Merge pull request #200 from crazy-max/docker-pull

docker: parseRepoTag and pull methods

.github/buildx-releases.json

@@ -40,6 +40,47 @@
       "https://github.com/docker/buildx/releases/download/v0.13.1/checksums.txt"
     ]
   },
+  "v0.14.0-rc1": {
+    "id": 150784571,
+    "tag_name": "v0.14.0-rc1",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.14.0-rc1",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.14.0-rc1/buildx-v0.14.0-rc1.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.14.0-rc1/buildx-v0.14.0-rc1.darwin-amd64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.14.0-rc1/buildx-v0.14.0-rc1.darwin-amd64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.14.0-rc1/buildx-v0.14.0-rc1.darwin-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.14.0-rc1/buildx-v0.14.0-rc1.darwin-arm64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.14.0-rc1/buildx-v0.14.0-rc1.darwin-arm64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.14.0-rc1/buildx-v0.14.0-rc1.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.14.0-rc1/buildx-v0.14.0-rc1.linux-amd64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.14.0-rc1/buildx-v0.14.0-rc1.linux-amd64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.14.0-rc1/buildx-v0.14.0-rc1.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.14.0-rc1/buildx-v0.14.0-rc1.linux-arm-v6.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.14.0-rc1/buildx-v0.14.0-rc1.linux-arm-v6.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.14.0-rc1/buildx-v0.14.0-rc1.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.14.0-rc1/buildx-v0.14.0-rc1.linux-arm-v7.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.14.0-rc1/buildx-v0.14.0-rc1.linux-arm-v7.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.14.0-rc1/buildx-v0.14.0-rc1.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.14.0-rc1/buildx-v0.14.0-rc1.linux-arm64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.14.0-rc1/buildx-v0.14.0-rc1.linux-arm64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.14.0-rc1/buildx-v0.14.0-rc1.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.14.0-rc1/buildx-v0.14.0-rc1.linux-ppc64le.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.14.0-rc1/buildx-v0.14.0-rc1.linux-ppc64le.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.14.0-rc1/buildx-v0.14.0-rc1.linux-riscv64",
+      "https://github.com/docker/buildx/releases/download/v0.14.0-rc1/buildx-v0.14.0-rc1.linux-riscv64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.14.0-rc1/buildx-v0.14.0-rc1.linux-riscv64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.14.0-rc1/buildx-v0.14.0-rc1.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.14.0-rc1/buildx-v0.14.0-rc1.linux-s390x.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.14.0-rc1/buildx-v0.14.0-rc1.linux-s390x.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.14.0-rc1/buildx-v0.14.0-rc1.windows-amd64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.14.0-rc1/buildx-v0.14.0-rc1.windows-amd64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.14.0-rc1/buildx-v0.14.0-rc1.windows-amd64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.14.0-rc1/buildx-v0.14.0-rc1.windows-arm64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.14.0-rc1/buildx-v0.14.0-rc1.windows-arm64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.14.0-rc1/buildx-v0.14.0-rc1.windows-arm64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.14.0-rc1/checksums.txt"
+    ]
+  },
   "v0.13.1": {
     "id": 146098987,
     "tag_name": "v0.13.1",

.github/docker-releases.json

@@ -1,8 +1,38 @@
 {
   "latest": {
-    "id": 144022554,
-    "tag_name": "v25.0.4",
-    "html_url": "https://github.com/moby/moby/releases/tag/v25.0.4",
+    "id": 149921469,
+    "tag_name": "v26.0.1",
+    "html_url": "https://github.com/moby/moby/releases/tag/v26.0.1",
+    "assets": []
+  },
+  "v26.0.1": {
+    "id": 149921469,
+    "tag_name": "v26.0.1",
+    "html_url": "https://github.com/moby/moby/releases/tag/v26.0.1",
+    "assets": []
+  },
+  "v23.0.10": {
+    "id": 147776752,
+    "tag_name": "v23.0.10",
+    "html_url": "https://github.com/moby/moby/releases/tag/v23.0.10",
+    "assets": []
+  },
+  "v26.0.0": {
+    "id": 145844215,
+    "tag_name": "v26.0.0",
+    "html_url": "https://github.com/moby/moby/releases/tag/v26.0.0",
+    "assets": []
+  },
+  "v26.0.0-rc3": {
+    "id": 146688910,
+    "tag_name": "v26.0.0-rc3",
+    "html_url": "https://github.com/moby/moby/releases/tag/v26.0.0-rc3",
+    "assets": []
+  },
+  "v25.0.5": {
+    "id": 147202747,
+    "tag_name": "v25.0.5",
+    "html_url": "https://github.com/moby/moby/releases/tag/v25.0.5",
     "assets": []
   },
   "v26.0.0-rc2": {

