Merge pull request #1128 from crazy-max/builder-info

show builder information before building

.dockerignore

@@ -1,2 +1,12 @@
 /coverage
-/node_modules
+
+# Dependency directories
+node_modules/
+jspm_packages/
+
+# yarn v2
+.yarn/cache
+.yarn/unplugged
+.yarn/build-state.yml
+.yarn/install-state.gz
+.pnp.*

.eslintignore

@@ -0,0 +1,3 @@
+/dist/**
+/coverage/**
+/node_modules/**

.eslintrc.json

@@ -1,18 +1,19 @@
 {
   "env": {
     "node": true,
-    "es2021": true,
+    "es6": true,
     "jest": true
   },
   "extends": [
     "eslint:recommended",
+    "plugin:@typescript-eslint/eslint-recommended",
     "plugin:@typescript-eslint/recommended",
     "plugin:jest/recommended",
     "plugin:prettier/recommended"
   ],
   "parser": "@typescript-eslint/parser",
   "parserOptions": {
-    "ecmaVersion": "latest",
+    "ecmaVersion": 2023,
     "sourceType": "module"
   },
   "plugins": [

.gitattributes

@@ -1,2 +1,4 @@
+/.yarn/releases/** binary
+/.yarn/plugins/** binary
 /dist/** linguist-generated=true
 /lib/** linguist-generated=true

.github/CODEOWNERS

@@ -1 +0,0 @@
-*	@crazy-max

.github/CODE_OF_CONDUCT.md

@@ -0,0 +1,3 @@
+# Code of conduct
+
+- [Moby community guidelines](https://github.com/moby/moby/blob/master/CONTRIBUTING.md#moby-community-guidelines)

.github/ISSUE_TEMPLATE/bug.yml

@@ -0,0 +1,101 @@
+# https://docs.github.com/en/communities/using-templates-to-encourage-useful-issues-and-pull-requests/syntax-for-githubs-form-schema
+name: Bug Report
+description: Report a bug
+labels:
+  - status/triage
+
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thank you for taking the time to report a bug!
+        If this is a security issue please report it to the [Docker Security team](mailto:security@docker.com).
+        Before submitting a bug report, check out the [Troubleshooting doc](https://github.com/docker/build-push-action/blob/master/TROUBLESHOOTING.md).
+
+  - type: checkboxes
+    attributes:
+      label: Contributing guidelines
+      description: >
+        Make sure you've read the contributing guidelines before proceeding.
+      options:
+        - label: I've read the [contributing guidelines](https://github.com/docker/build-push-action/blob/master/.github/CONTRIBUTING.md) and wholeheartedly agree
+          required: true
+
+  - type: checkboxes
+    attributes:
+      label: "I've found a bug, and:"
+      description: |
+        Make sure that your request fulfills all of the following requirements.
+        If one requirement cannot be satisfied, explain in detail why.
+      options:
+        - label: The documentation does not mention anything about my problem
+        - label: There are no open or closed issues that are related to my problem
+
+  - type: textarea
+    attributes:
+      label: Description
+      description: >
+        Provide a brief description of the bug in 1-2 sentences.
+    validations:
+      required: true
+
+  - type: textarea
+    attributes:
+      label: Expected behaviour
+      description: >
+        Describe precisely what you'd expect to happen.
+    validations:
+      required: true
+
+  - type: textarea
+    attributes:
+      label: Actual behaviour
+      description: >
+        Describe precisely what is actually happening.
+    validations:
+      required: true
+
+  - type: input
+    attributes:
+      label: Repository URL
+      description: >
+        Enter the URL of the repository where you are experiencing the
+        issue. If your repository is private, provide a link to a minimal
+        repository that reproduces the issue.
+
+  - type: input
+    attributes:
+      label: Workflow run URL
+      description: >
+        Enter the URL of the GitHub Action workflow run, if public.
+
+  - type: textarea
+    attributes:
+      label: YAML workflow
+      description: |
+        Provide the YAML of the workflow that's causing the issue.
+        Make sure to remove any sensitive information.
+      render: yaml
+    validations:
+      required: true
+
+  - type: textarea
+    attributes:
+      label: Workflow logs
+      description: >
+        [Attach](https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/attaching-files)
+        the [log file of your workflow run](https://docs.github.com/en/actions/managing-workflow-runs/using-workflow-run-logs#downloading-logs)
+        and make sure to remove any sensitive information.
+
+  - type: textarea
+    attributes:
+      label: BuildKit logs
+      description: >
+        If applicable, provide the [BuildKit container logs](https://docs.docker.com/build/ci/github-actions/configure-builder/#buildkit-container-logs)
+      render: text
+
+  - type: textarea
+    attributes:
+      label: Additional info
+      description: |
+        Provide any additional information that could be useful.

.github/ISSUE_TEMPLATE/bug_report.md

@@ -1,37 +0,0 @@
----
-name: Bug report
-about: Create a report to help us improve
----
-
-### Troubleshooting
-
-Before submitting a bug report please read the [Troubleshooting doc](https://github.com/docker/build-push-action/blob/master/TROUBLESHOOTING.md).
-
-### Behaviour
-
-#### Steps to reproduce this issue
-
-1.
-2.
-3.
-
-#### Expected behaviour
-
-> Tell us what should happen
-
-#### Actual behaviour
-
-> Tell us what happens instead
-
-### Configuration
-
-* Repository URL (if public): 
-* Build URL (if public): 
-
-```yml
-# paste your YAML workflow file here and remove sensitive data
-```
-
-### Logs
-
-> Download the [log file of your build](https://docs.github.com/en/actions/managing-workflow-runs/using-workflow-run-logs#downloading-logs) and [attach it](https://docs.github.com/en/github/managing-your-work-on-github/file-attachments-on-issues-and-pull-requests) to this issue.

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,9 @@
+# https://docs.github.com/en/communities/using-templates-to-encourage-useful-issues-and-pull-requests/configuring-issue-templates-for-your-repository#configuring-the-template-chooser
+blank_issues_enabled: true
+contact_links:
+  - name: Questions and Discussions
+    url: https://github.com/docker/build-push-action/discussions/new
+    about: Use Github Discussions to ask questions and/or open discussion topics.
+  - name: Documentation
+    url: https://docs.docker.com/build/ci/github-actions/
+    about: Read the documentation.

.github/ISSUE_TEMPLATE/feature.yml

@@ -0,0 +1,15 @@
+# https://docs.github.com/en/communities/using-templates-to-encourage-useful-issues-and-pull-requests/syntax-for-githubs-form-schema
+name: Feature request
+description: Missing functionality? Come tell us about it!
+labels:
+  - kind/enhancement
+  - status/triage
+
+body:
+  - type: textarea
+    id: description
+    attributes:
+      label: Description
+      description: What is the feature you want to see?
+    validations:
+      required: true

.github/SECURITY.md

@@ -0,0 +1,12 @@
+# Reporting security issues
+
+The project maintainers take security seriously. If you discover a security
+issue, please bring it to their attention right away!
+
+**Please _DO NOT_ file a public issue**, instead send your report privately to
+[security@docker.com](mailto:security@docker.com).
+
+Security reports are greatly appreciated, and we will publicly thank you for it.
+We also like to send gifts—if you'd like Docker swag, make sure to let
+us know. We currently do not offer a paid security bounty program, but are not
+ruling it out in the future.

.github/SUPPORT.md

@@ -1,31 +0,0 @@
-# Support [![](https://isitmaintained.com/badge/resolution/docker/build-push-action.svg)](https://isitmaintained.com/project/docker/build-push-action)
-
-First, [be a good guy](https://github.com/kossnocorp/etiquette/blob/master/README.md).
-
-## Reporting an issue
-
-Please do a search in [open issues](https://github.com/docker/build-push-action/issues?utf8=%E2%9C%93&q=) to see if the issue or feature request has already been filed.
-
-If you find your issue already exists, make relevant comments and add your [reaction](https://github.com/blog/2119-add-reactions-to-pull-requests-issues-and-comments). Use a reaction in place of a "+1" comment.
-
-:+1: - upvote
-
-:-1: - downvote
-
-If you cannot find an existing issue that describes your bug or feature, submit an issue using the guidelines below.
-
-## Writing good bug reports and feature requests
-
-File a single issue per problem and feature request.
-
-* Do not enumerate multiple bugs or feature requests in the same issue.
-* Do not add your issue as a comment to an existing issue unless it's for the identical input. Many issues look similar, but have different causes.
-
-The more information you can provide, the more likely someone will be successful reproducing the issue and finding a fix.
-
-You are now ready to [create a new issue](https://github.com/docker/build-push-action/issues/new/choose)!
-
-## Closure policy
-
-* Issues that don't have the information requested above (when applicable) will be closed immediately and the poster directed to the support guidelines.
-* Issues that go a week without a response from original poster are subject to closure at our discretion.

.github/dependabot.yml

@@ -11,6 +11,7 @@ updates:
     directory: "/"
     schedule:
       interval: "daily"
+    versioning-strategy: "increase"
     allow:
       - dependency-type: "production"
     labels:

.github/workflows/.e2e-run.yml

@@ -0,0 +1,130 @@
+# reusable workflow
+name: .e2e-run
+
+on:
+  workflow_call:
+    inputs:
+      id:
+        required: false
+        type: string
+      type:
+        required: true
+        type: string
+      name:
+        required: true
+        type: string
+      registry:
+        required: false
+        type: string
+      slug:
+        required: false
+        type: string
+      username_secret:
+        required: false
+        type: string
+      password_secret:
+        required: false
+        type: string
+
+env:
+  HARBOR_VERSION: v2.7.0
+  NEXUS_VERSION: 3.47.1
+  DISTRIBUTION_VERSION: 2.8.1
+
+jobs:
+  run:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          -
+            buildx_version: latest
+            buildkit_image: moby/buildkit:buildx-stable-1
+          -
+            buildx_version: https://github.com/docker/buildx.git#master
+            buildkit_image: moby/buildkit:master
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Set up env
+        if: inputs.type == 'local'
+        run: |
+          cat ./.github/e2e/${{ inputs.id }}/env >> $GITHUB_ENV
+      -
+        name: Set up BuildKit config
+        run: |
+          touch /tmp/buildkitd.toml
+          if [ "${{ inputs.type }}" = "local" ]; then
+            echo -e "[registry.\"${{ env.REGISTRY_FQDN }}\"]\nhttp = true\ninsecure = true" > /tmp/buildkitd.toml
+          fi
+      -
+        name: Set up Docker daemon
+        if: inputs.type == 'local'
+        run: |
+          if [ ! -e /etc/docker/daemon.json ]; then
+            echo '{}' | tee /etc/docker/daemon.json >/dev/null
+          fi
+          DOCKERD_CONFIG=$(jq '.+{"insecure-registries":["http://${{ env.REGISTRY_FQDN }}"]}' /etc/docker/daemon.json)
+          sudo tee /etc/docker/daemon.json <<<"$DOCKERD_CONFIG" >/dev/null
+          sudo service docker restart
+      -
+        name: Install ${{ inputs.name }}
+        if: inputs.type == 'local'
+        run: |
+          sudo -E bash ./.github/e2e/${{ inputs.id }}/install.sh
+          sudo chown $(id -u):$(id -g) -R ~/.docker
+      -
+        name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY_SLUG || inputs.slug }}
+          tags: |
+            type=ref,event=branch,enable=${{ matrix.buildx_version == 'latest' && matrix.buildkit_image == 'moby/buildkit:buildx-stable-1' }}
+            type=ref,event=tag,enable=${{ matrix.buildx_version == 'latest' && matrix.buildkit_image == 'moby/buildkit:buildx-stable-1' }}
+            type=raw,gh-runid-${{ github.run_id }}
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: ${{ matrix.buildx_version }}
+          buildkitd-config: /tmp/buildkitd.toml
+          buildkitd-flags: --debug --allow-insecure-entitlement security.insecure --allow-insecure-entitlement network.host
+          driver-opts: |
+            image=${{ matrix.buildkit_image }}
+            network=host
+      -
+        name: Login to Registry
+        if: github.event_name != 'pull_request' && (env.REGISTRY_USER || inputs.username_secret) != ''
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY_FQDN || inputs.registry }}
+          username: ${{ env.REGISTRY_USER || secrets[inputs.username_secret] }}
+          password: ${{ env.REGISTRY_PASSWORD || secrets[inputs.password_secret] }}
+      -
+        name: Build and push
+        uses: ./
+        with:
+          context: ./test
+          file: ./test/multi.Dockerfile
+          platforms: linux/386,linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64,linux/ppc64le,linux/s390x
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=registry,ref=${{ env.REGISTRY_SLUG || inputs.slug }}:master
+          cache-to: type=inline
+      -
+        name: Inspect image
+        run: |
+          docker pull ${{ env.REGISTRY_SLUG || inputs.slug }}:${{ steps.meta.outputs.version }}
+          docker image inspect ${{ env.REGISTRY_SLUG || inputs.slug }}:${{ steps.meta.outputs.version }}
+      -
+        name: Check manifest
+        run: |
+          docker buildx imagetools inspect ${{ env.REGISTRY_SLUG || inputs.slug }}:${{ steps.meta.outputs.version }} --format '{{json .}}'

