docker/build-push-action
3
0
Fork 0
mirror of https://github.com/docker/build-push-action.git synced 2025-06-13 14:47:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: docker:v3.2.0
Branches Tags
docker:master docker:releases/v5 docker:releases/v4 docker:releases/v3 docker:releases/v2 docker:releases/v1
docker:v6.18.0 docker:v6 docker:v6.17.0 docker:v6.16.0 docker:v6.15.0 docker:v6.14.0 docker:v6.13.0 docker:v6.12.0 docker:v6.11.0 docker:v6.10.0 docker:v6.9.0 docker:v6.8.0 docker:v6.7.0 docker:v6.6.1 docker:v6.6.0 docker:v6.5.0 docker:v6.4.1 docker:v6.4.0 docker:v6.3.0 docker:v6.2.0 docker:v6.1.0 docker:v6.0.2 docker:v6.0.1 docker:v6.0.0 docker:v5.4.0 docker:v5 docker:v5.3.0 docker:v5.2.0 docker:v5.1.0 docker:v5.0.0 docker:v4 docker:v4.2.1 docker:v4.2.0 docker:v4.1.1 docker:v4.1.0 docker:v4.0.0 docker:v3.3.1 docker:v3 docker:v3.3.0 docker:v3.2.0 docker:v3.1.1 docker:v3.1.0 docker:v3.0.0 docker:v2 docker:v2.10.0 docker:v2.9.0 docker:v2.8.0 docker:v2.7.0 docker:v2.6.1 docker:v2.6.0 docker:v2.5.0 docker:v2.4.0 docker:v2.3.0 docker:v2.2.2 docker:v2.2.1 docker:v2.2.0 docker:v2.1.0 docker:v2.0.1 docker:v1 docker:v1.1.2 docker:v2.0.0 docker:v1.1.1 docker:v1.1.0 docker:v1.0.1 docker:v1.0 docker:v1.0.0
..
compare: docker:v3.3.1
Branches Tags
docker:master docker:releases/v5 docker:releases/v4 docker:releases/v3 docker:releases/v2 docker:releases/v1
docker:v6.18.0 docker:v6 docker:v6.17.0 docker:v6.16.0 docker:v6.15.0 docker:v6.14.0 docker:v6.13.0 docker:v6.12.0 docker:v6.11.0 docker:v6.10.0 docker:v6.9.0 docker:v6.8.0 docker:v6.7.0 docker:v6.6.1 docker:v6.6.0 docker:v6.5.0 docker:v6.4.1 docker:v6.4.0 docker:v6.3.0 docker:v6.2.0 docker:v6.1.0 docker:v6.0.2 docker:v6.0.1 docker:v6.0.0 docker:v5.4.0 docker:v5 docker:v5.3.0 docker:v5.2.0 docker:v5.1.0 docker:v5.0.0 docker:v4 docker:v4.2.1 docker:v4.2.0 docker:v4.1.1 docker:v4.1.0 docker:v4.0.0 docker:v3.3.1 docker:v3 docker:v3.3.0 docker:v3.2.0 docker:v3.1.1 docker:v3.1.0 docker:v3.0.0 docker:v2 docker:v2.10.0 docker:v2.9.0 docker:v2.8.0 docker:v2.7.0 docker:v2.6.1 docker:v2.6.0 docker:v2.5.0 docker:v2.4.0 docker:v2.3.0 docker:v2.2.2 docker:v2.2.1 docker:v2.2.0 docker:v2.1.0 docker:v2.0.1 docker:v1 docker:v1.1.2 docker:v2.0.0 docker:v1.1.1 docker:v1.1.0 docker:v1.0.1 docker:v1.0 docker:v1.0.0

41 Commits
v3.2.0 ... v3.3.1

Author SHA1 Message Date
CrazyMax
1104d47137 Merge pull request #781 from crazy-max/disable-provenance 
Disable provenance by default if not set
 2023-01-30 19:07:44 +01:00
CrazyMax
838bf90c88 update generated content 
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
 2023-01-30 10:15:05 +01:00
CrazyMax
337a09d182 disable provenance by default if not set 
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
 2023-01-30 10:15:05 +01:00
CrazyMax
37abcedcc1 Merge pull request #760 from crazy-max/test-envs 
test: move envs to jest config
 2023-01-13 13:27:37 +01:00
CrazyMax
67109bc4b2 test: move envs to jest config 
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
 2023-01-13 13:23:43 +01:00
CrazyMax
d1b0eb0a29 Merge pull request #759 from crazy-max/fix-provenance-input 
Fix provenance input
 2023-01-13 13:06:45 +01:00
CrazyMax
a0635fe7cd update generated content 
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
 2023-01-13 12:59:31 +01:00
CrazyMax
f834265449 tests for provenance 
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
 2023-01-13 12:59:31 +01:00
CrazyMax
0191543e0b fix provenance input 
When `provenance: false`, we should not set the builder-id.

Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
 2023-01-13 12:59:31 +01:00
CrazyMax
2a16835223 Merge pull request #758 from crazy-max/revert-736 
Revert build-args newline split
 2023-01-13 11:35:45 +01:00
CrazyMax
9b96801525 Revert build-args newline split 
This reverts commit 6afac853c9, reversing
changes made to 1d910c8aa2.

Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
 2023-01-13 11:27:13 +01:00
CrazyMax
6afac853c9 Merge pull request #736 from ruslandoga/build-args-newline-split 
build-args newline split
 2023-01-13 10:03:35 +01:00
ruslandoga
3bfdd83cd7 pre-checkin 
Signed-off-by: ruslandoga <67764432+ruslandoga@users.noreply.github.com>
 2023-01-13 15:15:03 +07:00
ruslandoga
316d5eb8b3 build-args newline split 
Signed-off-by: ruslandoga <67764432+ruslandoga@users.noreply.github.com>
 2023-01-13 12:51:11 +07:00
CrazyMax
1d910c8aa2 Merge pull request #707 from crazy-max/gh-runtime-token-info 
Log GitHub Actions runtime token access controls
 2023-01-12 19:50:31 +01:00
CrazyMax
f9ccca010f log GitHub Actions runtime token access controls 
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
 2023-01-12 19:44:24 +01:00
CrazyMax
c40bf0fdf6 Merge pull request #746 from crazy-max/attests-sbom-provenance-inputs 
add attests, provenance and sbom inputs
 2023-01-12 19:27:54 +01:00
CrazyMax
223ed1ebd4 ci: fix registry-cache job 
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
 2023-01-11 15:56:26 +01:00
CrazyMax
fdafae777b update generated content 
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
 2023-01-11 15:56:25 +01:00
CrazyMax
0cb700ffba do not set default provenance if user wants to load the image 
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
 2023-01-11 15:56:25 +01:00
CrazyMax
ee7989df81 always set builder-id attribute for provenance 
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
 2023-01-11 15:56:25 +01:00
CrazyMax
74f883a069 check BuildKit compatibility before setting default provenance opts 
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
 2023-01-11 15:56:25 +01:00
CrazyMax
0149503e26 ci: inspect with json output 
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
 2023-01-11 15:56:25 +01:00
CrazyMax
26ce4f3617 provenance: set mode max and builder-id for public repos by default 
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
 2023-01-11 15:56:24 +01:00
CrazyMax
ed2672fc33 add attests, provenance and sbom inputs 
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
 2023-01-11 15:56:24 +01:00
CrazyMax
472ccddef1 test: go project sample 
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
 2023-01-11 15:56:24 +01:00
CrazyMax
d235d2d5ea Merge pull request #749 from docker/dependabot/npm_and_yarn/json5-2.2.3 
chore(deps): Bump json5 from 2.2.0 to 2.2.3
 2023-01-08 18:32:06 +01:00
dependabot[bot]
2f519a7883 chore(deps): Bump json5 from 2.2.0 to 2.2.3 
Bumps [json5](https://github.com/json5/json5) from 2.2.0 to 2.2.3.
- [Release notes](https://github.com/json5/json5/releases)
- [Changelog](https://github.com/json5/json5/blob/main/CHANGELOG.md)
- [Commits](https://github.com/json5/json5/compare/v2.2.0...v2.2.3)

---
updated-dependencies:
- dependency-name: json5
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
 2023-01-07 04:56:41 +00:00
CrazyMax
4eb68bb2ac Merge pull request #729 from docker/dependabot/npm_and_yarn/csv-parse-5.3.3 
chore(deps): Bump csv-parse from 5.3.0 to 5.3.3
 2022-12-19 20:44:37 +01:00
CrazyMax
b4755849f0 update generated content 
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
 2022-12-19 20:42:49 +01:00
dependabot[bot]
ade1a6afe3 chore(deps): Bump csv-parse from 5.3.0 to 5.3.3 
Bumps [csv-parse](https://github.com/adaltas/node-csv/tree/HEAD/packages/csv-parse) from 5.3.0 to 5.3.3.
- [Release notes](https://github.com/adaltas/node-csv/releases)
- [Changelog](https://github.com/adaltas/node-csv/blob/master/packages/csv-parse/CHANGELOG.md)
- [Commits](https://github.com/adaltas/node-csv/commits/csv-parse@5.3.3/packages/csv-parse)

---
updated-dependencies:
- dependency-name: csv-parse
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-12-19 19:37:51 +00:00
CrazyMax
21d6059e1e Merge pull request #732 from docker/dependabot/npm_and_yarn/minimatch-3.1.2 
chore(deps): Bump minimatch from 3.0.4 to 3.1.2
 2022-12-19 20:20:03 +01:00
CrazyMax
c2c50190db readme: fix badges 
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
 2022-12-19 20:17:23 +01:00
CrazyMax
a154a68da0 Update generated content 
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
 2022-12-19 20:15:46 +01:00
dependabot[bot]
4ac90f5dca chore(deps): Bump minimatch from 3.0.4 to 3.1.2 
Bumps [minimatch](https://github.com/isaacs/minimatch) from 3.0.4 to 3.1.2.
- [Release notes](https://github.com/isaacs/minimatch/releases)
- [Commits](https://github.com/isaacs/minimatch/compare/v3.0.4...v3.1.2)