.github/workflows/test.yml

@@ -15,6 +15,7 @@ on:
 
 env:
   NODE_VERSION: "20"
+  BUILDX_VERSION: "v0.14.0-rc1"
 
 jobs:
   test:
@@ -102,6 +103,13 @@ jobs:
         with:
           node-version: ${{ env.NODE_VERSION }}
           cache: 'yarn'
+      -
+        name: Set up Docker Buildx
+        if: startsWith(matrix.os, 'ubuntu')
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: ${{ env.BUILDX_VERSION }}
+          driver: docker
       -
         name: Install
         run: yarn install

__tests__/buildx/bake.test.itg.ts

@@ -29,17 +29,34 @@ beforeEach(() => {
   jest.clearAllMocks();
 });
 
-maybe('parseDefinitions', () => {
+maybe('getDefinition', () => {
   // prettier-ignore
   test.each([
     [
-      ['https://github.com/docker/buildx.git#v0.10.4'],
+      'https://github.com/docker/buildx.git#v0.10.4',
       ['binaries-cross'],
-      path.join(fixturesDir, 'bake-buildx-0.10.4-binaries-cross.json')
-    ]
-  ])('given %p', async (sources: string[], targets: string[], out: string) => {
+      path.join(fixturesDir, 'bake-buildx-0.10.4-binaries-cross.json'),
+      false,
+    ],
+    // TODO: uncomment this test case when we have access to the private repo using an access token
+    // [
+    //   'https://github.com/docker/test-docker-action.git#remote-private',
+    //   ['default'],
+    //   path.join(fixturesDir, 'bake-test-docker-action-remote-private.json'),
+    //   true,
+    // ]
+  ])('given %p', async (source: string, targets: string[], out: string, auth) => {
+    const gitAuthToken = process.env.GITHUB_TOKEN || '';
+    if (auth && !gitAuthToken) {
+      console.log(`Git auth token not available, skipping test`);
+      return;
+    }
     const bake = new Bake();
     const expectedDef = <BakeDefinition>JSON.parse(fs.readFileSync(out, {encoding: 'utf-8'}).trim())
-    expect(await bake.parseDefinitions(sources, targets)).toEqual(expectedDef);
+    expect(await bake.getDefinition({
+      source: source,
+      targets: targets,
+      githubToken: gitAuthToken,
+    })).toEqual(expectedDef);
   });
 });

__tests__/buildx/bake.test.ts

@@ -19,6 +19,8 @@ import * as fs from 'fs';
 import * as path from 'path';
 
 import {Bake} from '../../src/buildx/bake';
+
+import {ExecOptions} from '@actions/exec';
 import {BakeDefinition} from '../../src/types/bake';
 
 const fixturesDir = path.join(__dirname, '..', 'fixtures');
@@ -27,31 +29,38 @@ beforeEach(() => {
   jest.clearAllMocks();
 });
 
-describe('parseDefinitions', () => {
+describe('getDefinition', () => {
   // prettier-ignore
   test.each([
     [
       [path.join(fixturesDir, 'bake-01.hcl')],
       ['validate'],
       [],
+      {silent: true},
       path.join(fixturesDir, 'bake-01-validate.json')
     ],
     [
       [path.join(fixturesDir, 'bake-02.hcl')],
       ['build'],
       [],
+      undefined,
       path.join(fixturesDir, 'bake-02-build.json')
     ],
     [
       [path.join(fixturesDir, 'bake-01.hcl')],
       ['image'],
       ['*.output=type=docker', '*.platform=linux/amd64'],
+      undefined,
       path.join(fixturesDir, 'bake-01-overrides.json')
     ]
-  ])('given %p', async (sources: string[], targets: string[], overrides: string[], out: string) => {
+  ])('given %p', async (files: string[], targets: string[], overrides: string[], execOptions: ExecOptions | undefined, out: string) => {
     const bake = new Bake();
     const expectedDef = <BakeDefinition>JSON.parse(fs.readFileSync(out, {encoding: 'utf-8'}).trim())
-    expect(await bake.parseDefinitions(sources, targets, overrides)).toEqual(expectedDef);
+    expect(await bake.getDefinition({
+      files: files,
+      targets: targets,
+      overrides: overrides
+    }, execOptions)).toEqual(expectedDef);
   });
 });
 

