2020-08-16 23:18:08 +08:00
|
|
|
import * as core from '@actions/core';
|
2021-12-28 07:49:32 +08:00
|
|
|
import * as handlebars from 'handlebars';
|
2024-04-26 17:20:49 +08:00
|
|
|
|
|
|
|
import {Build} from '@docker/actions-toolkit/lib/buildx/build';
|
2023-02-20 18:11:15 +08:00
|
|
|
import {Context} from '@docker/actions-toolkit/lib/context';
|
|
|
|
import {GitHub} from '@docker/actions-toolkit/lib/github';
|
|
|
|
import {Toolkit} from '@docker/actions-toolkit/lib/toolkit';
|
|
|
|
import {Util} from '@docker/actions-toolkit/lib/util';
|
2020-10-21 08:46:41 +08:00
|
|
|
|
2020-08-16 23:18:08 +08:00
|
|
|
export interface Inputs {
|
2024-05-01 00:00:55 +08:00
|
|
|
'add-hosts': string[];
|
2021-04-06 19:54:58 +08:00
|
|
|
allow: string[];
|
2023-10-24 13:23:44 +08:00
|
|
|
annotations: string[];
|
2023-01-11 19:12:09 +08:00
|
|
|
attests: string[];
|
2024-05-01 00:00:55 +08:00
|
|
|
'build-args': string[];
|
|
|
|
'build-contexts': string[];
|
2021-04-06 19:54:58 +08:00
|
|
|
builder: string;
|
2024-05-01 00:00:55 +08:00
|
|
|
'cache-from': string[];
|
|
|
|
'cache-to': string[];
|
|
|
|
'cgroup-parent': string;
|
2020-08-16 23:18:08 +08:00
|
|
|
context: string;
|
|
|
|
file: string;
|
|
|
|
labels: string[];
|
2021-04-06 19:54:58 +08:00
|
|
|
load: boolean;
|
2021-04-06 20:49:15 +08:00
|
|
|
network: string;
|
2024-05-01 00:00:55 +08:00
|
|
|
'no-cache': boolean;
|
|
|
|
'no-cache-filters': string[];
|
2021-04-06 19:54:58 +08:00
|
|
|
outputs: string[];
|
2020-08-17 08:32:27 +08:00
|
|
|
platforms: string[];
|
2023-01-11 19:12:09 +08:00
|
|
|
provenance: string;
|
2021-04-06 19:54:58 +08:00
|
|
|
pull: boolean;
|
2020-08-16 23:18:08 +08:00
|
|
|
push: boolean;
|
2023-01-11 19:12:09 +08:00
|
|
|
sbom: string;
|
2020-09-02 16:07:11 +08:00
|
|
|
secrets: string[];
|
2024-05-01 00:00:55 +08:00
|
|
|
'secret-envs': string[];
|
|
|
|
'secret-files': string[];
|
|
|
|
'shm-size': string;
|
2020-09-11 07:23:49 +08:00
|
|
|
ssh: string[];
|
2021-04-06 19:54:58 +08:00
|
|
|
tags: string[];
|
|
|
|
target: string;
|
2021-11-16 14:19:27 +08:00
|
|
|
ulimit: string[];
|
2024-05-01 00:00:55 +08:00
|
|
|
'github-token': string;
|
2020-08-16 23:18:08 +08:00
|
|
|
}
|
|
|
|
|
2023-04-17 07:32:21 +08:00
|
|
|
export async function getInputs(): Promise<Inputs> {
|
2020-08-16 23:18:08 +08:00
|
|
|
return {
|
2024-05-01 00:00:55 +08:00
|
|
|
'add-hosts': Util.getInputList('add-hosts'),
|
2023-02-20 18:11:15 +08:00
|
|
|
allow: Util.getInputList('allow'),
|
2023-10-24 13:23:44 +08:00
|
|
|
annotations: Util.getInputList('annotations', {ignoreComma: true}),
|
2023-02-20 18:11:15 +08:00
|
|
|
attests: Util.getInputList('attests', {ignoreComma: true}),
|
2024-05-01 00:00:55 +08:00