---
updated-dependencies:
- dependency-name: minimatch
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-11-29 17:55:45 +00:00
CrazyMax
175d02bffe Merge pull request #723 from crazy-max/docs-fix-link 
docs: fix link
 2022-11-10 18:25:38 +01:00
CrazyMax
546378e7fb docs: fix link 
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
 2022-11-10 15:57:59 +01:00
CrazyMax
ffe65bfc27 Merge pull request #718 from crazy-max/moved-examples 
docs: examples moved to docs website
 2022-11-04 14:11:17 +01:00
CrazyMax
d4c14fd006 docs: examples moved to docs website 
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
 2022-11-04 09:17:25 +01:00
CrazyMax
6e95f19fb8 Merge pull request #708 from kaznovac/patch-1 
[docs] test-before-push: push tested image as latest
 2022-10-20 21:05:58 +02:00
Marko Kaznovac
2a752d5a63 [docs] test-before-push: push tested image as latest 
also renamed image name from `myapp` -> `app`

Signed-off-by: Marko Kaznovac <kaznovac@users.noreply.github.com>
 2022-10-20 16:03:06 +02:00
34 changed files with 752 additions and 1040 deletions
Expand all files Collapse all files

178
.github/workflows/ci.yml vendored
View File

@ -84,7 +84,7 @@ jobs:
-
name: Inspect
run: |
docker buildx imagetools inspect localhost:5000/name/app:1.0.0
docker buildx imagetools inspect localhost:5000/name/app:1.0.0 --format '{{json .}}'
-
name: Check digest
run: |
@ -143,7 +143,7 @@ jobs:
-
name: Inspect
run: |
docker buildx imagetools inspect localhost:5000/name/app:1.0.0
docker buildx imagetools inspect localhost:5000/name/app:1.0.0 --format '{{json .}}'
-
name: Check digest
run: |
@ -190,7 +190,7 @@ jobs:
-
name: Inspect
run: |
docker buildx imagetools inspect localhost:5000/name/app:1.0.0
docker buildx imagetools inspect localhost:5000/name/app:1.0.0 --format '{{json .}}'
-
name: Check digest
run: |
@ -491,6 +491,127 @@ jobs:
cache-from: type=gha,scope=nocachefilter
cache-to: type=gha,scope=nocachefilter,mode=max
attests-compat:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
include:
- buildx: latest
buildkit: moby/buildkit:buildx-stable-1
- buildx: latest
buildkit: moby/buildkit:v0.10.6
- buildx: v0.9.1
buildkit: moby/buildkit:buildx-stable-1
steps:
-
name: Checkout
uses: actions/checkout@v3
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
with:
version: ${{ matrix.buildx }}
driver-opts: |
network=host
image=${{ matrix.buildkit }}
-
name: Build
uses: ./
with:
context: ./test/go
file: ./test/go/Dockerfile
outputs: type=cacheonly
provenance:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
attrs:
- ''
- mode=max
- builder-id=foo
- false
- true
steps:
-
name: Checkout
uses: actions/checkout@v3
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
with:
version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
driver-opts: |
network=host
image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
-
name: Build
uses: ./
with:
context: ./test/go
file: ./test/go/Dockerfile
target: binary
outputs: type=oci,dest=/tmp/build.tar
provenance: ${{ matrix.attrs }}
cache-from: type=gha,scope=provenance
cache-to: type=gha,scope=provenance,mode=max
sbom:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
include:
- target: image
output: type=image,name=localhost:5000/name/app:latest,push=true
- target: binary
output: /tmp/buildx-build
services:
registry:
image: registry:2
ports:
- 5000:5000
steps:
-
name: Checkout
uses: actions/checkout@v3
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
with:
version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
driver-opts: |
network=host
image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
-
name: Build
uses: ./
with:
context: ./test/go
file: ./test/go/Dockerfile
target: ${{ matrix.target }}
outputs: ${{ matrix.output }}
sbom: true
cache-from: type=gha,scope=attests-${{ matrix.target }}
cache-to: type=gha,scope=attests-${{ matrix.target }},mode=max
-
name: Inspect image
if: matrix.target == 'image'
run: |
docker buildx imagetools inspect localhost:5000/name/app:latest --format '{{json .}}'
-
name: Check output folder
if: matrix.target == 'binary'
run: |
tree /tmp/buildx-build
-
name: Print SBOM
if: matrix.target == 'binary'
run: |
cat /tmp/buildx-build/sbom.spdx.json | jq
multi:
runs-on: ubuntu-latest
strategy:
@ -536,7 +657,7 @@ jobs:
-
name: Inspect
run: |
docker buildx imagetools inspect localhost:5000/name/app:1.0.0
docker buildx imagetools inspect localhost:5000/name/app:1.0.0 --format '{{json .}}'
-
name: Check digest
run: |
@ -649,7 +770,6 @@ jobs:
uses: docker/setup-qemu-action@v2
-
name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@v2
with:
version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
@ -657,7 +777,7 @@ jobs:
network=host
image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
-
name: Build and push (1)
name: Build and push
id: docker_build
uses: ./
with:
@ -672,54 +792,16 @@ jobs:
cache-from: type=registry,ref=localhost:5000/name/app
cache-to: type=inline
-
name: Inspect (1)
name: Inspect
run: |
docker buildx imagetools inspect localhost:5000/name/app:latest
docker buildx imagetools inspect localhost:5000/name/app:latest --format '{{json .}}'
-
name: Check digest (1)
name: Check digest
run: |
if [ -z "${{ steps.docker_build.outputs.digest }}" ]; then
echo "::error::Digest should not be empty"
exit 1
fi
-
name: Prune
run: |
docker buildx prune -a -f --verbose
-
name: Build and push (2)
id: docker_build2
uses: ./
with:
context: ./test
file: ./test/multi.Dockerfile
builder: ${{ steps.buildx.outputs.name }}
platforms: linux/amd64,linux/arm64
push: true
tags: |
localhost:5000/name/app:latest
localhost:5000/name/app:1.0.0
cache-from: type=registry,ref=localhost:5000/name/app
cache-to: type=inline
-
name: Inspect (2)
run: |
docker buildx imagetools inspect localhost:5000/name/app:latest
-
name: Check digest (2)
run: |
if [ -z "${{ steps.docker_build2.outputs.digest }}" ]; then
echo "::error::Digest should not be empty"
exit 1
fi
-
name: Compare digests
run: |
echo Compare "${{ steps.docker_build.outputs.digest }}" with "${{ steps.docker_build2.outputs.digest }}"
if [ "${{ steps.docker_build.outputs.digest }}" != "${{ steps.docker_build2.outputs.digest }}" ]; then
echo "::error::Digests should be identical"
exit 1
fi
github-cache:
runs-on: ubuntu-latest
@ -760,7 +842,7 @@ jobs:
-
name: Inspect
run: |
docker buildx imagetools inspect localhost:5000/name/app:1.0.0
docker buildx imagetools inspect localhost:5000/name/app:1.0.0 --format '{{json .}}'
standalone:
runs-on: ubuntu-latest

2
.github/workflows/e2e.yml vendored
View File

@ -120,4 +120,4 @@ jobs:
name: Check manifest
if: github.event_name != 'pull_request'
run: |
docker buildx imagetools inspect ${{ matrix.slug }}:${{ steps.meta.outputs.version }}
docker buildx imagetools inspect ${{ matrix.slug }}:${{ steps.meta.outputs.version }} --format '{{json .}}'

2
.github/workflows/example.yml vendored
View File

@ -71,4 +71,4 @@ jobs:
name: Check manifest
if: github.event_name != 'pull_request'
run: |
docker buildx imagetools inspect ${{ env.DOCKER_IMAGE }}:${{ steps.meta.outputs.version }}
docker buildx imagetools inspect ${{ env.DOCKER_IMAGE }}:${{ steps.meta.outputs.version }} --format '{{json .}}'

