fix: harden docker build-image config script

Copilot · neilime · neilime · commit 86740f41c02e · 2026-03-12T13:13:11.000+01:00
Co-authored-by: neilime &lt;314088+neilime@users.noreply.github.com&gt;
Signed-off-by: Emilien Escalle &lt;emilien.escalle@escemi.com&gt;
diff --git a/.github/workflows/docker-build-images.yml b/.github/workflows/docker-build-images.yml
@@ -32,7 +32,7 @@ on: # yamllint disable-line rule:truthy
         description: |
           Username configuration used to log against OCI registries.
           Accepts either a single username string (default format) or a JSON object using the same keys as `oci-registry`.
-          JSON example: `{"pull:private":"my-user","push":"my-user"}`
+          JSON example: `{"pull:private":"$\{{ github.repository_owner }}","push":"$\{{ github.repository_owner }}"}`
           See https://github.com/docker/login-action#usage.
         type: string
         default: ${{ github.repository_owner }}
@@ -116,7 +116,7 @@ on: # yamllint disable-line rule:truthy
         description: |
           Password or GitHub token (`packages:read` and `packages:write` scopes) configuration used to log against OCI registries.
           Accepts either a single password/token string (default format) or a JSON object using the same keys as `oci-registry`.
-          JSON example: `{"pull:private":"my-token","push":"my-token"}`
+          JSON example: `{"pull:private":"$\{{ github.token }}","push":"$\{{ github.token }}"}`
           See https://github.com/docker/login-action#usage.
         required: true
       build-secrets:
diff --git a/actions/docker/build-image/action.yml b/actions/docker/build-image/action.yml
@@ -28,15 +28,16 @@ inputs:
     description: |
       Username configuration used to log against OCI registries.
       Accepts either a single username string (default format) or a JSON object using the same keys as `oci-registry`.
-      JSON example: `{"pull:private":"${{ github.repository_owner }}","push":"${{ github.repository_owner }}"}`
+      JSON example:
+      `{"pull:private":"$\{{ github.repository_owner }}","push":"$\{{ github.repository_owner }}"}`
       See https://github.com/docker/login-action#usage.
     default: ${{ github.repository_owner }}
     required: true
   oci-registry-password:
     description: |
       Password or personal access token configuration used to log against OCI registries.
       Accepts either a single password/token string (default format) or a JSON object using the same keys as `oci-registry`.
-      JSON example: `{"pull:private":"${{ github.token }}","push":"${{ github.token }}"}`
+      JSON example: `{"pull:private":"$\{{ github.token }}","push":"$\{{ github.token }}"}`
       Can be passed in using `secrets.GITHUB_TOKEN`.
       See https://github.com/docker/login-action#usage.
     default: ${{ github.token }}
@@ -168,15 +169,24 @@ runs:
 
     - id: get-docker-config
       uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+      env:
+        CACHE_REGISTRY: ${{ steps.docker-setup.outputs.cache-registry }}
+        CACHE_TYPE_INPUT: ${{ inputs.cache-type }}
+        CONTEXT_INPUT: ${{ inputs.context }}
+        DOCKERFILE_INPUT: ${{ inputs.dockerfile }}
+        METADATA_IMAGE: ${{ steps.metadata.outputs.image }}
+        MULTI_PLATFORM_INPUT: ${{ inputs.multi-platform }}
+        PLATFORM_INPUT: ${{ inputs.platform }}
+        SLUGIFIED_PLATFORM: ${{ steps.slugify-platform.outputs.result }}
       with:
         script: |
           const fs = require('fs');
           const path = require('path');
 
           const workspace = process.env.GITHUB_WORKSPACE || process.cwd();
-          const rawContext = `${{ inputs.context }}`.trim();
+          const rawContext = (process.env.CONTEXT_INPUT || '').trim();
           const contextPath = rawContext.length > 0 ? rawContext : '.';
-          const rawDockerfile = `${{ inputs.dockerfile }}`.trim();
+          const rawDockerfile = (process.env.DOCKERFILE_INPUT || '').trim();
           const dockerfileName = rawDockerfile.length > 0 ? rawDockerfile : 'Dockerfile';
 
           const dockerfilePath = path.resolve(workspace, contextPath, dockerfileName);
@@ -188,13 +198,16 @@ runs:
           const resolvedDockerfilePath = fs.realpathSync(dockerfilePath);
           core.setOutput('dockerfile-path', resolvedDockerfilePath);
 