.github/workflows/ci.yml

@@ -1,5 +1,9 @@
 name: ci
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 on:
   workflow_dispatch:
     inputs:
@@ -29,12 +33,12 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           path: action
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -55,16 +59,16 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           path: action
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
       -
         name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -104,16 +108,16 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           path: action
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
       -
         name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -163,14 +167,14 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
       -
         name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -212,11 +216,11 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       -
         name: Docker meta
         id: meta
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@v5
         with:
           images: ${{ env.DOCKER_IMAGE }}
           tags: |
@@ -229,7 +233,7 @@ jobs:
             type=sha
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -268,11 +272,11 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       -
         name: Stop docker
         run: |
-          sudo systemctl stop docker
+          sudo systemctl stop docker docker.socket
       -
         name: Build
         id: docker_build
@@ -295,13 +299,13 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -336,7 +340,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       -
         name: Build
         id: docker_build
@@ -352,7 +356,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       -
         name: Build
         uses: ./
@@ -371,10 +375,10 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -389,15 +393,40 @@ jobs:
             MYSECRET=foo
             INVALID_SECRET=
 
+  secret-envs:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Set up Docker buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        env:
+          ENV_SECRET: foo
+        with:
+          context: .
+          file: ./test/secret.Dockerfile
+          secret-envs: |
+            MYSECRET=ENV_SECRET
+            INVALID_SECRET=
+
   network:
     runs-on: ubuntu-latest
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -418,10 +447,10 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -440,10 +469,10 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -465,10 +494,10 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -488,10 +517,10 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -513,10 +542,10 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -547,10 +576,10 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
         with:
           version: ${{ matrix.buildx }}
           driver-opts: |
@@ -569,19 +598,31 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        attrs:
-          - ''
-          - mode=max
-          - builder-id=foo
-          - false
-          - true
+        include:
+          - target: image
+            output: type=image,name=localhost:5000/name/app:latest,push=true
+            attr: mode=max
+          - target: image
+            output: type=image,name=localhost:5000/name/app:latest,push=true
+            attr: ''
+          - target: binary
+            output: /tmp/buildx-build
+            attr: mode=max
+          - target: binary
+            output: /tmp/buildx-build
+            attr: ''
+    services:
+      registry:
+        image: registry:2
+        ports:
+          - 5000:5000
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -593,11 +634,24 @@ jobs:
         with:
           context: ./test/go
           file: ./test/go/Dockerfile
-          target: binary
-          outputs: type=oci,dest=/tmp/build.tar
-          provenance: ${{ matrix.attrs }}
-          cache-from: type=gha,scope=provenance
-          cache-to: type=gha,scope=provenance,mode=max
+          target: ${{ matrix.target }}
+          outputs: ${{ matrix.output }}
+          provenance: ${{ matrix.attr }}
+      -
+        name: Inspect Provenance
+        if: matrix.target == 'image'
+        run: |
+          docker buildx imagetools inspect localhost:5000/name/app:latest --format '{{json .Provenance}}'
+      -
+        name: Check output folder
+        if: matrix.target == 'binary'
+        run: |
+          tree /tmp/buildx-build
+      -
+        name: Print local Provenance
+        if: matrix.target == 'binary'
+        run: |
+          cat /tmp/buildx-build/provenance.json | jq
 
   sbom:
     runs-on: ubuntu-latest
@@ -617,10 +671,10 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -638,22 +692,17 @@ jobs:
           cache-from: type=gha,scope=attests-${{ matrix.target }}
           cache-to: type=gha,scope=attests-${{ matrix.target }},mode=max
       -
-        name: Inspect image
+        name: Inspect SBOM
         if: matrix.target == 'image'
         run: |
-          docker buildx imagetools inspect localhost:5000/name/app:latest --format '{{json .}}'
+          docker buildx imagetools inspect localhost:5000/name/app:latest --format '{{json .SBOM}}'
       -
         name: Check output folder
         if: matrix.target == 'binary'
         run: |
           tree /tmp/buildx-build
       -
-        name: Print provenance
-        if: matrix.target == 'binary'
-        run: |
-          cat /tmp/buildx-build/provenance.json | jq
-      -
-        name: Print SBOM
+        name: Print local SBOM
         if: matrix.target == 'binary'
         run: |
           cat /tmp/buildx-build/sbom.spdx.json | jq
@@ -674,14 +723,14 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
       -
         name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -735,12 +784,6 @@ jobs:
           - driver: docker-container
             load: true
             push: true
-          - driver: docker
-            load: false
-            push: false
-          - driver: docker-container
-            load: false
-            push: false
     services:
       registry:
         image: registry:2
@@ -749,10 +792,10 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver: ${{ matrix.driver }}
@@ -774,9 +817,13 @@ jobs:
           docker image ls --no-trunc
       -
         name: Check digest
-        if: ${{ matrix.push }}
         run: |
-          if [ -z "${{ steps.docker_build.outputs.digest }}" ]; then
+          if [[ "${{ matrix.driver }}" = "docker-container" ]] && [[ "${{ matrix.load }}" = "false" ]] && [[ "${{ matrix.push }}" = "false" ]]; then
+            if [ -n "${{ steps.docker_build.outputs.digest }}" ]; then
+              echo "::error::Digest should be empty"
+              exit 1
+            fi
+          elif [[ "${{ matrix.push }}" = "true" ]] && [[ -z "${{ steps.docker_build.outputs.digest }}" ]]; then
             echo "::error::Digest should not be empty"
             exit 1
           fi
@@ -789,7 +836,12 @@ jobs:
       -
         name: Check image ID
         run: |
-          if [ -z "${{ steps.docker_build.outputs.imageid }}" ]; then
+          if [[ "${{ matrix.driver }}" = "docker-container" ]] && [[ "${{ matrix.load }}" = "false" ]] && [[ "${{ matrix.push }}" = "false" ]]; then
+            if [ -n "${{ steps.docker_build.outputs.imageid }}" ]; then
+              echo "::error::Image ID should be empty"
+              exit 1
+            fi
+          elif [ -z "${{ steps.docker_build.outputs.imageid }}" ]; then
             echo "::error::Image ID should not be empty"
             exit 1
           fi
@@ -810,13 +862,13 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -859,13 +911,13 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -890,19 +942,80 @@ jobs:
         run: |
           docker buildx imagetools inspect localhost:5000/name/app:1.0.0 --format '{{json .}}'
 