__tests__/buildx/inputs.test.ts

@@ -244,6 +244,41 @@ describe('hasDockerExporter', () => {
   });
 });
 
+describe('hasAttestationType', () => {
+  // prettier-ignore
+  test.each([
+    ['type=provenance,mode=min', 'provenance', true],
+    ['type=sbom,true', 'sbom', true],
+    ['type=foo,bar', 'provenance', false],
+  ])('given %p for %p returns %p', async (attrs: string, name: string, expected: boolean) => {
+    expect(Inputs.hasAttestationType(name, attrs)).toEqual(expected);
+  });
+});
+
+describe('resolveAttestationAttrs', () => {
+  // prettier-ignore
+  test.each([
+    [
+      'type=provenance,mode=min',
+      'type=provenance,mode=min'
+    ],
+    [
+      'type=provenance,true',
+      'type=provenance,disabled=false'
+    ],
+    [
+      'type=provenance,false',
+      'type=provenance,disabled=true'
+    ],
+    [
+      '',
+      ''
+    ],
+  ])('given %p', async (input: string, expected: string) => {
+    expect(Inputs.resolveAttestationAttrs(input)).toEqual(expected);
+  });
+});
+
 describe('hasGitAuthTokenSecret', () => {
   // prettier-ignore
   test.each([

__tests__/cache.test.itg.ts

@@ -0,0 +1,40 @@
+/**
+ * Copyright 2024 actions-toolkit authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import path from 'path';
+import {describe, expect, it} from '@jest/globals';
+
+import {Cache} from '../src/cache';
+
+// prettier-ignore
+const tmpDir = path.join(process.env.TEMP || '/tmp', 'cache-jest');
+
+const fixturesDir = path.join(__dirname, 'fixtures');
+
+describe('cache', () => {
+  it('github-repo', async () => {
+    const r = (Math.random() + 1).toString(36).substring(7);
+    const htcName = `cache-test-github-repo-${r}`;
+    const c = new Cache({
+      htcName: htcName,
+      htcVersion: `v1.0.0+${r}`,
+      baseCacheDir: path.join(tmpDir, '.cache-test'),
+      cacheFile: 'github-repo.json'
+    });
+    expect(await c.save(path.join(fixturesDir, 'github-repo.json'))).not.toEqual('');
+    expect(await c.find()).not.toEqual('');
+  });
+});

__tests__/docker/docker.test.itg.ts

@@ -0,0 +1,56 @@
+/**
+ * Copyright 2024 actions-toolkit authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import {describe, expect, test} from '@jest/globals';
+
+import {Docker} from '../../src/docker/docker';
+
+const maybe = !process.env.GITHUB_ACTIONS || (process.env.GITHUB_ACTIONS === 'true' && process.env.ImageOS && process.env.ImageOS.startsWith('ubuntu')) ? describe : describe.skip;
+
+maybe('pull', () => {
+  // prettier-ignore
+  test.each([
+    [
+      'busybox',
+      undefined,
+    ],
+    [
+      'busybox:1.36',
+      undefined,
+    ],
+    [
+      'busybox@sha256:7ae8447f3a7f5bccaa765926f25fc038e425cf1b2be6748727bbea9a13102094',
+      undefined,
+    ],
+    [
+      'doesnotexist:foo',
+      `pull access denied for doesnotexist`,
+    ],
+  ])('pulling %p', async (image: string, err: string | undefined) => {
+      try {
+        await Docker.pull(image, true);
+        if (err !== undefined) {
+          throw new Error('Expected an error to be thrown');
+        }
+      } catch (e) {
+        if (err === undefined) {
+          throw new Error(`Expected no error, but got: ${e.message}`);
+        }
+        // eslint-disable-next-line jest/no-conditional-expect
+        expect(e.message).toContain(err);
+      }
+    }, 600000);
+});

__tests__/fixtures/bake-test-docker-action-remote-private.json

@@ -0,0 +1,11 @@
+{
+  "target": {
+    "default": {
+      "context": "https://github.com/docker/test-docker-action.git#remote-private",
+      "dockerfile": "Dockerfile",
+      "tags": [
+        "foo"
+      ]
+    }
+  }
+}

__tests__/util.test.ts

@@ -279,6 +279,36 @@ describe('hash', () => {
   });
 });
 
