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v2
-      -
-        name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-      -
-        name: Build
-        uses: docker/build-push-action@v2
-        with:
-          context: .
-          platforms: linux/amd64,linux/arm64
-          tags: user/app:latest
-          secrets: |
-            "github_token=${{ secrets.GITHUB_TOKEN }}"
-```
-
-> :bulb: You can also expose a secret file to the build with [`secret-files`](../../README.md#inputs) input:
-> ```yaml
-> secret-files: |
->   "MY_SECRET=./secret.txt"
-> ```
-
-If you're using [GitHub secrets](https://docs.github.com/en/actions/reference/encrypted-secrets) and need to handle
-multi-line value, you will need to place the key-value pair between quotes:
-
-```yaml
-secrets: |
-  "MYSECRET=${{ secrets.GPG_KEY }}"
-  GIT_AUTH_TOKEN=abcdefghi,jklmno=0123456789
-  "MYSECRET=aaaaaaaa
-  bbbbbbb
-  ccccccccc"
-  FOO=bar
-  "EMPTYLINE=aaaa
-  
-  bbbb
-  ccc"
-  "JSON_SECRET={""key1"":""value1"",""key2"":""value2""}"
-```
-
-| Key                | Value                                            |
-|--------------------|--------------------------------------------------|
-| `MYSECRET`         | `***********************` |
-| `GIT_AUTH_TOKEN`   | `abcdefghi,jklmno=0123456789` |
-| `MYSECRET`         | `aaaaaaaa\nbbbbbbb\nccccccccc` |
-| `FOO`              | `bar` |
-| `EMPTYLINE`        | `aaaa\n\nbbbb\nccc` |
-| `JSON_SECRET`      | `{"key1":"value1","key2":"value2"}` |
-
-> :bulb: All quote signs need to be doubled for escaping.
+This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/examples/#secrets)

docs/advanced/share-image-jobs.md

@@ -1,58 +1,3 @@
 # Share built image between jobs
 
-As each job is isolated in its own runner you cannot use your built image between jobs (except for [self-hosted runners](https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners)).
-However, you can [pass data between jobs in a workflow](https://docs.github.com/en/actions/guides/storing-workflow-data-as-artifacts#passing-data-between-jobs-in-a-workflow)
-using the [actions/upload-artifact](https://github.com/actions/upload-artifact) and [actions/download-artifact](https://github.com/actions/download-artifact)
-actions:
-
-```yaml
-name: ci
-
-on:
-  push:
-    branches:
-      - 'main'
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v2
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-      -
-        name: Build and export
-        uses: docker/build-push-action@v2
-        with:
-          context: .
-          tags: myimage:latest
-          outputs: type=docker,dest=/tmp/myimage.tar
-      -
-        name: Upload artifact
-        uses: actions/upload-artifact@v2
-        with:
-          name: myimage
-          path: /tmp/myimage.tar
-
-  use:
-    runs-on: ubuntu-latest
-    needs: build
-    steps:
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-      -
-        name: Download artifact
-        uses: actions/download-artifact@v2
-        with:
-          name: myimage
-          path: /tmp
-      -
-        name: Load image
-        run: |
-          docker load --input /tmp/myimage.tar
-          docker image ls -a
-```
+This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/examples/#share-built-image-between-jobs)

docs/advanced/tags-labels.md

@@ -1,76 +1,3 @@
 # Handle tags and labels
 
-If you want an "automatic" tag management and [OCI Image Format Specification](https://github.com/opencontainers/image-spec/blob/master/annotations.md)
-for labels, you can do it in a dedicated step. The following workflow will use the [Docker metadata action](https://github.com/docker/metadata-action)
-to handle tags and labels based on GitHub actions events and Git metadata.
-
-```yaml
-name: ci
-
-on:
-  schedule:
-    - cron: '0 10 * * *'
-  push:
-    branches:
-      - '**'
-    tags:
-      - 'v*.*.*'
-  pull_request:
-    branches:
-      - 'main'
-
-jobs:
-  docker:
-    runs-on: ubuntu-latest
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v2
-      -
-        name: Docker meta
-        id: meta
-        uses: docker/metadata-action@v3
-        with:
-          # list of Docker images to use as base name for tags
-          images: |
-            name/app
-            ghcr.io/username/app
-          # generate Docker tags based on the following events/attributes
-          tags: |
-            type=schedule
-            type=ref,event=branch
-            type=ref,event=pr
-            type=semver,pattern={{version}}
-            type=semver,pattern={{major}}.{{minor}}
-            type=semver,pattern={{major}}
-            type=sha
-      -
-        name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-      -
-        name: Login to DockerHub
-        if: github.event_name != 'pull_request'
-        uses: docker/login-action@v1 
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      -
-        name: Login to GHCR
-        if: github.event_name != 'pull_request'
-        uses: docker/login-action@v1
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      -
-        name: Build and push
-        uses: docker/build-push-action@v2
-        with:
-          context: .
-          push: ${{ github.event_name != 'pull_request' }}
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-```
+This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/examples/#manage-tags-and-labels)