-          const slugifiedPlatform = `${{ steps.slugify-platform.outputs.result }}`;
+          const slugifiedPlatform = process.env.SLUGIFIED_PLATFORM || '';
           const tagSuffix = `-${slugifiedPlatform}`;
           core.setOutput('cache-flavor', `suffix=${tagSuffix}`);
 
-          const cacheType = `${{ inputs.cache-type }}`.trim();
-          const metadataImage = `${{ steps.metadata.outputs.image }}`;
-          const cacheRegistry = `${{ steps.docker-setup.outputs.cache-registry }}`.trim();
+          const cacheType = (process.env.CACHE_TYPE_INPUT || '').trim();
+          const metadataImage = process.env.METADATA_IMAGE || '';
+          const cacheRegistry = (process.env.CACHE_REGISTRY || '').trim();
+          if (cacheType === 'registry' && !cacheRegistry.length) {
+            return core.setFailed('Cache registry is required when cache-type is set to "registry".');
+          }
           const metadataImageWithoutRegistry = metadataImage.replace(/^[^\/]+\//, '');
           const cacheBaseImage = cacheRegistry.length ? `${cacheRegistry}/${metadataImageWithoutRegistry}` : metadataImage;
           const cacheImage = cacheType === 'registry' ? `${cacheBaseImage}/cache` : metadataImage;
@@ -207,14 +220,14 @@ runs:
             // docker not available on runner
           }
 
-          const multiplatformInput = `${{ inputs.multi-platform }}`.trim().toLowerCase();
+          const multiplatformInput = (process.env.MULTI_PLATFORM_INPUT || '').trim().toLowerCase();
           const isMultiplatform = !(multiplatformInput.length === 0 || multiplatformInput === 'false');
           if (isMultiplatform) {
             core.debug('Multi-platform build is enabled.');
             core.setOutput('multi-platform', true);
           }
 
-          const platform = `${{ inputs.platform }}`.trim();
+          const platform = (process.env.PLATFORM_INPUT || '').trim();
           if (platform.length === 0) {
             return core.setFailed('Input "platform" is required.');
           }
diff --git a/actions/docker/create-images-manifests/action.yml b/actions/docker/create-images-manifests/action.yml
@@ -27,15 +27,15 @@ inputs:
     description: |
       Username configuration used to log against OCI registries.
       Accepts either a single username string (default format) or a JSON object using the same keys as `oci-registry`.
-      JSON example: `{"pull:private":"${{ github.repository_owner }}","push":"${{ github.repository_owner }}"}`
+      JSON example: `{"pull:private":"$\{{ github.repository_owner }}","push":"$\{{ github.repository_owner }}"}`
       See https://github.com/docker/login-action#usage.
     default: ${{ github.repository_owner }}
     required: true
   oci-registry-password:
     description: |
       Password or personal access token configuration used to log against OCI registries.
       Accepts either a single password/token string (default format) or a JSON object using the same keys as `oci-registry`.
-      JSON example: `{"pull:private":"${{ github.token }}","push":"${{ github.token }}"}`
+      JSON example: `{"pull:private":"$\{{ github.token }}","push":"$\{{ github.token }}"}`
       Can be passed in using `secrets.GITHUB_TOKEN`.
       See https://github.com/docker/login-action#usage.
     default: ${{ github.token }}
diff --git a/actions/docker/setup/README.md b/actions/docker/setup/README.md
@@ -1,34 +1,124 @@
-# Docker setup
+<!-- header:start -->
 