+// https://github.com/golang/go/blob/f6b93a4c358b28b350dd8fe1780c1f78e520c09c/src/strconv/atob_test.go#L36-L58
+describe('parseBool', () => {
+  [
+    {input: '', expected: false, throwsError: true},
+    {input: 'asdf', expected: false, throwsError: true},
+    {input: '0', expected: false, throwsError: false},
+    {input: 'f', expected: false, throwsError: false},
+    {input: 'F', expected: false, throwsError: false},
+    {input: 'FALSE', expected: false, throwsError: false},
+    {input: 'false', expected: false, throwsError: false},
+    {input: 'False', expected: false, throwsError: false},
+    {input: '1', expected: true, throwsError: false},
+    {input: 't', expected: true, throwsError: false},
+    {input: 'T', expected: true, throwsError: false},
+    {input: 'TRUE', expected: true, throwsError: false},
+    {input: 'true', expected: true, throwsError: false},
+    {input: 'True', expected: true, throwsError: false}
+  ].forEach(({input, expected, throwsError}) => {
+    test(`parseBool("${input}")`, () => {
+      if (throwsError) {
+        // eslint-disable-next-line jest/no-conditional-expect
+        expect(() => Util.parseBool(input)).toThrow();
+      } else {
+        // eslint-disable-next-line jest/no-conditional-expect
+        expect(Util.parseBool(input)).toBe(expected);
+      }
+    });
+  });
+});
+
 // See: https://github.com/actions/toolkit/blob/a1b068ec31a042ff1e10a522d8fdf0b8869d53ca/packages/core/src/core.ts#L89
 function getInputName(name: string): string {
   return `INPUT_${name.replace(/ /g, '_').toUpperCase()}`;

dev.Dockerfile

@@ -15,8 +15,8 @@
 # limitations under the License.
 
 ARG NODE_VERSION=20
-ARG DOCKER_VERSION=24.0.5
-ARG BUILDX_VERSION=0.11.2
+ARG DOCKER_VERSION=26.0.0
+ARG BUILDX_VERSION=0.14.0-rc1
 
 FROM node:${NODE_VERSION}-alpine AS base
 RUN apk add --no-cache cpio findutils git

package.json

@@ -58,14 +58,14 @@
     "csv-parse": "^5.5.5",
     "handlebars": "^4.7.8",
     "jwt-decode": "^4.0.0",
-    "semver": "^7.5.4",
+    "semver": "^7.6.0",
     "tmp": "^0.2.3"
   },
   "devDependencies": {
     "@types/csv-parse": "^1.2.2",
     "@types/js-yaml": "^4.0.5",
     "@types/node": "^20.5.9",
-    "@types/semver": "^7.5.1",
+    "@types/semver": "^7.5.8",
     "@types/tmp": "^0.2.3",
     "@typescript-eslint/eslint-plugin": "^6.6.0",
     "@typescript-eslint/parser": "^6.6.0",

src/buildx/bake.ts

@@ -19,12 +19,27 @@ import {Exec} from '../exec';
 import {Inputs} from './inputs';
 import {Util} from '../util';
 
+import {ExecOptions} from '@actions/exec';
 import {BakeDefinition} from '../types/bake';
 
 export interface BakeOpts {
   buildx?: Buildx;
 }
 
+export interface BakeCmdOpts {
+  files?: Array<string>;
+  load?: boolean;
+  noCache?: boolean;
+  overrides?: Array<string>;
+  provenance?: string;
+  push?: boolean;
+  sbom?: string;
+  source?: string;
+  targets?: Array<string>;
+
+  githubToken?: string; // for auth with remote definitions on private repos
+}
+
 export class Bake {
   private readonly buildx: Buildx;
 
@@ -32,13 +47,24 @@ export class Bake {
     this.buildx = opts?.buildx || new Buildx();
   }
 
-  public async parseDefinitions(sources: Array<string>, targets?: Array<string>, overrides?: Array<string>, load?: boolean, push?: boolean, workdir?: string): Promise<BakeDefinition> {
+  public async getDefinition(cmdOpts: BakeCmdOpts, execOptions?: ExecOptions): Promise<BakeDefinition> {
+    execOptions = execOptions || {ignoreReturnCode: true};
+    execOptions.ignoreReturnCode = true;
+    if (cmdOpts.githubToken) {
+      execOptions.env = Object.assign({}, process.env, {
+        BUILDX_BAKE_GIT_AUTH_TOKEN: cmdOpts.githubToken
+      }) as {
+        [key: string]: string;
+      };
+    }
+
     const args = ['bake'];
 