docs/advanced/test-before-push.md

@@ -1,64 +1,3 @@
 # Test your image before pushing it
 
-In some cases, you might want to validate that the image works as expected
-before pushing it.
-
-The workflow below will be composed of several steps to achieve this:
-* Build and export the image to Docker
-* Test your image
-* Multi-platform build and push the image
-
-```yaml
-name: ci
-
-on:
-  push:
-    branches:
-      - 'main'
-
-env:
-  TEST_TAG: user/myapp:test
-
-jobs:
-  docker:
-    runs-on: ubuntu-latest
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v2
-      -
-        name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-      -
-        name: Login to DockerHub
-        uses: docker/login-action@v1
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      -
-        name: Build and export to Docker
-        uses: docker/build-push-action@v2
-        with:
-          context: .
-          load: true
-          tags: ${{ env.TEST_TAG }}
-      -
-        name: Test
-        run: |
-          docker run --rm ${{ env.TEST_TAG }}
-      -
-        name: Build and push
-        uses: docker/build-push-action@v2
-        with:
-          context: .
-          platforms: linux/amd64,linux/arm64
-          push: true
-          tags: user/app:latest
-```
-
-> :bulb: Build time will not be increased with this workflow because internal
-> cache for `linux/amd64` will be used from previous step on `Build and push`
-> step so only `linux/arm64` will be actually built.
+This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/examples/#test-your-image-before-pushing-it)

jest.config.ts

@@ -1,5 +1,15 @@
+process.env = Object.assign({}, process.env, {
+  RUNNER_TEMP: '/tmp/github_runner',
+  RUNNER_TOOL_CACHE: '/tmp/github_tool_cache',
+  GITHUB_REPOSITORY: 'docker/build-push-action',
+  GITHUB_RUN_ID: '123456789'
+}) as {
+  [key: string]: string;
+};
+
 module.exports = {
   clearMocks: false,
+  testEnvironment: 'node',
   moduleFileExtensions: ['js', 'ts'],
   setupFiles: ['dotenv/config'],
   testMatch: ['**/*.test.ts'],

package.json

@@ -28,11 +28,12 @@
   ],
   "license": "Apache-2.0",
   "dependencies": {
-    "@actions/core": "^1.6.0",
+    "@actions/core": "^1.10.0",
     "@actions/exec": "^1.1.1",
-    "@actions/github": "^5.0.1",
-    "csv-parse": "^5.0.4",
+    "@actions/github": "^5.1.1",
+    "csv-parse": "^5.3.3",
     "handlebars": "^4.7.7",
+    "jwt-decode": "^3.1.2",
     "semver": "^7.3.7",
     "tmp": "^0.2.1"
   },

src/buildx.ts

@@ -3,9 +3,24 @@ import fs from 'fs';
 import path from 'path';
 import * as semver from 'semver';
 import * as exec from '@actions/exec';
-
 import * as context from './context';
 
+export type Builder = {
+  name?: string;
+  driver?: string;
+  nodes: Node[];
+};
+
+export type Node = {
+  name?: string;
+  endpoint?: string;
+  'driver-opts'?: Array<string>;
+  status?: string;
+  'buildkitd-flags'?: string;
+  buildkit?: string;
+  platforms?: string;
+};
+
 export async function getImageIDFile(): Promise<string> {
   return path.join(context.tmpDir(), 'iidfile').split(path.sep).join(path.posix.sep);
 }
@@ -126,6 +141,112 @@ export async function isAvailable(standalone?: boolean): Promise<boolean> {
     });
 }
 