+  local-cache:
+    runs-on: ubuntu-latest
+    services:
+      registry:
+        image: registry:2
+        ports:
+          - 5000:5000
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            network=host
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+          buildkitd-flags: --debug
+      -
+        name: Cache Build
+        uses: actions/cache@v4
+        with:
+          path: /tmp/.buildx-cache
+          key: ${{ runner.os }}-local-test-${{ github.sha }}
+          restore-keys: |
+            ${{ runner.os }}-local-test-
+      -
+        name: Build and push
+        uses: ./
+        with:
+          context: ./test
+          file: ./test/multi.Dockerfile
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: |
+            localhost:5000/name/app:latest
+            localhost:5000/name/app:1.0.0
+          cache-from: type=local,src=/tmp/.buildx-cache
+          cache-to: type=local,dest=/tmp/.buildx-cache-new
+      -
+        name: Inspect
+        run: |
+          docker buildx imagetools inspect localhost:5000/name/app:1.0.0 --format '{{json .}}'
+      -
+        # Temp fix
+        # https://github.com/docker/build-push-action/issues/252
+        # https://github.com/moby/buildkit/issues/1896
+        name: Move cache
+        run: |
+          rm -rf /tmp/.buildx-cache
+          mv /tmp/.buildx-cache-new /tmp/.buildx-cache
+
   standalone:
     runs-on: ubuntu-latest
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       -
-        name: Uninstall moby cli
+        name: Uninstall docker cli
         run: |
-          sudo apt-get purge -y moby-cli moby-buildx
+          if dpkg -s "docker-ce" >/dev/null 2>&1; then
+            sudo dpkg -r --force-depends docker-ce-cli docker-buildx-plugin
+          else
+            sudo apt-get purge -y moby-cli moby-buildx
+          fi
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -920,10 +1033,10 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -942,10 +1055,10 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver: docker
@@ -976,10 +1089,10 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -1001,3 +1114,233 @@ jobs:
           file: ./test/named-context.Dockerfile
           build-contexts: |
             alpine=docker-image://localhost:5000/my-base-image:latest
+
+  docker-config-malformed:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Set malformed docker config
+        run: |
+          mkdir -p ~/.docker
+          echo 'foo_bar' >> ~/.docker/config.json
+      -
+        name: Build
+        uses: ./
+        with:
+          context: ./test
+
+  proxy-docker-config:
+    runs-on: ubuntu-latest
+    services:
+      squid-proxy:
+        image: ubuntu/squid:latest
+        ports:
+          - 3128:3128
+    steps:
+      -
+        name: Check proxy
+        run: |
+          netstat -aptn
+          curl --retry 5 --retry-all-errors --retry-delay 0 --connect-timeout 5 --proxy http://127.0.0.1:3128 -v --insecure --head https://www.google.com
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Set proxy config
+        run: |
+          mkdir -p ~/.docker
+          echo '{"proxies":{"default":{"httpProxy":"http://127.0.0.1:3128","httpsProxy":"http://127.0.0.1:3128"}}}' > ~/.docker/config.json
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+            network=host
+          buildkitd-flags: --debug
+      -
+        name: Build
+        uses: ./
+        with:
+          context: ./test
+          file: ./test/proxy.Dockerfile
+
+  proxy-buildkitd:
+    runs-on: ubuntu-latest
+    services:
+      squid-proxy:
+        image: ubuntu/squid:latest
+        ports:
+          - 3128:3128
+    steps:
+      -
+        name: Check proxy
+        run: |
+          netstat -aptn
+          curl --retry 5 --retry-all-errors --retry-delay 0 --connect-timeout 5 --proxy http://127.0.0.1:3128 -v --insecure --head https://www.google.com
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+            network=host
+            env.http_proxy=http://127.0.0.1:3128
+            env.https_proxy=http://127.0.0.1:3128
+          buildkitd-flags: --debug
+      -
+        name: Build
+        uses: ./
+        with:
+          context: ./test
+          file: ./test/Dockerfile
+
+  annotations:
+    runs-on: ubuntu-latest
+    env:
+      DOCKER_IMAGE: localhost:5000/name/app
+    services:
+      registry:
+        image: registry:2
+        ports:
+          - 5000:5000
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.DOCKER_IMAGE }}
+          tags: |
+            type=schedule
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=sha
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            network=host
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build and push to local registry
+        uses: ./
+        with:
+          context: ./test
+          file: ./test/Dockerfile
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          annotations: |
+            index:com.example.key=value
+            index:com.example.key2=value2
+            manifest:com.example.key3=value3
+      -
+        name: Check manifest
+        run: |
+          docker buildx imagetools inspect ${{ env.DOCKER_IMAGE }}:${{ steps.meta.outputs.version }} --format '{{json .}}'
+
+  multi-output:
+    runs-on: ubuntu-latest
+    services:
+      registry:
+        image: registry:2
+        ports:
+          - 5000:5000
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            network=host
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+          buildkitd-flags: --debug
+      -
+        name: Build
+        uses: ./
+        with:
+          context: ./test
+          file: ./test/Dockerfile
+          outputs: |
+            type=image,name=localhost:5000/name/app:latest,push=true
+            type=docker,name=app:local
+            type=oci,dest=/tmp/oci.tar
+      -
+        name: Check registry
+        run: |
+          docker buildx imagetools inspect localhost:5000/name/app:latest --format '{{json .}}'
+      -
+        name: Check docker
+        run: |
+          docker image inspect app:local
+      -
+        name: Check oci
+        run: |
+          set -ex
+          mkdir -p /tmp/oci-out
+          tar xf /tmp/oci.tar -C /tmp/oci-out
+          tree -nh /tmp/oci-out
+
+  load-and-push:
+    runs-on: ubuntu-latest
+    services:
+      registry:
+        image: registry:2
+        ports:
+          - 5000:5000
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            network=host
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+          buildkitd-flags: --debug
+      -
+        name: Build
+        uses: ./
+        with:
+          context: ./test
+          file: ./test/Dockerfile
+          load: true
+          push: true
+          tags: localhost:5000/name/app:latest
+      -
+        name: Check registry
+        run: |
+          docker buildx imagetools inspect localhost:5000/name/app:latest --format '{{json .}}'
+      -
+        name: Check docker
+        run: |
+          docker image inspect localhost:5000/name/app:latest

.github/workflows/e2e.yml

@@ -1,19 +1,11 @@
 name: e2e
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 on:
   workflow_dispatch:
-    inputs:
-      buildx-version:
-        description: 'Buildx version or Git context'
-        default: 'latest'
-        required: false
-      buildkit-image:
-        description: 'BuildKit image'
-        default: 'moby/buildkit:buildx-stable-1'
-        required: false
-      tag:
-        description: 'Additional tag to push'
-        required: false
   schedule:
     - cron: '0 10 * * *'
   push:
@@ -22,16 +14,9 @@ on:
     tags:
       - 'v*'
 
-env:
-  BUILDX_VERSION: latest
-  BUILDKIT_IMAGE: moby/buildkit:buildx-stable-1
-  HARBOR_VERSION: v2.7.0
-  NEXUS_VERSION: 3.47.1
-  DISTRIBUTION_VERSION: 2.8.1
-
 jobs:
   build:
-    runs-on: ubuntu-latest
+    uses: ./.github/workflows/.e2e-run.yml
     strategy:
       fail-fast: false
       matrix:
@@ -105,8 +90,8 @@ jobs:
             type: remote
           -
             name: Artifactory
-            registry: buildkitghactiontests.jfrog.io
-            slug: buildkitghactiontests.jfrog.io/ghactiontest/test-docker-action
+            registry: infradock.jfrog.io
+            slug: infradock.jfrog.io/test-ghaction/build-push-action
             username_secret: ARTIFACTORY_USERNAME
             password_secret: ARTIFACTORY_TOKEN
             type: remote
@@ -118,86 +103,12 @@ jobs:
             name: Nexus
             id: nexus
             type: local
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v3
-      -
-        name: Set up env
-        if: matrix.type == 'local'
-        run: |
-          cat ./.github/e2e/${{ matrix.id }}/env >> $GITHUB_ENV
-      -
-        name: Set up BuildKit config
-        run: |
-          touch /tmp/buildkitd.toml
-          if [ "${{ matrix.type }}" = "local" ]; then
-            echo -e "[registry.\"${{ env.REGISTRY_FQDN }}\"]\nhttp = true\ninsecure = true" > /tmp/buildkitd.toml
-          fi
-      -
-        name: Set up Docker daemon
-        if: matrix.type == 'local'
-        run: |
-          if [ ! -e /etc/docker/daemon.json ]; then
-            echo '{}' | tee /etc/docker/daemon.json >/dev/null
-          fi
-          DOCKERD_CONFIG=$(jq '.+{"insecure-registries":["http://${{ env.REGISTRY_FQDN }}"]}' /etc/docker/daemon.json)
-          sudo tee /etc/docker/daemon.json <<<"$DOCKERD_CONFIG" >/dev/null
-          sudo service docker restart
-      -
-        name: Install ${{ matrix.name }}
-        if: matrix.type == 'local'
-        run: |
-          sudo -E bash ./.github/e2e/${{ matrix.id }}/install.sh
-      -
-        name: Docker meta
-        id: meta
-        uses: docker/metadata-action@v4
-        with:
-          images: ${{ env.REGISTRY_SLUG || matrix.slug }}
-          tags: |
-            type=ref,event=branch
-            type=ref,event=tag
-            type=raw,value=${{ inputs.tag }},enable=${{ inputs.tag != '' }}
-      -
-        name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
-        with:
-          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
-          config: /tmp/buildkitd.toml
-          buildkitd-flags: --debug --allow-insecure-entitlement security.insecure --allow-insecure-entitlement network.host
-          driver-opts: |
-            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
-            network=host
-      -
-        name: Login to Registry
-        if: github.event_name != 'pull_request' && (env.REGISTRY_USER || matrix.username_secret) != ''
-        uses: docker/login-action@v2
-        with:
-          registry: ${{ env.REGISTRY_FQDN || matrix.registry }}
-          username: ${{ env.REGISTRY_USER || secrets[matrix.username_secret] }}
-          password: ${{ env.REGISTRY_PASSWORD || secrets[matrix.password_secret] }}
-      -
-        name: Build and push
-        uses: ./
-        with:
-          context: ./test
-          file: ./test/multi.Dockerfile
-          platforms: linux/386,linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64,linux/ppc64le,linux/s390x
-          push: ${{ github.event_name != 'pull_request' }}
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          cache-from: type=registry,ref=${{ env.REGISTRY_SLUG || matrix.slug }}:master
-          cache-to: type=inline
-      -
-        name: Inspect image
-        run: |
-          docker pull ${{ env.REGISTRY_SLUG || matrix.slug }}:${{ steps.meta.outputs.version }}
-          docker image inspect ${{ env.REGISTRY_SLUG || matrix.slug }}:${{ steps.meta.outputs.version }}
-      -
-        name: Check manifest
-        run: |
-          docker buildx imagetools inspect ${{ env.REGISTRY_SLUG || matrix.slug }}:${{ steps.meta.outputs.version }} --format '{{json .}}'
+    with:
+      id: ${{ matrix.id }}
+      type: ${{ matrix.type }}
+      name: ${{ matrix.name }}
+      registry: ${{ matrix.registry }}
+      slug: ${{ matrix.slug }}
+      username_secret: ${{ matrix.username_secret }}
+      password_secret: ${{ matrix.password_secret }}
+    secrets: inherit

.github/workflows/test.yml

@@ -1,5 +1,9 @@
 name: test
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 on:
   push:
     branches:
@@ -13,14 +17,15 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       -
         name: Test
-        uses: docker/bake-action@v3
+        uses: docker/bake-action@v4
         with:
           targets: test
       -
         name: Upload coverage
-        uses: codecov/codecov-action@v3
+        uses: codecov/codecov-action@v4
         with:
           file: ./coverage/clover.xml
+          token: ${{ secrets.CODECOV_TOKEN }}

.github/workflows/validate.yml

@@ -1,5 +1,9 @@
 name: validate
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 on:
   push:
     branches:
@@ -15,7 +19,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       -
         name: Targets matrix
         id: targets
@@ -33,9 +37,9 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       -
         name: Validate
-        uses: docker/bake-action@v3
+        uses: docker/bake-action@v4
         with:
           targets: ${{ matrix.target }}

.gitignore

@@ -1,7 +1,5 @@
-node_modules
-lib
+# https://raw.githubusercontent.com/github/gitignore/main/Node.gitignore
 
-# Rest of the file pulled from https://github.com/github/gitignore/blob/master/Node.gitignore
 # Logs
 logs
 *.log
@@ -9,6 +7,7 @@ npm-debug.log*
 yarn-debug.log*
 yarn-error.log*
 lerna-debug.log*
+.pnpm-debug.log*
 
 # Diagnostic reports (https://nodejs.org/api/report.html)
 report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json
@@ -19,34 +18,14 @@ pids
 *.seed
 *.pid.lock
 
-# Directory for instrumented libs generated by jscoverage/JSCover
-lib-cov
-
 # Coverage directory used by tools like istanbul
 coverage
 *.lcov
 
-# nyc test coverage
-.nyc_output
-
-# Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files)
-.grunt
-
-# Bower dependency directory (https://bower.io/)
-bower_components
-
-# node-waf configuration
-.lock-wscript
-
-# Compiled binary addons (https://nodejs.org/api/addons.html)
-build/Release
-
 # Dependency directories
+node_modules/
 jspm_packages/
 
-# TypeScript v1 declaration files
-typings/
-
 # TypeScript cache
 *.tsbuildinfo
 
@@ -56,36 +35,19 @@ typings/
 # Optional eslint cache
 .eslintcache
 
-# Optional REPL history
-.node_repl_history
-
-# Output of 'npm pack'
-*.tgz
-
 # Yarn Integrity file
 .yarn-integrity
 
-# dotenv environment variables file
+# dotenv environment variable files
 .env
-.env.test
+.env.development.local
+.env.test.local
+.env.production.local
+.env.local
 
