84 changes: 84 additions & 0 deletions .github/workflows/.test-bake.yml
@@ -179,6 +179,55 @@ jobs:
const builderOutputs = JSON.parse(core.getInput('builder-outputs'));
core.info(JSON.stringify(builderOutputs, null, 2));

bake-dockerhub-stage:
uses: ./.github/workflows/bake.yml
permissions:
contents: read
id-token: write
with:
context: test
output: image
push: ${{ github.event_name != 'pull_request' }}
sbom: true
target: hello-cross
meta-images: |
registry-1-stage.docker.io/docker/github-builder-test
meta-tags: |
type=raw,value=bake-ghbuilder-${{ github.run_id }}
secrets:
registry-auths: |
- registry: registry-1-stage.docker.io
username: ${{ vars.DOCKERHUB_STAGE_USERNAME }}
password: ${{ secrets.DOCKERHUB_STAGE_TOKEN }}

bake-dockerhub-stage-verify:
uses: ./.github/workflows/verify.yml
if: ${{ github.event_name != 'pull_request' }}
needs:
- bake-dockerhub-stage
with:
builder-outputs: ${{ toJSON(needs.bake-dockerhub-stage.outputs) }}
secrets:
registry-auths: |
- registry: registry-1-stage.docker.io
username: ${{ vars.DOCKERHUB_STAGE_USERNAME }}
password: ${{ secrets.DOCKERHUB_STAGE_TOKEN }}

bake-dockerhub-stage-outputs:
runs-on: ubuntu-24.04
needs:
- bake-dockerhub-stage
steps:
-
name: Builder outputs
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
env:
INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.bake-dockerhub-stage.outputs) }}
with:
script: |
const builderOutputs = JSON.parse(core.getInput('builder-outputs'));
core.info(JSON.stringify(builderOutputs, null, 2));

bake-ghcr-and-aws:
uses: ./.github/workflows/bake.yml
permissions:
@@ -461,3 +510,38 @@ jobs:
target: go
vars: |
XX_VERSION=1.9.0

bake-auth-scope:
uses: ./.github/workflows/bake.yml
permissions:
contents: read
id-token: write
with:
context: test
output: image
push: ${{ github.event_name != 'pull_request' }}
sbom: true
target: hello-cross
meta-images: |
registry-1-stage.docker.io/docker/github-builder-test
meta-tags: |
type=raw,value=bake-ghbuilder-scope-${{ github.run_id }}
secrets:
registry-auths: |
- registry: registry-1-stage.docker.io
username: ${{ vars.DOCKERHUB_STAGE_USERNAME }}
password: ${{ secrets.DOCKERHUB_STAGE_TOKEN }}
scope: '@push'

bake-auth-scope-verify:
uses: ./.github/workflows/verify.yml
if: ${{ github.event_name != 'pull_request' }}
needs:
- bake-auth-scope
with:
builder-outputs: ${{ toJSON(needs.bake-auth-scope.outputs) }}
secrets:
registry-auths: |
- registry: registry-1-stage.docker.io
username: ${{ vars.DOCKERHUB_STAGE_USERNAME }}
password: ${{ secrets.DOCKERHUB_STAGE_TOKEN }}
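Review bot: `bake-auth-scope` only shows that a push still succeeds when the `registry-auths` entry carries `scope: '@push'`; nothing visible in the job checks that the credential was actually confined to that scope, so the job would presumably stay green if the scope were silently ignored and the login fell back to a global one. A comment above the job would make that limit explicit, e.g. `# positive test only: push with a '@push'-scoped login; does not assert the credential is unavailable outside that scope`. If the reusable workflow can expose it, a follow-up check that the scoped entry was the one used for the push would turn this into a regression test for the least-privilege behaviour. The same applies to `build-auth-scope` in `.github/workflows/.test-build.yml`.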
34 changes: 34 additions & 0 deletions .github/workflows/.test-build.yml
@@ -542,3 +542,37 @@ jobs:
platforms: linux/amd64,linux/arm64
sbom: true
sign: ${{ github.event_name != 'pull_request' }}

build-auth-scope:
uses: ./.github/workflows/build.yml
permissions:
contents: read
id-token: write
with:
file: test/hello.Dockerfile
output: image
platforms: linux/amd64,linux/arm64
push: ${{ github.event_name != 'pull_request' }}
sbom: true
meta-images: registry-1-stage.docker.io/docker/github-builder-test
meta-tags: |
type=raw,value=build-scope-${{ github.run_id }}
secrets:
registry-auths: |
- registry: registry-1-stage.docker.io
username: ${{ vars.DOCKERHUB_STAGE_USERNAME }}
password: ${{ secrets.DOCKERHUB_STAGE_TOKEN }}
scope: '@push'

build-auth-scope-verify:
uses: ./.github/workflows/verify.yml
if: ${{ github.event_name != 'pull_request' }}
needs:
- build-auth-scope
with:
builder-outputs: ${{ toJSON(needs.build-auth-scope.outputs) }}
secrets:
registry-auths: |
- registry: registry-1-stage.docker.io
username: ${{ vars.DOCKERHUB_STAGE_USERNAME }}
password: ${{ secrets.DOCKERHUB_STAGE_TOKEN }}
14 changes: 12 additions & 2 deletions .github/workflows/bake.yml
@@ -677,7 +677,7 @@ jobs:
-
name: Login to registry
if: ${{ inputs.push && inputs.output == 'image' }}
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
registry-auth: ${{ secrets.registry-auths }}
-
@@ -706,6 +706,14 @@ jobs:
const imageDigest = inpMetadata[inpTarget]['containerimage.digest'];
core.info(imageDigest);
core.setOutput('digest', imageDigest);
-
name: Login to registry for signing
if: ${{ needs.prepare.outputs.sign == 'true' && inputs.output == 'image' }}
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
registry-auth: ${{ secrets.registry-auths }}
env:
DOCKER_LOGIN_SCOPE_DISABLED: true # make sure the scope feature is disabled to avoid interfering with cosign OIDC login
-
name: Signing attestation manifests
id: signing-attestation-manifests
@@ -855,9 +863,11 @@ jobs:
-
name: Login to registry
if: ${{ inputs.push && inputs.output == 'image' }}
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
registry-auth: ${{ secrets.registry-auths }}
env:
DOCKER_LOGIN_SCOPE_DISABLED: true # FIXME: scope feature is not yet supported by Buildx imagetools command
-
name: Set up Docker Buildx
if: ${{ inputs.push && inputs.output == 'image' }}
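Review bot: The added `Login to registry for signing` step logs in again with the full `secrets.registry-auths` and `DOCKER_LOGIN_SCOPE_DISABLED` set, so from that step on the credential appears to be available unscoped for the rest of the job; a caller who passes `scope: '@push'` gets the narrower credential only during the build and push. That looks deliberate given the cosign comment, but it should be stated where callers read it, for example in the `registry-auths` secret description: the scope covers the build step only, while signing and the imagetools login (third hunk, marked FIXME) use an unscoped login. The FIXME would be easier to retire with a tracking reference, `# FIXME(<issue-url>): scope feature is not yet supported by Buildx imagetools command`. Quoting the value as `DOCKER_LOGIN_SCOPE_DISABLED: "true"` keeps it a string for any YAML tooling that reads the file. The same three steps in `.github/workflows/build.yml` carry the same points; the jobs these steps belong to start and end outside the hunks.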
14 changes: 12 additions & 2 deletions .github/workflows/build.yml
@@ -545,7 +545,7 @@ jobs:
-
name: Login to registry
if: ${{ inputs.push && inputs.output == 'image' }}
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
registry-auth: ${{ secrets.registry-auths }}
-
@@ -571,6 +571,14 @@ jobs:
env:
BUILDKIT_MULTI_PLATFORM: 1
GIT_AUTH_TOKEN: ${{ secrets.github-token || github.token }}
-
name: Login to registry for signing
if: ${{ needs.prepare.outputs.sign == 'true' && inputs.output == 'image' }}
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
registry-auth: ${{ secrets.registry-auths }}
env:
DOCKER_LOGIN_SCOPE_DISABLED: true # make sure the scope feature is disabled to avoid interfering with cosign OIDC login
-
name: Signing attestation manifests
id: signing-attestation-manifests
@@ -719,9 +727,11 @@ jobs:
-
name: Login to registry
if: ${{ inputs.push && inputs.output == 'image' }}
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
registry-auth: ${{ secrets.registry-auths }}
env:
DOCKER_LOGIN_SCOPE_DISABLED: true # FIXME: scope feature is not yet supported by Buildx imagetools command
-
name: Set up Docker Buildx
if: ${{ inputs.push && inputs.output == 'image' }}
2 changes: 2 additions & 0 deletions .github/workflows/verify.yml
@@ -84,6 +84,8 @@ jobs:
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
with:
registry-auth: ${{ secrets.registry-auths }}
env:
DOCKER_LOGIN_SCOPE_DISABLED: true # make sure the scope feature is disabled to avoid interfering with cosign OIDC login
-
name: Download artifacts
if: ${{ steps.vars.outputs.signed == 'true' && steps.vars.outputs.output-type == 'local' }}
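Review bot: The `uses:` line directly above the added `env:` still pins `docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0`, while every other login step touched by this change moves to v3.7.0. If the scope handling and `DOCKER_LOGIN_SCOPE_DISABLED` only exist from v3.7.0 on (not visible here), the variable is a no-op in this step, and a `registry-auths` entry that carries `scope:` reaches a version that may not understand the key. Pinning this step to the same commit would keep the three workflows consistent: `uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0`. The step begins above the hunk, so its name and condition are not shown.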