+export async function satisfiesBuildKitVersion(builderName: string, range: string, standalone?: boolean): Promise<boolean> {
+  const builderInspect = await inspect(builderName, standalone);
+  for (const node of builderInspect.nodes) {
+    if (!node.buildkit) {
+      return false;
+    }
+    // BuildKit version reported by moby is in the format of `v0.11.0-moby`
+    if (builderInspect.driver == 'docker' && !node.buildkit.endsWith('-moby')) {
+      return false;
+    }
+    const version = node.buildkit.replace(/-moby$/, '');
+    if (!semver.satisfies(version, range)) {
+      return false;
+    }
+  }
+  return true;
+}
+
+async function inspect(name: string, standalone?: boolean): Promise<Builder> {
+  const cmd = getCommand(['inspect', name], standalone);
+  return await exec
+    .getExecOutput(cmd.command, cmd.args, {
+      ignoreReturnCode: true,
+      silent: true
+    })
+    .then(res => {
+      if (res.stderr.length > 0 && res.exitCode != 0) {
+        throw new Error(res.stderr.trim());
+      }
+      return parseInspect(res.stdout);
+    });
+}
+
+async function parseInspect(data: string): Promise<Builder> {
+  const builder: Builder = {
+    nodes: []
+  };
+  let node: Node = {};
+  for (const line of data.trim().split(`\n`)) {
+    const [key, ...rest] = line.split(':');
+    const value = rest.map(v => v.trim()).join(':');
+    if (key.length == 0 || value.length == 0) {
+      continue;
+    }
+    switch (key.toLowerCase()) {
+      case 'name': {
+        if (builder.name == undefined) {
+          builder.name = value;
+        } else {
+          if (Object.keys(node).length > 0) {
+            builder.nodes.push(node);
+            node = {};
+          }
+          node.name = value;
+        }
+        break;
+      }
+      case 'driver': {
+        builder.driver = value;
+        break;
+      }
+      case 'endpoint': {
+        node.endpoint = value;
+        break;
+      }
+      case 'driver options': {
+        node['driver-opts'] = (value.match(/(\w+)="([^"]*)"/g) || []).map(v => v.replace(/^(.*)="(.*)"$/g, '$1=$2'));
+        break;
+      }
+      case 'status': {
+        node.status = value;
+        break;
+      }
+      case 'flags': {
+        node['buildkitd-flags'] = value;
+        break;
+      }
+      case 'buildkit': {
+        node.buildkit = value;
+        break;
+      }
+      case 'platforms': {
+        let platforms: Array<string> = [];
+        // if a preferred platform is being set then use only these
+        // https://docs.docker.com/engine/reference/commandline/buildx_inspect/#get-information-about-a-builder-instance
+        if (value.includes('*')) {
+          for (const platform of value.split(', ')) {
+            if (platform.includes('*')) {
+              platforms.push(platform.replace('*', ''));
+            }
+          }
+        } else {
+          // otherwise set all platforms available
+          platforms = value.split(', ');
+        }
+        node.platforms = platforms.join(',');
+        break;
+      }
+    }
+  }
+  if (Object.keys(node).length > 0) {
+    builder.nodes.push(node);
+  }
+  return builder;
+}
+
 export async function getVersion(standalone?: boolean): Promise<string> {
   const cmd = getCommand(['version'], standalone);
   return await exec

src/context.ts

@@ -1,14 +1,11 @@
-import {parse} from 'csv-parse/sync';
 import * as fs from 'fs';
 import * as os from 'os';
 import * as path from 'path';
 import * as tmp from 'tmp';
-
-import * as core from '@actions/core';
-import {issueCommand} from '@actions/core/lib/command';
-import * as github from '@actions/github';
-
 import * as buildx from './buildx';
+import * as core from '@actions/core';
+import * as github from '@actions/github';
+import {parse} from 'csv-parse/sync';
 import * as handlebars from 'handlebars';
 
 let _defaultContext, _tmpDir: string;
@@ -16,6 +13,7 @@ let _defaultContext, _tmpDir: string;
 export interface Inputs {
   addHosts: string[];
   allow: string[];
+  attests: string[];
   buildArgs: string[];
   buildContexts: string[];
   builder: string;
@@ -28,10 +26,13 @@ export interface Inputs {
   load: boolean;
   network: string;
   noCache: boolean;
+  noCacheFilters: string[];
   outputs: string[];
   platforms: string[];
+  provenance: string;
   pull: boolean;
   push: boolean;
+  sbom: string;
   secrets: string[];
   secretFiles: string[];
   shmSize: string;
@@ -67,10 +68,15 @@ export function tmpNameSync(options?: tmp.TmpNameOptions): string {
   return tmp.tmpNameSync(options);
 }
 
+export function provenanceBuilderID(): string {
+  return `${process.env.GITHUB_SERVER_URL || 'https://github.com'}/${github.context.repo.owner}/${github.context.repo.repo}/actions/runs/${github.context.runId}`;
+}
+
 export async function getInputs(defaultContext: string): Promise<Inputs> {
   return {
     addHosts: await getInputList('add-hosts'),
     allow: await getInputList('allow'),
+    attests: await getInputList('attests', true),
     buildArgs: await getInputList('build-args', true),
     buildContexts: await getInputList('build-contexts', true),
     builder: core.getInput('builder'),
@@ -83,10 +89,13 @@ export async function getInputs(defaultContext: string): Promise<Inputs> {
     load: core.getBooleanInput('load'),
     network: core.getInput('network'),
     noCache: core.getBooleanInput('no-cache'),
+    noCacheFilters: await getInputList('no-cache-filters'),
     outputs: await getInputList('outputs', true),
     platforms: await getInputList('platforms'),
+    provenance: getProvenanceInput('provenance'),
     pull: core.getBooleanInput('pull'),
     push: core.getBooleanInput('push'),
+    sbom: core.getInput('sbom'),
     secrets: await getInputList('secrets', true),
     secretFiles: await getInputList('secret-files', true),
     shmSize: core.getInput('shm-size'),
@@ -98,16 +107,17 @@ export async function getInputs(defaultContext: string): Promise<Inputs> {
   };
 }
 
-export async function getArgs(inputs: Inputs, defaultContext: string, buildxVersion: string): Promise<Array<string>> {
+export async function getArgs(inputs: Inputs, defaultContext: string, buildxVersion: string, standalone?: boolean): Promise<Array<string>> {
+  const context = handlebars.compile(inputs.context)({defaultContext});
   // prettier-ignore
   return [
-    ...await getBuildArgs(inputs, defaultContext, buildxVersion),
+    ...await getBuildArgs(inputs, defaultContext, context, buildxVersion, standalone),
     ...await getCommonArgs(inputs, buildxVersion),
-    handlebars.compile(inputs.context)({defaultContext})
+    context
   ];
 }
 
