Skip to content

add registry-login input for optional registry auth before build #117

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
crazy-max wants to merge 1 commit into
base: main
Choose a base branch
from
Open

add registry-login input for optional registry auth before build #117

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 22 additions & 0 deletions .github/workflows/.test-bake.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -667,3 +667,25 @@ jobs:
- registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

bake-local-login:
uses: ./.github/workflows/bake.yml
if: ${{ github.event_name != 'pull_request' }}
permissions:
contents: read
id-token: write
with:
artifact-name: bake-login-output
artifact-upload: true
context: test
output: local
registry-login: true
sbom: true
sign: true
target: dhi
secrets:
registry-auths: |
- registry: dhi.io
username: ${{ vars.DOCKERPUBLICBOT_USERNAME }}
password: ${{ secrets.DOCKERPUBLICBOT_READ_PAT }}
scope: 'dhi.io@pull'
21 changes: 21 additions & 0 deletions .github/workflows/.test-build.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -685,3 +685,24 @@ jobs:
- registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

build-local-login:
uses: ./.github/workflows/build.yml
if: ${{ github.event_name != 'pull_request' }}
permissions:
contents: read
id-token: write
with:
artifact-name: build-login-output
artifact-upload: true
file: test/dhi.Dockerfile
output: local
registry-login: true
sbom: true
sign: true
secrets:
registry-auths: |
- registry: dhi.io
username: ${{ vars.DOCKERPUBLICBOT_USERNAME }}
password: ${{ secrets.DOCKERPUBLICBOT_READ_PAT }}
scope: 'dhi.io@pull'
26 changes: 22 additions & 4 deletions .github/workflows/bake.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -68,6 +68,11 @@ on:
description: "Push image to the registry (for image output)"
required: false
default: false
registry-login:
type: string
description: "Login to registry before build (one of auto, true or false). Auto enables login only when output is image and push is true"
required: false
default: auto
sbom:
type: boolean
description: "Generate SBOM attestation for the build"
Expand Down Expand Up @@ -128,7 +133,7 @@ on:
required: false
secrets:
registry-auths:
description: "Raw authentication to registries, defined as YAML objects (for image output)"
description: "Raw authentication to registries, defined as YAML objects"
required: false
github-token:
description: "GitHub Token used to authenticate against the repository for Git context"
Expand Down Expand Up @@ -176,6 +181,7 @@ jobs:
metaImages: ${{ steps.set.outputs.metaImages }}
sign: ${{ steps.set.outputs.sign }}
ghaCacheSign: ${{ steps.set.outputs.ghaCacheSign }}
registryLogin: ${{ steps.set.outputs.registryLogin }}
steps:
-
name: Install dependencies
Expand Down Expand Up @@ -263,6 +269,7 @@ jobs:
INPUT_FILES: ${{ inputs.files }}
INPUT_OUTPUT: ${{ inputs.output }}
INPUT_PUSH: ${{ inputs.push }}
INPUT_REGISTRY-LOGIN: ${{ inputs.registry-login }}
INPUT_SBOM: ${{ inputs.sbom }}
INPUT_SET: ${{ inputs.set }}
INPUT_SIGN: ${{ inputs.sign }}
Expand Down Expand Up @@ -290,6 +297,7 @@ jobs:
const inpFiles = Util.getInputList('files');
const inpOutput = core.getInput('output');
const inpPush = core.getBooleanInput('push');
const inpRegistryLogin = core.getInput('registry-login');
const inpSbom = core.getBooleanInput('sbom');
const inpSet = Util.getInputList('set', {ignoreComma: true, quote: false});
const inpSign = core.getInput('sign');
Expand Down Expand Up @@ -418,7 +426,13 @@ jobs:
await core.group(`Set bake source`, async () => {
core.info(bakeSource);
});


if (!['auto', 'true', 'false'].includes(inpRegistryLogin)) {
core.setFailed(`Invalid registry-login input: ${inpRegistryLogin}`);
return;
}
const registryLogin = inpRegistryLogin === 'auto' ? inpOutput === 'image' && inpPush : inpRegistryLogin === 'true';

const envs = Object.assign({},
inpVars ? inpVars.reduce((acc, curr) => {
const idx = curr.indexOf('=');
Expand Down Expand Up @@ -504,7 +518,7 @@ jobs:
core.setFailed(error);
return;
}

const platforms = def.target[target].platforms || [];
if (inpDistribute && platforms.length > inpMatrixSizeLimit) {
core.setFailed(`Platforms to build exceed matrix size limit of ${inpMatrixSizeLimit}`);
Expand Down Expand Up @@ -545,6 +559,10 @@ jobs:
core.info(`ghaCacheSign: ${ghaCacheSign}`);
core.setOutput('ghaCacheSign', ghaCacheSign);
});
await core.group(`Set registryLogin output`, async () => {
core.info(`registryLogin: ${registryLogin}`);
core.setOutput('registryLogin', registryLogin);
});