-Shared action used by the repository Docker actions to:
+# ![Icon](data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIyNCIgaGVpZ2h0PSIyNCIgdmlld0JveD0iMCAwIDI0IDI0IiBmaWxsPSJub25lIiBzdHJva2U9ImN1cnJlbnRDb2xvciIgc3Ryb2tlLXdpZHRoPSIyIiBzdHJva2UtbGluZWNhcD0icm91bmQiIHN0cm9rZS1saW5lam9pbj0icm91bmQiIGNsYXNzPSJmZWF0aGVyIGZlYXRoZXItcGFja2FnZSIgY29sb3I9ImJsdWUiPjxsaW5lIHgxPSIxNi41IiB5MT0iOS40IiB4Mj0iNy41IiB5Mj0iNC4yMSI+PC9saW5lPjxwYXRoIGQ9Ik0yMSAxNlY4YTIgMiAwIDAgMC0xLTEuNzNsLTctNGEyIDIgMCAwIDAtMiAwbC03IDRBMiAyIDAgMCAwIDMgOHY4YTIgMiAwIDAgMCAxIDEuNzNsNyA0YTIgMiAwIDAgMCAyIDBsNy00QTIgMiAwIDAgMCAyMSAxNnoiPjwvcGF0aD48cG9seWxpbmUgcG9pbnRzPSIzLjI3IDYuOTYgMTIgMTIuMDEgMjAuNzMgNi45NiI+PC9wb2x5bGluZT48bGluZSB4MT0iMTIiIHkxPSIyMi4wOCIgeDI9IjEyIiB5Mj0iMTIiPjwvbGluZT48L3N2Zz4=) GitHub Action: Docker - Setup
 
-- resolve OCI registry inputs
-- ensure Docker is available on the runner
-- configure Docker Buildx
-- authenticate to one or more OCI registries with `docker/login-action`
+<div align="center">
+  <img src="../../../.github/logo.svg" width="60px" align="center" alt="Docker - Setup" />
+</div>
+
+---
+
+<!-- header:end -->
+<!-- badges:start -->
+
+[![Marketplace](https://img.shields.io/badge/Marketplace-docker------setup-blue?logo=github-actions)](https://github.com/marketplace/actions/docker---setup)
+[![Release](https://img.shields.io/github/v/release/hoverkraft-tech/ci-github-container)](https://github.com/hoverkraft-tech/ci-github-container/releases)
+[![License](https://img.shields.io/github/license/hoverkraft-tech/ci-github-container)](http://choosealicense.com/licenses/mit/)
+[![Stars](https://img.shields.io/github/stars/hoverkraft-tech/ci-github-container?style=social)](https://img.shields.io/github/stars/hoverkraft-tech/ci-github-container?style=social)
+[![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg)](https://github.com/hoverkraft-tech/ci-github-container/blob/main/CONTRIBUTING.md)
+
+<!-- badges:end -->
+<!-- overview:start -->
+
+## Overview
+
+Shared action to configure Docker tooling and OCI registry authentication.
+
+<!-- overview:end -->
+<!-- usage:start -->
 
 ## Usage
 
 ```yaml
-- uses: hoverkraft-tech/ci-github-container/actions/docker/setup@main
+- uses: hoverkraft-tech/ci-github-container/actions/docker/setup@b6cc2773aa9e7d7362b9e16b9032fefd399e7df6 # copilot/add-multiple-registry-support
   with:
+    # OCI registry configuration used to pull, push and cache images.
+    # Accepts either a registry hostname string (default format) or a JSON object.
+    # JSON example: `{"pull":"docker.io","pull:private":"ghcr.io","push":"ghcr.io"}`
+    #
+    # This input is required.
+    # Default: `ghcr.io`
     oci-registry: ghcr.io
-    oci-registry-username: ${{ github.repository_owner }}
-    oci-registry-password: ${{ github.token }}
+
+    # Username configuration used to log against OCI registries.
+    # Accepts either a single username string (default format) or a JSON object using the same keys as `oci-registry`.
+    oci-registry-username: ""
+
+    # Password or personal access token configuration used to log against OCI registries.
+    # Accepts either a single password/token string (default format) or a JSON object using the same keys as `oci-registry`.
+    oci-registry-password: ""
+
+    # Optional built images payload used to resolve manifest publication registries.
+    # When provided, registry authentication targets are inferred from the built image data.
+    built-images: ""
+
+    # Whether to install and configure Docker Buildx.
+    #
+    # Default: `true`
+    setup-buildx: true
 ```
 