-async function getBuildArgs(inputs: Inputs, defaultContext: string, buildxVersion: string): Promise<Array<string>> {
+async function getBuildArgs(inputs: Inputs, defaultContext: string, context: string, buildxVersion: string, standalone?: boolean): Promise<Array<string>> {
   const args: Array<string> = ['build'];
   await asyncForEach(inputs.addHosts, async addHost => {
     args.push('--add-host', addHost);
@@ -115,6 +125,11 @@ async function getBuildArgs(inputs: Inputs, defaultContext: string, buildxVersio
   if (inputs.allow.length > 0) {
     args.push('--allow', inputs.allow.join(','));
   }
+  if (buildx.satisfies(buildxVersion, '>=0.10.0')) {
+    await asyncForEach(inputs.attests, async attest => {
+      args.push('--attest', attest);
+    });
+  }
   await asyncForEach(inputs.buildArgs, async buildArg => {
     args.push('--build-arg', buildArg);
   });
@@ -141,12 +156,35 @@ async function getBuildArgs(inputs: Inputs, defaultContext: string, buildxVersio
   await asyncForEach(inputs.labels, async label => {
     args.push('--label', label);
   });
+  await asyncForEach(inputs.noCacheFilters, async noCacheFilter => {
+    args.push('--no-cache-filter', noCacheFilter);
+  });
   await asyncForEach(inputs.outputs, async output => {
     args.push('--output', output);
   });
   if (inputs.platforms.length > 0) {
     args.push('--platform', inputs.platforms.join(','));
   }
+  if (buildx.satisfies(buildxVersion, '>=0.10.0')) {
+    if (inputs.provenance) {
+      args.push('--provenance', inputs.provenance);
+    } else if ((await buildx.satisfiesBuildKitVersion(inputs.builder, '>=0.11.0', standalone)) && !hasDockerExport(inputs)) {
+      // if provenance not specified and BuildKit version compatible for
+      // attestation, set default provenance. Also needs to make sure user
+      // doesn't want to explicitly load the image to docker.
+      if (fromPayload('repository.private') !== false) {
+        // if this is a private repository, we set the default provenance
+        // attributes being set in buildx: https://github.com/docker/buildx/blob/fb27e3f919dcbf614d7126b10c2bc2d0b1927eb6/build/build.go#L603
+        args.push('--provenance', getProvenanceAttrs(`mode=min,inline-only=true`));
+      } else {
+        // for a public repository, we set max provenance mode.
+        args.push('--provenance', getProvenanceAttrs(`mode=max`));
+      }
+    }
+    if (inputs.sbom) {
+      args.push('--sbom', inputs.sbom);
+    }
+  }
   await asyncForEach(inputs.secrets, async secret => {
     try {
       args.push('--secret', await buildx.getSecretString(secret));
@@ -161,7 +199,7 @@ async function getBuildArgs(inputs: Inputs, defaultContext: string, buildxVersio
       core.warning(err.message);
     }
   });
-  if (inputs.githubToken && !buildx.hasGitAuthToken(inputs.secrets) && inputs.context == defaultContext) {
+  if (inputs.githubToken && !buildx.hasGitAuthToken(inputs.secrets) && context.startsWith(defaultContext)) {
     args.push('--secret', await buildx.getSecretString(`GIT_AUTH_TOKEN=${inputs.githubToken}`));
   }
   if (inputs.shmSize) {
@@ -243,7 +281,81 @@ export const asyncForEach = async (array, callback) => {
   }
 };
 
-// FIXME: Temp fix https://github.com/actions/toolkit/issues/777
-export function setOutput(name: string, value: unknown): void {
-  issueCommand('set-output', {name}, value);
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+function fromPayload(path: string): any {
+  return select(github.context.payload, path);
+}
+
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+function select(obj: any, path: string): any {
+  if (!obj) {
+    return undefined;
+  }
+  const i = path.indexOf('.');
+  if (i < 0) {
+    return obj[path];
+  }
+  const key = path.slice(0, i);
+  return select(obj[key], path.slice(i + 1));
+}
+
+function getProvenanceInput(name: string): string {
+  const input = core.getInput(name);
+  if (!input) {
+    // if input is not set, default values will be set later.
+    return input;
+  }
+  const builderID = provenanceBuilderID();
+  try {
+    return core.getBooleanInput(name) ? `builder-id=${builderID}` : 'false';
+  } catch (err) {
+    // not a valid boolean, so we assume it's a string
+    return getProvenanceAttrs(input);
+  }
+}
+
+function getProvenanceAttrs(input: string): string {
+  const builderID = provenanceBuilderID();
+  // parse attributes from input
+  const fields = parse(input, {
+    relaxColumnCount: true,
+    skipEmptyLines: true
+  })[0];
+  // check if builder-id attribute exists in the input
+  for (const field of fields) {
+    const parts = field
+      .toString()
+      .split(/(?<=^[^=]+?)=/)
+      .map(item => item.trim());
+    if (parts[0] == 'builder-id') {
+      return input;
+    }
+  }
+  // if not add builder-id attribute
+  return `${input},builder-id=${builderID}`;
+}
+
+function hasDockerExport(inputs: Inputs): boolean {
+  if (inputs.load) {
+    return true;
+  }
+  for (const output of inputs.outputs) {
+    const fields = parse(output, {
+      relaxColumnCount: true,
+      skipEmptyLines: true
+    })[0];
+    for (const field of fields) {
+      const parts = field
+        .toString()
+        .split(/(?<=^[^=]+?)=/)
+        .map(item => item.trim());
+      if (parts.length != 2) {
+        continue;
+      }
+      if (parts[0] == 'type' && parts[1] == 'docker') {
+        return true;
+      }
+    }
+  }
+  return false;
 }