-# parcel-bundler cache (https://parceljs.org/)
-.cache
-
-# next.js build output
-.next
-
-# nuxt.js build output
-.nuxt
-
-# vuepress build output
-.vuepress/dist
-
-# Serverless directories
-.serverless/
-
-# FuseBox cache
-.fusebox/
-
-# DynamoDB Local files
-.dynamodb/
+# yarn v2
+.yarn/cache
+.yarn/unplugged
+.yarn/build-state.yml
+.yarn/install-state.gz
+.pnp.*

.prettierignore

@@ -0,0 +1,6 @@
+# Dependency directories
+node_modules/
+jspm_packages/
+
+# yarn v2
+.yarn/

.yarnrc.yml

@@ -0,0 +1,13 @@
+logFilters:
+  - code: YN0013
+    level: discard
+  - code: YN0019
+    level: discard
+  - code: YN0076
+    level: discard
+
+nodeLinker: node-modules
+
+plugins:
+  - path: .yarn/plugins/@yarnpkg/plugin-interactive-tools.cjs
+    spec: "@yarnpkg/plugin-interactive-tools"

README.md

@@ -31,6 +31,9 @@ ___
   * [Named contexts](https://docs.docker.com/build/ci/github-actions/named-contexts/)
   * [Copy image between registries](https://docs.docker.com/build/ci/github-actions/copy-image-registries/)
   * [Update Docker Hub repo description](https://docs.docker.com/build/ci/github-actions/update-dockerhub-desc/)
+  * [SBOM and provenance attestations](https://docs.docker.com/build/ci/github-actions/attestations/)
+  * [Annotations](https://docs.docker.com/build/ci/github-actions/annotations/)
+  * [Reproducible builds](https://docs.docker.com/build/ci/github-actions/reproducible-builds/)
 * [Customizing](#customizing)
   * [inputs](#inputs)
   * [outputs](#outputs)
@@ -74,19 +77,19 @@ jobs:
     steps:
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
       -
         name: Login to Docker Hub
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
       -
         name: Build and push
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v5
         with:
           push: true
           tags: user/app:latest
@@ -108,24 +111,16 @@ to the default Git context:
         # Setting up Docker Buildx with docker-container driver is required
         # at the moment to be able to use a subdirectory with Git context
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
       -
         name: Build and push
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v5
         with:
           context: "{{defaultContext}}:mysubdir"
           push: true
           tags: user/app:latest
 ```
 
-> **Warning**
->
-> Subdirectory for Git context is available from [BuildKit v0.9.0](https://github.com/moby/buildkit/releases/tag/v0.9.0).
-> If you're using the `docker` builder (default if `setup-buildx-action` not used),
-> then BuildKit in Docker Engine will be used. As Docker Engine < v22.x.x embeds
-> Buildkit 0.8.2 at the moment, it does not support this feature. It's therefore
-> required to use the `setup-buildx-action` at the moment.
-
 Building from the current repository automatically uses the [GitHub Token](https://docs.github.com/en/actions/security-guides/automatic-token-authentication),
 so it does not need to be passed. If you want to authenticate against another
 private repository, you have to use a [secret](https://docs.docker.com/build/ci/github-actions/secrets)
@@ -134,7 +129,7 @@ named `GIT_AUTH_TOKEN` to be able to authenticate against it with Buildx:
 ```yaml
       -
         name: Build and push
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v5
         with:
           push: true
           tags: user/app:latest
@@ -158,22 +153,22 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
       -
         name: Login to Docker Hub
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
       -
         name: Build and push
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v5
         with:
           context: .
           push: true
@@ -194,6 +189,9 @@ jobs:
 * [Named contexts](https://docs.docker.com/build/ci/github-actions/named-contexts/)
 * [Copy image between registries](https://docs.docker.com/build/ci/github-actions/copy-image-registries/)
 * [Update Docker Hub repo description](https://docs.docker.com/build/ci/github-actions/update-dockerhub-desc/)
+* [SBOM and provenance attestations](https://docs.docker.com/build/ci/github-actions/attestations/)
+* [Annotations](https://docs.docker.com/build/ci/github-actions/annotations/)
+* [Reproducible builds](https://docs.docker.com/build/ci/github-actions/reproducible-builds/)
 
 ## Customizing
 
@@ -217,6 +215,7 @@ Following inputs can be used as `step.with` keys
 |--------------------|-------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | `add-hosts`        | List/CSV    | List of [customs host-to-IP mapping](https://docs.docker.com/engine/reference/commandline/build/#add-entries-to-container-hosts-file---add-host) (e.g., `docker:10.180.0.1`)      |
 | `allow`            | List/CSV    | List of [extra privileged entitlement](https://docs.docker.com/engine/reference/commandline/buildx_build/#allow) (e.g., `network.host,security.insecure`)                         |
+| `annotations`      | List        | List of annotation to set to the image                                                                                                                                            |
 | `attests`          | List        | List of [attestation](https://docs.docker.com/build/attestations/) parameters (e.g., `type=sbom,generator=image`)                                                                 | 
 | `builder`          | String      | Builder instance (see [setup-buildx](https://github.com/docker/setup-buildx-action) action)                                                                                       |
 | `build-args`       | List        | List of [build-time variables](https://docs.docker.com/engine/reference/commandline/buildx_build/#build-arg)                                                                      |
@@ -231,13 +230,14 @@ Following inputs can be used as `step.with` keys
 | `network`          | String      | Set the networking mode for the `RUN` instructions during build                                                                                                                   |
 | `no-cache`         | Bool        | Do not use cache when building the image (default `false`)                                                                                                                        |
 | `no-cache-filters` | List/CSV    | Do not cache specified stages                                                                                                                                                     |
-| `outputs`¹         | List        | List of [output destinations](https://docs.docker.com/engine/reference/commandline/buildx_build/#output) (format: `type=local,dest=path`)                                         |
+| `outputs`          | List        | List of [output destinations](https://docs.docker.com/engine/reference/commandline/buildx_build/#output) (format: `type=local,dest=path`)                                         |
 | `platforms`        | List/CSV    | List of [target platforms](https://docs.docker.com/engine/reference/commandline/buildx_build/#platform) for build                                                                 |
 | `provenance`       | Bool/String | Generate [provenance](https://docs.docker.com/build/attestations/slsa-provenance/) attestation for the build (shorthand for `--attest=type=provenance`)                           |
 | `pull`             | Bool        | Always attempt to pull all referenced images (default `false`)                                                                                                                    |
 | `push`             | Bool        | [Push](https://docs.docker.com/engine/reference/commandline/buildx_build/#push) is a shorthand for `--output=type=registry` (default `false`)                                     |
 | `sbom`             | Bool/String | Generate [SBOM](https://docs.docker.com/build/attestations/sbom/) attestation for the build (shorthand for `--attest=type=sbom`)                                                  |
 | `secrets`          | List        | List of [secrets](https://docs.docker.com/engine/reference/commandline/buildx_build/#secret) to expose to the build (e.g., `key=string`, `GIT_AUTH_TOKEN=mytoken`)                |
+| `secret-envs`      | List/CSV    | List of [secret env vars](https://docs.docker.com/engine/reference/commandline/buildx_build/#secret) to expose to the build (e.g., `key=envname`, `MY_SECRET=MY_ENV_VAR`)         |
 | `secret-files`     | List        | List of [secret files](https://docs.docker.com/engine/reference/commandline/buildx_build/#secret) to expose to the build (e.g., `key=filename`, `MY_SECRET=./secret.txt`)         |
 | `shm-size`         | String      | Size of [`/dev/shm`](https://docs.docker.com/engine/reference/commandline/buildx_build/#shm-size) (e.g., `2g`)                                                                    |
 | `ssh`              | List        | List of [SSH agent socket or keys](https://docs.docker.com/engine/reference/commandline/buildx_build/#ssh) to expose to the build                                                 |
@@ -246,13 +246,9 @@ Following inputs can be used as `step.with` keys
 | `ulimit`           | List        | [Ulimit](https://docs.docker.com/engine/reference/commandline/buildx_build/#ulimit) options (e.g., `nofile=1024:1024`)                                                            |
 | `github-token`     | String      | GitHub Token used to authenticate against a repository for [Git context](#git-context) (default `${{ github.token }}`)                                                            |
 
-> **Note**
->
-> * ¹ multiple `outputs` are [not yet supported](https://github.com/moby/buildkit/issues/1555)
-
 ### outputs
 
-Following outputs are available
+The following outputs are available:
 
 | Name       | Type    | Description           |
 |------------|---------|-----------------------|

TROUBLESHOOTING.md

@@ -4,6 +4,7 @@
   * [BuildKit container logs](#buildkit-container-logs)
   * [With containerd](#with-containerd)
 * [`repository name must be lowercase`](#repository-name-must-be-lowercase)
+* [Image not loaded](#image-not-loaded)
 
 ## Cannot push to a registry
 
@@ -44,13 +45,13 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
         with:
           buildkitd-flags: --debug
       -
@@ -58,7 +59,7 @@ jobs:
         uses: crazy-max/ghaction-setup-containerd@v2
       -
         name: Build Docker image
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v5
         with:
           context: .
           platforms: linux/amd64,linux/arm64
@@ -111,7 +112,7 @@ to generate sanitized tags:
     tags: latest
 
 - name: Build and push
-  uses: docker/build-push-action@v4
+  uses: docker/build-push-action@v5
   with:
     context: .
     push: true
@@ -129,9 +130,35 @@ Or a dedicated step to sanitize the slug:
     script: return 'ghcr.io/${{ github.repository }}'.toLowerCase()
 