-    let remoteDef;
+    let remoteDef: string | undefined;
     const files: Array<string> = [];
+    const sources = [...(cmdOpts.files || []), cmdOpts.source];
     if (sources) {
-      for (const source of sources.map(v => v.trim())) {
+      for (const source of sources.map(v => (v ? v.trim() : ''))) {
         if (source.length == 0) {
           continue;
         }
@@ -47,7 +73,7 @@ export class Bake {
           continue;
         }
         if (remoteDef) {
-          throw new Error(`Only one remote bake definition is allowed`);
+          throw new Error(`Only one remote bake definition can be defined`);
         }
         remoteDef = source;
       }
@@ -58,31 +84,40 @@ export class Bake {
     for (const file of files) {
       args.push('--file', file);
     }
-    if (overrides) {
-      for (const override of overrides) {
+    if (cmdOpts.overrides) {
+      for (const override of cmdOpts.overrides) {
         args.push('--set', override);
       }
     }
-    if (load) {
+    if (cmdOpts.load) {
       args.push('--load');
     }
-    if (push) {
+    if (cmdOpts.noCache) {
+      args.push('--no-cache');
+    }
+    if (cmdOpts.provenance) {
+      args.push('--provenance', cmdOpts.provenance);
+    }
+    if (cmdOpts.push) {
       args.push('--push');
     }
+    if (cmdOpts.sbom) {
+      args.push('--sbom', cmdOpts.sbom);
+    }
 
-    const printCmd = await this.buildx.getCommand([...args, '--print', ...(targets || [])]);
-    return await Exec.getExecOutput(printCmd.command, printCmd.args, {
-      cwd: workdir,
-      ignoreReturnCode: true,
-      silent: true
-    }).then(res => {
+    const printCmd = await this.buildx.getCommand([...args, '--print', ...(cmdOpts.targets || [])]);
+    return await Exec.getExecOutput(printCmd.command, printCmd.args, execOptions).then(res => {
       if (res.stderr.length > 0 && res.exitCode != 0) {
         throw new Error(`cannot parse bake definitions: ${res.stderr.match(/(.*)\s*$/)?.[0]?.trim() ?? 'unknown error'}`);
       }
-      return <BakeDefinition>JSON.parse(res.stdout.trim());
+      return Bake.parseDefinition(res.stdout.trim());
     });
   }
 
+  public static parseDefinition(dt: string): BakeDefinition {
+    return <BakeDefinition>JSON.parse(dt);
+  }
+
   public static hasLocalExporter(def: BakeDefinition): boolean {
     return Inputs.hasExporterType('local', Bake.exporters(def));
   }

src/buildx/inputs.ts

@@ -21,6 +21,7 @@ import {parse} from 'csv-parse/sync';
 
 import {Context} from '../context';
 import {GitHub} from '../github';
+import {Util} from '../util';
 
 const parseKvp = (kvp: string): [string, string] => {
   const delimiterIndex = kvp.indexOf('=');
@@ -76,24 +77,23 @@ export class Inputs {
   }
 
   public static resolveBuildSecretString(kvp: string): string {
-    return Inputs.resolveBuildSecret(kvp, false);
+    const [key, file] = Inputs.resolveBuildSecret(kvp, false);
+    return `id=${key},src=${file}`;
   }
 
   public static resolveBuildSecretFile(kvp: string): string {
-    return Inputs.resolveBuildSecret(kvp, true);
+    const [key, file] = Inputs.resolveBuildSecret(kvp, true);
+    return `id=${key},src=${file}`;
   }
 
   public static resolveBuildSecretEnv(kvp: string): string {
     const [key, value] = parseKvp(kvp);
-
     return `id=${key},env=${value}`;
   }
 
-  public static resolveBuildSecret(kvp: string, file: boolean): string {
+  public static resolveBuildSecret(kvp: string, file: boolean): [string, string] {
     const [key, _value] = parseKvp(kvp);
-
     let value = _value;
-
     if (file) {
       if (!fs.existsSync(value)) {
         throw new Error(`secret file ${value} not found`);
@@ -102,7 +102,7 @@ export class Inputs {
     }
     const secretFile = Context.tmpName({tmpdir: Context.tmpDir()});
     fs.writeFileSync(secretFile, value);
-    return `id=${key},src=${secretFile}`;
+    return [key, secretFile];
   }
 
   public static getProvenanceInput(name: string): string {
@@ -176,6 +176,45 @@ export class Inputs {
     return false;
   }
 