|
|
|
'build-args': Util.getInputList('build-args', {ignoreComma: true}),
|
|
|
|
'build-contexts': Util.getInputList('build-contexts', {ignoreComma: true}),
|
2021-04-06 19:54:58 +08:00
|
|
|
builder: core.getInput('builder'),
|
2024-05-01 00:00:55 +08:00
|
|
|
'cache-from': Util.getInputList('cache-from', {ignoreComma: true}),
|
|
|
|
'cache-to': Util.getInputList('cache-to', {ignoreComma: true}),
|
|
|
|
'cgroup-parent': core.getInput('cgroup-parent'),
|
2023-02-20 18:11:15 +08:00
|
|
|
context: core.getInput('context') || Context.gitContext(),
|
2020-12-18 23:05:47 +08:00
|
|
|
file: core.getInput('file'),
|
2023-02-20 18:11:15 +08:00
|
|
|
labels: Util.getInputList('labels', {ignoreComma: true}),
|
2021-06-22 23:25:52 +08:00
|
|
|
load: core.getBooleanInput('load'),
|
2021-04-06 20:49:15 +08:00
|
|
|
network: core.getInput('network'),
|
2024-05-01 00:00:55 +08:00
|
|
|
'no-cache': core.getBooleanInput('no-cache'),
|
|
|
|
'no-cache-filters': Util.getInputList('no-cache-filters'),
|
2024-03-06 22:25:57 +08:00
|
|
|
outputs: Util.getInputList('outputs', {ignoreComma: true, quote: false}),
|
2023-02-20 18:11:15 +08:00
|
|
|
platforms: Util.getInputList('platforms'),
|
2024-04-26 17:20:49 +08:00
|
|
|
provenance: Build.getProvenanceInput('provenance'),
|
2021-06-22 23:25:52 +08:00
|
|
|
pull: core.getBooleanInput('pull'),
|
|
|
|
push: core.getBooleanInput('push'),
|
2023-01-11 19:12:09 +08:00
|
|
|
sbom: core.getInput('sbom'),
|
2023-02-20 18:11:15 +08:00
|
|
|
secrets: Util.getInputList('secrets', {ignoreComma: true}),
|
2024-05-01 00:00:55 +08:00
|
|
|
'secret-envs': Util.getInputList('secret-envs'),
|
|
|
|
'secret-files': Util.getInputList('secret-files', {ignoreComma: true}),
|
|
|
|
'shm-size': core.getInput('shm-size'),
|
2023-02-20 18:11:15 +08:00
|
|
|
ssh: Util.getInputList('ssh'),
|
|
|
|
tags: Util.getInputList('tags'),
|
2021-04-06 19:54:58 +08:00
|
|
|
target: core.getInput('target'),
|
2023-02-20 18:11:15 +08:00
|
|
|
ulimit: Util.getInputList('ulimit', {ignoreComma: true}),
|
2024-05-01 00:00:55 +08:00
|
|
|
'github-token': core.getInput('github-token')
|
2020-08-16 23:18:08 +08:00
|
|
|
};
|
|
|
|
}
|
|
|
|
|
2024-05-02 19:49:01 +08:00
|
|
|
export function sanitizeInputs(inputs: Inputs) {
|
|
|
|
const res = {};
|
|
|
|
for (const key of Object.keys(inputs)) {
|
|
|
|
if (key === 'github-token') {
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
const value: string | string[] | boolean = inputs[key];
|
|
|
|
if (typeof value === 'boolean' && value === false) {
|
|
|
|
continue;
|
|
|
|
} else if (Array.isArray(value) && value.length === 0) {
|
|
|
|
continue;
|
|
|
|
} else if (!value) {
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