 - name: Build and push
-  uses: docker/build-push-action@v4
+  uses: docker/build-push-action@v5
   with:
     context: .
     push: true
     tags: ${{ steps.repo_slug.outputs.result }}:latest
 ```
+
+## Image not loaded
+
+Sometimes when your workflows are heavy consumers of disk storage, it can happen that build-push-action declares that the built image is loaded, but then not found in the following workflow steps.
+
+- You can use the following solution as workaround, to free space on disk before building docker image using the following workflow step
+
+```yaml
+      # Free disk space
+      - name: Free Disk space
+        shell: bash
+        run: |
+          sudo rm -rf /usr/local/lib/android  # will release about 10 GB if you don't need Android
+          sudo rm -rf /usr/share/dotnet # will release about 20GB if you don't need .NET
+```
+
+- Another workaround can be to call `docker/setup-buildx-action` with docker driver
+
+```yaml
+name: Set up Docker Buildx
+uses: docker/setup-buildx-action@v3
+with:
+  driver: docker
+```
+
+More details in the [related issue](https://github.com/docker/build-push-action/issues/321)

__tests__/context.test.ts

@@ -1,13 +1,16 @@
 import {beforeEach, describe, expect, jest, test} from '@jest/globals';
 import * as fs from 'fs';
 import * as path from 'path';
+
 import {Builder} from '@docker/actions-toolkit/lib/buildx/builder';
 import {Buildx} from '@docker/actions-toolkit/lib/buildx/buildx';
+import {Build} from '@docker/actions-toolkit/lib/buildx/build';
 import {Context} from '@docker/actions-toolkit/lib/context';
 import {Docker} from '@docker/actions-toolkit/lib/docker/docker';
 import {GitHub} from '@docker/actions-toolkit/lib/github';
 import {Toolkit} from '@docker/actions-toolkit/lib/toolkit';
-import {BuilderInfo} from '@docker/actions-toolkit/lib/types/builder';
+
+import {BuilderInfo} from '@docker/actions-toolkit/lib/types/buildx/builder';
 import {GitHubRepo} from '@docker/actions-toolkit/lib/types/github';
 
 import * as context from '../src/context';
@@ -35,6 +38,16 @@ jest.spyOn(Docker, 'isAvailable').mockImplementation(async (): Promise<boolean>
   return true;
 });
 
+const metadataJson = path.join(tmpDir, 'metadata.json');
+jest.spyOn(Build.prototype, 'getMetadataFilePath').mockImplementation((): string => {
+  return metadataJson;
+});
+
+const imageIDFilePath = path.join(tmpDir, 'iidfile.txt');
+jest.spyOn(Build.prototype, 'getImageIDFilePath').mockImplementation((): string => {
+  return imageIDFilePath;
+});
+
 jest.spyOn(Builder.prototype, 'inspect').mockImplementation(async (): Promise<BuilderInfo> => {
   return {
     name: 'builder2',
@@ -78,7 +91,7 @@ describe('getArgs', () => {
       ]),
       [
         'build',
-        '--iidfile', path.join(tmpDir, 'iidfile'),
+        '--iidfile', imageIDFilePath,
         '.'
       ]
     ],
@@ -101,7 +114,7 @@ ccc"`],
         '--build-arg', 'MY_ARG=val1,val2,val3',
         '--build-arg', 'ARG=val',
         '--build-arg', `MULTILINE=aaaa\nbbbb\nccc`,
-        '--iidfile', path.join(tmpDir, 'iidfile'),
+        '--iidfile', imageIDFilePath,
         'https://github.com/docker/build-push-action.git#refs/heads/master'
       ]
     ],
@@ -117,7 +130,7 @@ ccc"`],
       ]),
       [
         'build',
-        '--iidfile', path.join(tmpDir, 'iidfile'),
+        '--iidfile', imageIDFilePath,
         '--tag', 'name/app:7.4',
         '--tag', 'name/app:latest',
         'https://github.com/docker/build-push-action.git#refs/heads/master'
@@ -172,7 +185,7 @@ ccc"`],
       ]),
       [
         'build',
-        '--iidfile', path.join(tmpDir, 'iidfile'),
+        '--iidfile', imageIDFilePath,
         '.'
       ]
     ],
@@ -189,7 +202,7 @@ ccc"`],
       ]),
       [
         'build',
-        '--iidfile', path.join(tmpDir, 'iidfile'),
+        '--iidfile', imageIDFilePath,
         '--secret', `id=GIT_AUTH_TOKEN,src=${tmpName}`,
         '.'
       ]
@@ -230,7 +243,7 @@ ccc"`],
       [
         'build',
         '--file', './test/Dockerfile',
-        '--iidfile', path.join(tmpDir, 'iidfile'),
+        '--iidfile', imageIDFilePath,
         '--platform', 'linux/amd64,linux/arm64',
         '--secret', `id=GIT_AUTH_TOKEN,src=${tmpName}`,
         '--builder', 'builder-git-context-2',
@@ -264,7 +277,7 @@ ccc"`],
       [
         'build',
         '--file', './test/Dockerfile',
-        '--iidfile', path.join(tmpDir, 'iidfile'),
+        '--iidfile', imageIDFilePath,
         '--platform', 'linux/amd64,linux/arm64',
         '--secret', `id=GIT_AUTH_TOKEN,src=${tmpName}`,
         '--secret', `id=MYSECRET,src=${tmpName}`,
@@ -301,7 +314,7 @@ ccc`],
       [
         'build',
         '--file', './test/Dockerfile',
-        '--iidfile', path.join(tmpDir, 'iidfile'),
+        '--iidfile', imageIDFilePath,
         '--platform', 'linux/amd64,linux/arm64',
         '--secret', `id=GIT_AUTH_TOKEN,src=${tmpName}`,
         '--secret', `id=MYSECRET,src=${tmpName}`,
@@ -330,7 +343,7 @@ ccc`],
       [
         'build',
         '--file', './test/Dockerfile',
-        '--iidfile', path.join(tmpDir, 'iidfile'),
+        '--iidfile', imageIDFilePath,
         '--secret', `id=MY_SECRET,src=${tmpName}`,
         '--builder', 'builder-git-context-2',
         '--network', 'host',
@@ -377,8 +390,8 @@ ccc`],
         '--add-host', 'docker:10.180.0.1',
         '--add-host', 'foo:10.0.0.1',
         '--file', './test/Dockerfile',
-        '--iidfile', path.join(tmpDir, 'iidfile'),
-        '--metadata-file', path.join(tmpDir, 'metadata-file'),
+        '--iidfile', imageIDFilePath,
+        '--metadata-file', metadataJson,
         '--network', 'host',
         '--push',
         '.'
@@ -406,11 +419,11 @@ nproc=3`],
         '--add-host', 'foo:10.0.0.1',
         '--cgroup-parent', 'foo',
         '--file', './test/Dockerfile',
-        '--iidfile', path.join(tmpDir, 'iidfile'),
+        '--iidfile', imageIDFilePath,
         '--shm-size', '2g',
         '--ulimit', 'nofile=1024:1024',
         '--ulimit', 'nproc=3',
-        '--metadata-file', path.join(tmpDir, 'metadata-file'),
+        '--metadata-file', metadataJson,
         '.'
       ]
     ],
@@ -426,8 +439,8 @@ nproc=3`],
       ]),
       [
         'build',
-        '--iidfile', path.join(tmpDir, 'iidfile'),
-        '--metadata-file', path.join(tmpDir, 'metadata-file'),
+        '--iidfile', imageIDFilePath,
+        '--metadata-file', metadataJson,
         'https://github.com/docker/build-push-action.git#refs/heads/master:docker'
       ]
     ],
@@ -444,9 +457,9 @@ nproc=3`],
       ]),
       [
         'build',
-        '--iidfile', path.join(tmpDir, 'iidfile'),
+        '--iidfile', imageIDFilePath,
         '--secret', `id=GIT_AUTH_TOKEN,src=${tmpName}`,
-        '--metadata-file', path.join(tmpDir, 'metadata-file'),
+        '--metadata-file', metadataJson,
         'https://github.com/docker/build-push-action.git#refs/heads/master:subdir'
       ]
     ],
@@ -463,8 +476,8 @@ nproc=3`],
       ]),
       [
         'build',
-        '--iidfile', path.join(tmpDir, 'iidfile'),
-        '--metadata-file', path.join(tmpDir, 'metadata-file'),
+        '--iidfile', imageIDFilePath,
+        '--metadata-file', metadataJson,
         '.'
       ]
     ],
@@ -480,9 +493,9 @@ nproc=3`],
       ]),
       [
         'build',
-        '--iidfile', path.join(tmpDir, 'iidfile'),
-        "--provenance", `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`,
-        '--metadata-file', path.join(tmpDir, 'metadata-file'),
+        '--iidfile', imageIDFilePath,
+        '--attest', `type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`,
+        '--metadata-file', metadataJson,
         '.'
       ]
     ],
@@ -499,9 +512,9 @@ nproc=3`],
       ]),
       [
         'build',
-        '--iidfile', path.join(tmpDir, 'iidfile'),
-        "--provenance", `builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`,
-        '--metadata-file', path.join(tmpDir, 'metadata-file'),
+        '--iidfile', imageIDFilePath,
+        '--attest', `type=provenance,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`,
+        '--metadata-file', metadataJson,
         '.'
       ]
     ],
@@ -518,9 +531,9 @@ nproc=3`],
       ]),
       [
         'build',
-        '--iidfile', path.join(tmpDir, 'iidfile'),
-        "--provenance", `mode=max,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`,
-        '--metadata-file', path.join(tmpDir, 'metadata-file'),
+        '--iidfile', imageIDFilePath,
+        '--attest', `type=provenance,mode=max,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`,
+        '--metadata-file', metadataJson,
         '.'
       ]
     ],
@@ -537,9 +550,9 @@ nproc=3`],
       ]),
       [
         'build',
-        '--iidfile', path.join(tmpDir, 'iidfile'),
-        "--provenance", 'false',
-        '--metadata-file', path.join(tmpDir, 'metadata-file'),
+        '--iidfile', imageIDFilePath,
+        '--attest', 'type=provenance,disabled=true',
+        '--metadata-file', metadataJson,
         '.'
       ]
     ],
@@ -556,9 +569,9 @@ nproc=3`],
       ]),
       [
         'build',
-        '--iidfile', path.join(tmpDir, 'iidfile'),
-        "--provenance", 'builder-id=foo',
-        '--metadata-file', path.join(tmpDir, 'metadata-file'),
+        '--iidfile', imageIDFilePath,
+        '--attest', 'type=provenance,builder-id=foo',
+        '--metadata-file', metadataJson,
         '.'
       ]
     ],
@@ -575,9 +588,9 @@ nproc=3`],
       ]),
       [
         'build',
-        '--iidfile', path.join(tmpDir, 'iidfile'),
+        '--iidfile', imageIDFilePath,
         "--output", 'type=docker',
-        '--metadata-file', path.join(tmpDir, 'metadata-file'),
+        '--metadata-file', metadataJson,
         '.'
       ]
     ],
@@ -593,9 +606,9 @@ nproc=3`],
       ]),
       [
         'build',
-        '--iidfile', path.join(tmpDir, 'iidfile'),
+        '--iidfile', imageIDFilePath,
         '--load',
-        '--metadata-file', path.join(tmpDir, 'metadata-file'),
+        '--metadata-file', metadataJson,
         '.'
       ]
     ],
@@ -613,9 +626,176 @@ nproc=3`],
       [
         'build',
         '--build-arg', 'FOO=bar#baz',
-        '--iidfile', path.join(tmpDir, 'iidfile'),
+        '--iidfile', imageIDFilePath,
         '--load',
-        '--metadata-file', path.join(tmpDir, 'metadata-file'),
+        '--metadata-file', metadataJson,
+        '.'
+      ]
+    ],
+    [