+  public static hasAttestationType(name: string, attrs: string): boolean {
+    const records = parse(attrs, {
+      delimiter: ',',
+      trim: true,
+      columns: false,
+      relaxColumnCount: true
+    });
+    for (const record of records) {
+      for (const [key, value] of record.map((chunk: string) => chunk.split('=').map(item => item.trim()))) {
+        if (key == 'type' && value == name) {
+          return true;
+        }
+      }
+    }
+    return false;
+  }
+
+  public static resolveAttestationAttrs(attrs: string): string {
+    const records = parse(attrs, {
+      delimiter: ',',
+      trim: true,
+      columns: false,
+      relaxColumnCount: true
+    });
+    const res: Array<string> = [];
+    for (const record of records) {
+      for (const attr of record) {
+        try {
+          // https://github.com/docker/buildx/blob/8abef5908705e49f7ba88ef8c957e1127b597a2a/util/buildflags/attests.go#L13-L21
+          const v = Util.parseBool(attr);
+          res.push(`disabled=${!v}`);
+        } catch (err) {
+          res.push(attr);
+        }
+      }
+    }
+    return res.join(',');
+  }
+
   public static hasGitAuthTokenSecret(secrets: string[]): boolean {
     for (const secret of secrets) {
       if (secret.startsWith('GIT_AUTH_TOKEN=')) {

src/cache.ts

@@ -30,6 +30,11 @@ export interface CacheOpts {
   ghaNoCache?: boolean;
 }
 
+export interface CachePostState {
+  dir: string;
+  key: string;
+}
+
 export class Cache {
   private readonly opts: CacheOpts;
   private readonly ghaCacheKey: string;
@@ -37,6 +42,8 @@ export class Cache {
   private readonly cacheDir: string;
   private readonly cachePath: string;
 
+  private static readonly POST_CACHE_KEY = 'postCache';
+
   constructor(opts: CacheOpts) {
     this.opts = opts;
     this.ghaCacheKey = util.format('%s-%s-%s', this.opts.htcName, this.opts.htcVersion, this.platform());
@@ -56,8 +63,14 @@ export class Cache {
     core.debug(`Cache.save cached to hosted tool cache ${htcPath}`);
 
     if (!this.ghaNoCache && cache.isFeatureAvailable()) {
-      core.debug(`Cache.save caching ${this.ghaCacheKey} to GitHub Actions cache`);
-      await cache.saveCache([this.cacheDir], this.ghaCacheKey);
+      core.debug(`Cache.save sending ${this.ghaCacheKey} to post state`);
+      core.saveState(
+        Cache.POST_CACHE_KEY,
+        JSON.stringify({
+          dir: this.cacheDir,
+          key: this.ghaCacheKey
+        } as CachePostState)
+      );
     }
 
     return cachePath;
@@ -75,7 +88,7 @@ export class Cache {
       if (await cache.restoreCache([this.cacheDir], this.ghaCacheKey)) {
         core.info(`Restored ${this.ghaCacheKey} from GitHub Actions cache`);
         htcPath = await tc.cacheDir(this.cacheDir, this.opts.htcName, this.opts.htcVersion, this.platform());
-        core.info(`Restored to hosted tool cache ${htcPath}`);
+        core.info(`Cached to hosted tool cache ${htcPath}`);
         return this.copyToCache(`${htcPath}/${this.opts.cacheFile}`);
       }
     } else if (this.ghaNoCache) {
@@ -87,6 +100,26 @@ export class Cache {
     return '';
   }
 
+  public static async post(): Promise<CachePostState | undefined> {
+    const state = core.getState(Cache.POST_CACHE_KEY);
+    if (!state) {
+      core.info(`State not set`);
+      return Promise.resolve(undefined);
+    }
+    let cacheState: CachePostState;
+    try {
+      cacheState = <CachePostState>JSON.parse(state);
+    } catch (e) {
+      throw new Error(`Failed to parse cache post state: ${e}`);
+    }
+    if (!cacheState.dir || !cacheState.key) {
+      throw new Error(`Invalid cache post state: ${state}`);
+    }
+    core.info(`Caching ${cacheState.key} to GitHub Actions cache`);
+    await cache.saveCache([cacheState.dir], cacheState.key);
+    return cacheState;
+  }
+
   private copyToCache(file: string): string {
     core.debug(`Copying ${file} to ${this.cachePath}`);
     fs.copyFileSync(file, this.cachePath);

src/docker/docker.ts

@@ -20,7 +20,10 @@ import path from 'path';
 import * as core from '@actions/core';
 import * as io from '@actions/io';
 
+import {Context} from '../context';
+import {Cache} from '../cache';
 import {Exec} from '../exec';
+import {Util} from '../util';
 
 import {ConfigFile} from '../types/docker';
 
