diff --git a/.github/workflows/.test-bake.yml b/.github/workflows/.test-bake.yml
index f329baa..54b14b6 100644
--- a/.github/workflows/.test-bake.yml
+++ b/.github/workflows/.test-bake.yml
@@ -179,6 +179,55 @@ jobs:
 const builderOutputs = JSON.parse(core.getInput('builder-outputs'));
 core.info(JSON.stringify(builderOutputs, null, 2));
+ bake-dockerhub-stage:
+ uses: ./.github/workflows/bake.yml
+ permissions:
+ contents: read
+ id-token: write
+ with:
+ context: test
+ output: image
+ push: ${{ github.event_name != 'pull_request' }}
+ sbom: true
+ target: hello-cross
+ meta-images: |
+ registry-1-stage.docker.io/docker/github-builder-test
+ meta-tags: |
+ type=raw,value=bake-ghbuilder-${{ github.run_id }}
+ secrets:
+ registry-auths: |
+ - registry: registry-1-stage.docker.io
+ username: ${{ vars.DOCKERHUB_STAGE_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_STAGE_TOKEN }}
+
+ bake-dockerhub-stage-verify:
+ uses: ./.github/workflows/verify.yml
+ if: ${{ github.event_name != 'pull_request' }}
+ needs:
+ - bake-dockerhub-stage
+ with:
+ builder-outputs: ${{ toJSON(needs.bake-dockerhub-stage.outputs) }}
+ secrets:
+ registry-auths: |
+ - registry: registry-1-stage.docker.io
+ username: ${{ vars.DOCKERHUB_STAGE_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_STAGE_TOKEN }}
+
+ bake-dockerhub-stage-outputs:
+ runs-on: ubuntu-24.04
+ needs:
+ - bake-dockerhub-stage
+ steps:
+ -
+ name: Builder outputs
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+ env:
+ INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.bake-dockerhub-stage.outputs) }}
+ with:
+ script: |
+ const builderOutputs = JSON.parse(core.getInput('builder-outputs'));
+ core.info(JSON.stringify(builderOutputs, null, 2));
+
 bake-ghcr-and-aws:
 uses: ./.github/workflows/bake.yml
 permissions:
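Review bot: The new `bake-dockerhub-stage-outputs` job has no `permissions:` block, unlike `bake-dockerhub-stage` directly above it, so it inherits whatever the workflow or repository default grants even though its single github-script step only logs `needs.bake-dockerhub-stage.outputs`. Whether a workflow-level `permissions:` already narrows that default is outside the hunk; giving the job its own `permissions:` with `contents: read` (or `permissions: {}`, since the step reads no repository content) pins it to least privilege either way. Note also that this job is not gated on `github.event_name != 'pull_request'` while `bake-dockerhub-stage-verify` is, which is fine for a log-only job but worth a one-line comment above it such as `# runs on PRs too: only prints the reusable workflow's outputs`.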
@@ -461,3 +510,38 @@ jobs:
 target: go
 vars: |
 XX_VERSION=1.9.0
+
+ bake-auth-scope:
+ uses: ./.github/workflows/bake.yml
+ permissions:
+ contents: read
+ id-token: write
+ with:
+ context: test
+ output: image
+ push: ${{ github.event_name != 'pull_request' }}
+ sbom: true
+ target: hello-cross
+ meta-images: |
+ registry-1-stage.docker.io/docker/github-builder-test
+ meta-tags: |
+ type=raw,value=bake-ghbuilder-scope-${{ github.run_id }}
+ secrets:
+ registry-auths: |
+ - registry: registry-1-stage.docker.io
+ username: ${{ vars.DOCKERHUB_STAGE_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_STAGE_TOKEN }}
+ scope: '@push'
+
+ bake-auth-scope-verify:
+ uses: ./.github/workflows/verify.yml
+ if: ${{ github.event_name != 'pull_request' }}
+ needs:
+ - bake-auth-scope
+ with:
+ builder-outputs: ${{ toJSON(needs.bake-auth-scope.outputs) }}
+ secrets:
+ registry-auths: |
+ - registry: registry-1-stage.docker.io
+ username: ${{ vars.DOCKERHUB_STAGE_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_STAGE_TOKEN }}
diff --git a/.github/workflows/.test-build.yml b/.github/workflows/.test-build.yml
index f2733bd..e2b4503 100644
--- a/.github/workflows/.test-build.yml
+++ b/.github/workflows/.test-build.yml
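Review bot: `bake-auth-scope` differs from `bake-dockerhub-stage` only in the tag value and the added `scope: '@push'` entry inside `registry-auths`, and its verify job is identical to the unscoped one, so as far as the hunk shows nothing would fail if the login step silently ignored the scope. The test therefore proves that a scoped credential still builds and pushes, not that scoping took effect; if the login action exposes an output or log line that reflects the applied scope, a step asserting on it would close that gap, and otherwise a comment above the job should state the limitation, e.g. `# exercises the registry-auths scope syntax; verify only checks the pushed image, not that the scope was applied`. With indentation collapsed here it is also not visible that `scope: '@push'` is part of the list item inside the `registry-auths` block scalar rather than a sibling secret key; worth confirming in the rendered file. The `build-auth-scope` job added to .test-build.yml at -542,3 +542,37 has the same shape and the same gap.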
@@ -542,3 +542,37 @@ jobs:
 platforms: linux/amd64,linux/arm64
 sbom: true
 sign: ${{ github.event_name != 'pull_request' }}
+
+ build-auth-scope:
+ uses: ./.github/workflows/build.yml
+ permissions:
+ contents: read
+ id-token: write
+ with:
+ file: test/hello.Dockerfile
+ output: image
+ platforms: linux/amd64,linux/arm64
+ push: ${{ github.event_name != 'pull_request' }}
+ sbom: true
+ meta-images: registry-1-stage.docker.io/docker/github-builder-test
+ meta-tags: |
+ type=raw,value=build-scope-${{ github.run_id }}
+ secrets:
+ registry-auths: |
+ - registry: registry-1-stage.docker.io
+ username: ${{ vars.DOCKERHUB_STAGE_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_STAGE_TOKEN }}
+ scope: '@push'
+
+ build-auth-scope-verify:
+ uses: ./.github/workflows/verify.yml
+ if: ${{ github.event_name != 'pull_request' }}
+ needs:
+ - build-auth-scope
+ with:
+ builder-outputs: ${{ toJSON(needs.build-auth-scope.outputs) }}
+ secrets:
+ registry-auths: |
+ - registry: registry-1-stage.docker.io
+ username: ${{ vars.DOCKERHUB_STAGE_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_STAGE_TOKEN }}
diff --git a/.github/workflows/bake.yml b/.github/workflows/bake.yml
index 51722a9..ea06661 100644
--- a/.github/workflows/bake.yml
+++ b/.github/workflows/bake.yml
@@ -677,7 +677,7 @@ jobs:
 -
 name: Login to registry
 if: ${{ inputs.push && inputs.output == 'image' }}
- uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
 with:
 registry-auth: ${{ secrets.registry-auths }}
 -
@@ -706,6 +706,14 @@ jobs:
 const imageDigest = inpMetadata[inpTarget]['containerimage.digest'];
 core.info(imageDigest);
 core.setOutput('digest', imageDigest);
+ -
+ name: Login to registry for signing
+ if: ${{ needs.prepare.outputs.sign == 'true' && inputs.output == 'image' }}
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+ with:
+ registry-auth: ${{ secrets.registry-auths }}
+ env:
+ DOCKER_LOGIN_SCOPE_DISABLED: true # make sure the scope feature is disabled to avoid interfering with cosign OIDC login
 -
 name: Signing attestation manifests
 id: signing-attestation-manifests
@@ -855,9 +863,11 @@ jobs:
 -
 name: Login to registry
 if: ${{ inputs.push && inputs.output == 'image' }}
- uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
 with:
 registry-auth: ${{ secrets.registry-auths }}
+ env:
+ DOCKER_LOGIN_SCOPE_DISABLED: true # FIXME: scope feature is not yet supported by Buildx imagetools command
 -
 name: Set up Docker Buildx
 if: ${{ inputs.push && inputs.output == 'image' }}
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 0d831e0..a8837c1 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -545,7 +545,7 @@ jobs:
 -
 name: Login to registry
 if: ${{ inputs.push && inputs.output == 'image' }}
- uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
 with:
 registry-auth: ${{ secrets.registry-auths }}
 -
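Review bot: The added `Login to registry for signing` step is conditioned on `needs.prepare.outputs.sign == 'true' && inputs.output == 'image'` but, unlike the existing `Login to registry` step in the same file, not on `inputs.push`, so a run that signs without pushing still invokes the login action with `secrets.registry-auths`, which is empty on fork pull requests. If `prepare` already forces `sign` off whenever `push` is false this is harmless, but that logic is outside the hunk; otherwise `if: ${{ inputs.push && needs.prepare.outputs.sign == 'true' && inputs.output == 'image' }}` keeps the two login steps aligned. The trailing comment on `DOCKER_LOGIN_SCOPE_DISABLED` would read better as its own line above the key, e.g. `# scope must stay disabled for this login: a scoped login would interfere with cosign's OIDC login`. The same step is added to build.yml at -571,6 +571,14 and both points apply there too.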
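Review bot: The `FIXME` added to the imagetools login step records that the scope feature is unsupported there but gives no way to know when the workaround can go, so it will outlive its reason; a tracking reference makes it actionable, e.g. `# FIXME(<tracking-issue placeholder>): drop DOCKER_LOGIN_SCOPE_DISABLED once buildx imagetools supports scoped logins`. Because this step reuses the same `secrets.registry-auths` as the scoped login earlier in the job, a credential supplied with `scope: '@push'` is presumably used unscoped here, which is worth stating in that comment so a reader of the new `bake-auth-scope` test in .test-bake.yml is not surprised by the difference. The identical change is made in build.yml at -719,9 +727,11.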
@@ -571,6 +571,14 @@ jobs:
 env:
 BUILDKIT_MULTI_PLATFORM: 1
 GIT_AUTH_TOKEN: ${{ secrets.github-token || github.token }}
+ -
+ name: Login to registry for signing
+ if: ${{ needs.prepare.outputs.sign == 'true' && inputs.output == 'image' }}
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+ with:
+ registry-auth: ${{ secrets.registry-auths }}
+ env:
+ DOCKER_LOGIN_SCOPE_DISABLED: true # make sure the scope feature is disabled to avoid interfering with cosign OIDC login
 -
 name: Signing attestation manifests
 id: signing-attestation-manifests
@@ -719,9 +727,11 @@ jobs:
 -
 name: Login to registry
 if: ${{ inputs.push && inputs.output == 'image' }}
- uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
 with:
 registry-auth: ${{ secrets.registry-auths }}
+ env:
+ DOCKER_LOGIN_SCOPE_DISABLED: true # FIXME: scope feature is not yet supported by Buildx imagetools command
 -
 name: Set up Docker Buildx
 if: ${{ inputs.push && inputs.output == 'image' }}
diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml
index d44f862..1274d44 100644
--- a/.github/workflows/verify.yml
+++ b/.github/workflows/verify.yml
@@ -84,6 +84,8 @@ jobs:
 uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
 with:
 registry-auth: ${{ secrets.registry-auths }}
+ env:
+ DOCKER_LOGIN_SCOPE_DISABLED: true # make sure the scope feature is disabled to avoid interfering with cosign OIDC login
 -
 name: Download artifacts
 if: ${{ steps.vars.outputs.signed == 'true' && steps.vars.outputs.output-type == 'local' }}
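Review bot: verify.yml keeps `docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0` (a context line in this hunk) while bake.yml and build.yml move to v3.7.0 in the same commit, yet it gains the same `DOCKER_LOGIN_SCOPE_DISABLED` env as the bumped files. If the scope feature arrived with v3.7.0 the env is inert on v3.6.0 and this pin should be bumped as well so the three reusable workflows run one audited version; if it is intended as a guard ahead of a later bump, say so next to it, e.g. `# no-op on v3.6.0; kept so a future login-action bump cannot turn scoping on for this login`. The enclosing step starts before the hunk, so its name and `if:` are not visible here.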