+      26,
+      '0.10.0',
+      new Map<string, string>([
+        ['context', '.'],
+        ['no-cache', 'false'],
+        ['load', 'true'],
+        ['push', 'false'],
+        ['pull', 'false'],
+        ['secret-envs', `MY_SECRET=MY_SECRET_ENV
+ANOTHER_SECRET=ANOTHER_SECRET_ENV`]
+      ]),
+      [
+        'build',
+        '--secret', 'id=MY_SECRET,env=MY_SECRET_ENV',
+        '--secret', 'id=ANOTHER_SECRET,env=ANOTHER_SECRET_ENV',
+        '--iidfile', imageIDFilePath,
+        '--load',
+        '--metadata-file', metadataJson,
+        '.'
+      ]
+    ],
+    [
+      27,
+      '0.10.0',
+      new Map<string, string>([
+        ['context', '.'],
+        ['no-cache', 'false'],
+        ['load', 'true'],
+        ['push', 'false'],
+        ['pull', 'false'],
+        ['secret-envs', 'MY_SECRET=MY_SECRET_ENV,ANOTHER_SECRET=ANOTHER_SECRET_ENV']
+      ]),
+      [
+        'build',
+        '--secret', 'id=MY_SECRET,env=MY_SECRET_ENV',
+        '--secret', 'id=ANOTHER_SECRET,env=ANOTHER_SECRET_ENV',
+        '--iidfile', imageIDFilePath,
+        '--load',
+        '--metadata-file', metadataJson,
+        '.'
+      ]
+    ],
+    [
+      28,
+      '0.11.0',
+      new Map<string, string>([
+        ['context', '.'],
+        ['annotations', 'example1=www\nindex:example2=xxx\nmanifest:example3=yyy\nmanifest-descriptor[linux/amd64]:example4=zzz'],
+        ['outputs', 'type=local,dest=./release-out'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+      ]),
+      [
+        'build',
+        '--output', 'type=local,dest=./release-out',
+        '--attest', `type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`,
+        '--metadata-file', metadataJson,
+        '.'
+      ]
+    ],
+    [
+      29,
+      '0.12.0',
+      new Map<string, string>([
+        ['context', '.'],
+        ['annotations', 'example1=www\nindex:example2=xxx\nmanifest:example3=yyy\nmanifest-descriptor[linux/amd64]:example4=zzz'],
+        ['outputs', 'type=local,dest=./release-out'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+      ]),
+      [
+        'build',
+        '--annotation', 'example1=www',
+        '--annotation', 'index:example2=xxx',
+        '--annotation', 'manifest:example3=yyy',
+        '--annotation', 'manifest-descriptor[linux/amd64]:example4=zzz',
+        '--output', 'type=local,dest=./release-out',
+        '--attest', `type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`,
+        '--metadata-file', metadataJson,
+        '.'
+      ]
+    ],
+    [
+      30,
+      '0.12.0',
+      new Map<string, string>([
+        ['context', '.'],
+        ['outputs', `type=image,"name=localhost:5000/name/app:latest,localhost:5000/name/app:foo",push-by-digest=true,name-canonical=true,push=true`],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+      ]),
+      [
+        'build',
+        '--iidfile', imageIDFilePath,
+        "--output", `type=image,"name=localhost:5000/name/app:latest,localhost:5000/name/app:foo",push-by-digest=true,name-canonical=true,push=true`,
+        '--attest', `type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`,
+        '--metadata-file', metadataJson,
+        '.'
+      ]
+    ],
+    [
+      31,
+      '0.13.1',
+      new Map<string, string>([
+        ['context', '.'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+        ['provenance', 'mode=max'],
+        ['sbom', 'true'],
+      ]),
+      [
+        'build',
+        '--iidfile', imageIDFilePath,
+        '--attest', `type=provenance,mode=max,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`,
+        '--attest', `type=sbom,disabled=false`,
+        '--metadata-file', metadataJson,
+        '.'
+      ]
+    ],
+    [
+      32,
+      '0.13.1',
+      new Map<string, string>([
+        ['context', '.'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+        ['attests', 'type=provenance,mode=min'],
+        ['provenance', 'mode=max'],
+      ]),
+      [
+        'build',
+        '--iidfile', imageIDFilePath,
+        '--attest', `type=provenance,mode=max,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`,
+        '--metadata-file', metadataJson,
+        '.'
+      ]
+    ],
+    [
+      33,
+      '0.13.1',
+      new Map<string, string>([
+        ['context', '.'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+        ['attests', 'type=provenance,mode=min'],
+      ]),
+      [
+        'build',
+        '--iidfile', imageIDFilePath,
+        '--attest', `type=provenance,mode=min,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`,
+        '--metadata-file', metadataJson,
         '.'
       ]
     ],

action.yml

@@ -13,6 +13,9 @@ inputs:
   allow:
     description: "List of extra privileged entitlement (e.g., network.host,security.insecure)"
     required: false
+  annotations:
+    description: "List of annotation to set to the image"
+    required: false
   attests:
     description: "List of attestation parameters (e.g., type=sbom,generator=image)"
     required: false
@@ -80,6 +83,9 @@ inputs:
   secrets:
     description: "List of secrets to expose to the build (e.g., key=string, GIT_AUTH_TOKEN=mytoken)"
     required: false
+  secret-envs:
+    description: "List of secret env vars to expose to the build (e.g., key=envname, MY_SECRET=MY_ENV_VAR)"
+    required: false
   secret-files:
     description: "List of secret files to expose to the build (e.g., key=filename, MY_SECRET=./secret.txt)"
     required: false
@@ -112,6 +118,6 @@ outputs:
     description: 'Build result metadata'
 
 runs:
-  using: 'node16'
+  using: 'node20'
   main: 'dist/index.js'
   post: 'dist/index.js'

dev.Dockerfile

@@ -1,15 +1,20 @@
 # syntax=docker/dockerfile:1
 
-ARG NODE_VERSION=16
-ARG DOCKER_VERSION=20.10.13
-ARG BUILDX_VERSION=0.8.0
+ARG NODE_VERSION=20
 
 FROM node:${NODE_VERSION}-alpine AS base
 RUN apk add --no-cache cpio findutils git
 WORKDIR /src
+RUN --mount=type=bind,target=.,rw \
+  --mount=type=cache,target=/src/.yarn/cache <<EOT
+  corepack enable
+  yarn --version
+  yarn config set --home enableTelemetry 0
+EOT
 
 FROM base AS deps
 RUN --mount=type=bind,target=.,rw \
+  --mount=type=cache,target=/src/.yarn/cache \
   --mount=type=cache,target=/src/node_modules \
   yarn install && mkdir /vendor && cp yarn.lock /vendor
 
@@ -18,18 +23,19 @@ COPY --from=deps /vendor /
 
 FROM deps AS vendor-validate
 RUN --mount=type=bind,target=.,rw <<EOT
-set -e
-git add -A
-cp -rf /vendor/* .
-if [ -n "$(git status --porcelain -- yarn.lock)" ]; then
-  echo >&2 'ERROR: Vendor result differs. Please vendor your package with "docker buildx bake vendor-update"'
-  git status --porcelain -- yarn.lock
-  exit 1
-fi
+  set -e
+  git add -A
+  cp -rf /vendor/* .
+  if [ -n "$(git status --porcelain -- yarn.lock)" ]; then
+    echo >&2 'ERROR: Vendor result differs. Please vendor your package with "docker buildx bake vendor-update"'
+    git status --porcelain -- yarn.lock
+    exit 1
+  fi
 EOT
 
 FROM deps AS build
 RUN --mount=type=bind,target=.,rw \
+  --mount=type=cache,target=/src/.yarn/cache \
   --mount=type=cache,target=/src/node_modules \
   yarn run build && mkdir /out && cp -Rf dist /out/
 
@@ -38,39 +44,37 @@ COPY --from=build /out /
 
 FROM build AS build-validate
 RUN --mount=type=bind,target=.,rw <<EOT
-set -e
-git add -A
-cp -rf /out/* .
-if [ -n "$(git status --porcelain -- dist)" ]; then
-  echo >&2 'ERROR: Build result differs. Please build first with "docker buildx bake build"'
-  git status --porcelain -- dist
-  exit 1
-fi
+  set -e
+  git add -A
+  cp -rf /out/* .
+  if [ -n "$(git status --porcelain -- dist)" ]; then
+    echo >&2 'ERROR: Build result differs. Please build first with "docker buildx bake build"'
+    git status --porcelain -- dist
+    exit 1
+  fi
 EOT
 
 FROM deps AS format
 RUN --mount=type=bind,target=.,rw \
+  --mount=type=cache,target=/src/.yarn/cache \
   --mount=type=cache,target=/src/node_modules \
   yarn run format \
-  && mkdir /out && find . -name '*.ts' -not -path './node_modules/*' | cpio -pdm /out
+  && mkdir /out && find . -name '*.ts' -not -path './node_modules/*' -not -path './.yarn/*' | cpio -pdm /out
 
 FROM scratch AS format-update
 COPY --from=format /out /
 
 FROM deps AS lint
 RUN --mount=type=bind,target=.,rw \
+  --mount=type=cache,target=/src/.yarn/cache \
   --mount=type=cache,target=/src/node_modules \
   yarn run lint
 
-FROM docker:${DOCKER_VERSION} as docker
-FROM docker/buildx-bin:${BUILDX_VERSION} as buildx
-
 FROM deps AS test
 RUN --mount=type=bind,target=.,rw \
+  --mount=type=cache,target=/src/.yarn/cache \
   --mount=type=cache,target=/src/node_modules \
-  --mount=type=bind,from=docker,source=/usr/local/bin/docker,target=/usr/bin/docker \
-  --mount=type=bind,from=buildx,source=/buildx,target=/usr/libexec/docker/cli-plugins/docker-buildx \
-  yarn run test --coverageDirectory=/tmp/coverage
+  yarn run test --coverage --coverageDirectory=/tmp/coverage
 
 FROM scratch AS test-coverage
 COPY --from=test /tmp/coverage /

docker-bake.hcl

@@ -3,7 +3,7 @@ group "default" {
 }
 
 group "pre-checkin" {
-  targets = ["vendor-update", "format", "build"]
+  targets = ["vendor", "format", "build"]
 }
 
 group "validate" {
@@ -34,7 +34,7 @@ target "lint" {
   output = ["type=cacheonly"]
 }
 
-target "vendor-update" {
+target "vendor" {
   dockerfile = "dev.Dockerfile"
   target = "vendor-update"
   output = ["."]

docs/advanced/cache.md

@@ -1,3 +0,0 @@
-# Cache
-
-This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/cache/)

docs/advanced/copy-between-registries.md

@@ -1,3 +0,0 @@
-# Copy images between registries
-
-This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/copy-image-registries/)

docs/advanced/dockerhub-desc.md

@@ -1,3 +0,0 @@
-# Update Docker Hub repo description
-
-This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/update-dockerhub-desc/)

docs/advanced/export-docker.md

@@ -1,3 +0,0 @@
-# Export image to Docker
-
-This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/export-docker/)

docs/advanced/isolated-builders.md

@@ -1,3 +0,0 @@
-# Isolated builders
-
-This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/configure-builder/#isolated-builders)

docs/advanced/local-registry.md

@@ -1,3 +0,0 @@
-# Local registry
-
-This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/local-registry/)

docs/advanced/multi-platform.md

@@ -1,3 +0,0 @@
-# Multi-platform image
-
-This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/multi-platform/)