res[key] = value;
|
|
|
|
}
|
|
|
|
return res;
|
|
|
|
}
|
|
|
|
|
2023-02-20 18:11:15 +08:00
|
|
|
export async function getArgs(inputs: Inputs, toolkit: Toolkit): Promise<Array<string>> {
|
|
|
|
const context = handlebars.compile(inputs.context)({
|
|
|
|
defaultContext: Context.gitContext()
|
|
|
|
});
|
2022-03-16 04:59:52 +08:00
|
|
|
// prettier-ignore
|
|
|
|
return [
|
2023-02-20 18:11:15 +08:00
|
|
|
...await getBuildArgs(inputs, context, toolkit),
|
|
|
|
...await getCommonArgs(inputs, toolkit),
|
2022-08-03 20:38:56 +08:00
|
|
|
context
|
2022-03-16 04:59:52 +08:00
|
|
|
];
|
2020-08-16 23:18:08 +08:00
|
|
|
}
|
|
|
|
|
2023-02-20 18:11:15 +08:00
|
|
|
async function getBuildArgs(inputs: Inputs, context: string, toolkit: Toolkit): Promise<Array<string>> {
|
2022-03-16 04:59:52 +08:00
|
|
|
const args: Array<string> = ['build'];
|
2024-05-01 00:00:55 +08:00
|
|
|
await Util.asyncForEach(inputs['add-hosts'], async addHost => {
|
2022-01-31 18:47:45 +08:00
|
|
|
args.push('--add-host', addHost);
|
|
|
|
});
|
2021-11-16 12:19:44 +08:00
|
|
|
if (inputs.allow.length > 0) {
|
|
|
|
args.push('--allow', inputs.allow.join(','));
|
|
|
|
}
|
2023-10-24 13:23:44 +08:00
|
|
|
if (await toolkit.buildx.versionSatisfies('>=0.12.0')) {
|
|
|
|
await Util.asyncForEach(inputs.annotations, async annotation => {
|
|
|
|
args.push('--annotation', annotation);
|
|
|
|
});
|
2023-12-01 20:57:05 +08:00
|
|
|
} else if (inputs.annotations.length > 0) {
|
|
|
|
core.warning("Annotations are only supported by buildx >= 0.12.0; the input 'annotations' is ignored.");
|
2023-10-24 13:23:44 +08:00
|
|
|
}
|
2024-05-01 00:00:55 +08:00
|
|
|
await Util.asyncForEach(inputs['build-args'], async buildArg => {
|
2020-08-16 23:18:08 +08:00
|
|
|
args.push('--build-arg', buildArg);
|
|
|
|
});
|
2023-02-20 18:11:15 +08:00
|
|
|
if (await toolkit.buildx.versionSatisfies('>=0.8.0')) {
|
2024-05-01 00:00:55 +08:00
|
|
|
await Util.asyncForEach(inputs['build-contexts'], async buildContext => {
|
2022-03-15 03:09:10 +08:00
|
|
|
args.push('--build-context', buildContext);
|
|
|
|
});
|
2024-05-01 00:00:55 +08:00
|
|
|
} else if (inputs['build-contexts'].length > 0) {
|
2023-12-01 20:57:05 +08:00
|
|
|
core.warning("Build contexts are only supported by buildx >= 0.8.0; the input 'build-contexts' is ignored.");
|
2022-03-15 03:09:10 +08:00
|
|
|
}
|
2024-05-01 00:00:55 +08:00
|
|
|
await Util.asyncForEach(inputs['cache-from'], async cacheFrom => {
|
2021-11-16 12:19:44 +08:00
|
|
|
args.push('--cache-from', cacheFrom);
|
2020-08-16 23:18:08 +08:00
|
|
|
});
|
2024-05-01 00:00:55 +08:00
|
|
|
await Util.asyncForEach(inputs['cache-to'], async cacheTo => {
|
2024-06-10 21:26:39 +08:00
|
|
|