100
README.md
View File

@ -1,7 +1,7 @@
[![GitHub release](https://img.shields.io/github/release/docker/build-push-action.svg?style=flat-square)](https://github.com/docker/build-push-action/releases/latest)
[![GitHub marketplace](https://img.shields.io/badge/marketplace-build--and--push--docker--images-blue?logo=github&style=flat-square)](https://github.com/marketplace/actions/build-and-push-docker-images)
[![CI workflow](https://img.shields.io/github/workflow/status/docker/build-push-action/ci?label=ci&logo=github&style=flat-square)](https://github.com/docker/build-push-action/actions?workflow=ci)
[![Test workflow](https://img.shields.io/github/workflow/status/docker/build-push-action/test?label=test&logo=github&style=flat-square)](https://github.com/docker/build-push-action/actions?workflow=test)
[![CI workflow](https://img.shields.io/github/actions/workflow/status/docker/build-push-action/ci.yml?branch=master&label=ci&logo=github&style=flat-square)](https://github.com/docker/build-push-action/actions?workflow=ci)
[![Test workflow](https://img.shields.io/github/actions/workflow/status/docker/build-push-action/test.yml?branch=master&label=test&logo=github&style=flat-square)](https://github.com/docker/build-push-action/actions?workflow=test)
[![Codecov](https://img.shields.io/codecov/c/github/docker/build-push-action?logo=codecov&style=flat-square)](https://codecov.io/gh/docker/build-push-action)
## About
@ -18,20 +18,7 @@ ___
* [Usage](#usage)
* [Git context](#git-context)
* [Path context](#path-context)
* [Advanced usage](#advanced-usage)
* [Multi-platform image](docs/advanced/multi-platform.md)
* [Secrets](docs/advanced/secrets.md)
* [Isolated builders](docs/advanced/isolated-builders.md)
* [Push to multi-registries](docs/advanced/push-multi-registries.md)
* [Copy between registries](docs/advanced/copy-between-registries.md)
* [Cache](docs/advanced/cache.md)
* [Local registry](docs/advanced/local-registry.md)
* [Export image to Docker](docs/advanced/export-docker.md)
* [Share built image between jobs](docs/advanced/share-image-jobs.md)
* [Test your image before pushing it](docs/advanced/test-before-push.md)
* [Named contexts](docs/advanced/named-contexts.md)
* [Handle tags and labels](docs/advanced/tags-labels.md)
* [Update Docker Hub repo description](docs/advanced/dockerhub-desc.md)
* [Examples](#examples)
* [Customizing](#customizing)
* [inputs](#inputs)
* [outputs](#outputs)
@ -129,8 +116,8 @@ to the default Git context:
Building from the current repository automatically uses the [GitHub Token](https://docs.github.com/en/actions/security-guides/automatic-token-authentication),
so it does not need to be passed. If you want to authenticate against another
private repository, you have to use a [secret](docs/advanced/secrets.md) named
`GIT_AUTH_TOKEN` to be able to authenticate against it with Buildx:
private repository, you have to use a [secret](https://docs.docker.com/build/ci/github-actions/examples/#secrets)
named `GIT_AUTH_TOKEN` to be able to authenticate against it with Buildx:
```yaml
-
@ -181,21 +168,9 @@ jobs:
tags: user/app:latest
```
## Advanced usage
## Examples
* [Multi-platform image](docs/advanced/multi-platform.md)
* [Secrets](docs/advanced/secrets.md)
* [Isolated builders](docs/advanced/isolated-builders.md)
* [Push to multi-registries](docs/advanced/push-multi-registries.md)
* [Copy between registries](docs/advanced/copy-between-registries.md)
* [Cache](docs/advanced/cache.md)
* [Local registry](docs/advanced/local-registry.md)
* [Export image to Docker](docs/advanced/export-docker.md)
* [Share built image between jobs](docs/advanced/share-image-jobs.md)
* [Test your image before pushing it](docs/advanced/test-before-push.md)
* [Named contexts](docs/advanced/named-contexts.md)
* [Handle tags and labels](docs/advanced/tags-labels.md)
* [Update Docker Hub repo description](docs/advanced/dockerhub-desc.md)
See https://docs.docker.com/build/ci/github-actions/examples/.
## Customizing
@ -215,35 +190,38 @@ Following inputs can be used as `step.with` keys
> tags: name/app:latest,name/app:1.0.0
> ```
| Name | Type | Description |
|--------------------|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `add-hosts` | List/CSV | List of [customs host-to-IP mapping](https://docs.docker.com/engine/reference/commandline/build/#add-entries-to-container-hosts-file---add-host) (e.g., `docker:10.180.0.1`) |
| `allow` | List/CSV | List of [extra privileged entitlement](https://docs.docker.com/engine/reference/commandline/buildx_build/#allow) (e.g., `network.host,security.insecure`) |
| `builder` | String | Builder instance (see [setup-buildx](https://github.com/docker/setup-buildx-action) action) |
| `build-args` | List | List of [build-time variables](https://docs.docker.com/engine/reference/commandline/buildx_build/#build-arg) |
| `build-contexts` | List | List of additional [build contexts](https://docs.docker.com/engine/reference/commandline/buildx_build/#build-context) (e.g., `name=path`) |
| `cache-from` | List | List of [external cache sources](https://docs.docker.com/engine/reference/commandline/buildx_build/#cache-from) (e.g., `type=local,src=path/to/dir`) |
| `cache-to` | List | List of [cache export destinations](https://docs.docker.com/engine/reference/commandline/buildx_build/#cache-to) (e.g., `type=local,dest=path/to/dir`) |
| `cgroup-parent` | String | Optional [parent cgroup](https://docs.docker.com/engine/reference/commandline/build/#use-a-custom-parent-cgroup---cgroup-parent) for the container used in the build |
| `context` | String | Build's context is the set of files located in the specified [`PATH` or `URL`](https://docs.docker.com/engine/reference/commandline/build/) (default [Git context](#git-context)) |
| `file` | String | Path to the Dockerfile. (default `{context}/Dockerfile`) |
| `labels` | List | List of metadata for an image |
| `load` | Bool | [Load](https://docs.docker.com/engine/reference/commandline/buildx_build/#load) is a shorthand for `--output=type=docker` (default `false`) |
| `network` | String | Set the networking mode for the `RUN` instructions during build |
| `no-cache` | Bool | Do not use cache when building the image (default `false`) |
| `no-cache-filters` | List/CSV | Do not cache specified stages |
| `outputs`¹ | List | List of [output destinations](https://docs.docker.com/engine/reference/commandline/buildx_build/#output) (format: `type=local,dest=path`) |
| `platforms` | List/CSV | List of [target platforms](https://docs.docker.com/engine/reference/commandline/buildx_build/#platform) for build |
| `pull` | Bool | Always attempt to pull all referenced images (default `false`) |
| `push` | Bool | [Push](https://docs.docker.com/engine/reference/commandline/buildx_build/#push) is a shorthand for `--output=type=registry` (default `false`) |
| `secrets` | List | List of [secrets](https://docs.docker.com/engine/reference/commandline/buildx_build/#secret) to expose to the build (e.g., `key=string`, `GIT_AUTH_TOKEN=mytoken`) |
| `secret-files` | List | List of [secret files](https://docs.docker.com/engine/reference/commandline/buildx_build/#secret) to expose to the build (e.g., `key=filename`, `MY_SECRET=./secret.txt`) |
| `shm-size` | String | Size of [`/dev/shm`](https://docs.docker.com/engine/reference/commandline/buildx_build/#shm-size) (e.g., `2g`) |
| `ssh` | List | List of [SSH agent socket or keys](https://docs.docker.com/engine/reference/commandline/buildx_build/#ssh) to expose to the build |
| `tags` | List/CSV | List of tags |
| `target` | String | Sets the target stage to build |
| `ulimit` | List | [Ulimit](https://docs.docker.com/engine/reference/commandline/buildx_build/#ulimit) options (e.g., `nofile=1024:1024`) |
| `github-token` | String | GitHub Token used to authenticate against a repository for [Git context](#git-context) (default `${{ github.token }}`) |
| Name | Type | Description |
|--------------------|-------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `add-hosts` | List/CSV | List of [customs host-to-IP mapping](https://docs.docker.com/engine/reference/commandline/build/#add-entries-to-container-hosts-file---add-host) (e.g., `docker:10.180.0.1`) |
| `allow` | List/CSV | List of [extra privileged entitlement](https://docs.docker.com/engine/reference/commandline/buildx_build/#allow) (e.g., `network.host,security.insecure`) |
| `attests` | List | List of [attestation](https://docs.docker.com/build/attestations/) parameters (e.g., `type=sbom,generator=image`) |
| `builder` | String | Builder instance (see [setup-buildx](https://github.com/docker/setup-buildx-action) action) |
| `build-args` | List | List of [build-time variables](https://docs.docker.com/engine/reference/commandline/buildx_build/#build-arg) |
| `build-contexts` | List | List of additional [build contexts](https://docs.docker.com/engine/reference/commandline/buildx_build/#build-context) (e.g., `name=path`) |
| `cache-from` | List | List of [external cache sources](https://docs.docker.com/engine/reference/commandline/buildx_build/#cache-from) (e.g., `type=local,src=path/to/dir`) |
| `cache-to` | List | List of [cache export destinations](https://docs.docker.com/engine/reference/commandline/buildx_build/#cache-to) (e.g., `type=local,dest=path/to/dir`) |
| `cgroup-parent` | String | Optional [parent cgroup](https://docs.docker.com/engine/reference/commandline/build/#use-a-custom-parent-cgroup---cgroup-parent) for the container used in the build |
| `context` | String | Build's context is the set of files located in the specified [`PATH` or `URL`](https://docs.docker.com/engine/reference/commandline/build/) (default [Git context](#git-context)) |
| `file` | String | Path to the Dockerfile. (default `{context}/Dockerfile`) |
| `labels` | List | List of metadata for an image |
| `load` | Bool | [Load](https://docs.docker.com/engine/reference/commandline/buildx_build/#load) is a shorthand for `--output=type=docker` (default `false`) |
| `network` | String | Set the networking mode for the `RUN` instructions during build |
| `no-cache` | Bool | Do not use cache when building the image (default `false`) |
| `no-cache-filters` | List/CSV | Do not cache specified stages |
| `outputs`¹ | List | List of [output destinations](https://docs.docker.com/engine/reference/commandline/buildx_build/#output) (format: `type=local,dest=path`) |
| `platforms` | List/CSV | List of [target platforms](https://docs.docker.com/engine/reference/commandline/buildx_build/#platform) for build |
| `provenance` | Bool/String | Generate [provenance](https://docs.docker.com/build/attestations/slsa-provenance/) attestation for the build (shorthand for `--attest=type=provenance`) |
| `pull` | Bool | Always attempt to pull all referenced images (default `false`) |
| `push` | Bool | [Push](https://docs.docker.com/engine/reference/commandline/buildx_build/#push) is a shorthand for `--output=type=registry` (default `false`) |
| `sbom` | Bool/String | Generate [SBOM](https://docs.docker.com/build/attestations/sbom/) attestation for the build (shorthand for `--attest=type=sbom`) |
| `secrets` | List | List of [secrets](https://docs.docker.com/engine/reference/commandline/buildx_build/#secret) to expose to the build (e.g., `key=string`, `GIT_AUTH_TOKEN=mytoken`) |
| `secret-files` | List | List of [secret files](https://docs.docker.com/engine/reference/commandline/buildx_build/#secret) to expose to the build (e.g., `key=filename`, `MY_SECRET=./secret.txt`) |
| `shm-size` | String | Size of [`/dev/shm`](https://docs.docker.com/engine/reference/commandline/buildx_build/#shm-size) (e.g., `2g`) |
| `ssh` | List | List of [SSH agent socket or keys](https://docs.docker.com/engine/reference/commandline/buildx_build/#ssh) to expose to the build |
| `tags` | List/CSV | List of tags |
| `target` | String | Sets the target stage to build |
| `ulimit` | List | [Ulimit](https://docs.docker.com/engine/reference/commandline/buildx_build/#ulimit) options (e.g., `nofile=1024:1024`) |
| `github-token` | String | GitHub Token used to authenticate against a repository for [Git context](#git-context) (default `${{ github.token }}`) |
> **Note**
>