+<!-- usage:end -->
+<!-- inputs:start -->
+
 ## Inputs
 
-- `oci-registry`: OCI registry configuration used to pull, push and cache images.
-- `oci-registry-username`: Username configuration used to log against OCI registries.
-- `oci-registry-password`: Password or personal access token configuration used to log against OCI registries.
-- `built-images`: Optional built images payload used to resolve manifest publication registries.
-- `setup-buildx`: Whether to install and configure Docker Buildx.
+| **Input**                   | **Description**                                                                                                        | **Required** | **Default** |
+| --------------------------- | ---------------------------------------------------------------------------------------------------------------------- | ------------ | ----------- |
+| **`oci-registry`**          | OCI registry configuration used to pull, push and cache images.                                                        | **true**     | `ghcr.io`   |
+|                             | Accepts either a registry hostname string (default format) or a JSON object.                                           |              |             |
+|                             | JSON example: `{"pull":"docker.io","pull:private":"ghcr.io","push":"ghcr.io"}`                                         |              |             |
+| **`oci-registry-username`** | Username configuration used to log against OCI registries.                                                             | **false**    | -           |
+|                             | Accepts either a single username string (default format) or a JSON object using the same keys as `oci-registry`.       |              |             |
+| **`oci-registry-password`** | Password or personal access token configuration used to log against OCI registries.                                    | **false**    | -           |
+|                             | Accepts either a single password/token string (default format) or a JSON object using the same keys as `oci-registry`. |              |             |
+| **`built-images`**          | Optional built images payload used to resolve manifest publication registries.                                         | **false**    | -           |
+|                             | When provided, registry authentication targets are inferred from the built image data.                                 |              |             |
+| **`setup-buildx`**          | Whether to install and configure Docker Buildx.                                                                        | **false**    | `true`      |
+
+<!-- inputs:end -->
+<!-- secrets:start -->
+<!-- secrets:end -->
+<!-- outputs:start -->
 
 ## Outputs
 
-- `push-registry`: Registry used for published images/manifests.
-- `cache-registry`: Registry used for registry-backed build cache.
-- `pull-registries`: JSON array of registries used to pull base images.
-- `registry-auth`: JSON object suitable for Docker login registry auth.
-- `buildx-name`: Docker Buildx builder name.
+| **Output**            | **Description**                                    |
+| --------------------- | -------------------------------------------------- |
+| **`push-registry`**   | Registry used for published images/manifests.      |
+| **`cache-registry`**  | Registry used for registry-backed build cache.     |
+| **`pull-registries`** | JSON array of registries used to pull base images. |
+| **`buildx-name`**     | Docker Buildx builder name.                        |
+
+<!-- outputs:end -->
+<!-- examples:start -->
+<!-- examples:end -->
+<!-- contributing:start -->
+
+## Contributing
+
+Contributions are welcome! Please see the [contributing guidelines](https://github.com/hoverkraft-tech/ci-github-container/blob/main/CONTRIBUTING.md) for more details.
+
+<!-- contributing:end -->
+<!-- security:start -->
+<!-- security:end -->
+<!-- license:start -->
+
+## License
+
+This project is licensed under the MIT License.
+
+SPDX-License-Identifier: MIT
+
+Copyright © 2026 hoverkraft
+
+For more details, see the [license](http://choosealicense.com/licenses/mit/).
+
+<!-- license:end -->
+<!-- generated:start -->
+
+---
+
+This documentation was automatically generated by [CI Dokumentor](https://github.com/hoverkraft-tech/ci-dokumentor).
+
+<!-- generated:end -->
diff --git a/actions/docker/setup/action.yml b/actions/docker/setup/action.yml
@@ -46,9 +46,6 @@ outputs:
   pull-registries:
     description: "JSON array of registries used to pull base images."
     value: ${{ steps.resolve-oci-registries.outputs.pull-registries }}
-  registry-auth:
-    description: "JSON object suitable for docker/login-action registry-auth."
-    value: ${{ steps.resolve-oci-registries.outputs.registry-auth }}
   buildx-name:
     description: "Docker Buildx builder name."
     value: ${{ steps.setup-buildx.outputs.name }}
@@ -180,8 +177,8 @@ runs:
             return '';
           }
 