@@ -73,4 +76,89 @@ export class Docker {
   public static async printInfo(): Promise<void> {
     await Exec.exec('docker', ['info']);
   }
+
+  public static parseRepoTag(image: string): {repository: string; tag: string} {
+    let sepPos: number;
+    const digestPos = image.indexOf('@');
+    const colonPos = image.lastIndexOf(':');
+    if (digestPos >= 0) {
+      // priority on digest
+      sepPos = digestPos;
+    } else if (colonPos >= 0) {
+      sepPos = colonPos;
+    } else {
+      return {
+        repository: image,
+        tag: 'latest'
+      };
+    }
+    const tag = image.slice(sepPos + 1);
+    if (tag.indexOf('/') === -1) {
+      return {
+        repository: image.slice(0, sepPos),
+        tag: tag
+      };
+    }
+    return {
+      repository: image,
+      tag: 'latest'
+    };
+  }
+
+  public static async pull(image: string, cache?: boolean): Promise<void> {
+    const parsedImage = Docker.parseRepoTag(image);
+    const repoSanitized = parsedImage.repository.replace(/[^a-zA-Z0-9.]+/g, '--');
+    const tagSanitized = parsedImage.tag.replace(/[^a-zA-Z0-9.]+/g, '--');
+
+    const imageCache = new Cache({
+      htcName: repoSanitized,
+      htcVersion: tagSanitized,
+      baseCacheDir: path.join(Docker.configDir, '.cache', 'images', repoSanitized),
+      cacheFile: 'image.tar'
+    });
+
+    let cacheFoundPath: string | undefined;
+    if (cache) {
+      cacheFoundPath = await imageCache.find();
+      if (cacheFoundPath) {
+        core.info(`Image found from cache in ${cacheFoundPath}`);
+        await Exec.getExecOutput(`docker`, ['load', '-i', cacheFoundPath], {
+          ignoreReturnCode: true
+        }).then(res => {
+          if (res.stderr.length > 0 && res.exitCode != 0) {
+            core.warning(`Failed to load image from cache: ${res.stderr.match(/(.*)\s*$/)?.[0]?.trim() ?? 'unknown error'}`);
+          }
+        });
+      }
+    }
+
+    let pulled = true;
+    await Exec.getExecOutput(`docker`, ['pull', image], {
+      ignoreReturnCode: true
+    }).then(res => {
+      pulled = false;
+      if (res.stderr.length > 0 && res.exitCode != 0) {
+        const err = res.stderr.match(/(.*)\s*$/)?.[0]?.trim() ?? 'unknown error';
+        if (cacheFoundPath) {
+          core.warning(`Failed to pull image, using one from cache: ${err}`);
+        } else {
+          throw new Error(err);
+        }
+      }
+    });
+
+    if (cache && pulled) {
+      const imageTarPath = path.join(Context.tmpDir(), `${Util.hash(image)}.tar`);
+      await Exec.getExecOutput(`docker`, ['save', '-o', imageTarPath, image], {
+        ignoreReturnCode: true
+      }).then(async res => {
+        if (res.stderr.length > 0 && res.exitCode != 0) {
+          core.warning(`Failed to save image: ${res.stderr.match(/(.*)\s*$/)?.[0]?.trim() ?? 'unknown error'}`);
+        } else {
+          const cachePath = await imageCache.save(imageTarPath);
+          core.info(`Image cached to ${cachePath}`);
+        }
+      });
+    }
+  }
 }

src/index.ts

@@ -16,6 +16,8 @@
 
 import * as core from '@actions/core';
 
+import {Cache} from './cache';
+
 const isPost = !!process.env['STATE_isPost'];
 if (!isPost) {
   core.saveState('isPost', 'true');
@@ -36,7 +38,12 @@ export async function run(main: () => Promise<void>, post?: () => Promise<void>)
     } catch (e) {
       core.setFailed(e.message);
     }
-  } else if (post) {
-    await post();
+  } else {
+    if (post) {
+      await post();
+    }
+    await core.group(`Post cache`, async () => {
+      await Cache.post();
+    });
   }
 }

src/types/bake.ts

@@ -39,7 +39,9 @@ export interface Target {
   platforms?: Array<string>;
   pull?: boolean;
   secret?: Array<string>;
+  'shm-size'?: string;
   ssh?: Array<string>;
   tags?: Array<string>;
   target?: string;
+  ulimits?: Array<string>;
 }