161
__tests__/context.test.ts
View File

@ -2,6 +2,7 @@ import {beforeEach, describe, expect, it, jest, test} from '@jest/globals';
import * as fs from 'fs';
import * as path from 'path';
import * as buildx from '../src/buildx';
import * as context from '../src/context';
const pgp = `-----BEGIN PGP PRIVATE KEY BLOCK-----
@ -127,6 +128,8 @@ jest.spyOn(context, 'tmpNameSync').mockImplementation((): string => {
return path.join('/tmp/.docker-build-push-jest', '.tmpname-jest').split(path.sep).join(path.posix.sep);
});
jest.spyOn(buildx, 'satisfiesBuildKitVersion').mockResolvedValueOnce(true);
describe('getArgs', () => {
beforeEach(() => {
process.env = Object.keys(process.env).reduce((object, key) => {
@ -159,7 +162,11 @@ describe('getArgs', () => {
1,
'0.4.2',
new Map<string, string>([
['build-args', 'MY_ARG=val1,val2,val3\nARG=val'],
['build-args', `MY_ARG=val1,val2,val3
ARG=val
"MULTILINE=aaaa
bbbb
ccc"`],
['load', 'false'],
['no-cache', 'false'],
['push', 'false'],
@ -169,6 +176,7 @@ describe('getArgs', () => {
'build',
'--build-arg', 'MY_ARG=val1,val2,val3',
'--build-arg', 'ARG=val',
'--build-arg', `MULTILINE=aaaa\nbbbb\nccc`,
'--iidfile', '/tmp/.docker-build-push-jest/iidfile',
'https://github.com/docker/build-push-action.git#refs/heads/test-jest'
]
@ -517,7 +525,156 @@ nproc=3`],
'--metadata-file', '/tmp/.docker-build-push-jest/metadata-file',
'https://github.com/docker/build-push-action.git#refs/heads/test-jest:subdir'
]
]
],
[
17,
'0.8.2',
new Map<string, string>([
['context', '.'],
['load', 'false'],
['no-cache', 'false'],
['push', 'false'],
['pull', 'false'],
['provenance', 'true'],
]),
[
'build',
'--iidfile', '/tmp/.docker-build-push-jest/iidfile',
'--metadata-file', '/tmp/.docker-build-push-jest/metadata-file',
'.'
]
],
[
18,
'0.10.0',
new Map<string, string>([
['context', '.'],
['load', 'false'],
['no-cache', 'false'],
['push', 'false'],
['pull', 'false'],
]),
[
'build',
'--iidfile', '/tmp/.docker-build-push-jest/iidfile',
"--provenance", 'false',
'--metadata-file', '/tmp/.docker-build-push-jest/metadata-file',
'.'
]
],
[
19,
'0.10.0',
new Map<string, string>([
['context', '.'],
['load', 'false'],
['no-cache', 'false'],
['push', 'false'],
['pull', 'false'],
['provenance', 'true'],
]),
[
'build',
'--iidfile', '/tmp/.docker-build-push-jest/iidfile',
"--provenance", `builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`,
'--metadata-file', '/tmp/.docker-build-push-jest/metadata-file',
'.'
]
],
[
20,
'0.10.0',
new Map<string, string>([
['context', '.'],
['load', 'false'],
['no-cache', 'false'],
['push', 'false'],
['pull', 'false'],
['provenance', 'mode=max'],
]),
[
'build',
'--iidfile', '/tmp/.docker-build-push-jest/iidfile',
"--provenance", `mode=max,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`,
'--metadata-file', '/tmp/.docker-build-push-jest/metadata-file',
'.'
]
],
[
21,
'0.10.0',
new Map<string, string>([
['context', '.'],
['load', 'false'],
['no-cache', 'false'],
['push', 'false'],
['pull', 'false'],
['provenance', 'false'],
]),
[
'build',
'--iidfile', '/tmp/.docker-build-push-jest/iidfile',
"--provenance", 'false',
'--metadata-file', '/tmp/.docker-build-push-jest/metadata-file',
'.'
]
],
[
22,
'0.10.0',
new Map<string, string>([
['context', '.'],
['load', 'false'],
['no-cache', 'false'],
['push', 'false'],
['pull', 'false'],
['provenance', 'builder-id=foo'],
]),
[
'build',
'--iidfile', '/tmp/.docker-build-push-jest/iidfile',
"--provenance", 'builder-id=foo',
'--metadata-file', '/tmp/.docker-build-push-jest/metadata-file',
'.'
]
],
[
23,
'0.10.0',
new Map<string, string>([
['context', '.'],
['load', 'false'],
['no-cache', 'false'],
['push', 'false'],
['pull', 'false'],
['outputs', 'type=docker'],
]),
[
'build',
'--iidfile', '/tmp/.docker-build-push-jest/iidfile',
"--output", 'type=docker',
'--metadata-file', '/tmp/.docker-build-push-jest/metadata-file',
'.'
]
],
[
24,
'0.10.0',
new Map<string, string>([
['context', '.'],
['load', 'true'],
['no-cache', 'false'],
['push', 'false'],
['pull', 'false'],
]),
[
'build',
'--iidfile', '/tmp/.docker-build-push-jest/iidfile',
"--load",
'--metadata-file', '/tmp/.docker-build-push-jest/metadata-file',
'.'
]
],
])(
'[%d] given %p with %p as inputs, returns %p',
async (num: number, buildxVersion: string, inputs: Map<string, string>, expected: Array<string>) => {

9
action.yml
View File

@ -13,6 +13,9 @@ inputs:
allow:
description: "List of extra privileged entitlement (e.g., network.host,security.insecure)"
required: false
attests:
description: "List of attestation parameters (e.g., type=sbom,generator=image)"
required: false
build-args:
description: "List of build-time variables"
required: false
@ -60,6 +63,9 @@ inputs:
platforms:
description: "List of target platforms for build"
required: false
provenance:
description: "Generate provenance attestation for the build (shorthand for --attest=type=provenance)"
required: false
pull:
description: "Always attempt to pull all referenced images"
required: false
@ -68,6 +74,9 @@ inputs:
description: "Push is a shorthand for --output=type=registry"
required: false
default: 'false'
sbom:
description: "Generate SBOM attestation for the build (shorthand for --attest=type=sbom)"
required: false
secrets:
description: "List of secrets to expose to the build (e.g., key=string, GIT_AUTH_TOKEN=mytoken)"
required: false

2
dev.Dockerfile
View File

@ -66,8 +66,6 @@ FROM docker:${DOCKER_VERSION} as docker
FROM docker/buildx-bin:${BUILDX_VERSION} as buildx
FROM deps AS test
ENV RUNNER_TEMP=/tmp/github_runner
ENV RUNNER_TOOL_CACHE=/tmp/github_tool_cache
RUN --mount=type=bind,target=.,rw \
--mount=type=cache,target=/src/node_modules \
--mount=type=bind,from=docker,source=/usr/local/bin/docker,target=/usr/bin/docker \

8
dist/index.js generated vendored
View File

File diff suppressed because one or more lines are too long

2
dist/index.js.map generated vendored
View File

File diff suppressed because one or more lines are too long

25
dist/licenses.txt generated vendored
View File

@ -724,6 +724,31 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.
jwt-decode
MIT
The MIT License (MIT)
Copyright (c) 2015 Auth0, Inc. <support@auth0.com> (http://auth0.com)
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
lru-cache
ISC
The ISC License