args.push('--cache-to', Build.resolveCacheToAttrs(cacheTo, inputs['github-token']));
|
2020-08-16 23:18:08 +08:00
|
|
|
});
|
2024-05-01 00:00:55 +08:00
|
|
|
if (inputs['cgroup-parent']) {
|
|
|
|
args.push('--cgroup-parent', inputs['cgroup-parent']);
|
2021-11-16 14:19:27 +08:00
|
|
|
}
|
2024-05-01 00:00:55 +08:00
|
|
|
await Util.asyncForEach(inputs['secret-envs'], async secretEnv => {
|
2023-09-26 22:34:10 +08:00
|
|
|
try {
|
2024-04-26 17:20:49 +08:00
|
|
|
args.push('--secret', Build.resolveSecretEnv(secretEnv));
|
2023-09-26 22:34:10 +08:00
|
|
|
} catch (err) {
|
|
|
|
core.warning(err.message);
|
|
|
|
}
|
|
|
|
});
|
2021-11-16 12:19:44 +08:00
|
|
|
if (inputs.file) {
|
|
|
|
args.push('--file', inputs.file);
|
2020-08-23 09:31:38 +08:00
|
|
|
}
|
2024-04-26 17:20:49 +08:00
|
|
|
if (!Build.hasLocalExporter(inputs.outputs) && !Build.hasTarExporter(inputs.outputs) && (inputs.platforms.length == 0 || (await toolkit.buildx.versionSatisfies('>=0.4.2')))) {
|
2024-05-14 20:11:32 +08:00
|
|
|
args.push('--iidfile', toolkit.buildxBuild.getImageIDFilePath());
|
2020-10-20 03:17:06 +08:00
|
|
|
}
|
2023-02-20 18:11:15 +08:00
|
|
|
await Util.asyncForEach(inputs.labels, async label => {
|
2021-11-16 12:19:44 +08:00
|
|
|
args.push('--label', label);
|
2020-08-16 23:18:08 +08:00
|
|
|
});
|
2024-05-01 00:00:55 +08:00
|
|
|
await Util.asyncForEach(inputs['no-cache-filters'], async noCacheFilter => {
|
2022-07-18 23:24:11 +08:00
|
|
|
args.push('--no-cache-filter', noCacheFilter);
|
|
|
|
});
|
2023-02-20 18:11:15 +08:00
|
|
|
await Util.asyncForEach(inputs.outputs, async output => {
|
2021-11-16 12:19:44 +08:00
|
|
|
args.push('--output', output);
|
2020-08-16 23:18:08 +08:00
|
|
|
});
|
2021-11-16 12:19:44 +08:00
|
|
|
if (inputs.platforms.length > 0) {
|
|
|
|
args.push('--platform', inputs.platforms.join(','));
|
|
|
|
}
|
2023-02-20 18:11:15 +08:00
|
|
|
if (await toolkit.buildx.versionSatisfies('>=0.10.0')) {
|
2024-03-26 22:31:37 +08:00
|
|
|
args.push(...(await getAttestArgs(inputs, toolkit)));
|
|
|
|
} else {
|
|
|
|
core.warning("Attestations are only supported by buildx >= 0.10.0; the inputs 'attests', 'provenance' and 'sbom' are ignored.");
|
2023-01-11 19:12:09 +08:00
|
|
|
}
|
2023-02-20 18:11:15 +08:00
|
|
|
await Util.asyncForEach(inputs.secrets, async secret => {
|
2020-11-18 04:38:45 +08:00
|
|
|
try {
|
2024-04-26 17:20:49 +08:00
|
|
|
args.push('--secret', Build.resolveSecretString(secret));
|
2021-02-15 17:08:19 +08:00
|
|
|
} catch (err) {
|
|
|
|
core.warning(err.message);
|
|
|
|
}
|
|
|
|
});
|
2024-05-01 00:00:55 +08:00
|
|
|
await Util.asyncForEach(inputs['secret-files'], async secretFile => {
|
2021-02-15 17:08:19 +08:00
|
|
|
try {
|