src/util.ts

@@ -144,4 +144,26 @@ export class Util {
   public static hash(input: string): string {
     return crypto.createHash('sha256').update(input).digest('hex');
   }
+
+  // https://github.com/golang/go/blob/f6b93a4c358b28b350dd8fe1780c1f78e520c09c/src/strconv/atob.go#L7-L18
+  public static parseBool(str: string): boolean {
+    switch (str) {
+      case '1':
+      case 't':
+      case 'T':
+      case 'true':
+      case 'TRUE':
+      case 'True':
+        return true;
+      case '0':
+      case 'f':
+      case 'F':
+      case 'false':
+      case 'FALSE':
+      case 'False':
+        return false;
+      default:
+        throw new Error(`parseBool syntax error: ${str}`);
+    }
+  }
 }

yarn.lock

@@ -1061,7 +1061,7 @@ __metadata:
     "@types/csv-parse": ^1.2.2
     "@types/js-yaml": ^4.0.5
     "@types/node": ^20.5.9
-    "@types/semver": ^7.5.1
+    "@types/semver": ^7.5.8
     "@types/tmp": ^0.2.3
     "@typescript-eslint/eslint-plugin": ^6.6.0
     "@typescript-eslint/parser": ^6.6.0
@@ -1078,7 +1078,7 @@ __metadata:
     jwt-decode: ^4.0.0
     prettier: ^3.0.3
     rimraf: ^5.0.1
-    semver: ^7.5.4
+    semver: ^7.6.0
     tmp: ^0.2.3
     ts-jest: ^29.1.1
     ts-node: ^10.9.1
@@ -2013,10 +2013,10 @@ __metadata:
   languageName: node
   linkType: hard
 
-"@types/semver@npm:^7.5.1":
-  version: 7.5.1
-  resolution: "@types/semver@npm:7.5.1"
-  checksum: 2fffe938c7ac168711f245a16e1856a3578d77161ca17e29a05c3e02c7be3e9c5beefa29a3350f6c1bd982fb70aa28cc52e4845eb7d36246bcdc0377170d584d
+"@types/semver@npm:^7.5.8":
+  version: 7.5.8
+  resolution: "@types/semver@npm:7.5.8"
+  checksum: ea6f5276f5b84c55921785a3a27a3cd37afee0111dfe2bcb3e03c31819c197c782598f17f0b150a69d453c9584cd14c4c4d7b9a55d2c5e6cacd4d66fdb3b3663
   languageName: node
   linkType: hard
 
@@ -4465,9 +4465,9 @@ __metadata:
   linkType: hard
 
 "ip@npm:^2.0.0":
-  version: 2.0.0
-  resolution: "ip@npm:2.0.0"
-  checksum: cfcfac6b873b701996d71ec82a7dd27ba92450afdb421e356f44044ed688df04567344c36cbacea7d01b1c39a4c732dc012570ebe9bebfb06f27314bca625349
+  version: 2.0.1
+  resolution: "ip@npm:2.0.1"
+  checksum: d765c9fd212b8a99023a4cde6a558a054c298d640fec1020567494d257afd78ca77e37126b1a3ef0e053646ced79a816bf50621d38d5e768cdde0431fa3b0d35
   languageName: node
   linkType: hard
 
@@ -6502,6 +6502,17 @@ __metadata:
   languageName: node
   linkType: hard
 
+"semver@npm:^7.6.0":
+  version: 7.6.0
+  resolution: "semver@npm:7.6.0"
+  dependencies:
+    lru-cache: ^6.0.0
+  bin:
+    semver: bin/semver.js
+  checksum: 7427f05b70786c696640edc29fdd4bc33b2acf3bbe1740b955029044f80575fc664e1a512e4113c3af21e767154a94b4aa214bf6cd6e42a1f6dba5914e0b208c
+  languageName: node
+  linkType: hard
+
 "set-blocking@npm:^2.0.0":
   version: 2.0.0
   resolution: "set-blocking@npm:2.0.0"
@@ -7169,11 +7180,11 @@ __metadata:
   linkType: hard
 
 "undici@npm:^5.25.4":
-  version: 5.27.0
-  resolution: "undici@npm:5.27.0"
+  version: 5.28.4
+  resolution: "undici@npm:5.28.4"
   dependencies:
     "@fastify/busboy": ^2.0.0
-  checksum: 3acad25bfe5957aa5edc24eb160b5da7a9c67a5061e2e001929bef4bafed07d93a2accb36d407179c35b3ae56adbe89b49e1dd80d8cea9fdc44dca2037174330
+  checksum: a8193132d84540e4dc1895ecc8dbaa176e8a49d26084d6fbe48a292e28397cd19ec5d13bc13e604484e76f94f6e334b2bdc740d5f06a6e50c44072818d0c19f9
   languageName: node
   linkType: hard