206
docs/advanced/cache.md
View File

@ -1,207 +1,3 @@
# Cache
* [Inline cache](#inline-cache)
* [Registry cache](#registry-cache)
* [GitHub cache](#github-cache)
* [Cache backend API](#cache-backend-api)
* [Local cache](#local-cache)
> **Note**
>
> See [our guide](https://github.com/docker/buildx/blob/master/docs/guides/cache/index.md)
> for more details about cache storage backends.
## Inline cache
In most cases you want to use the [`type=inline` cache exporter](https://github.com/docker/buildx/blob/master/docs/guides/cache/inline.md).
However, note that the `inline` cache exporter only supports `min` cache mode. To enable `max` cache mode, push the
image and the cache separately by using the `registry` cache exporter as shown in the [next example](#registry-cache).
```yaml
name: ci
on:
push:
branches:
- 'main'
jobs:
docker:
runs-on: ubuntu-latest
steps:
-
name: Checkout
uses: actions/checkout@v3
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
-
name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
-
name: Build and push
uses: docker/build-push-action@v3
with:
context: .
push: true
tags: user/app:latest
cache-from: type=registry,ref=user/app:latest
cache-to: type=inline
```
## Registry cache
You can import/export cache from a cache manifest or (special) image configuration on the registry with the
[`type=registry` cache exporter](https://github.com/docker/buildx/blob/master/docs/guides/cache/registry.md).
```yaml
name: ci
on:
push:
branches:
- 'main'
jobs:
docker:
runs-on: ubuntu-latest
steps:
-
name: Checkout
uses: actions/checkout@v3
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
-
name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
-
name: Build and push
uses: docker/build-push-action@v3
with:
context: .
push: true
tags: user/app:latest
cache-from: type=registry,ref=user/app:buildcache
cache-to: type=registry,ref=user/app:buildcache,mode=max
```
## GitHub cache
### Cache backend API
> **Warning**
>
> This cache exporter is considered EXPERIMENTAL until further notice. Please
> provide feedback on [BuildKit repository](https://github.com/moby/buildkit)
> if you encounter any issues.
[GitHub Actions cache exporter](https://github.com/docker/buildx/blob/master/docs/guides/cache/gha.md)
backend uses the [GitHub Cache API](https://github.com/tonistiigi/go-actions-cache/blob/master/api.md)
to fetch and upload cache blobs. That's why this type of cache should be
exclusively used in a GitHub Action workflow as the `url` (`$ACTIONS_CACHE_URL`)
and `token` (`$ACTIONS_RUNTIME_TOKEN`) attributes are populated when a workflow
is started.
```yaml
name: ci
on:
push:
branches:
- 'main'
jobs:
docker:
runs-on: ubuntu-latest
steps:
-
name: Checkout
uses: actions/checkout@v3
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
-
name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
-
name: Build and push
uses: docker/build-push-action@v3
with:
context: .
push: true
tags: user/app:latest
cache-from: type=gha
cache-to: type=gha,mode=max
```
### Local cache
> **Warning**
>
> At the moment caches are copied over the existing cache, so it [keeps growing](https://github.com/docker/build-push-action/issues/252).
> The `Move cache` step is used as a workaround (see [moby/buildkit#1896](https://github.com/moby/buildkit/issues/1896) for more info).
You can also leverage [GitHub cache](https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows)
using the [actions/cache](https://github.com/actions/cache) and [`type=local` cache exporter](https://github.com/docker/buildx/blob/master/docs/guides/cache/local.md)
with this action:
```yaml
name: ci
on:
push:
branches:
- 'main'
jobs:
docker:
runs-on: ubuntu-latest
steps:
-
name: Checkout
uses: actions/checkout@v3
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
-
name: Cache Docker layers
uses: actions/cache@v3
with:
path: /tmp/.buildx-cache
key: ${{ runner.os }}-buildx-${{ github.sha }}
restore-keys: |
${{ runner.os }}-buildx-
-
name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
-
name: Build and push
uses: docker/build-push-action@v3
with:
context: .
push: true
tags: user/app:latest
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max
-
# Temp fix
# https://github.com/docker/build-push-action/issues/252
# https://github.com/moby/buildkit/issues/1896
name: Move cache
run: |
rm -rf /tmp/.buildx-cache
mv /tmp/.buildx-cache-new /tmp/.buildx-cache
```
This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/examples/#cache)

57
docs/advanced/copy-between-registries.md
View File

@ -1,58 +1,3 @@
# Copy images between registries
[Multi-platform images](https://docs.docker.com/build/building/multi-platform/)
built using Buildx can be copied from one registry to another using the
[`imagetools create` command](https://docs.docker.com/engine/reference/commandline/buildx_imagetools_create/):
```yaml
name: ci
on:
push:
branches:
- 'main'
jobs:
docker:
runs-on: ubuntu-latest
steps:
-
name: Checkout
uses: actions/checkout@v3
-
name: Set up QEMU
uses: docker/setup-qemu-action@v2
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
-
name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
-
name: Login to GitHub Container Registry
uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
-
name: Build and push
uses: docker/build-push-action@v3
with:
context: .
platforms: linux/amd64,linux/arm64
push: true
tags: |
user/app:latest
user/app:1.0.0
-
name: Push image to GHCR
run: |
docker buildx imagetools create \
--tag ghcr.io/user/app:latest \
--tag ghcr.io/user/app:1.0.0 \
user/app:latest
```
This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/examples/#copy-images-between-registries)

47
docs/advanced/dockerhub-desc.md
View File

@ -1,48 +1,3 @@
# Update Docker Hub repo description
You can update the [Docker Hub repository description](https://docs.docker.com/docker-hub/repos/)
using a third party action called [Docker Hub Description](https://github.com/peter-evans/dockerhub-description)
with this action:
```yaml
name: ci
on:
push:
branches:
- 'main'
jobs:
docker:
runs-on: ubuntu-latest
steps:
-
name: Checkout
uses: actions/checkout@v3
-
name: Set up QEMU
uses: docker/setup-qemu-action@v2
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
-
name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
-
name: Build and push
uses: docker/build-push-action@v3
with:
context: .
push: true
tags: user/app:latest
-
name: Update repo description
uses: peter-evans/dockerhub-description@v2
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_PASSWORD }}
repository: user/app
```
This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/examples/#update-docker-hub-repository-description)

34
docs/advanced/export-docker.md
View File

@ -1,35 +1,3 @@
# Export image to Docker
You may want your build result to be available in the Docker client through
`docker images` to be able to use it in another step of your workflow:
```yaml
name: ci
on:
push:
branches:
- 'main'
jobs:
docker:
runs-on: ubuntu-latest
steps:
-
name: Checkout
uses: actions/checkout@v3
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
-
name: Build
uses: docker/build-push-action@v3
with:
context: .
load: true
tags: myimage:latest
-
name: Inspect
run: |
docker image inspect myimage:latest
```
This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/examples/#export-image-to-docker)

43
docs/advanced/isolated-builders.md
View File

@ -1,44 +1,3 @@
# Isolated builders
```yaml
name: ci
on:
push:
branches:
- 'main'
jobs:
docker:
runs-on: ubuntu-latest
steps:
-
name: Checkout
uses: actions/checkout@v3
-
uses: docker/setup-buildx-action@v2
id: builder1
-
uses: docker/setup-buildx-action@v2
id: builder2
-
name: Builder 1 name
run: echo ${{ steps.builder1.outputs.name }}
-
name: Builder 2 name
run: echo ${{ steps.builder2.outputs.name }}
-
name: Build against builder1
uses: docker/build-push-action@v3
with:
builder: ${{ steps.builder1.outputs.name }}
context: .
target: mytarget1
-
name: Build against builder2
uses: docker/build-push-action@v3
with:
builder: ${{ steps.builder2.outputs.name }}
context: .
target: mytarget2
```
This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/configure-builder/#isolated-builders)

44
docs/advanced/local-registry.md
View File

@ -1,45 +1,3 @@
# Local registry
For testing purposes you may need to create a [local registry](https://hub.docker.com/_/registry)
to push images into:
```yaml
name: ci
on:
push:
branches:
- 'main'
jobs:
docker:
runs-on: ubuntu-latest
services:
registry:
image: registry:2
ports:
- 5000:5000
steps:
-
name: Checkout
uses: actions/checkout@v3
-
name: Set up QEMU
uses: docker/setup-qemu-action@v2
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
with:
driver-opts: network=host
-
name: Build and push to local registry
uses: docker/build-push-action@v3
with:
context: .
push: true
tags: localhost:5000/name/app:latest
-
name: Inspect
run: |
docker buildx imagetools inspect localhost:5000/name/app:latest
```
This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/examples/#local-registry)

47
docs/advanced/multi-platform.md
View File

@ -1,48 +1,3 @@
# Multi-platform image
You can build [multi-platform images](https://docs.docker.com/build/building/multi-platform/)
using the [`platforms` input](../../README.md#inputs) as described below.
> **Note**
>
> * List of available platforms will be displayed and available through our
> [setup-buildx](https://github.com/docker/setup-buildx-action#about) action.
> * If you want support for more platforms, you can use QEMU with our
> [setup-qemu](https://github.com/docker/setup-qemu-action) action.
```yaml
name: ci
on:
push:
branches:
- 'main'
jobs:
docker:
runs-on: ubuntu-latest
steps:
-
name: Checkout
uses: actions/checkout@v3
-
name: Set up QEMU
uses: docker/setup-qemu-action@v2
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
-
name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
-
name: Build and push
uses: docker/build-push-action@v3
with:
context: .
platforms: linux/amd64,linux/arm64
push: true
tags: user/app:latest
```
This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/examples/#multi-platform-images)

97
docs/advanced/named-contexts.md
View File

@ -1,98 +1,3 @@
# Named contexts
You can define [additional build contexts](https://docs.docker.com/engine/reference/commandline/buildx_build/#build-context)
that can be accessed in your Dockerfile with `FROM name` or `--from=name`. When
Dockerfile defines a stage with the same name it is overwritten.
This can be useful with GitHub Actions to reuse results from other builds or
pin an image to a spcific tag in your workflow.
* [Pin image to a specific tag](#pin-image-to-a-specific-tag)
* [Usage of the built image in other build steps](#usage-of-the-built-image-in-other-build-steps)
## Pin image to a specific tag
Replace `alpine:latest` with a pinned one:
```dockerfile
# syntax=docker/dockerfile:1
FROM alpine
RUN echo "Hello World"
```
```yaml
name: ci
on:
push:
branches:
- 'main'
jobs:
docker:
runs-on: ubuntu-latest
steps:
-
name: Checkout
uses: actions/checkout@v3
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
-
name: Build
uses: docker/build-push-action@v3
with:
context: .
build-contexts: |
alpine=docker-image://alpine:3.16
tags: myimage:latest
```
## Usage of the built image in other build steps
By default, the [`setup-buildx` action](https://github.com/docker/setup-buildx-action#about)
uses `docker-container` as a build driver, so built Docker images are not
available in the builder container.
With named contexts you can reuse the built image:
```dockerfile
# syntax=docker/dockerfile:1
FROM alpine
RUN echo "Hello World"
```
```yaml
name: ci
on:
push:
branches:
- 'main'
jobs:
docker:
runs-on: ubuntu-latest
steps:
-
name: Checkout
uses: actions/checkout@v3
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
-
name: Build base image
uses: docker/build-push-action@v3
with:
context: base
load: true
tags: my-base-image:latest
-
name: Build
uses: docker/build-push-action@v3
with:
context: .
build-contexts: |
alpine=docker-image://my-base-image:latest
tags: myimage:latest
```
This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/examples/#named-contexts)

