Go to file
CrazyMax c40bf0fdf6
Merge pull request #746 from crazy-max/attests-sbom-provenance-inputs
add attests, provenance and sbom inputs
2023-01-12 19:27:54 +01:00
.github ci: fix registry-cache job 2023-01-11 15:56:26 +01:00
__tests__ Remove workaround for setOutput 2022-10-12 06:56:31 +02:00
dist update generated content 2023-01-11 15:56:25 +01:00
docs/advanced docs: fix link 2022-11-10 15:57:59 +01:00
src do not set default provenance if user wants to load the image 2023-01-11 15:56:25 +01:00
test test: go project sample 2023-01-11 15:56:24 +01:00
.dockerignore Enhance workflow 2021-03-28 16:43:57 +02:00
.editorconfig Move editorconfig 2020-08-11 21:05:57 +02:00
.eslintrc.json chore: update dev dependencies and workflow 2022-03-15 21:59:59 +01:00
.gitattributes Build push action v2 2020-08-16 00:36:41 +02:00
.gitignore Build push action v2 2020-08-16 00:36:41 +02:00
.prettierrc.json Handle git sha version of buildx 2021-07-01 15:29:36 +02:00
LICENSE Rename LICENCE to LICENSE 2020-03-17 18:43:10 -07:00
README.md add `attests`, `provenance` and `sbom` inputs 2023-01-11 15:56:24 +01:00
TROUBLESHOOTING.md docs: update links and layout 2022-10-07 19:28:55 +02:00
action.yml add `attests`, `provenance` and `sbom` inputs 2023-01-11 15:56:24 +01:00
codecov.yml Handle git sha version of buildx 2021-07-01 15:29:36 +02:00
dev.Dockerfile docs: update links and layout 2022-10-07 19:28:55 +02:00
docker-bake.hcl chore: update dev dependencies and workflow 2022-03-15 21:59:59 +01:00
jest.config.ts Fix csv-parse implementation since major update 2022-04-25 06:47:57 +02:00
package.json chore(deps): Bump csv-parse from 5.3.0 to 5.3.3 2022-12-19 19:37:51 +00:00
tsconfig.json chore: update dev dependencies and workflow 2022-03-15 21:59:59 +01:00
yarn.lock chore(deps): Bump json5 from 2.2.0 to 2.2.3 2023-01-07 04:56:41 +00:00

README.md

GitHub release GitHub marketplace CI workflow Test workflow Codecov

About

GitHub Action to build and push Docker images with Buildx with full support of the features provided by Moby BuildKit builder toolkit. This includes multi-platform build, secrets, remote cache, etc. and different builder deployment/namespacing options.

Screenshot


Usage

In the examples below we are also using 3 other actions:

  • setup-buildx action will create and boot a builder using by default the docker-container driver. This is not required but recommended using it to be able to build multi-platform images, export cache, etc.
  • setup-qemu action can be useful if you want to add emulation support with QEMU to be able to build against more platforms.
  • login action will take care to log in against a Docker registry.

Git context

By default, this action uses the Git context, so you don't need to use the actions/checkout action to check out the repository as this will be done directly by BuildKit.

The git reference will be based on the event that triggered your workflow and will result in the following context: https://github.com/<owner>/<repo>.git#<ref>.

name: ci

on:
  push:
    branches:
      - 'main'

jobs:
  docker:
    runs-on: ubuntu-latest
    steps:
      -
        name: Set up QEMU
        uses: docker/setup-qemu-action@v2
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
      -
        name: Login to Docker Hub
        uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      -
        name: Build and push
        uses: docker/build-push-action@v3
        with:
          push: true
          tags: user/app:latest

Be careful because any file mutation in the steps that precede the build step will be ignored, including processing of the .dockerignore file since the context is based on the Git reference. However, you can use the Path context using the context input alongside the actions/checkout action to remove this restriction.