2024-04-26 17:20:49 +08:00
|
|
|
args.push('--secret', Build.resolveSecretFile(secretFile));
|
2020-11-18 04:38:45 +08:00
|
|
|
} catch (err) {
|
|
|
|
core.warning(err.message);
|
|
|
|
}
|
2020-09-02 16:07:11 +08:00
|
|
|
});
|
2024-05-01 00:00:55 +08:00
|
|
|
if (inputs['github-token'] && !Build.hasGitAuthTokenSecret(inputs.secrets) && context.startsWith(Context.gitContext())) {
|
|
|
|
args.push('--secret', Build.resolveSecretString(`GIT_AUTH_TOKEN=${inputs['github-token']}`));
|
2020-09-23 02:49:18 +08:00
|
|
|
}
|
2024-05-01 00:00:55 +08:00
|
|
|
if (inputs['shm-size']) {
|
|
|
|
args.push('--shm-size', inputs['shm-size']);
|
2021-11-16 14:19:27 +08:00
|
|
|
}
|
2023-02-20 18:11:15 +08:00
|
|
|
await Util.asyncForEach(inputs.ssh, async ssh => {
|
2020-09-11 07:23:49 +08:00
|
|
|
args.push('--ssh', ssh);
|
|
|
|
});
|
2023-02-20 18:11:15 +08:00
|
|
|
await Util.asyncForEach(inputs.tags, async tag => {
|
2021-11-16 12:19:44 +08:00
|
|
|
args.push('--tag', tag);
|
|
|
|
});
|
|
|
|
if (inputs.target) {
|
|
|
|
args.push('--target', inputs.target);
|
2020-08-16 23:18:08 +08:00
|
|
|
}
|
2023-02-20 18:11:15 +08:00
|
|
|
await Util.asyncForEach(inputs.ulimit, async ulimit => {
|
2021-11-16 14:19:27 +08:00
|
|
|
args.push('--ulimit', ulimit);
|
|
|
|
});
|
2020-08-16 23:18:08 +08:00
|
|
|
return args;
|
|
|
|
}
|
|
|
|
|
2023-02-20 18:11:15 +08:00
|
|
|
async function getCommonArgs(inputs: Inputs, toolkit: Toolkit): Promise<Array<string>> {
|
2022-03-16 04:59:52 +08:00
|
|
|
const args: Array<string> = [];
|
2020-09-03 17:49:39 +08:00
|
|
|
if (inputs.builder) {
|
|
|
|
args.push('--builder', inputs.builder);
|
|
|
|
}
|
2020-08-18 04:18:15 +08:00
|
|
|
if (inputs.load) {
|
|
|
|
args.push('--load');
|
|
|
|
}
|
2023-02-20 18:11:15 +08:00
|
|
|
if (await toolkit.buildx.versionSatisfies('>=0.6.0')) {
|
2024-05-14 20:11:32 +08:00
|
|
|
args.push('--metadata-file', toolkit.buildxBuild.getMetadataFilePath());
|
2021-11-16 12:19:44 +08:00
|
|
|
}
|
2021-04-06 20:49:15 +08:00
|
|
|
if (inputs.network) {
|
|
|
|
args.push('--network', inputs.network);
|
|
|
|
}
|
2024-05-01 00:00:55 +08:00
|
|
|
if (inputs['no-cache']) {
|
2021-11-16 12:19:44 +08:00
|
|
|
args.push('--no-cache');
|
|
|
|
}
|
|
|
|
if (inputs.pull) {
|
|
|
|
args.push('--pull');
|
|
|
|
}
|
2020-08-18 04:18:15 +08:00
|
|
|
if (inputs.push) {
|
|
|
|
args.push('--push');
|
|
|
|
}
|
|
|
|
return args;
|
|
|
|
}
|
2024-03-26 22:31:37 +08:00
|
|
|
|
|
|
|
async function getAttestArgs(inputs: Inputs, toolkit: Toolkit): Promise<Array<string>> {
|
|
|
|
const args: Array<string> = [];
|
|
|
|
|
|
|
|
// check if provenance attestation is set in attests input
|
|
|
|
let hasAttestProvenance = false;
|
|
|
|