52
docs/advanced/push-multi-registries.md
View File

@ -1,53 +1,3 @@
# Push to multi-registries
The following workflow will connect you to [Docker Hub](https://github.com/docker/login-action#dockerhub)
and [GitHub Container Registry](https://github.com/docker/login-action#github-container-registry)
and push the image to these registries:
```yaml
name: ci
on:
push:
branches:
- 'main'
jobs:
docker:
runs-on: ubuntu-latest
steps:
-
name: Checkout
uses: actions/checkout@v3
-
name: Set up QEMU
uses: docker/setup-qemu-action@v2
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
-
name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
-
name: Login to GitHub Container Registry
uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
-
name: Build and push
uses: docker/build-push-action@v3
with:
context: .
platforms: linux/amd64,linux/arm64
push: true
tags: |
user/app:latest
user/app:1.0.0
ghcr.io/user/app:latest
ghcr.io/user/app:1.0.0
```
This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/examples/#push-to-multi-registries)

87
docs/advanced/secrets.md
View File

@ -1,88 +1,3 @@
# Secrets
In the following example we will expose and use the [GITHUB_TOKEN secret](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#about-the-github_token-secret)
as provided by GitHub in your workflow.
First let's create our `Dockerfile` to use our secret:
```dockerfile
# syntax=docker/dockerfile:1
FROM alpine
RUN --mount=type=secret,id=github_token \
cat /run/secrets/github_token
```
As you can see we have named our secret `github_token`. Here is the workflow
you can use to expose this secret using the [`secrets` input](../../README.md#inputs):
```yaml
name: ci
on:
push:
branches:
- 'main'
jobs:
docker:
runs-on: ubuntu-latest
steps:
-
name: Checkout
uses: actions/checkout@v3
-
name: Set up QEMU
uses: docker/setup-qemu-action@v2
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
-
name: Build
uses: docker/build-push-action@v3
with:
context: .
platforms: linux/amd64,linux/arm64
tags: user/app:latest
secrets: |
"github_token=${{ secrets.GITHUB_TOKEN }}"
```
> **Note**
>
> You can also expose a secret file to the build with the [`secret-files`](../../README.md#inputs) input:
> ```yaml
> secret-files: |
> "MY_SECRET=./secret.txt"
> ```
If you're using [GitHub secrets](https://docs.github.com/en/actions/security-guides/encrypted-secrets)
and need to handle multi-line value, you will need to place the key-value pair
between quotes:
```yaml
secrets: |
"MYSECRET=${{ secrets.GPG_KEY }}"
GIT_AUTH_TOKEN=abcdefghi,jklmno=0123456789
"MYSECRET=aaaaaaaa
bbbbbbb
ccccccccc"
FOO=bar
"EMPTYLINE=aaaa
bbbb
ccc"
"JSON_SECRET={""key1"":""value1"",""key2"":""value2""}"
```
| Key | Value |
|--------------------|-------------------------------------|
| `MYSECRET` | `***********************` |
| `GIT_AUTH_TOKEN` | `abcdefghi,jklmno=0123456789` |
| `MYSECRET` | `aaaaaaaa\nbbbbbbb\nccccccccc` |
| `FOO` | `bar` |
| `EMPTYLINE` | `aaaa\n\nbbbb\nccc` |
| `JSON_SECRET` | `{"key1":"value1","key2":"value2"}` |
> **Note**
>
> All quote signs need to be doubled for escaping.
This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/examples/#secrets)

59
docs/advanced/share-image-jobs.md
View File

@ -1,60 +1,3 @@
# Share built image between jobs
As each job is isolated in its own runner you cannot use your built image
between jobs (except for [self-hosted runners](https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners)).
However, you can [pass data between jobs in a workflow](https://docs.github.com/en/actions/using-workflows/storing-workflow-data-as-artifacts#passing-data-between-jobs-in-a-workflow)
using the [actions/upload-artifact](https://github.com/actions/upload-artifact)
and [actions/download-artifact](https://github.com/actions/download-artifact)
actions:
```yaml
name: ci
on:
push:
branches:
- 'main'
jobs:
build:
runs-on: ubuntu-latest
steps:
-
name: Checkout
uses: actions/checkout@v3
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
-
name: Build and export
uses: docker/build-push-action@v3
with:
context: .
tags: myimage:latest
outputs: type=docker,dest=/tmp/myimage.tar
-
name: Upload artifact
uses: actions/upload-artifact@v3
with:
name: myimage
path: /tmp/myimage.tar
use:
runs-on: ubuntu-latest
needs: build
steps:
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
-
name: Download artifact
uses: actions/download-artifact@v3
with:
name: myimage
path: /tmp
-
name: Load image
run: |
docker load --input /tmp/myimage.tar
docker image ls -a
```
This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/examples/#share-built-image-between-jobs)

76
docs/advanced/tags-labels.md
View File

@ -1,77 +1,3 @@
# Handle tags and labels
If you want an "automatic" tag management and [OCI Image Format Specification](https://github.com/opencontainers/image-spec/blob/master/annotations.md)
for labels, you can do it in a dedicated step. The following workflow will use
the [Docker metadata action](https://github.com/docker/metadata-action) to
handle tags and labels based on GitHub actions events and Git metadata:
```yaml
name: ci
on:
schedule:
- cron: '0 10 * * *'
push:
branches:
- '**'
tags:
- 'v*.*.*'
pull_request:
branches:
- 'main'
jobs:
docker:
runs-on: ubuntu-latest
steps:
-
name: Checkout
uses: actions/checkout@v3
-
name: Docker meta
id: meta
uses: docker/metadata-action@v4
with:
# list of Docker images to use as base name for tags
images: |
name/app
ghcr.io/username/app
# generate Docker tags based on the following events/attributes
tags: |
type=schedule
type=ref,event=branch
type=ref,event=pr
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{major}}
type=sha
-
name: Set up QEMU
uses: docker/setup-qemu-action@v2
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
-
name: Login to Docker Hub
if: github.event_name != 'pull_request'
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
-
name: Login to GHCR
if: github.event_name != 'pull_request'
uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
-
name: Build and push
uses: docker/build-push-action@v3
with:
context: .
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
```
This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/examples/#manage-tags-and-labels)

65
docs/advanced/test-before-push.md
View File

@ -1,66 +1,3 @@
# Test your image before pushing it
In some cases, you might want to validate that the image works as expected
before pushing it.
The workflow below will be composed of several steps to achieve this:
* Build and export the image to Docker
* Test your image
* Multi-platform build and push the image
```yaml
name: ci
on:
push:
branches:
- 'main'
env:
TEST_TAG: user/myapp:test
jobs:
docker:
runs-on: ubuntu-latest
steps:
-
name: Checkout
uses: actions/checkout@v3
-
name: Set up QEMU
uses: docker/setup-qemu-action@v2
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
-
name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
-
name: Build and export to Docker
uses: docker/build-push-action@v3
with:
context: .
load: true
tags: ${{ env.TEST_TAG }}
-
name: Test
run: |
docker run --rm ${{ env.TEST_TAG }}
-
name: Build and push
uses: docker/build-push-action@v3
with:
context: .
platforms: linux/amd64,linux/arm64
push: true
tags: ${{ env.TEST_TAG }}
```
> **Note**
>
> Build time will not be increased with this workflow because internal cache
> for `linux/amd64` will be used from previous step on `Build and push` step
> so only `linux/arm64` will be actually built.
This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/examples/#test-your-image-before-pushing-it)

10
jest.config.ts
View File

@ -1,5 +1,15 @@
process.env = Object.assign({}, process.env, {
RUNNER_TEMP: '/tmp/github_runner',
RUNNER_TOOL_CACHE: '/tmp/github_tool_cache',
GITHUB_REPOSITORY: 'docker/build-push-action',
GITHUB_RUN_ID: '123456789'
}) as {
[key: string]: string;
};
module.exports = {
clearMocks: false,
testEnvironment: 'node',
moduleFileExtensions: ['js', 'ts'],
setupFiles: ['dotenv/config'],
testMatch: ['**/*.test.ts'],

3
package.json
View File

@ -31,8 +31,9 @@
"@actions/core": "^1.10.0",
"@actions/exec": "^1.1.1",
"@actions/github": "^5.1.1",
"csv-parse": "^5.3.0",
"csv-parse": "^5.3.3",
"handlebars": "^4.7.7",
"jwt-decode": "^3.1.2",
"semver": "^7.3.7",
"tmp": "^0.2.1"
},