Default Git context can also be provided using the Handlebars template expression {{defaultContext}}. Here we can use it to provide a subdirectory to the default Git context:

      -
        # Setting up Docker Buildx with docker-container driver is required
        # at the moment to be able to use a subdirectory with Git context
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
      -
        name: Build and push
        uses: docker/build-push-action@v3
        with:
          context: "{{defaultContext}}:mysubdir"
          push: true
          tags: user/app:latest

Warning

Subdirectory for Git context is available from BuildKit v0.9.0. If you're using the docker builder (default if setup-buildx-action not used), then BuildKit in Docker Engine will be used. As Docker Engine < v22.x.x embeds Buildkit 0.8.2 at the moment, it does not support this feature. It's therefore required to use the setup-buildx-action at the moment.

Building from the current repository automatically uses the GitHub Token, so it does not need to be passed. If you want to authenticate against another private repository, you have to use a secret named GIT_AUTH_TOKEN to be able to authenticate against it with Buildx:

      -
        name: Build and push
        uses: docker/build-push-action@v3
        with:
          push: true
          tags: user/app:latest
          secrets: |
            GIT_AUTH_TOKEN=${{ secrets.MYTOKEN }}            

Path context

name: ci

on:
  push:
    branches:
      - 'main'

jobs:
  docker:
    runs-on: ubuntu-latest
    steps:
      -
        name: Checkout
        uses: actions/checkout@v3
      -
        name: Set up QEMU
        uses: docker/setup-qemu-action@v2
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
      -
        name: Login to Docker Hub
        uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      -
        name: Build and push
        uses: docker/build-push-action@v3
        with:
          context: .
          push: true
          tags: user/app:latest

Examples

See https://docs.docker.com/build/ci/github-actions/examples/.

Customizing

inputs

Following inputs can be used as step.with keys

List type is a newline-delimited string

cache-from: |
  user/app:cache
  type=local,src=path/to/dir  

CSV type is a comma-delimited string

tags: name/app:latest,name/app:1.0.0
Name Type Description
add-hosts List/CSV List of customs host-to-IP mapping (e.g., docker:10.180.0.1)
allow List/CSV List of extra privileged entitlement (e.g., network.host,security.insecure)
attests List List of attestation parameters (e.g., type=sbom,generator=image)
builder String Builder instance (see setup-buildx action)
build-args List List of build-time variables
build-contexts List List of additional build contexts (e.g., name=path)
cache-from List List of external cache sources (e.g., type=local,src=path/to/dir)
cache-to List List of cache export destinations (e.g., type=local,dest=path/to/dir)
cgroup-parent String Optional parent cgroup for the container used in the build
context String Build's context is the set of files located in the specified PATH or URL (default Git context)
file String Path to the Dockerfile. (default {context}/Dockerfile)
labels List List of metadata for an image
load Bool Load is a shorthand for --output=type=docker (default false)
network String Set the networking mode for the RUN instructions during build
no-cache Bool Do not use cache when building the image (default false)
no-cache-filters List/CSV Do not cache specified stages
outputs¹ List List of output destinations (format: type=local,dest=path)
platforms List/CSV List of target platforms for build
provenance Bool/String Generate provenance attestation for the build (shorthand for --attest=type=provenance)
pull Bool Always attempt to pull all referenced images (default false)
push Bool Push is a shorthand for --output=type=registry (default false)
sbom Bool/String Generate SBOM attestation for the build (shorthand for --attest=type=sbom)
secrets List List of secrets to expose to the build (e.g., key=string, GIT_AUTH_TOKEN=mytoken)
secret-files List List of secret files to expose to the build (e.g., key=filename, MY_SECRET=./secret.txt)
shm-size String Size of /dev/shm (e.g., 2g)
ssh List List of SSH agent socket or keys to expose to the build
tags List/CSV List of tags
target String Sets the target stage to build
ulimit List Ulimit options (e.g., nofile=1024:1024)
github-token String GitHub Token used to authenticate against a repository for Git context (default ${{ github.token }})

Note

outputs

Following outputs are available

Name Type Description
imageid String Image ID
digest String Image digest
metadata JSON Build result metadata

Troubleshooting

See TROUBLESHOOTING.md

Contributing

Want to contribute? Awesome! You can find information about contributing to this project in the CONTRIBUTING.md