await Util.asyncForEach(inputs.attests, async (attest: string) => {
|
2024-04-26 17:20:49 +08:00
|
|
|
if (Build.hasAttestationType('provenance', attest)) {
|
2024-03-26 22:31:37 +08:00
|
|
|
hasAttestProvenance = true;
|
|
|
|
}
|
|
|
|
});
|
|
|
|
|
|
|
|
let provenanceSet = false;
|
|
|
|
let sbomSet = false;
|
|
|
|
if (inputs.provenance) {
|
2024-04-26 17:20:49 +08:00
|
|
|
args.push('--attest', Build.resolveAttestationAttrs(`type=provenance,${inputs.provenance}`));
|
2024-03-26 22:31:37 +08:00
|
|
|
provenanceSet = true;
|
2024-04-26 17:20:49 +08:00
|
|
|
} else if (!hasAttestProvenance && (await toolkit.buildkit.versionSatisfies(inputs.builder, '>=0.11.0')) && !Build.hasDockerExporter(inputs.outputs, inputs.load)) {
|
2024-03-26 22:31:37 +08:00
|
|
|
// if provenance not specified in provenance or attests inputs and BuildKit
|
|
|
|
// version compatible for attestation, set default provenance. Also needs
|
|
|
|
// to make sure user doesn't want to explicitly load the image to docker.
|
|
|
|
if (GitHub.context.payload.repository?.private ?? false) {
|
|
|
|
// if this is a private repository, we set the default provenance
|
|
|
|
// attributes being set in buildx: https://github.com/docker/buildx/blob/fb27e3f919dcbf614d7126b10c2bc2d0b1927eb6/build/build.go#L603
|
2024-04-26 17:20:49 +08:00
|
|
|
args.push('--attest', `type=provenance,${Build.resolveProvenanceAttrs(`mode=min,inline-only=true`)}`);
|
2024-03-26 22:31:37 +08:00
|
|
|
} else {
|
|
|
|
// for a public repository, we set max provenance mode.
|
2024-04-26 17:20:49 +08:00
|
|
|
args.push('--attest', `type=provenance,${Build.resolveProvenanceAttrs(`mode=max`)}`);
|
2024-03-26 22:31:37 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
if (inputs.sbom) {
|
2024-04-26 17:20:49 +08:00
|
|
|
args.push('--attest', Build.resolveAttestationAttrs(`type=sbom,${inputs.sbom}`));
|
2024-03-26 22:31:37 +08:00
|
|
|
sbomSet = true;
|
|
|
|
}
|
|
|
|
|
|
|
|
// set attests but check if provenance or sbom types already set as
|
|
|
|
// provenance and sbom inputs take precedence over attests input.
|
|
|
|
await Util.asyncForEach(inputs.attests, async (attest: string) => {
|
2024-04-26 17:20:49 +08:00
|
|
|
if (!Build.hasAttestationType('provenance', attest) && !Build.hasAttestationType('sbom', attest)) {
|
|
|
|
args.push('--attest', Build.resolveAttestationAttrs(attest));
|
|
|
|
} else if (!provenanceSet && Build.hasAttestationType('provenance', attest)) {
|
|
|
|
args.push('--attest', Build.resolveProvenanceAttrs(attest));
|
|
|
|
} else if (!sbomSet && Build.hasAttestationType('sbom', attest)) {
|
2024-03-26 22:31:37 +08:00
|
|
|
args.push('--attest', attest);
|
|
|
|
}
|
|
|
|
});
|
|
|
|
|
|
|
|
return args;
|
|
|
|
}
|