123
src/buildx.ts
View File

@ -3,9 +3,24 @@ import fs from 'fs';
import path from 'path';
import * as semver from 'semver';
import * as exec from '@actions/exec';
import * as context from './context';
export type Builder = {
name?: string;
driver?: string;
nodes: Node[];
};
export type Node = {
name?: string;
endpoint?: string;
'driver-opts'?: Array<string>;
status?: string;
'buildkitd-flags'?: string;
buildkit?: string;
platforms?: string;
};
export async function getImageIDFile(): Promise<string> {
return path.join(context.tmpDir(), 'iidfile').split(path.sep).join(path.posix.sep);
}
@ -126,6 +141,112 @@ export async function isAvailable(standalone?: boolean): Promise<boolean> {
});
}
export async function satisfiesBuildKitVersion(builderName: string, range: string, standalone?: boolean): Promise<boolean> {
const builderInspect = await inspect(builderName, standalone);
for (const node of builderInspect.nodes) {
if (!node.buildkit) {
return false;
}
// BuildKit version reported by moby is in the format of `v0.11.0-moby`
if (builderInspect.driver == 'docker' && !node.buildkit.endsWith('-moby')) {
return false;
}
const version = node.buildkit.replace(/-moby$/, '');
if (!semver.satisfies(version, range)) {
return false;
}
}
return true;
}
async function inspect(name: string, standalone?: boolean): Promise<Builder> {
const cmd = getCommand(['inspect', name], standalone);
return await exec
.getExecOutput(cmd.command, cmd.args, {
ignoreReturnCode: true,
silent: true
})
.then(res => {
if (res.stderr.length > 0 && res.exitCode != 0) {
throw new Error(res.stderr.trim());
}
return parseInspect(res.stdout);
});
}
async function parseInspect(data: string): Promise<Builder> {
const builder: Builder = {
nodes: []
};
let node: Node = {};
for (const line of data.trim().split(`\n`)) {
const [key, ...rest] = line.split(':');
const value = rest.map(v => v.trim()).join(':');
if (key.length == 0 || value.length == 0) {
continue;
}
switch (key.toLowerCase()) {
case 'name': {
if (builder.name == undefined) {
builder.name = value;
} else {
if (Object.keys(node).length > 0) {
builder.nodes.push(node);
node = {};
}
node.name = value;
}
break;
}
case 'driver': {
builder.driver = value;
break;
}
case 'endpoint': {
node.endpoint = value;
break;
}
case 'driver options': {
node['driver-opts'] = (value.match(/(\w+)="([^"]*)"/g) || []).map(v => v.replace(/^(.*)="(.*)"$/g, '$1=$2'));
break;
}
case 'status': {
node.status = value;
break;
}
case 'flags': {
node['buildkitd-flags'] = value;
break;
}
case 'buildkit': {
node.buildkit = value;
break;
}
case 'platforms': {
let platforms: Array<string> = [];
// if a preferred platform is being set then use only these
// https://docs.docker.com/engine/reference/commandline/buildx_inspect/#get-information-about-a-builder-instance
if (value.includes('*')) {
for (const platform of value.split(', ')) {
if (platform.includes('*')) {
platforms.push(platform.replace('*', ''));
}
}
} else {
// otherwise set all platforms available
platforms = value.split(', ');
}
node.platforms = platforms.join(',');
break;
}
}
}
if (Object.keys(node).length > 0) {
builder.nodes.push(node);
}
return builder;
}
export async function getVersion(standalone?: boolean): Promise<string> {
const cmd = getCommand(['version'], standalone);
return await exec

99
src/context.ts
View File

@ -13,6 +13,7 @@ let _defaultContext, _tmpDir: string;
export interface Inputs {
addHosts: string[];
allow: string[];
attests: string[];
buildArgs: string[];
buildContexts: string[];
builder: string;
@ -28,8 +29,10 @@ export interface Inputs {
noCacheFilters: string[];
outputs: string[];
platforms: string[];
provenance: string;
pull: boolean;
push: boolean;
sbom: string;
secrets: string[];
secretFiles: string[];
shmSize: string;
@ -65,10 +68,15 @@ export function tmpNameSync(options?: tmp.TmpNameOptions): string {
return tmp.tmpNameSync(options);
}
export function provenanceBuilderID(): string {
return `${process.env.GITHUB_SERVER_URL || 'https://github.com'}/${github.context.repo.owner}/${github.context.repo.repo}/actions/runs/${github.context.runId}`;
}
export async function getInputs(defaultContext: string): Promise<Inputs> {
return {
addHosts: await getInputList('add-hosts'),
allow: await getInputList('allow'),
attests: await getInputList('attests', true),
buildArgs: await getInputList('build-args', true),
buildContexts: await getInputList('build-contexts', true),
builder: core.getInput('builder'),
@ -84,8 +92,10 @@ export async function getInputs(defaultContext: string): Promise<Inputs> {
noCacheFilters: await getInputList('no-cache-filters'),
outputs: await getInputList('outputs', true),
platforms: await getInputList('platforms'),
provenance: getProvenanceInput('provenance'),
pull: core.getBooleanInput('pull'),
push: core.getBooleanInput('push'),
sbom: core.getInput('sbom'),
secrets: await getInputList('secrets', true),
secretFiles: await getInputList('secret-files', true),
shmSize: core.getInput('shm-size'),
@ -97,17 +107,17 @@ export async function getInputs(defaultContext: string): Promise<Inputs> {
};
}
export async function getArgs(inputs: Inputs, defaultContext: string, buildxVersion: string): Promise<Array<string>> {
export async function getArgs(inputs: Inputs, defaultContext: string, buildxVersion: string, standalone?: boolean): Promise<Array<string>> {
const context = handlebars.compile(inputs.context)({defaultContext});
// prettier-ignore
return [
...await getBuildArgs(inputs, defaultContext, context, buildxVersion),
...await getBuildArgs(inputs, defaultContext, context, buildxVersion, standalone),
...await getCommonArgs(inputs, buildxVersion),
context
];
}
async function getBuildArgs(inputs: Inputs, defaultContext: string, context: string, buildxVersion: string): Promise<Array<string>> {
async function getBuildArgs(inputs: Inputs, defaultContext: string, context: string, buildxVersion: string, standalone?: boolean): Promise<Array<string>> {
const args: Array<string> = ['build'];
await asyncForEach(inputs.addHosts, async addHost => {
args.push('--add-host', addHost);
@ -115,6 +125,11 @@ async function getBuildArgs(inputs: Inputs, defaultContext: string, context: str
if (inputs.allow.length > 0) {
args.push('--allow', inputs.allow.join(','));
}
if (buildx.satisfies(buildxVersion, '>=0.10.0')) {
await asyncForEach(inputs.attests, async attest => {
args.push('--attest', attest);
});
}
await asyncForEach(inputs.buildArgs, async buildArg => {
args.push('--build-arg', buildArg);
});
@ -150,6 +165,23 @@ async function getBuildArgs(inputs: Inputs, defaultContext: string, context: str
if (inputs.platforms.length > 0) {
args.push('--platform', inputs.platforms.join(','));
}
if (buildx.satisfies(buildxVersion, '>=0.10.0')) {
if (inputs.provenance) {
args.push('--provenance', inputs.provenance);
} else if ((await buildx.satisfiesBuildKitVersion(inputs.builder, '>=0.11.0', standalone)) && !hasDockerExport(inputs)) {
// If provenance not specified but BuildKit version compatible for
// attestation, disable provenance anyway. Also needs to make sure user
// doesn't want to explicitly load the image to docker.
// While this action successfully pushes OCI compliant images to
// well-known registries, some runtimes (e.g. Google Cloud Run and AWS
// Lambda) are not able to pull resulting image from their own registry...
// See also https://github.com/docker/buildx/issues/1533
args.push('--provenance', 'false');
}
if (inputs.sbom) {
args.push('--sbom', inputs.sbom);
}
}
await asyncForEach(inputs.secrets, async secret => {
try {
args.push('--secret', await buildx.getSecretString(secret));
@ -245,3 +277,64 @@ export const asyncForEach = async (array, callback) => {
await callback(array[index], index, array);
}
};
function getProvenanceInput(name: string): string {
const input = core.getInput(name);
if (!input) {
// if input is not set, default values will be set later.
return input;
}
const builderID = provenanceBuilderID();
try {
return core.getBooleanInput(name) ? `builder-id=${builderID}` : 'false';
} catch (err) {
// not a valid boolean, so we assume it's a string
return getProvenanceAttrs(input);
}
}
function getProvenanceAttrs(input: string): string {
const builderID = provenanceBuilderID();
// parse attributes from input
const fields = parse(input, {
relaxColumnCount: true,
skipEmptyLines: true
})[0];
// check if builder-id attribute exists in the input
for (const field of fields) {
const parts = field
.toString()
.split(/(?<=^[^=]+?)=/)
.map(item => item.trim());
if (parts[0] == 'builder-id') {
return input;
}
}
// if not add builder-id attribute
return `${input},builder-id=${builderID}`;
}
function hasDockerExport(inputs: Inputs): boolean {
if (inputs.load) {
return true;
}
for (const output of inputs.outputs) {
const fields = parse(output, {
relaxColumnCount: true,
skipEmptyLines: true
})[0];
for (const field of fields) {
const parts = field
.toString()
.split(/(?<=^[^=]+?)=/)
.map(item => item.trim());
if (parts.length != 2) {
continue;
}
if (parts[0] == 'type' && parts[1] == 'docker') {
return true;
}
}
}
return false;
}

9
src/github.ts Normal file
View File

@ -0,0 +1,9 @@
import jwt_decode, {JwtPayload} from 'jwt-decode';
interface Jwt extends JwtPayload {
ac?: string;
}
export const parseRuntimeToken = (token: string): Jwt => {
return jwt_decode<Jwt>(token);
};