src/github.ts

@@ -0,0 +1,9 @@
+import jwt_decode, {JwtPayload} from 'jwt-decode';
+
+interface Jwt extends JwtPayload {
+  ac?: string;
+}
+
+export const parseRuntimeToken = (token: string): Jwt => {
+  return jwt_decode<Jwt>(token);
+};

src/main.ts

@@ -2,6 +2,7 @@ import * as fs from 'fs';
 import * as buildx from './buildx';
 import * as context from './context';
 import * as docker from './docker';
+import * as github from './github';
 import * as stateHelper from './state-helper';
 import * as core from '@actions/core';
 import * as exec from '@actions/exec';
@@ -14,6 +15,15 @@ async function run(): Promise<void> {
     // standalone if docker cli not available
     const standalone = !(await docker.isAvailable());
 
+    await core.group(`GitHub Actions runtime token access controls`, async () => {
+      const actionsRuntimeToken = process.env['ACTIONS_RUNTIME_TOKEN'];
+      if (actionsRuntimeToken) {
+        core.info(JSON.stringify(JSON.parse(github.parseRuntimeToken(actionsRuntimeToken).ac as string), undefined, 2));
+      } else {
+        core.info(`ACTIONS_RUNTIME_TOKEN not set`);
+      }
+    });
+
     core.startGroup(`Docker info`);
     if (standalone) {
       core.info(`Docker info skipped in standalone mode`);
@@ -41,7 +51,7 @@ async function run(): Promise<void> {
       });
     });
 
-    const args: string[] = await context.getArgs(inputs, defContext, buildxVersion);
+    const args: string[] = await context.getArgs(inputs, defContext, buildxVersion, standalone);
     const buildCmd = buildx.getCommand(args, standalone);
     await exec
       .getExecOutput(buildCmd.command, buildCmd.args, {
@@ -60,19 +70,19 @@ async function run(): Promise<void> {
     if (imageID) {
       await core.group(`ImageID`, async () => {
         core.info(imageID);
-        context.setOutput('imageid', imageID);
+        core.setOutput('imageid', imageID);
       });
     }
     if (digest) {
       await core.group(`Digest`, async () => {
         core.info(digest);
-        context.setOutput('digest', digest);
+        core.setOutput('digest', digest);
       });
     }
     if (metadata) {
       await core.group(`Metadata`, async () => {
         core.info(metadata);
-        context.setOutput('metadata', metadata);
+        core.setOutput('metadata', metadata);
       });
     }
   } catch (error) {
@@ -83,7 +93,7 @@ async function run(): Promise<void> {
 async function cleanup(): Promise<void> {
   if (stateHelper.tmpDir.length > 0) {
     core.startGroup(`Removing temp folder ${stateHelper.tmpDir}`);
-    fs.rmdirSync(stateHelper.tmpDir, {recursive: true});
+    fs.rmSync(stateHelper.tmpDir, {recursive: true});
     core.endGroup();
   }
 }

test/Dockerfile

@@ -1,3 +1,3 @@
+# syntax=docker/dockerfile:1
 FROM alpine
-
 RUN echo "Hello world!"

test/addhost.Dockerfile

@@ -1,2 +1,3 @@
+# syntax=docker/dockerfile:1
 FROM busybox
 RUN cat /etc/hosts

test/buildcontext.Dockerfile

@@ -1,3 +1,3 @@
-# syntax=docker/dockerfile-upstream:master
+# syntax=docker/dockerfile:1
 FROM alpine
 RUN cat /etc/*release

test/cgroup.Dockerfile

@@ -1,2 +1,3 @@
+# syntax=docker/dockerfile:1
 FROM alpine
 RUN cat /proc/self/cgroup

test/go/Dockerfile

@@ -0,0 +1,16 @@
+FROM golang:1.19-alpine AS base
+ENV CGO_ENABLED=0
+RUN apk add --no-cache file git
+WORKDIR /src
+
+FROM base as build
+COPY go.mod go.sum ./
+RUN go mod download -x
+COPY . .
+RUN go build -ldflags "-s -w" -o /usr/bin/app .
+
+FROM scratch AS binary
+COPY --from=build /usr/bin/app /bin/app
+
+FROM alpine:3.17 AS image
+COPY --from=build /usr/bin/app /bin/app