docs/advanced/named-contexts.md

@@ -1,3 +0,0 @@
-# Named contexts
-
-This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/named-contexts/)

docs/advanced/push-multi-registries.md

@@ -1,3 +0,0 @@
-# Push to multi-registries
-
-This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/push-multi-registries/)

docs/advanced/secrets.md

@@ -1,3 +0,0 @@
-# Secrets
-
-This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/secrets/)

docs/advanced/share-image-jobs.md

@@ -1,3 +0,0 @@
-# Share built image between jobs
-
-This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/share-image-jobs/)

docs/advanced/tags-labels.md

@@ -1,3 +0,0 @@
-# Handle tags and labels
-
-This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/manage-tags-labels/)

docs/advanced/test-before-push.md

@@ -1,3 +0,0 @@
-# Test your image before pushing it
-
-This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/test-before-push/)

package.json

@@ -1,13 +1,16 @@
 {
   "name": "docker-build-push",
   "description": "Build and push Docker images",
-  "main": "lib/main.js",
+  "main": "src/main.ts",
   "scripts": {
-    "build": "ncc build src/main.ts --source-map --minify --license licenses.txt",
-    "lint": "eslint src/**/*.ts __tests__/**/*.ts",
-    "format": "eslint --fix src/**/*.ts __tests__/**/*.ts",
-    "test": "jest --coverage",
-    "all": "yarn run build && yarn run format && yarn test"
+    "build": "ncc build --source-map --minify --license licenses.txt",
+    "lint": "yarn run prettier && yarn run eslint",
+    "format": "yarn run prettier:fix && yarn run eslint:fix",
+    "eslint": "eslint --max-warnings=0 .",
+    "eslint:fix": "eslint --fix .",
+    "prettier": "prettier --check \"./**/*.ts\"",
+    "prettier:fix": "prettier --write \"./**/*.ts\"",
+    "test": "jest"
   },
   "repository": {
     "type": "git",
@@ -19,33 +22,27 @@
     "build",
     "push"
   ],
-  "author": "Docker",
-  "contributors": [
-    {
-      "name": "CrazyMax",
-      "url": "https://crazymax.dev"
-    }
-  ],
+  "author": "Docker Inc.",
   "license": "Apache-2.0",
+  "packageManager": "yarn@3.6.3",
   "dependencies": {
-    "@actions/core": "^1.10.0",
-    "@docker/actions-toolkit": "^0.5.0",
+    "@actions/core": "^1.10.1",
+    "@docker/actions-toolkit": "0.24.0",
     "handlebars": "^4.7.7"
   },
   "devDependencies": {
-    "@types/csv-parse": "^1.2.2",
-    "@types/node": "^16.18.21",
-    "@typescript-eslint/eslint-plugin": "^5.56.0",
-    "@typescript-eslint/parser": "^5.56.0",
-    "@vercel/ncc": "^0.36.1",
-    "eslint": "^8.36.0",
-    "eslint-config-prettier": "^8.8.0",
-    "eslint-plugin-jest": "^27.2.1",
-    "eslint-plugin-prettier": "^4.2.1",
-    "jest": "^29.5.0",
-    "prettier": "^2.8.7",
-    "ts-jest": "^29.0.5",
-    "ts-node": "^10.9.1",
-    "typescript": "^4.9.5"
+    "@types/node": "^20.12.12",
+    "@typescript-eslint/eslint-plugin": "^7.9.0",
+    "@typescript-eslint/parser": "^7.9.0",
+    "@vercel/ncc": "^0.38.1",
+    "eslint": "^8.57.0",
+    "eslint-config-prettier": "^9.1.0",
+    "eslint-plugin-jest": "^28.5.0",
+    "eslint-plugin-prettier": "^5.1.3",
+    "jest": "^29.7.0",
+    "prettier": "^3.2.5",
+    "ts-jest": "^29.1.2",
+    "ts-node": "^10.9.2",
+    "typescript": "^5.4.5"
   }
 }

src/context.ts

@@ -1,28 +1,30 @@
 import * as core from '@actions/core';
 import * as handlebars from 'handlebars';
+
+import {Build} from '@docker/actions-toolkit/lib/buildx/build';
 import {Context} from '@docker/actions-toolkit/lib/context';
 import {GitHub} from '@docker/actions-toolkit/lib/github';
-import {Inputs as BuildxInputs} from '@docker/actions-toolkit/lib/buildx/inputs';
 import {Toolkit} from '@docker/actions-toolkit/lib/toolkit';
 import {Util} from '@docker/actions-toolkit/lib/util';
 
 export interface Inputs {
-  addHosts: string[];
+  'add-hosts': string[];
   allow: string[];
+  annotations: string[];
   attests: string[];
-  buildArgs: string[];
-  buildContexts: string[];
+  'build-args': string[];
+  'build-contexts': string[];
   builder: string;
-  cacheFrom: string[];
-  cacheTo: string[];
-  cgroupParent: string;
+  'cache-from': string[];
+  'cache-to': string[];
+  'cgroup-parent': string;
   context: string;
   file: string;
   labels: string[];
   load: boolean;
   network: string;
-  noCache: boolean;
-  noCacheFilters: string[];
+  'no-cache': boolean;
+  'no-cache-filters': string[];
   outputs: string[];
   platforms: string[];
   provenance: string;
@@ -30,47 +32,50 @@ export interface Inputs {
   push: boolean;
   sbom: string;
   secrets: string[];
-  secretFiles: string[];
-  shmSize: string;
+  'secret-envs': string[];
+  'secret-files': string[];
+  'shm-size': string;
   ssh: string[];
   tags: string[];
   target: string;
   ulimit: string[];
-  githubToken: string;
+  'github-token': string;
 }
 
 export async function getInputs(): Promise<Inputs> {
   return {
-    addHosts: Util.getInputList('add-hosts'),
+    'add-hosts': Util.getInputList('add-hosts'),
     allow: Util.getInputList('allow'),
+    annotations: Util.getInputList('annotations', {ignoreComma: true}),
     attests: Util.getInputList('attests', {ignoreComma: true}),
-    buildArgs: Util.getInputList('build-args', {ignoreComma: true}),
-    buildContexts: Util.getInputList('build-contexts', {ignoreComma: true}),
+    'build-args': Util.getInputList('build-args', {ignoreComma: true}),
+    'build-contexts': Util.getInputList('build-contexts', {ignoreComma: true}),
     builder: core.getInput('builder'),
-    cacheFrom: Util.getInputList('cache-from', {ignoreComma: true}),
-    cacheTo: Util.getInputList('cache-to', {ignoreComma: true}),
-    cgroupParent: core.getInput('cgroup-parent'),
+    'cache-from': Util.getInputList('cache-from', {ignoreComma: true}),
+    'cache-to': Util.getInputList('cache-to', {ignoreComma: true}),
+    'cgroup-parent': core.getInput('cgroup-parent'),
     context: core.getInput('context') || Context.gitContext(),
     file: core.getInput('file'),
     labels: Util.getInputList('labels', {ignoreComma: true}),
     load: core.getBooleanInput('load'),
     network: core.getInput('network'),
-    noCache: core.getBooleanInput('no-cache'),
-    noCacheFilters: Util.getInputList('no-cache-filters'),
-    outputs: Util.getInputList('outputs', {ignoreComma: true}),
+    'no-cache': core.getBooleanInput('no-cache'),
+    'no-cache-filters': Util.getInputList('no-cache-filters'),
+    outputs: Util.getInputList('outputs', {ignoreComma: true, quote: false}),
     platforms: Util.getInputList('platforms'),
-    provenance: BuildxInputs.getProvenanceInput('provenance'),
+    provenance: Build.getProvenanceInput('provenance'),
     pull: core.getBooleanInput('pull'),
     push: core.getBooleanInput('push'),
     sbom: core.getInput('sbom'),
     secrets: Util.getInputList('secrets', {ignoreComma: true}),
-    secretFiles: Util.getInputList('secret-files', {ignoreComma: true}),
-    shmSize: core.getInput('shm-size'),
+    'secret-envs': Util.getInputList('secret-envs'),
+    'secret-files': Util.getInputList('secret-files', {ignoreComma: true}),
+    'shm-size': core.getInput('shm-size'),
     ssh: Util.getInputList('ssh'),
     tags: Util.getInputList('tags'),
     target: core.getInput('target'),
     ulimit: Util.getInputList('ulimit', {ignoreComma: true}),
-    githubToken: core.getInput('github-token')
+    'github-token': core.getInput('github-token')
   };
 }
 
@@ -88,44 +93,55 @@ export async function getArgs(inputs: Inputs, toolkit: Toolkit): Promise<Array<s
 
 async function getBuildArgs(inputs: Inputs, context: string, toolkit: Toolkit): Promise<Array<string>> {
   const args: Array<string> = ['build'];
-  await Util.asyncForEach(inputs.addHosts, async addHost => {
+  await Util.asyncForEach(inputs['add-hosts'], async addHost => {
     args.push('--add-host', addHost);
   });
   if (inputs.allow.length > 0) {
     args.push('--allow', inputs.allow.join(','));
   }
-  if (await toolkit.buildx.versionSatisfies('>=0.10.0')) {
-    await Util.asyncForEach(inputs.attests, async attest => {
-      args.push('--attest', attest);
+  if (await toolkit.buildx.versionSatisfies('>=0.12.0')) {
+    await Util.asyncForEach(inputs.annotations, async annotation => {
+      args.push('--annotation', annotation);
     });
+  } else if (inputs.annotations.length > 0) {
+    core.warning("Annotations are only supported by buildx >= 0.12.0; the input 'annotations' is ignored.");
   }
-  await Util.asyncForEach(inputs.buildArgs, async buildArg => {
+  await Util.asyncForEach(inputs['build-args'], async buildArg => {
     args.push('--build-arg', buildArg);
   });
   if (await toolkit.buildx.versionSatisfies('>=0.8.0')) {
-    await Util.asyncForEach(inputs.buildContexts, async buildContext => {
+    await Util.asyncForEach(inputs['build-contexts'], async buildContext => {
       args.push('--build-context', buildContext);
     });
+  } else if (inputs['build-contexts'].length > 0) {
+    core.warning("Build contexts are only supported by buildx >= 0.8.0; the input 'build-contexts' is ignored.");
   }
-  await Util.asyncForEach(inputs.cacheFrom, async cacheFrom => {
+  await Util.asyncForEach(inputs['cache-from'], async cacheFrom => {
     args.push('--cache-from', cacheFrom);
   });
-  await Util.asyncForEach(inputs.cacheTo, async cacheTo => {
+  await Util.asyncForEach(inputs['cache-to'], async cacheTo => {
     args.push('--cache-to', cacheTo);
   });
-  if (inputs.cgroupParent) {
-    args.push('--cgroup-parent', inputs.cgroupParent);
+  if (inputs['cgroup-parent']) {
+    args.push('--cgroup-parent', inputs['cgroup-parent']);
   }
+  await Util.asyncForEach(inputs['secret-envs'], async secretEnv => {
+    try {
+      args.push('--secret', Build.resolveSecretEnv(secretEnv));
+    } catch (err) {
+      core.warning(err.message);
+    }
+  });
   if (inputs.file) {
     args.push('--file', inputs.file);
   }
-  if (!BuildxInputs.hasLocalExporter(inputs.outputs) && !BuildxInputs.hasTarExporter(inputs.outputs) && (inputs.platforms.length == 0 || (await toolkit.buildx.versionSatisfies('>=0.4.2')))) {
-    args.push('--iidfile', BuildxInputs.getBuildImageIDFilePath());
+  if (!Build.hasLocalExporter(inputs.outputs) && !Build.hasTarExporter(inputs.outputs) && (inputs.platforms.length == 0 || (await toolkit.buildx.versionSatisfies('>=0.4.2')))) {
+    args.push('--iidfile', toolkit.buildxBuild.getImageIDFilePath());