-          function createRegistryAuthMap(registryLogins) {
-            return registryLogins.reduce((registryAuth, registryLogin) => {
+          function createRegistryAuthList(registryLogins) {
+            return registryLogins.reduce((registryAuthList, registryLogin) => {
               const { registry, username, password, required } = registryLogin;
 
               if ((username && !password) || (!username && password)) {
@@ -194,24 +191,39 @@ runs:
                 }
 
                 core.info(`Skipping Docker login for optional registry "${registry}" because no credentials were provided.`);
-                return registryAuth;
+                return registryAuthList;
               }
 
-              registryAuth[registry] = {
+              registryAuthList.push({
+                registry,
                 username,
                 password,
-              };
+              });
 
-              return registryAuth;
-            }, {});
+              return registryAuthList;
+            }, []);
+          }
+
+          function toRegistryAuthYaml(registryAuthList) {
+            return registryAuthList
+              .map(registryAuth => {
+                const lines = [
+                  `- registry: ${JSON.stringify(registryAuth.registry)}`,
+                  `  username: ${JSON.stringify(registryAuth.username)}`,
+                  `  password: ${JSON.stringify(registryAuth.password)}`,
+                ];
+
+                return lines.join('\n');
+              })
+              .join('\n');
           }
 
-          function setOutputs({ pushRegistry = '', cacheRegistry = '', pullRegistries = [], registryAuth = {} }) {
+          function setOutputs({ pushRegistry = '', cacheRegistry = '', pullRegistries = [], registryAuth = [] }) {
             core.setOutput('push-registry', pushRegistry);
             core.setOutput('cache-registry', cacheRegistry);
             core.setOutput('pull-registries', JSON.stringify(pullRegistries));
-            core.setOutput('registry-auth', JSON.stringify(registryAuth));
-            core.setOutput('has-registry-auth', Object.keys(registryAuth).length ? 'true' : 'false');
+            core.setOutput('registry-auth', toRegistryAuthYaml(registryAuth));
+            core.setOutput('has-registry-auth', registryAuth.length ? 'true' : 'false');
           }
 
           const registryInputName = ['oci', 'registry'].join('-');
@@ -255,7 +267,7 @@ runs:
             const username = resolvePushCredential(usernameByRole);
             const password = resolvePushCredential(passwordByRole);
 
-            const registryAuth = createRegistryAuthMap(
+            const registryAuth = createRegistryAuthList(
               registries.map(registry => ({
                 registry,
                 username,
@@ -348,7 +360,7 @@ runs:
             });
           }
 
-          const registryAuth = createRegistryAuthMap([...registryLoginsByRegistry.values()]);
+          const registryAuth = createRegistryAuthList([...registryLoginsByRegistry.values()]);
           setOutputs({
             pushRegistry,
             cacheRegistry,
diff --git a/actions/helm/generate-docs/package-lock.json b/actions/helm/generate-docs/package-lock.json