build:
runs-on: ${{ matrix.runner }}
Expand Down Expand Up @@ -909,7 +927,7 @@ jobs:
});
-
name: Login to registry
if: ${{ inputs.push && inputs.output == 'image' }}
if: ${{ needs.prepare.outputs.registryLogin == 'true' }}
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
with:
registry-auth: ${{ secrets.registry-auths }}
Expand Down
24 changes: 21 additions & 3 deletions .github/workflows/build.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -84,6 +84,11 @@ on:
description: "Push image to the registry (for image output)"
required: false
default: false
registry-login:
type: string
description: "Login to registry before build (one of auto, true or false). Auto enables login only when output is image and push is true"
required: false
default: auto
sbom:
type: boolean
description: "Generate SBOM attestation for the build"
Expand Down Expand Up @@ -131,7 +136,7 @@ on:
required: false
secrets:
registry-auths:
description: "Raw authentication to registries, defined as YAML objects (for image output)"
description: "Raw authentication to registries, defined as YAML objects"
required: false
github-token:
description: "GitHub Token used to authenticate against the repository for Git context"
Expand Down Expand Up @@ -180,6 +185,7 @@ jobs:
sign: ${{ steps.set.outputs.sign }}
privateRepo: ${{ steps.set.outputs.privateRepo }}
ghaCacheSign: ${{ steps.set.outputs.ghaCacheSign }}
registryLogin: ${{ steps.set.outputs.registryLogin }}
steps:
-
name: Install dependencies
Expand Down Expand Up @@ -257,6 +263,7 @@ jobs:
INPUT_OUTPUT: ${{ inputs.output }}
INPUT_PLATFORMS: ${{ inputs.platforms }}
INPUT_PUSH: ${{ inputs.push }}
INPUT_REGISTRY-LOGIN: ${{ inputs.registry-login }}
INPUT_SIGN: ${{ inputs.sign }}
with:
script: |
Expand All @@ -273,6 +280,7 @@ jobs:
const inpPlatforms = Util.getInputList('platforms');
const inpOutput = core.getInput('output');
const inpPush = core.getBooleanInput('push');
const inpRegistryLogin = core.getInput('registry-login');
const inpSign = core.getInput('sign');

const parseRunnerConfig = value => {
Expand Down Expand Up @@ -392,7 +400,13 @@ jobs:
core.setFailed(`signing attestation manifests requires push to be enabled`);
return;
}


if (!['auto', 'true', 'false'].includes(inpRegistryLogin)) {
core.setFailed(`Invalid registry-login input: ${inpRegistryLogin}`);
return;
}
const registryLogin = inpRegistryLogin === 'auto' ? inpOutput === 'image' && inpPush : inpRegistryLogin === 'true';

if (inpDistribute && inpPlatforms.length > inpMatrixSizeLimit) {
core.setFailed(`Platforms to build exceed matrix size limit of ${inpMatrixSizeLimit}`);
return;
Expand Down Expand Up @@ -438,6 +452,10 @@ jobs:
core.info(`ghaCacheSign: ${ghaCacheSign}`);
core.setOutput('ghaCacheSign', ghaCacheSign);
});
await core.group(`Set registryLogin output`, async () => {
core.info(`registryLogin: ${registryLogin}`);
core.setOutput('registryLogin', registryLogin);
});

build:
runs-on: ${{ matrix.runner }}
Expand Down Expand Up @@ -768,7 +786,7 @@ jobs:
}
-
name: Login to registry
if: ${{ inputs.push && inputs.output == 'image' }}
if: ${{ needs.prepare.outputs.registryLogin == 'true' }}
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
with:
registry-auth: ${{ secrets.registry-auths }}
Expand Down
36 changes: 27 additions & 9 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@ ___
* [Outputs](#outputs-1)
* [Notes](#notes)
* [Runner mapping](#runner-mapping)
* [Registry login](#registry-login)
* [Metadata templates](#metadata-templates)

## Overview
Expand Down Expand Up @@ -223,6 +224,7 @@ jobs:
| `output` | String | | Build output destination (one of [`image`](https://docs.docker.com/build/exporters/image-registry/) or [`local`](https://docs.docker.com/build/exporters/local-tar/)). Unlike the `build-push-action`, it only accepts `image` or `local`. The reusable workflow takes care of setting the `outputs` attribute |
| `platforms` | List/CSV | | List of [target platforms](https://docs.docker.com/engine/reference/commandline/buildx_build/#platform) to build |
| `push` | Bool | `false` | [Push](https://docs.docker.com/engine/reference/commandline/buildx_build/#push) image to the registry (for `image` output) |
| `registry-login` | String | `auto` | [Login to registry](#registry-login) before build (one of `auto`, `true` or `false`) |
| `sbom` | Bool | `false` | Generate [SBOM](https://docs.docker.com/build/attestations/sbom/) attestation for the build |
| `shm-size` | String | | Size of [`/dev/shm`](https://docs.docker.com/engine/reference/commandline/buildx_build/#shm-size) (e.g., `2g`) |
| `sign` | String | `auto` | Sign attestation manifest for `image` output or artifacts for `local` output, can be one of `auto`, `true` or `false`. The `auto` mode will enable signing if `push` is enabled for pushing the `image` or if `artifact-upload` is enabled for uploading the `local` build output as GitHub Artifact |
Expand All @@ -236,10 +238,10 @@ jobs:

### Secrets

| Name | Default | Description |
|------------------|-----------------------|--------------------------------------------------------------------------------|
| `registry-auths` | | Raw authentication to registries, defined as YAML objects (for `image` output) |
| `github-token` | `${{ github.token }}` | GitHub Token used to authenticate against the repository for Git context |
| Name | Default | Description |
|------------------|-----------------------|--------------------------------------------------------------------------|
| `registry-auths` | | Raw authentication to registries, defined as YAML objects |
| `github-token` | `${{ github.token }}` | GitHub Token used to authenticate against the repository for Git context |

### Outputs

Expand Down Expand Up @@ -328,8 +330,9 @@ jobs:
| `cache-mode` | String | `min` | [Cache layers to export](https://docs.docker.com/build/cache/backends/#cache-mode) if cache enabled (`min` or `max`). In `min` cache mode, only layers that are exported into the resulting image are cached, while in `max` cache mode, all layers are cached, even those of intermediate steps |
| `context` | String | `.` | Context to build from in the Git working tree |
| `files` | List | `{context}/docker-bake.hcl` | List of bake definition files |
| `output` | String | | Build output destination (one of [`image`](https://docs.docker.com/build/exporters/image-registry/) or [`local`](https://docs.docker.com/build/exporters/local-tar/)). |
| `output` | String | | Build output destination (one of [`image`](https://docs.docker.com/build/exporters/image-registry/) or [`local`](https://docs.docker.com/build/exporters/local-tar/)) |
| `push` | Bool | `false` | Push image to the registry (for `image` output) |
| `registry-login` | String | `auto` | [Login to registry](#registry-login) before build (one of `auto`, `true` or `false`) |
| `sbom` | Bool | `false` | Generate [SBOM](https://docs.docker.com/build/attestations/sbom/) attestation for the build |
| `set` | List | | List of [target values to override](https://docs.docker.com/engine/reference/commandline/buildx_bake/#set) (e.g., `targetpattern.key=value`) |
| `sign` | String | `auto` | Sign attestation manifest for `image` output or artifacts for `local` output, can be one of `auto`, `true` or `false`. The `auto` mode will enable signing if `push` is enabled for pushing the `image` or if `artifact-upload` is enabled for uploading the `local` build output as GitHub Artifact |
Expand All @@ -345,10 +348,10 @@ jobs:

### Secrets

| Name | Default | Description |
|------------------|-----------------------|--------------------------------------------------------------------------------|
| `registry-auths` | | Raw authentication to registries, defined as YAML objects (for `image` output) |
| `github-token` | `${{ github.token }}` | GitHub Token used to authenticate against the repository for Git context |
| Name | Default | Description |
|------------------|-----------------------|--------------------------------------------------------------------------|
| `registry-auths` | | Raw authentication to registries, defined as YAML objects |
| `github-token` | `${{ github.token }}` | GitHub Token used to authenticate against the repository for Git context |

### Outputs

Expand Down Expand Up @@ -399,6 +402,21 @@ runner: |
For example, `linux` matches all Linux platforms, `linux/arm` matches variants
such as `linux/arm/v7`, and `linux/arm64` is separate from `linux/arm`.

### Registry login

The `registry-login` input controls whether the workflows run a registry login
before the build step. `auto` preserves the existing behavior and enables login
only when `output=image` and `push=true`.

When `registry-login=true`, the workflow always attempts pre-build login. If
credentials resolve to empty values, for example on forked pull requests where
secrets are not exposed, login fails. Gate the input at the caller side for
fork-safe workflows:

```yaml
registry-login: ${{ github.event_name != 'pull_request' || !github.event.pull_request.head.repo.fork }}
```

### Metadata templates

When `output=image`, some inputs support Handlebars templates rendered from
Expand Down
9 changes: 9 additions & 0 deletions test/dhi.Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
# syntax=docker/dockerfile:1

FROM dhi.io/alpine-base:3.23 AS base
ARG TARGETPLATFORM
RUN echo "Hello, World! This is ${TARGETPLATFORM}" > /tmp/hello.txt
ARG BUILDKIT_SBOM_SCAN_STAGE=true

FROM scratch
COPY --from=base /tmp/hello.txt /
5 changes: 5 additions & 0 deletions test/docker-bake.hcl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -67,3 +67,8 @@ target "generated-hello2" {
dockerfile = "hello.Dockerfile"
output = ["type=cacheonly"]
}

target "dhi" {
inherits = ["docker-metadata-action"]
dockerfile = "dhi.Dockerfile"
}
Loading