   }
   await Util.asyncForEach(inputs.labels, async label => {
     args.push('--label', label);
   });
-  await Util.asyncForEach(inputs.noCacheFilters, async noCacheFilter => {
+  await Util.asyncForEach(inputs['no-cache-filters'], async noCacheFilter => {
     args.push('--no-cache-filter', noCacheFilter);
   });
   await Util.asyncForEach(inputs.outputs, async output => {
@@ -135,44 +151,29 @@ async function getBuildArgs(inputs: Inputs, context: string, toolkit: Toolkit):
     args.push('--platform', inputs.platforms.join(','));
   }
   if (await toolkit.buildx.versionSatisfies('>=0.10.0')) {
-    if (inputs.provenance) {
-      args.push('--provenance', inputs.provenance);
-    } else if ((await toolkit.buildkit.versionSatisfies(inputs.builder, '>=0.11.0')) && !BuildxInputs.hasDockerExporter(inputs.outputs, inputs.load)) {
-      // if provenance not specified and BuildKit version compatible for
-      // attestation, set default provenance. Also needs to make sure user
-      // doesn't want to explicitly load the image to docker.
-      if (GitHub.context.payload.repository?.private ?? false) {
-        // if this is a private repository, we set the default provenance
-        // attributes being set in buildx: https://github.com/docker/buildx/blob/fb27e3f919dcbf614d7126b10c2bc2d0b1927eb6/build/build.go#L603
-        args.push('--provenance', BuildxInputs.resolveProvenanceAttrs(`mode=min,inline-only=true`));
-      } else {
-        // for a public repository, we set max provenance mode.
-        args.push('--provenance', BuildxInputs.resolveProvenanceAttrs(`mode=max`));
-      }
-    }
-    if (inputs.sbom) {
-      args.push('--sbom', inputs.sbom);
-    }
+    args.push(...(await getAttestArgs(inputs, toolkit)));
+  } else {
+    core.warning("Attestations are only supported by buildx >= 0.10.0; the inputs 'attests', 'provenance' and 'sbom' are ignored.");
   }
   await Util.asyncForEach(inputs.secrets, async secret => {
     try {
-      args.push('--secret', BuildxInputs.resolveBuildSecretString(secret));
+      args.push('--secret', Build.resolveSecretString(secret));
     } catch (err) {
       core.warning(err.message);
     }
   });
-  await Util.asyncForEach(inputs.secretFiles, async secretFile => {
+  await Util.asyncForEach(inputs['secret-files'], async secretFile => {
     try {
-      args.push('--secret', BuildxInputs.resolveBuildSecretFile(secretFile));
+      args.push('--secret', Build.resolveSecretFile(secretFile));
     } catch (err) {
       core.warning(err.message);
     }
   });
-  if (inputs.githubToken && !BuildxInputs.hasGitAuthTokenSecret(inputs.secrets) && context.startsWith(Context.gitContext())) {
-    args.push('--secret', BuildxInputs.resolveBuildSecretString(`GIT_AUTH_TOKEN=${inputs.githubToken}`));
+  if (inputs['github-token'] && !Build.hasGitAuthTokenSecret(inputs.secrets) && context.startsWith(Context.gitContext())) {
+    args.push('--secret', Build.resolveSecretString(`GIT_AUTH_TOKEN=${inputs['github-token']}`));
   }
-  if (inputs.shmSize) {
-    args.push('--shm-size', inputs.shmSize);
+  if (inputs['shm-size']) {
+    args.push('--shm-size', inputs['shm-size']);
   }
   await Util.asyncForEach(inputs.ssh, async ssh => {
     args.push('--ssh', ssh);
@@ -198,12 +199,12 @@ async function getCommonArgs(inputs: Inputs, toolkit: Toolkit): Promise<Array<st
     args.push('--load');
   }
   if (await toolkit.buildx.versionSatisfies('>=0.6.0')) {
-    args.push('--metadata-file', BuildxInputs.getBuildMetadataFilePath());
+    args.push('--metadata-file', toolkit.buildxBuild.getMetadataFilePath());
   }
   if (inputs.network) {
     args.push('--network', inputs.network);
   }
-  if (inputs.noCache) {
+  if (inputs['no-cache']) {
     args.push('--no-cache');
   }
   if (inputs.pull) {
@@ -214,3 +215,52 @@ async function getCommonArgs(inputs: Inputs, toolkit: Toolkit): Promise<Array<st
   }
   return args;
 }
+
+async function getAttestArgs(inputs: Inputs, toolkit: Toolkit): Promise<Array<string>> {
+  const args: Array<string> = [];
+
+  // check if provenance attestation is set in attests input
+  let hasAttestProvenance = false;
+  await Util.asyncForEach(inputs.attests, async (attest: string) => {
+    if (Build.hasAttestationType('provenance', attest)) {
+      hasAttestProvenance = true;
+    }
+  });
+
+  let provenanceSet = false;
+  let sbomSet = false;
+  if (inputs.provenance) {
+    args.push('--attest', Build.resolveAttestationAttrs(`type=provenance,${inputs.provenance}`));
+    provenanceSet = true;
+  } else if (!hasAttestProvenance && (await toolkit.buildkit.versionSatisfies(inputs.builder, '>=0.11.0')) && !Build.hasDockerExporter(inputs.outputs, inputs.load)) {
+    // if provenance not specified in provenance or attests inputs and BuildKit
+    // version compatible for attestation, set default provenance. Also needs
+    // to make sure user doesn't want to explicitly load the image to docker.
+    if (GitHub.context.payload.repository?.private ?? false) {
+      // if this is a private repository, we set the default provenance
+      // attributes being set in buildx: https://github.com/docker/buildx/blob/fb27e3f919dcbf614d7126b10c2bc2d0b1927eb6/build/build.go#L603
+      args.push('--attest', `type=provenance,${Build.resolveProvenanceAttrs(`mode=min,inline-only=true`)}`);
+    } else {
+      // for a public repository, we set max provenance mode.
+      args.push('--attest', `type=provenance,${Build.resolveProvenanceAttrs(`mode=max`)}`);
+    }
+  }
+  if (inputs.sbom) {
+    args.push('--attest', Build.resolveAttestationAttrs(`type=sbom,${inputs.sbom}`));
+    sbomSet = true;
+  }
+
+  // set attests but check if provenance or sbom types already set as
+  // provenance and sbom inputs take precedence over attests input.
+  await Util.asyncForEach(inputs.attests, async (attest: string) => {
+    if (!Build.hasAttestationType('provenance', attest) && !Build.hasAttestationType('sbom', attest)) {
+      args.push('--attest', Build.resolveAttestationAttrs(attest));
+    } else if (!provenanceSet && Build.hasAttestationType('provenance', attest)) {
+      args.push('--attest', Build.resolveProvenanceAttrs(attest));
+    } else if (!sbomSet && Build.hasAttestationType('sbom', attest)) {
+      args.push('--attest', attest);
+    }
+  });
+
+  return args;
+}

src/main.ts

@@ -1,20 +1,25 @@
 import * as fs from 'fs';
+import * as path from 'path';
 import * as stateHelper from './state-helper';
 import * as core from '@actions/core';
 import * as actionsToolkit from '@docker/actions-toolkit';
+
 import {Context} from '@docker/actions-toolkit/lib/context';
 import {Docker} from '@docker/actions-toolkit/lib/docker/docker';
 import {Exec} from '@docker/actions-toolkit/lib/exec';
 import {GitHub} from '@docker/actions-toolkit/lib/github';
-import {Inputs as BuildxInputs} from '@docker/actions-toolkit/lib/buildx/inputs';
 import {Toolkit} from '@docker/actions-toolkit/lib/toolkit';
 
+import {ConfigFile} from '@docker/actions-toolkit/lib/types/docker/docker';
+
 import * as context from './context';
 
 actionsToolkit.run(
   // main
   async () => {
     const inputs: context.Inputs = await context.getInputs();
+    core.debug(`inputs: ${JSON.stringify(inputs)}`);
+
     const toolkit = new Toolkit();
 
     await core.group(`GitHub Actions runtime token ACs`, async () => {
@@ -34,6 +39,31 @@ actionsToolkit.run(
       }
     });
 
+    await core.group(`Proxy configuration`, async () => {
+      let dockerConfig: ConfigFile | undefined;
+      let dockerConfigMalformed = false;
+      try {
+        dockerConfig = await Docker.configFile();
+      } catch (e) {
+        dockerConfigMalformed = true;
+        core.warning(`Unable to parse config file ${path.join(Docker.configDir, 'config.json')}: ${e}`);
+      }
+      if (dockerConfig && dockerConfig.proxies) {
+        for (const host in dockerConfig.proxies) {
+          let prefix = '';
+          if (Object.keys(dockerConfig.proxies).length > 1) {
+            prefix = '  ';
+            core.info(host);
+          }
+          for (const key in dockerConfig.proxies[host]) {
+            core.info(`${prefix}${key}: ${dockerConfig.proxies[host][key]}`);
+          }
+        }
+      } else if (!dockerConfigMalformed) {
+        core.info('No proxy configuration found');
+      }
+    });
+
     if (!(await toolkit.buildx.isAvailable())) {
       core.setFailed(`Docker buildx is required. See https://github.com/docker/setup-buildx-action to set up buildx.`);
       return;
@@ -45,8 +75,18 @@ actionsToolkit.run(
       await toolkit.buildx.printVersion();
     });
 
+    await core.group(`Builder info`, async () => {
+      const builder = await toolkit.builder.inspect(inputs.builder);
+      core.info(JSON.stringify(builder, null, 2));
+    });
+
     const args: string[] = await context.getArgs(inputs, toolkit);
+    core.debug(`context.getArgs: ${JSON.stringify(args)}`);
+
     const buildCmd = await toolkit.buildx.getCommand(args);
+    core.debug(`buildCmd.command: ${buildCmd.command}`);
+    core.debug(`buildCmd.args: ${JSON.stringify(buildCmd.args)}`);
+
     await Exec.getExecOutput(buildCmd.command, buildCmd.args, {
       ignoreReturnCode: true
     }).then(res => {
@@ -55,9 +95,9 @@ actionsToolkit.run(
       }
     });
 
-    const imageID = BuildxInputs.resolveBuildImageID();
-    const metadata = BuildxInputs.resolveBuildMetadata();
-    const digest = BuildxInputs.resolveDigest();
+    const imageID = toolkit.buildxBuild.resolveImageID();
+    const metadata = toolkit.buildxBuild.resolveMetadata();
+    const digest = toolkit.buildxBuild.resolveDigest();
 
     if (imageID) {
       await core.group(`ImageID`, async () => {
@@ -73,8 +113,9 @@ actionsToolkit.run(
     }
     if (metadata) {
       await core.group(`Metadata`, async () => {
-        core.info(metadata);
-        core.setOutput('metadata', metadata);
+        const metadatadt = JSON.stringify(metadata, null, 2);
+        core.info(metadatadt);
+        core.setOutput('metadata', metadatadt);
       });
     }
   },

test/proxy.Dockerfile

@@ -0,0 +1,9 @@
+# syntax=docker/dockerfile:1
+FROM alpine
+RUN apk add --no-cache curl net-tools
+ARG HTTP_PROXY
+ARG HTTPS_PROXY
+RUN printenv HTTP_PROXY
+RUN printenv HTTPS_PROXY
+RUN netstat -aptn
+RUN curl --retry 5 --retry-all-errors --retry-delay 0 --connect-timeout 5 --proxy $HTTP_PROXY -v --insecure --head https://www.google.com