12
src/main.ts
View File

@ -2,6 +2,7 @@ import * as fs from 'fs';
import * as buildx from './buildx';
import * as context from './context';
import * as docker from './docker';
import * as github from './github';
import * as stateHelper from './state-helper';
import * as core from '@actions/core';
import * as exec from '@actions/exec';
@ -14,6 +15,15 @@ async function run(): Promise<void> {
// standalone if docker cli not available
const standalone = !(await docker.isAvailable());
await core.group(`GitHub Actions runtime token access controls`, async () => {
const actionsRuntimeToken = process.env['ACTIONS_RUNTIME_TOKEN'];
if (actionsRuntimeToken) {
core.info(JSON.stringify(JSON.parse(github.parseRuntimeToken(actionsRuntimeToken).ac as string), undefined, 2));
} else {
core.info(`ACTIONS_RUNTIME_TOKEN not set`);
}
});
core.startGroup(`Docker info`);
if (standalone) {
core.info(`Docker info skipped in standalone mode`);
@ -41,7 +51,7 @@ async function run(): Promise<void> {
});
});
const args: string[] = await context.getArgs(inputs, defContext, buildxVersion);
const args: string[] = await context.getArgs(inputs, defContext, buildxVersion, standalone);
const buildCmd = buildx.getCommand(args, standalone);
await exec
.getExecOutput(buildCmd.command, buildCmd.args, {

16
test/go/Dockerfile Normal file
View File

@ -0,0 +1,16 @@
FROM golang:1.19-alpine AS base
ENV CGO_ENABLED=0
RUN apk add --no-cache file git
WORKDIR /src
FROM base as build
COPY go.mod go.sum ./
RUN go mod download -x
COPY . .
RUN go build -ldflags "-s -w" -o /usr/bin/app .
FROM scratch AS binary
COPY --from=build /usr/bin/app /bin/app
FROM alpine:3.17 AS image
COPY --from=build /usr/bin/app /bin/app

19
test/go/go.mod Normal file
View File

@ -0,0 +1,19 @@
module github.com/docker/build-push-action/test/go
go 1.18
require github.com/labstack/echo/v4 v4.9.1
require (
github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
github.com/labstack/gommon v0.4.0 // indirect
github.com/mattn/go-colorable v0.1.11 // indirect
github.com/mattn/go-isatty v0.0.14 // indirect
github.com/valyala/bytebufferpool v1.0.0 // indirect
github.com/valyala/fasttemplate v1.2.1 // indirect
golang.org/x/crypto v0.0.0-20210817164053-32db794688a5 // indirect
golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f // indirect
golang.org/x/sys v0.0.0-20211103235746-7861aae1554b // indirect
golang.org/x/text v0.3.7 // indirect
golang.org/x/time v0.0.0-20201208040808-7e3f01d25324 // indirect
)

38
test/go/go.sum Normal file
View File

@ -0,0 +1,38 @@
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
github.com/labstack/echo/v4 v4.9.1 h1:GliPYSpzGKlyOhqIbG8nmHBo3i1saKWFOgh41AN3b+Y=
github.com/labstack/echo/v4 v4.9.1/go.mod h1:Pop5HLc+xoc4qhTZ1ip6C0RtP7Z+4VzRLWZZFKqbbjo=
github.com/labstack/gommon v0.4.0 h1:y7cvthEAEbU0yHOf4axH8ZG2NH8knB9iNSoTO8dyIk8=
github.com/labstack/gommon v0.4.0/go.mod h1:uW6kP17uPlLJsD3ijUYn3/M5bAxtlZhMI6m3MFxTMTM=
github.com/mattn/go-colorable v0.1.11 h1:nQ+aFkoE2TMGc0b68U2OKSexC+eq46+XwZzWXHRmPYs=
github.com/mattn/go-colorable v0.1.11/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4=
github.com/mattn/go-isatty v0.0.14 h1:yVuAays6BHfxijgZPzw+3Zlu5yQgKGP2/hcQbHb7S9Y=
github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw=
github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
github.com/valyala/fasttemplate v1.2.1 h1:TVEnxayobAdVkhQfrfes2IzOB6o+z4roRkPF52WA1u4=
github.com/valyala/fasttemplate v1.2.1/go.mod h1:KHLXt3tVN2HBp8eijSv/kGJopbvo7S+qRAEEKiv+SiQ=
golang.org/x/crypto v0.0.0-20210817164053-32db794688a5 h1:HWj/xjIHfjYU5nVXpTM0s39J9CbLn7Cc5a7IC5rwsMQ=
golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f h1:OfiFi4JbukWwe3lzw+xunroH1mnC1e2Gy5cxNJApiSY=
golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20211103235746-7861aae1554b h1:1VkfZQv42XQlA/jchYumAnv1UPo6RgF9rJFkTgZIxO4=
golang.org/x/sys v0.0.0-20211103235746-7861aae1554b/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
golang.org/x/time v0.0.0-20201208040808-7e3f01d25324 h1:Hir2P/De0WpUhtrKGGjvSb2YxUgyZ7EFOSLIcSSpiwE=
golang.org/x/time v0.0.0-20201208040808-7e3f01d25324/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo=
gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

31
test/go/main.go Normal file
View File

@ -0,0 +1,31 @@
package main
import (
"net/http"
"os"
"github.com/labstack/echo/v4"
"github.com/labstack/echo/v4/middleware"
)
func main() {
e := echo.New()
e.Use(middleware.Logger())
e.Use(middleware.Recover())
e.GET("/", func(c echo.Context) error {
return c.HTML(http.StatusOK, "Hello World")
})
e.GET("/ping", func(c echo.Context) error {
return c.JSON(http.StatusOK, struct{ Status string }{Status: "OK"})
})
httpPort := os.Getenv("HTTP_PORT")
if httpPort == "" {
httpPort = "8080"
}
e.Logger.Fatal(e.Start(":" + httpPort))
}

29
yarn.lock
View File

@ -1562,7 +1562,7 @@ combined-stream@^1.0.8:
concat-map@0.0.1:
version "0.0.1"
resolved "https://registry.yarnpkg.com/concat-map/-/concat-map-0.0.1.tgz#d8a96bd77fd68df7793a73036a3ba0d5405d477b"
integrity sha1-2Klr13/Wjfd5OnMDajug1UBdR3s=
integrity sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==
convert-source-map@^1.4.0, convert-source-map@^1.6.0, convert-source-map@^1.7.0:
version "1.8.0"
@ -1602,10 +1602,10 @@ cssstyle@^2.3.0:
dependencies:
cssom "~0.3.6"
csv-parse@*, csv-parse@^5.3.0:
version "5.3.0"
resolved "https://registry.yarnpkg.com/csv-parse/-/csv-parse-5.3.0.tgz#85cc02fc9d1c89bd1b02e69069c960f8b8064322"
integrity sha512-UXJCGwvJ2fep39purtAn27OUYmxB1JQto+zhZ4QlJpzsirtSFbzLvip1aIgziqNdZp/TptvsKEV5BZSxe10/DQ==
csv-parse@*, csv-parse@^5.3.3:
version "5.3.3"
resolved "https://registry.yarnpkg.com/csv-parse/-/csv-parse-5.3.3.tgz#3b75d2279e2edb550cbc54c65b25cbbf3d0033ad"
integrity sha512-kEWkAPleNEdhFNkHQpFHu9RYPogsFj3dx6bCxL847fsiLgidzWg0z/O0B1kVWMJUc5ky64zGp18LX2T3DQrOfw==
data-urls@^2.0.0:
version "2.0.0"
@ -2824,11 +2824,14 @@ json-stable-stringify-without-jsonify@^1.0.1:
integrity sha1-nbe1lJatPzz+8wp1FC0tkwrXJlE=
json5@2.x, json5@^2.1.2:
version "2.2.0"
resolved "https://registry.yarnpkg.com/json5/-/json5-2.2.0.tgz#2dfefe720c6ba525d9ebd909950f0515316c89a3"
integrity sha512-f+8cldu7X/y7RAJurMEJmdoKXGB/X550w2Nr3tTbezL6RwEE/iMcm+tZnXeoZtKuOq6ft8+CqzEkrIgx1fPoQA==
dependencies:
minimist "^1.2.5"
version "2.2.3"
resolved "https://registry.yarnpkg.com/json5/-/json5-2.2.3.tgz#78cd6f1a19bdc12b73db5ad0c61efd66c1e29283"
integrity sha512-XmOWe7eyHYH14cLdVPoyg+GOH3rYX++KpzrylJwSW98t3Nk+U8XOl8FWKOgwtzdb8lXGf6zYwDUzeHMWfxasyg==
jwt-decode@^3.1.2:
version "3.1.2"
resolved "https://registry.yarnpkg.com/jwt-decode/-/jwt-decode-3.1.2.tgz#3fb319f3675a2df0c2895c8f5e9fa4b67b04ed59"
integrity sha512-UfpWE/VZn0iP50d8cz9NrZLM9lSWhcJ+0Gt/nm4by88UL+J1SiKN8/5dkjMmbEzwL2CAe+67GsegCbIKtbp75A==
kleur@^3.0.3:
version "3.0.3"
@ -2945,9 +2948,9 @@ mimic-fn@^2.1.0:
integrity sha512-OqbOk5oEQeAZ8WXWydlu9HJjz9WVdEIvamMCcXmuqUYjTknH/sqsWvhQ3vgwKFRR1HpjvNBKQ37nbJgYzGqGcg==
minimatch@^3.0.4:
version "3.0.4"
resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.0.4.tgz#5166e286457f03306064be5497e8dbb0c3d32083"
integrity sha512-yJHVQEhyqPLUTgt9B83PXu6W3rx4MvvHvSUvToogpwoGDOUQ+yDrR0HRot+yOCdCO7u4hX3pWft6kWBBcqh0UA==
version "3.1.2"
resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.1.2.tgz#19cd194bfd3e428f049a70817c038d89ab4be35b"
integrity sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==
dependencies:
brace-expansion "^1.1.7"