test/go/go.mod

@@ -0,0 +1,19 @@
+module github.com/docker/build-push-action/test/go
+
+go 1.18
+
+require github.com/labstack/echo/v4 v4.9.1
+
+require (
+	github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
+	github.com/labstack/gommon v0.4.0 // indirect
+	github.com/mattn/go-colorable v0.1.11 // indirect
+	github.com/mattn/go-isatty v0.0.14 // indirect
+	github.com/valyala/bytebufferpool v1.0.0 // indirect
+	github.com/valyala/fasttemplate v1.2.1 // indirect
+	golang.org/x/crypto v0.0.0-20210817164053-32db794688a5 // indirect
+	golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f // indirect
+	golang.org/x/sys v0.0.0-20211103235746-7861aae1554b // indirect
+	golang.org/x/text v0.3.7 // indirect
+	golang.org/x/time v0.0.0-20201208040808-7e3f01d25324 // indirect
+)

test/go/go.sum

@@ -0,0 +1,38 @@
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
+github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
+github.com/labstack/echo/v4 v4.9.1 h1:GliPYSpzGKlyOhqIbG8nmHBo3i1saKWFOgh41AN3b+Y=
+github.com/labstack/echo/v4 v4.9.1/go.mod h1:Pop5HLc+xoc4qhTZ1ip6C0RtP7Z+4VzRLWZZFKqbbjo=
+github.com/labstack/gommon v0.4.0 h1:y7cvthEAEbU0yHOf4axH8ZG2NH8knB9iNSoTO8dyIk8=
+github.com/labstack/gommon v0.4.0/go.mod h1:uW6kP17uPlLJsD3ijUYn3/M5bAxtlZhMI6m3MFxTMTM=
+github.com/mattn/go-colorable v0.1.11 h1:nQ+aFkoE2TMGc0b68U2OKSexC+eq46+XwZzWXHRmPYs=
+github.com/mattn/go-colorable v0.1.11/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4=
+github.com/mattn/go-isatty v0.0.14 h1:yVuAays6BHfxijgZPzw+3Zlu5yQgKGP2/hcQbHb7S9Y=
+github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw=
+github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
+github.com/valyala/fasttemplate v1.2.1 h1:TVEnxayobAdVkhQfrfes2IzOB6o+z4roRkPF52WA1u4=
+github.com/valyala/fasttemplate v1.2.1/go.mod h1:KHLXt3tVN2HBp8eijSv/kGJopbvo7S+qRAEEKiv+SiQ=
+golang.org/x/crypto v0.0.0-20210817164053-32db794688a5 h1:HWj/xjIHfjYU5nVXpTM0s39J9CbLn7Cc5a7IC5rwsMQ=
+golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f h1:OfiFi4JbukWwe3lzw+xunroH1mnC1e2Gy5cxNJApiSY=
+golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20211103235746-7861aae1554b h1:1VkfZQv42XQlA/jchYumAnv1UPo6RgF9rJFkTgZIxO4=
+golang.org/x/sys v0.0.0-20211103235746-7861aae1554b/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/time v0.0.0-20201208040808-7e3f01d25324 h1:Hir2P/De0WpUhtrKGGjvSb2YxUgyZ7EFOSLIcSSpiwE=
+golang.org/x/time v0.0.0-20201208040808-7e3f01d25324/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo=
+gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

test/go/main.go

@@ -0,0 +1,31 @@
+package main
+
+import (
+	"net/http"
+	"os"
+
+	"github.com/labstack/echo/v4"
+	"github.com/labstack/echo/v4/middleware"
+)
+
+func main() {
+	e := echo.New()
+
+	e.Use(middleware.Logger())
+	e.Use(middleware.Recover())
+
+	e.GET("/", func(c echo.Context) error {
+		return c.HTML(http.StatusOK, "Hello World")
+	})
+
+	e.GET("/ping", func(c echo.Context) error {
+		return c.JSON(http.StatusOK, struct{ Status string }{Status: "OK"})
+	})
+
+	httpPort := os.Getenv("HTTP_PORT")
+	if httpPort == "" {
+		httpPort = "8080"
+	}
+
+	e.Logger.Fatal(e.Start(":" + httpPort))
+}

test/multi-sudo.Dockerfile

@@ -1,9 +1,8 @@
+# syntax=docker/dockerfile:1
 FROM --platform=$BUILDPLATFORM golang:alpine AS build
-
 ARG TARGETPLATFORM
 ARG BUILDPLATFORM
 RUN echo "I am running on $BUILDPLATFORM, building for $TARGETPLATFORM" > /log
-
 RUN apk --update --no-cache add \
     shadow \
     sudo \
@@ -17,6 +16,5 @@ RUN sudo chown buildx. /log
 USER root
 
 FROM alpine
-
 COPY --from=build /log /log
 RUN ls -al /log

test/multi.Dockerfile

@@ -1,3 +1,4 @@
+# syntax=docker/dockerfile:1
 FROM --platform=$BUILDPLATFORM golang:alpine AS build
 
