22 changes: 22 additions & 0 deletions .github/workflows/.test-bake.yml
Expand Up @@ -621,3 +621,25 @@ jobs:
- registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

bake-local-login:
uses: ./.github/workflows/bake.yml
if: ${{ github.event_name != 'pull_request' }}
permissions:
contents: read
id-token: write
with:
artifact-name: bake-login-output
artifact-upload: true
context: test
output: local
registry-login: true
sbom: true
sign: true
target: dhi
secrets:
registry-auths: |
- registry: dhi.io
username: ${{ vars.DOCKERPUBLICBOT_USERNAME }}
password: ${{ secrets.DOCKERPUBLICBOT_READ_PAT }}
scope: 'dhi.io@pull'
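Review bot: The new `bake-local-login` job is skipped on every `pull_request` event (`if: ${{ github.event_name != 'pull_request' }}`), so the `registry-login: true` code path this change introduces is never exercised by PR CI, including same-repo PRs where `vars.DOCKERPUBLICBOT_USERNAME` and `secrets.DOCKERPUBLICBOT_READ_PAT` are available. The README added in this same change recommends the narrower gate `if: ${{ github.event_name != 'pull_request' || !github.event.pull_request.head.repo.fork }}`; using that expression here keeps the test aligned with the documented guidance and gets the login path covered on internal PRs while still skipping forks, where the secret is absent and the forced login would fail. The same applies to `build-local-login` in `.test-build.yml`. A one-line comment above the `registry-auths` block, `# read-only pull credentials; the login step fails if either expansion is empty`, would make the PR gate's purpose obvious to the next reader.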
21 changes: 21 additions & 0 deletions .github/workflows/.test-build.yml
Expand Up @@ -640,3 +640,24 @@ jobs:
- registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

build-local-login:
uses: ./.github/workflows/build.yml
if: ${{ github.event_name != 'pull_request' }}
permissions:
contents: read
id-token: write
with:
artifact-name: build-login-output
artifact-upload: true
file: test/dhi.Dockerfile
output: local
registry-login: true
sbom: true
sign: true
secrets:
registry-auths: |
- registry: dhi.io
username: ${{ vars.DOCKERPUBLICBOT_USERNAME }}
password: ${{ secrets.DOCKERPUBLICBOT_READ_PAT }}
scope: 'dhi.io@pull'
28 changes: 23 additions & 5 deletions .github/workflows/bake.yml
Expand Up @@ -65,6 +65,11 @@ on:
description: "Push image to the registry (for image output)"
required: false
default: false
registry-login:
type: string
description: "Login to registry before build (one of auto, true or false). Auto enables login only when output is image and push is true"
required: false
default: auto
sbom:
type: boolean
description: "Generate SBOM attestation for the build"
Expand Down Expand Up @@ -125,7 +130,7 @@ on:
required: false
secrets:
registry-auths:
description: "Raw authentication to registries, defined as YAML objects (for image output)"
description: "Raw authentication to registries, defined as YAML objects"
required: false
github-token:
description: "GitHub Token used to authenticate against the repository for Git context"
Expand Down Expand Up @@ -172,6 +177,7 @@ jobs:
includes: ${{ steps.set.outputs.includes }}
sign: ${{ steps.set.outputs.sign }}
ghaCacheSign: ${{ steps.set.outputs.ghaCacheSign }}
registryLogin: ${{ steps.set.outputs.registryLogin }}
steps:
-
name: Install dependencies
Expand Down Expand Up @@ -258,6 +264,7 @@ jobs:
INPUT_FILES: ${{ inputs.files }}
INPUT_OUTPUT: ${{ inputs.output }}
INPUT_PUSH: ${{ inputs.push }}
INPUT_REGISTRY-LOGIN: ${{ inputs.registry-login }}
INPUT_SBOM: ${{ inputs.sbom }}
INPUT_SET: ${{ inputs.set }}
INPUT_SIGN: ${{ inputs.sign }}
Expand All @@ -284,6 +291,7 @@ jobs:
const inpFiles = Util.getInputList('files');
const inpOutput = core.getInput('output');
const inpPush = core.getBooleanInput('push');
const inpRegistryLogin = core.getInput('registry-login');
const inpSbom = core.getBooleanInput('sbom');
const inpSet = Util.getInputList('set', {ignoreComma: true, quote: false});
const inpSign = core.getInput('sign');
Expand Down Expand Up @@ -314,12 +322,18 @@ jobs:
core.setFailed(`signing attestation manifests requires push to be enabled`);
return;
}

const bakeSource = await new Build().gitContext({subdir: inpContext});
await core.group(`Set bake source`, async () => {
core.info(bakeSource);
});

if (!['auto', 'true', 'false'].includes(inpRegistryLogin)) {
core.setFailed(`Invalid registry-login input: ${inpRegistryLogin}`);
return;
}
const registryLogin = inpRegistryLogin === 'auto' ? inpOutput === 'image' && inpPush : inpRegistryLogin === 'true';

const envs = Object.assign({},
inpVars ? inpVars.reduce((acc, curr) => {
const idx = curr.indexOf('=');
Expand All @@ -336,7 +350,7 @@ jobs:
await core.group(`Set envs`, async () => {
core.info(JSON.stringify(envs, null, 2));
});

let def;
let target;
try {
Expand Down Expand Up @@ -405,7 +419,7 @@ jobs:
core.setFailed(`Platforms to build exceed matrix size limit of ${inpMatrixSizeLimit}`);
return;
}

const privateRepo = GitHub.context.payload.repository?.private ?? false;
await core.group(`Set privateRepo output`, async () => {
core.info(`privateRepo: ${privateRepo}`);
Expand Down Expand Up @@ -440,6 +454,10 @@ jobs:
core.info(`ghaCacheSign: ${ghaCacheSign}`);
core.setOutput('ghaCacheSign', ghaCacheSign);
});
await core.group(`Set registryLogin output`, async () => {
core.info(`registryLogin: ${registryLogin}`);
core.setOutput('registryLogin', registryLogin);
});

build:
runs-on: ${{ matrix.runner }}
Expand Down Expand Up @@ -782,7 +800,7 @@ jobs:
});
-
name: Login to registry
if: ${{ inputs.push && inputs.output == 'image' }}
if: ${{ needs.prepare.outputs.registryLogin == 'true' }}
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
with:
registry-auth: ${{ secrets.registry-auths }}
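Review bot: The `registry-login` validation `if (!['auto', 'true', 'false'].includes(inpRegistryLogin))` is placed after `await new Build().gitContext({subdir: inpContext})` has already run, so a bad input value is reported only after the git context resolution instead of up front with the other input checks (the `sign` check ending in `core.setFailed(\`signing attestation manifests requires push to be enabled\`)` precedes it); moving the three-line check and the `const registryLogin = …` derivation above the `bakeSource` line fails fast with no change in outcome. The derivation `inpRegistryLogin === 'auto' ? inpOutput === 'image' && inpPush : inpRegistryLogin === 'true'` is repeated verbatim in build.yml and carries the security-relevant default, so each copy deserves a comment such as `// auto: send registry credentials only when an image is actually pushed; explicit true/false overrides` to record why credentials are otherwise withheld from the build job. `registryLogin` is a JS boolean that `core.setOutput` stringifies, which is what the `needs.prepare.outputs.registryLogin == 'true'` comparison at the login step relies on; a short comment there (`# output is the string "true"/"false" from prepare`) would prevent someone from "simplifying" it to a bare truthiness check. The enclosing `prepare` script starts and ends outside this hunk.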
22 changes: 20 additions & 2 deletions .github/workflows/build.yml
Expand Up @@ -81,6 +81,11 @@ on:
description: "Push image to the registry (for image output)"
required: false
default: false
registry-login:
type: string
description: "Login to registry before build (one of auto, true or false). Auto enables login only when output is image and push is true"
required: false
default: auto
sbom:
type: boolean
description: "Generate SBOM attestation for the build"
Expand Down Expand Up @@ -128,7 +133,7 @@ on:
required: false
secrets:
registry-auths:
description: "Raw authentication to registries, defined as YAML objects (for image output)"
description: "Raw authentication to registries, defined as YAML objects"
required: false
github-token:
description: "GitHub Token used to authenticate against the repository for Git context"
Expand Down Expand Up @@ -176,6 +181,7 @@ jobs:
sign: ${{ steps.set.outputs.sign }}
privateRepo: ${{ steps.set.outputs.privateRepo }}
ghaCacheSign: ${{ steps.set.outputs.ghaCacheSign }}
registryLogin: ${{ steps.set.outputs.registryLogin }}
steps:
-
name: Install dependencies
Expand Down Expand Up @@ -252,6 +258,7 @@ jobs:
INPUT_OUTPUT: ${{ inputs.output }}
INPUT_PLATFORMS: ${{ inputs.platforms }}
INPUT_PUSH: ${{ inputs.push }}
INPUT_REGISTRY-LOGIN: ${{ inputs.registry-login }}
INPUT_SIGN: ${{ inputs.sign }}
with:
script: |
Expand All @@ -267,6 +274,7 @@ jobs:
const inpPlatforms = Util.getInputList('platforms');
const inpOutput = core.getInput('output');
const inpPush = core.getBooleanInput('push');
const inpRegistryLogin = core.getInput('registry-login');
const inpSign = core.getInput('sign');

let runner = inpRunner;
Expand Down Expand Up @@ -294,6 +302,12 @@ jobs:
return;
}

if (!['auto', 'true', 'false'].includes(inpRegistryLogin)) {
core.setFailed(`Invalid registry-login input: ${inpRegistryLogin}`);
return;
}
const registryLogin = inpRegistryLogin === 'auto' ? inpOutput === 'image' && inpPush : inpRegistryLogin === 'true';

if (inpDistribute && inpPlatforms.length > inpMatrixSizeLimit) {
core.setFailed(`Platforms to build exceed matrix size limit of ${inpMatrixSizeLimit}`);
return;
Expand Down Expand Up @@ -333,6 +347,10 @@ jobs:
core.info(`ghaCacheSign: ${ghaCacheSign}`);
core.setOutput('ghaCacheSign', ghaCacheSign);
});
await core.group(`Set registryLogin output`, async () => {
core.info(`registryLogin: ${registryLogin}`);
core.setOutput('registryLogin', registryLogin);
});

build:
runs-on: ${{ matrix.runner }}
Expand Down Expand Up @@ -640,7 +658,7 @@ jobs:
}
-
name: Login to registry
if: ${{ inputs.push && inputs.output == 'image' }}
if: ${{ needs.prepare.outputs.registryLogin == 'true' }}
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
with:
registry-auth: ${{ secrets.registry-auths }}
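Review bot: The `description` for the new `registry-login` input is a single double-quoted line of roughly 140 characters including indent, well past the 120-column limit the file's other descriptions stay within; a folded scalar reads the same at runtime: `description: >-` / `Login to registry before build (one of auto, true or false).` / `Auto enables login only when output is image and push is true`. The identical line is added in bake.yml and should get the same treatment. `default: auto` is safe unquoted, but since the script compares it as a string (`inpRegistryLogin === 'auto'`), writing `default: 'auto'` documents that the value is a string enum rather than a boolean-like flag and matches the quoting style used for `scope: 'dhi.io@pull'` in the test workflows.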
38 changes: 30 additions & 8 deletions README.md
Expand Up @@ -239,6 +239,7 @@ jobs:
| `output` | String | | Build output destination (one of [`image`](https://docs.docker.com/build/exporters/image-registry/) or [`local`](https://docs.docker.com/build/exporters/local-tar/)). Unlike the `build-push-action`, it only accepts `image` or `local`. The reusable workflow takes care of setting the `outputs` attribute |
| `platforms` | List/CSV | | List of [target platforms](https://docs.docker.com/engine/reference/commandline/buildx_build/#platform) to build |
| `push` | Bool | `false` | [Push](https://docs.docker.com/engine/reference/commandline/buildx_build/#push) image to the registry (for `image` output) |
| `registry-login` | String | `auto` | Login to registry before build (one of `auto`, `true` or `false`). `auto` enables login only when output is `image` and push is `true` |
| `sbom` | Bool | `false` | Generate [SBOM](https://docs.docker.com/build/attestations/sbom/) attestation for the build |
| `shm-size` | String | | Size of [`/dev/shm`](https://docs.docker.com/engine/reference/commandline/buildx_build/#shm-size) (e.g., `2g`) |
| `sign` | String | `auto` | Sign attestation manifest for `image` output or artifacts for `local` output, can be one of `auto`, `true` or `false`. The `auto` mode will enable signing if `push` is enabled for pushing the `image` or if `artifact-upload` is enabled for uploading the `local` build output as GitHub Artifact |
Expand All @@ -250,6 +251,16 @@ jobs:
| `meta-tags` | List | | [List of tags](https://github.com/docker/metadata-action?tab=readme-ov-file#tags-input) as key-value pair attributes |
| `meta-flavor` | List | | [Flavor](https://github.com/docker/metadata-action?tab=readme-ov-file#flavor-input) defines a global behavior for `meta-tags` |

> [!NOTE]
> `registry-login: true` forces a pre-build login attempt and will fail if the
> resolved credentials are empty, for example, on forked pull requests where
> secrets are not exposed. Gate this input at the caller side if you need
> fork-safe behavior:
>
> ```yaml
> registry-login: ${{ github.event_name != 'pull_request' || !github.event.pull_request.head.repo.fork }}
> ```

> [!TIP]
> When `output=image`, following inputs support Handlebars templates rendered
> from selected `docker/metadata-action` outputs:
Expand All @@ -275,10 +286,10 @@ jobs:

#### Secrets

| Name | Default | Description |
|------------------|-----------------------|--------------------------------------------------------------------------------|
| `registry-auths` | | Raw authentication to registries, defined as YAML objects (for `image` output) |
| `github-token` | `${{ github.token }}` | GitHub Token used to authenticate against the repository for Git context |
| Name | Default | Description |
|------------------|-----------------------|----------------------------------------------------------------------------------------------------------------|
| `registry-auths` | | Raw authentication to registries, defined as YAML objects (used for push/signing and optional pre-build login) |
| `github-token` | `${{ github.token }}` | GitHub Token used to authenticate against the repository for Git context |

#### Outputs

Expand Down Expand Up @@ -384,6 +395,7 @@ jobs:
| `files` | List | `{context}/docker-bake.hcl` | List of bake definition files |
| `output` | String | | Build output destination (one of [`image`](https://docs.docker.com/build/exporters/image-registry/) or [`local`](https://docs.docker.com/build/exporters/local-tar/)). |
| `push` | Bool | `false` | Push image to the registry (for `image` output) |
| `registry-login` | String | `auto` | Login to registry before build (one of `auto`, `true` or `false`). `auto` enables login only when output is `image` and push is `true` |
| `sbom` | Bool | `false` | Generate [SBOM](https://docs.docker.com/build/attestations/sbom/) attestation for the build |
| `set` | List | | List of [target values to override](https://docs.docker.com/engine/reference/commandline/buildx_bake/#set) (e.g., `targetpattern.key=value`) |
| `sign` | String | `auto` | Sign attestation manifest for `image` output or artifacts for `local` output, can be one of `auto`, `true` or `false`. The `auto` mode will enable signing if `push` is enabled for pushing the `image` or if `artifact-upload` is enabled for uploading the `local` build output as GitHub Artifact |
Expand All @@ -397,6 +409,16 @@ jobs:
| `meta-annotations` | List | | [List of custom annotations](https://github.com/docker/metadata-action?tab=readme-ov-file#overwrite-labels-and-annotations) |
| `meta-flavor` | List | | [Flavor](https://github.com/docker/metadata-action?tab=readme-ov-file#flavor-input) defines a global behavior for `meta-tags` |

> [!NOTE]
> `registry-login: true` forces a pre-build login attempt and will fail if the
> resolved credentials are empty, for example, on forked pull requests where
> secrets are not exposed. Gate this input at the caller side if you need
> fork-safe behavior:
>
> ```yaml
> registry-login: ${{ github.event_name != 'pull_request' || !github.event.pull_request.head.repo.fork }}
> ```

> [!TIP]
> When `output=image`, the `set` input supports Handlebars templates rendered
> from selected `docker/metadata-action` outputs.
Expand All @@ -419,10 +441,10 @@ jobs:

#### Secrets

| Name | Default | Description |
|------------------|-----------------------|--------------------------------------------------------------------------------|
| `registry-auths` | | Raw authentication to registries, defined as YAML objects (for `image` output) |
| `github-token` | `${{ github.token }}` | GitHub Token used to authenticate against the repository for Git context |
| Name | Default | Description |
|------------------|-----------------------|----------------------------------------------------------------------------------------------------------------|
| `registry-auths` | | Raw authentication to registries, defined as YAML objects (used for push/signing and optional pre-build login) |
| `github-token` | `${{ github.token }}` | GitHub Token used to authenticate against the repository for Git context |

#### Outputs

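--- a/test/dhi.Dockerfile
+++ b/test/dhi.Dockerfile
@@ -0,0 +1,9 @@
+# syntax=docker/dockerfile:1
+
+FROM dhi.io/alpine-base:3.23 AS base
+ARG TARGETPLATFORM
+RUN echo "Hello, World! This is ${TARGETPLATFORM}" > /tmp/hello.txt
+ARG BUILDKIT_SBOM_SCAN_STAGE=true
+
+FROM scratch
+COPY --from=base /tmp/hello.txt /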
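Review bot: `FROM dhi.io/alpine-base:3.23 AS base` pins the base image by tag only, so the new test job that signs this build and attaches an SBOM (`sbom: true`, `sign: true`) can resolve a different base on each run as the tag moves, making the attested content non-reproducible between runs; pinning by digest, `FROM dhi.io/alpine-base:3.23@sha256:<digest-placeholder> AS base`, keeps the fixture and its generated SBOM stable. `ARG BUILDKIT_SBOM_SCAN_STAGE=true` is presumably there to opt the intermediate stage into SBOM scanning even though nothing from it is shipped except `/tmp/hello.txt`; a comment `# opt the base stage into SBOM scanning (not just the final scratch stage)` above it would record that intent.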
5 changes: 5 additions & 0 deletions test/docker-bake.hcl
Expand Up @@ -67,3 +67,8 @@ target "generated-hello2" {
dockerfile = "hello.Dockerfile"
output = ["type=cacheonly"]
}

target "dhi" {
inherits = ["docker-metadata-action"]
dockerfile = "dhi.Dockerfile"
}