From 932b78563b572e02e419d29c016432436d342b0e Mon Sep 17 00:00:00 2001
From: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Date: Fri, 10 Jan 2025 11:29:03 +0100
Subject: [PATCH] set GIT_AUTH_TOKEN secret if Git context used
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
---
 .github/workflows/ci.yml | 1 +
 src/context.ts | 13 +++++++++++++
 src/main.ts | 2 +-
 3 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f2fb79a..7c30261 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -729,6 +729,7 @@ jobs:
 name: Build
 uses: ./
 with:
+ source: .
 files: |
 ./test/config.hcl
 allow: network.host
diff --git a/src/context.ts b/src/context.ts
index 0131234..d502cc3 100644
--- a/src/context.ts
+++ b/src/context.ts
@@ -68,6 +68,10 @@ export function sanitizeInputs(inputs: Inputs) {
 return res;
 }
+export function getGitAuthToken(inputs: Inputs): string {
+ return process.env.BUILDX_BAKE_GIT_AUTH_TOKEN ?? inputs['github-token'];
+}
+
 export async function getArgs(inputs: Inputs, definition: BakeDefinition, toolkit: Toolkit): Promise> {
 // prettier-ignore
 return [
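Review bot: In `getGitAuthToken`, `??` falls back to `inputs['github-token']` only when `BUILDX_BAKE_GIT_AUTH_TOKEN` is undefined, so an empty string is returned as the token. A workflow that maps the variable from a secret that is not defined would, as far as I can tell, end up with exactly that empty value, and the later `if (gitAuthToken && …)` check in `getBakeArgs` then skips the secret without any message. If an empty value is not meant as an explicit opt-out, `return process.env.BUILDX_BAKE_GIT_AUTH_TOKEN || inputs['github-token'];` restores the fallback. Either way, a short doc comment such as `/** Token for Git context auth: BUILDX_BAKE_GIT_AUTH_TOKEN takes precedence over the github-token input. */` would record the precedence for this exported helper.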
@@ -97,6 +101,15 @@ async function getBakeArgs(inputs: Inputs, definition: BakeDefinition, toolkit:
 await Util.asyncForEach(inputs.set, async set => {
 args.push('--set', set);
 });
+ if (await toolkit.buildx.versionSatisfies('<0.20.0')) {
+ // For buildx versions < 0.20.0, we need to set GIT_AUTH_TOKEN secret as it
+ // doesn't infer BUILDX_BAKE_GIT_AUTH_TOKEN environment variable for build
+ // request: https://github.com/docker/buildx/pull/2905
+ const gitAuthToken = getGitAuthToken(inputs);
+ if (gitAuthToken && !Bake.hasGitAuthTokenSecret(definition) && inputs.source.startsWith(Context.gitContext())) {
+ args.push('--set', `*.secrets=${Build.resolveSecretString(`GIT_AUTH_TOKEN=${gitAuthToken}`)}`);
+ }
+ }
 if (await toolkit.buildx.versionSatisfies('>=0.6.0')) {
 args.push('--metadata-file', toolkit.buildxBake.getMetadataFilePath());
 }
diff --git a/src/main.ts b/src/main.ts
index 1335cfc..63e9a88 100644
--- a/src/main.ts
+++ b/src/main.ts
@@ -30,7 +30,7 @@ actionsToolkit.run(
 stateHelper.setInputs(inputs);
 const toolkit = new Toolkit();
- const gitAuthToken = process.env.BUILDX_BAKE_GIT_AUTH_TOKEN ?? inputs['github-token'];
+ const gitAuthToken = context.getGitAuthToken(inputs);
 await core.group(`GitHub Actions runtime token ACs`, async () => {
 try {
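Review bot: The `*.secrets=` override in the added `<0.20.0` branch of `getBakeArgs` attaches the token to every target in the bake definition, not only to targets built from the Git context, and when `BUILDX_BAKE_GIT_AUTH_TOKEN` is unset that token is the `github-token` input. Any target whose Dockerfile mounts a secret with id `GIT_AUTH_TOKEN` can then read it, so the scope deserves a line in the comment, e.g. `// NOTE: '*' applies the secret to every target, not just those built from the Git context`. It is also worth confirming whether `--set *.secrets=` replaces or appends to secrets a target already declares on these buildx versions, since `Bake.hasGitAuthTokenSecret(definition)` (body not in this patch) appears to guard only against an existing GIT_AUTH_TOKEN entry. The diffstat lists no test file, so the new branch looks untested in this commit. `getBakeArgs` starts and ends outside the hunk.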