 ARG TARGETPLATFORM

test/nocachefilter.Dockerfile

@@ -0,0 +1,9 @@
+# syntax=docker/dockerfile:1
+FROM busybox AS base
+RUN echo "Hello world!" > /hello
+
+FROM alpine AS build
+COPY --from=base /hello /hello
+RUN uname -a
+
+FROM build

test/secret.Dockerfile

@@ -0,0 +1,4 @@
+# syntax=docker/dockerfile:1
+FROM busybox
+RUN --mount=type=secret,id=MYSECRET \
+  echo "MYSECRET=$(cat /run/secrets/MYSECRET)"

test/shmsize.Dockerfile

@@ -1,2 +1,3 @@
+# syntax=docker/dockerfile:1
 FROM busybox
 RUN mount | grep /dev/shm

test/ulimit.Dockerfile

@@ -1,2 +1,3 @@
+# syntax=docker/dockerfile:1
 FROM busybox
 RUN ulimit -a

yarn.lock

@@ -2,12 +2,13 @@
 # yarn lockfile v1
 
 
-"@actions/core@^1.6.0":
-  version "1.6.0"
-  resolved "https://registry.yarnpkg.com/@actions/core/-/core-1.6.0.tgz#0568e47039bfb6a9170393a73f3b7eb3b22462cb"
-  integrity sha512-NB1UAZomZlCV/LmJqkLhNTqtKfFXJZAUPcfl/zqG7EfsQdeUJtaWO98SGbuQ3pydJ3fHl2CvI/51OKYlCYYcaw==
+"@actions/core@^1.10.0":
+  version "1.10.0"
+  resolved "https://registry.yarnpkg.com/@actions/core/-/core-1.10.0.tgz#44551c3c71163949a2f06e94d9ca2157a0cfac4f"
+  integrity sha512-2aZDDa3zrrZbP5ZYg159sNoLRb61nQ7awl5pSvIq5Qpj81vwDzdMRKzkWJGJuwVvWpvZKx7vspJALyvaaIQyug==
   dependencies:
-    "@actions/http-client" "^1.0.11"
+    "@actions/http-client" "^2.0.1"
+    uuid "^8.3.2"
 
 "@actions/exec@^1.1.1":
   version "1.1.1"
@@ -16,22 +17,22 @@
   dependencies:
     "@actions/io" "^1.0.1"
 
-"@actions/github@^5.0.1":
-  version "5.0.1"
-  resolved "https://registry.yarnpkg.com/@actions/github/-/github-5.0.1.tgz#5fdbe371d9a592038668be95d12421361585fba1"
-  integrity sha512-JZGyPM9ektb8NVTTI/2gfJ9DL7Rk98tQ7OVyTlgTuaQroariRBsOnzjy0I2EarX4xUZpK88YyO503fhmjFdyAg==
+"@actions/github@^5.1.1":
+  version "5.1.1"
+  resolved "https://registry.yarnpkg.com/@actions/github/-/github-5.1.1.tgz#40b9b9e1323a5efcf4ff7dadd33d8ea51651bbcb"
+  integrity sha512-Nk59rMDoJaV+mHCOJPXuvB1zIbomlKS0dmSIqPGxd0enAXBnOfn4VWF+CGtRCwXZG9Epa54tZA7VIRlJDS8A6g==
   dependencies:
-    "@actions/http-client" "^1.0.11"
+    "@actions/http-client" "^2.0.1"
     "@octokit/core" "^3.6.0"
     "@octokit/plugin-paginate-rest" "^2.17.0"
     "@octokit/plugin-rest-endpoint-methods" "^5.13.0"
 
-"@actions/http-client@^1.0.11":
-  version "1.0.11"
-  resolved "https://registry.yarnpkg.com/@actions/http-client/-/http-client-1.0.11.tgz#c58b12e9aa8b159ee39e7dd6cbd0e91d905633c0"
-  integrity sha512-VRYHGQV1rqnROJqdMvGUbY/Kn8vriQe/F9HR2AlYHzmKuM/p3kjNuXhmdBfcVgsvRWTz5C5XW5xvndZrVBuAYg==
+"@actions/http-client@^2.0.1":
+  version "2.0.1"
+  resolved "https://registry.yarnpkg.com/@actions/http-client/-/http-client-2.0.1.tgz#873f4ca98fe32f6839462a6f046332677322f99c"
+  integrity sha512-PIXiMVtz6VvyaRsGY268qvj57hXQEpsYogYOu2nrQhlf+XCGmZstmuZBbAybUl1nQGnvS1k1eEsQ69ZoD7xlSw==
   dependencies:
-    tunnel "0.0.6"
+    tunnel "^0.0.6"
 
 "@actions/io@^1.0.1":
   version "1.0.2"
@@ -1561,7 +1562,7 @@ combined-stream@^1.0.8:
 concat-map@0.0.1:
   version "0.0.1"
   resolved "https://registry.yarnpkg.com/concat-map/-/concat-map-0.0.1.tgz#d8a96bd77fd68df7793a73036a3ba0d5405d477b"
-  integrity sha1-2Klr13/Wjfd5OnMDajug1UBdR3s=
+  integrity sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==
 
 convert-source-map@^1.4.0, convert-source-map@^1.6.0, convert-source-map@^1.7.0:
   version "1.8.0"
@@ -1601,10 +1602,10 @@ cssstyle@^2.3.0:
   dependencies:
     cssom "~0.3.6"
 
