diff --git a/README.md b/README.md index 87205ff..b935b9a 100644 --- a/README.md +++ b/README.md @@ -117,6 +117,26 @@ to the default Git context: push: true ``` +Building from the current repository automatically uses the `GITHUB_TOKEN` +secret that GitHub [automatically creates for workflows](https://docs.github.com/en/actions/security-guides/automatic-token-authentication), +so you don't need to pass that manually. If you want to authenticate against +another private repository for remote definitions, you can set the +[`BUILDX_BAKE_GIT_AUTH_TOKEN` environment variable](https://docs.docker.com/build/building/variables/#buildx_bake_git_auth_token). + +> [!NOTE] +> Supported since Buildx 0.14.0 + +```yaml + - + name: Build and push + uses: docker/bake-action@v4 + with: + source: "${{ github.server_url }}/${{ github.repository }}.git#${{ github.ref }}" + push: true + env: + BUILDX_BAKE_GIT_AUTH_TOKEN: ${{ secrets.MYTOKEN }} +``` + ## Customizing ### inputs 
@@ -138,20 +158,21 @@ The following inputs can be used as `step.with` keys > targets: default,release > ``` -| Name | Type | Description | -|--------------|-------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `builder` | String | Builder instance (see [setup-buildx](https://github.com/docker/setup-buildx-action) action) | -| `source` | String | Context to build from. Can be either local (`.`) or a [remote bake definition](https://docs.docker.com/build/customize/bake/file-definition/#remote-definition) | -| `files` | List/CSV | List of [bake definition files](https://docs.docker.com/build/customize/bake/file-definition/) | -| `workdir` | String | Working directory of execution | -| `targets` | List/CSV | List of bake targets (`default` target used if empty) | -| `no-cache` | Bool | Do not use cache when building the image (default `false`) | -| `pull` | Bool | Always attempt to pull a newer version of the image (default `false`) | -| `load` | Bool | Load is a shorthand for `--set=*.output=type=docker` (default `false`) | -| `provenance` | Bool/String | [Provenance](https://docs.docker.com/build/attestations/slsa-provenance/) is a shorthand for `--set=*.attest=type=provenance` | -| `push` | Bool | Push is a shorthand for `--set=*.output=type=registry` (default `false`) | -| `sbom` | Bool/String | [SBOM](https://docs.docker.com/build/attestations/sbom/) is a shorthand for `--set=*.attest=type=sbom` | -| `set` | List | List of [targets values to override](https://docs.docker.com/engine/reference/commandline/buildx_bake/#set) (eg: `targetpattern.key=value`) | +| Name | Type | Description | +|----------------|-------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `builder` | String | Builder instance (see 
[setup-buildx](https://github.com/docker/setup-buildx-action) action) | +| `source` | String | Context to build from. Can be either local (`.`) or a [remote bake definition](https://docs.docker.com/build/customize/bake/file-definition/#remote-definition) | +| `files` | List/CSV | List of [bake definition files](https://docs.docker.com/build/customize/bake/file-definition/) | +| `workdir` | String | Working directory of execution | +| `targets` | List/CSV | List of bake targets (`default` target used if empty) | +| `no-cache` | Bool | Do not use cache when building the image (default `false`) | +| `pull` | Bool | Always attempt to pull a newer version of the image (default `false`) | +| `load` | Bool | Load is a shorthand for `--set=*.output=type=docker` (default `false`) | +| `provenance` | Bool/String | [Provenance](https://docs.docker.com/build/attestations/slsa-provenance/) is a shorthand for `--set=*.attest=type=provenance` | +| `push` | Bool | Push is a shorthand for `--set=*.output=type=registry` (default `false`) | +| `sbom` | Bool/String | [SBOM](https://docs.docker.com/build/attestations/sbom/) is a shorthand for `--set=*.attest=type=sbom` | +| `set` | List | List of [targets values to override](https://docs.docker.com/engine/reference/commandline/buildx_bake/#set) (eg: `targetpattern.key=value`) | +| `github-token` | String | API token used to authenticate to a Git repository for [remote definitions](https://docs.docker.com/build/bake/remote-definition/) (default `${{ github.token }}`) | ### outputs diff --git a/action.yml b/action.yml index b3c29e4..88c24ca 100644 --- a/action.yml +++ b/action.yml @@ -48,6 +48,10 @@ inputs: set: description: "List of targets values to override (eg. targetpattern.key=value)" required: false + github-token: + description: "API token used to authenticate to a Git repository for remote definitions" + default: ${{ github.token }} + required: false outputs: metadata: 
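Review bot: The `github-token` description added in action.yml does not say that the value is exported to buildx as `BUILDX_BAKE_GIT_AUTH_TOKEN`, nor that a `BUILDX_BAKE_GIT_AUTH_TOKEN` already present in the step environment takes precedence over it (the `??` in src/main.ts). Because the default is `${{ github.token }}`, every run now carries the workflow token into the build environment, including runs that build from a local context. I would state this in the description, for example `description: "Token used to fetch remote bake definitions over Git; overridden by the BUILDX_BAKE_GIT_AUTH_TOKEN env var"`. The README section could also recommend a workflow `permissions:` block limited to read access, assuming read access is all buildx needs here, which should be confirmed.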
diff --git a/src/context.ts b/src/context.ts index 4d4e157..cda78fb 100644 --- a/src/context.ts +++ b/src/context.ts @@ -21,6 +21,7 @@ export interface Inputs { sbom: string; set: string[]; source: string; + githubToken: string; } export async function getInputs(): Promise { @@ -36,7 +37,8 @@ export async function getInputs(): Promise { push: core.getBooleanInput('push'), sbom: core.getInput('sbom'), set: Util.getInputList('set', {ignoreComma: true, quote: false}), - source: getSourceInput('source') + source: getSourceInput('source'), + githubToken: core.getInput('github-token') }; } diff --git a/src/main.ts b/src/main.ts index 0757333..b6e93b0 100644 --- a/src/main.ts +++ b/src/main.ts @@ -19,6 +19,7 @@ actionsToolkit.run( async () => { const inputs: context.Inputs = await context.getInputs(); const toolkit = new Toolkit(); + const gitAuthToken = process.env.BUILDX_BAKE_GIT_AUTH_TOKEN ?? inputs.githubToken; await core.group(`GitHub Actions runtime token ACs`, async () => { try { @@ -85,7 +86,8 @@ actionsToolkit.run( push: inputs.push, sbom: inputs.sbom, source: inputs.source, - targets: inputs.targets + targets: inputs.targets, + githubToken: gitAuthToken }, { cwd: inputs.workdir @@ -98,15 +100,22 @@ actionsToolkit.run( const args: string[] = await context.getArgs(inputs, definition, toolkit); const buildCmd = await toolkit.buildx.getCommand(args); + const buildEnv = Object.assign({}, process.env, { + BUILDX_BAKE_GIT_AUTH_TOKEN: gitAuthToken + }) as { + [key: string]: string; + }; await core.group(`Bake definition`, async () => { await Exec.exec(buildCmd.command, [...buildCmd.args, '--print'], { - cwd: inputs.workdir + cwd: inputs.workdir, + env: buildEnv }); }); await Exec.getExecOutput(buildCmd.command, buildCmd.args, { cwd: inputs.workdir, + env: buildEnv, ignoreReturnCode: true }).then(res => { if (res.stderr.length > 0 && res.exitCode != 0) {
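Review bot: In the second src/context.ts hunk, `githubToken: core.getInput('github-token')` reads a credential without registering it for log masking. The runner already masks `github.token` and values from `secrets.*`, but a token supplied another way (for example a step output or an expression result) would not be redacted if it ever reached the log. Something like `const githubToken = core.getInput('github-token'); if (githubToken) core.setSecret(githubToken);` before building the returned object would cover that. The body of `getInputs` starts outside this hunk.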
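Review bot: In the first src/main.ts hunk, `process.env.BUILDX_BAKE_GIT_AUTH_TOKEN ?? inputs.githubToken` falls back only when the variable is unset, not when it is an empty string. A workflow that follows the README example with a secret that is undefined, or unavailable as on pull requests from forks, gets `BUILDX_BAKE_GIT_AUTH_TOKEN=""`. The empty value then wins and is passed on as `githubToken` in the second hunk, so the default token is never tried. Using `process.env.BUILDX_BAKE_GIT_AUTH_TOKEN || inputs.githubToken` treats empty as absent. A short comment stating the intended precedence (env var over input) would also help the next reader.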
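Review bot: In the last src/main.ts hunk, `buildEnv` sets `BUILDX_BAKE_GIT_AUTH_TOKEN` on both exec calls unconditionally, whether or not `inputs.source` is a remote definition and whichever host it names. With the default of `${{ github.token }}`, a `source` pointing at a Git server other than `github.server_url` could receive the workflow token, if buildx attaches the variable to whatever remote it fetches (that behaviour is not visible in this diff and should be confirmed). I would add the key only when the token is non-empty and the source is a remote on the expected host, e.g. spread `...(gitAuthToken ? {BUILDX_BAKE_GIT_AUTH_TOKEN: gitAuthToken} : {})` behind a host check on `inputs.source`. Separately, the `as {[key: string]: string}` cast hides that `process.env` values may be `undefined`; filtering those out would be more honest than asserting the type.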