-csv-parse@*, csv-parse@^5.0.4:
-  version "5.0.4"
-  resolved "https://registry.yarnpkg.com/csv-parse/-/csv-parse-5.0.4.tgz#97e5e654413bcf95f2714ce09bcb2be6de0eb8e3"
-  integrity sha512-5AIdl8l6n3iYQYxan5djB5eKDa+vBnhfWZtRpJTcrETWfVLYN0WSj3L9RwvgYt+psoO77juUr8TG8qpfGZifVQ==
+csv-parse@*, csv-parse@^5.3.3:
+  version "5.3.3"
+  resolved "https://registry.yarnpkg.com/csv-parse/-/csv-parse-5.3.3.tgz#3b75d2279e2edb550cbc54c65b25cbbf3d0033ad"
+  integrity sha512-kEWkAPleNEdhFNkHQpFHu9RYPogsFj3dx6bCxL847fsiLgidzWg0z/O0B1kVWMJUc5ky64zGp18LX2T3DQrOfw==
 
 data-urls@^2.0.0:
   version "2.0.0"
@@ -2823,11 +2824,14 @@ json-stable-stringify-without-jsonify@^1.0.1:
   integrity sha1-nbe1lJatPzz+8wp1FC0tkwrXJlE=
 
 json5@2.x, json5@^2.1.2:
-  version "2.2.0"
-  resolved "https://registry.yarnpkg.com/json5/-/json5-2.2.0.tgz#2dfefe720c6ba525d9ebd909950f0515316c89a3"
-  integrity sha512-f+8cldu7X/y7RAJurMEJmdoKXGB/X550w2Nr3tTbezL6RwEE/iMcm+tZnXeoZtKuOq6ft8+CqzEkrIgx1fPoQA==
-  dependencies:
-    minimist "^1.2.5"
+  version "2.2.3"
+  resolved "https://registry.yarnpkg.com/json5/-/json5-2.2.3.tgz#78cd6f1a19bdc12b73db5ad0c61efd66c1e29283"
+  integrity sha512-XmOWe7eyHYH14cLdVPoyg+GOH3rYX++KpzrylJwSW98t3Nk+U8XOl8FWKOgwtzdb8lXGf6zYwDUzeHMWfxasyg==
+
+jwt-decode@^3.1.2:
+  version "3.1.2"
+  resolved "https://registry.yarnpkg.com/jwt-decode/-/jwt-decode-3.1.2.tgz#3fb319f3675a2df0c2895c8f5e9fa4b67b04ed59"
+  integrity sha512-UfpWE/VZn0iP50d8cz9NrZLM9lSWhcJ+0Gt/nm4by88UL+J1SiKN8/5dkjMmbEzwL2CAe+67GsegCbIKtbp75A==
 
 kleur@^3.0.3:
   version "3.0.3"
@@ -2944,9 +2948,9 @@ mimic-fn@^2.1.0:
   integrity sha512-OqbOk5oEQeAZ8WXWydlu9HJjz9WVdEIvamMCcXmuqUYjTknH/sqsWvhQ3vgwKFRR1HpjvNBKQ37nbJgYzGqGcg==
 
 minimatch@^3.0.4:
-  version "3.0.4"
-  resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.0.4.tgz#5166e286457f03306064be5497e8dbb0c3d32083"
-  integrity sha512-yJHVQEhyqPLUTgt9B83PXu6W3rx4MvvHvSUvToogpwoGDOUQ+yDrR0HRot+yOCdCO7u4hX3pWft6kWBBcqh0UA==
+  version "3.1.2"
+  resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.1.2.tgz#19cd194bfd3e428f049a70817c038d89ab4be35b"
+  integrity sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==
   dependencies:
     brace-expansion "^1.1.7"
 
@@ -3552,7 +3556,7 @@ tsutils@^3.21.0:
   dependencies:
     tslib "^1.8.1"
 
-tunnel@0.0.6:
+tunnel@^0.0.6:
   version "0.0.6"
   resolved "https://registry.yarnpkg.com/tunnel/-/tunnel-0.0.6.tgz#72f1314b34a5b192db012324df2cc587ca47f92c"
   integrity sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg==
@@ -3620,6 +3624,11 @@ uri-js@^4.2.2:
   dependencies:
     punycode "^2.1.0"
 
+uuid@^8.3.2:
+  version "8.3.2"
+  resolved "https://registry.yarnpkg.com/uuid/-/uuid-8.3.2.tgz#80d5b5ced271bb9af6c445f21a1a04c606cefbe2"
+  integrity sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==
+
 v8-compile-cache-lib@^3.0.0:
   version "3.0.0"
   resolved "https://registry.yarnpkg.com/v8-compile-cache-lib/-/v8-compile-cache-lib-3.0.0.tgz#0582bcb1c74f3a2ee46487ceecf372e46bce53e8"