From 86856eb41231cee8fb44040fa432c2ec12870ed5 Mon Sep 17 00:00:00 2001 From: CrazyMax Date: Tue, 22 Sep 2020 20:49:18 +0200 Subject: [PATCH 1/3] Expose Git secret token if default context used Signed-off-by: CrazyMax --- README.md | 258 +++++++++++++++++++++++-------------------------- action.yml | 4 + dist/index.js | 25 ++++- src/context.ts | 18 +++- 4 files changed, 158 insertions(+), 147 deletions(-) diff --git a/README.md b/README.md index 85b0f1b..5bcbd20 100644 --- a/README.md +++ b/README.md @@ -45,10 +45,7 @@ build-secrets, remote cache, etc. and different builder deployment/namespacing o The default behavior of this action is to use the [Git context invoked by your workflow](https://github.com/docker/build-push-action/blob/master/src/context.ts#L35). -
- Show workflow - - ```yaml +```yaml name: ci on: @@ -81,11 +78,10 @@ jobs: - name: Image digest run: echo ${{ steps.docker_build.outputs.digest }} - ``` -
+``` -If you use this action in a private repository, you have to pass the [GitHub Token](https://help.github.com/en/actions/configuring-and-managing-workflows/authenticating-with-the-github_token) -as a secret named `GIT_AUTH_TOKEN` to be able to authenticate against it with buildx: +If you want to authenticate against a private repository, you have to use a secret named `GIT_AUTH_TOKEN` to be able +to authenticate against it with buildx: ```yaml - @@ -96,7 +92,7 @@ as a secret named `GIT_AUTH_TOKEN` to be able to authenticate against it with bu push: true tags: user/app:latest secrets: | - GIT_AUTH_TOKEN=${{ github.token }} + GIT_AUTH_TOKEN=${{ secrets.MYTOKEN }} ``` > :warning: Subdir for Git context is [not yet supported](https://github.com/docker/build-push-action/issues/120). @@ -106,140 +102,128 @@ as a secret named `GIT_AUTH_TOKEN` to be able to authenticate against it with bu You can also use the `PATH` context alongside the [`actions/checkout`](https://github.com/actions/checkout/) action. -
- Show workflow - - ```yaml - name: ci +```yaml +name: ci - on: - push: - branches: master +on: + push: + branches: master - jobs: - path-context: - runs-on: ubuntu-latest - steps: - - - name: Checkout - uses: actions/checkout@v2 - - - name: Set up QEMU - uses: docker/setup-qemu-action@v1 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v1 - - - name: Login to DockerHub - uses: docker/login-action@v1 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - - name: Build and push - uses: docker/build-push-action@v2 - with: - context: . - file: ./Dockerfile - platforms: linux/amd64,linux/arm64,linux/386 - push: true - tags: user/app:latest - ``` -
+jobs: + path-context: + runs-on: ubuntu-latest + steps: + - + name: Checkout + uses: actions/checkout@v2 + - + name: Set up QEMU + uses: docker/setup-qemu-action@v1 + - + name: Set up Docker Buildx + uses: docker/setup-buildx-action@v1 + - + name: Login to DockerHub + uses: docker/login-action@v1 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + - + name: Build and push + uses: docker/build-push-action@v2 + with: + context: . + file: ./Dockerfile + platforms: linux/amd64,linux/arm64,linux/386 + push: true + tags: user/app:latest +``` ### Isolated builders -
- Show workflow - - ```yaml - name: ci +```yaml +name: ci - on: - push: - branches: master +on: + push: + branches: master - jobs: - multi-builders: - runs-on: ubuntu-latest - steps: - - - uses: docker/setup-buildx-action@v1 - id: builder1 - - - uses: docker/setup-buildx-action@v1 - id: builder2 - - - name: Builder 1 name - run: echo ${{ steps.builder1.outputs.name }} - - - name: Builder 2 name - run: echo ${{ steps.builder2.outputs.name }} - - - name: Build against builder1 - uses: docker/build-push-action@v2 - with: - builder: ${{ steps.builder1.outputs.name }} - target: mytarget1 - - - name: Build against builder2 - uses: docker/build-push-action@v2 - with: - builder: ${{ steps.builder2.outputs.name }} - target: mytarget2 - ``` -
+jobs: + multi-builders: + runs-on: ubuntu-latest + steps: + - + uses: docker/setup-buildx-action@v1 + id: builder1 + - + uses: docker/setup-buildx-action@v1 + id: builder2 + - + name: Builder 1 name + run: echo ${{ steps.builder1.outputs.name }} + - + name: Builder 2 name + run: echo ${{ steps.builder2.outputs.name }} + - + name: Build against builder1 + uses: docker/build-push-action@v2 + with: + builder: ${{ steps.builder1.outputs.name }} + target: mytarget1 + - + name: Build against builder2 + uses: docker/build-push-action@v2 + with: + builder: ${{ steps.builder2.outputs.name }} + target: mytarget2 +``` ### Multi-platform image -
- Show workflow - - ```yaml - name: ci +```yaml +name: ci - on: - push: - branches: master +on: + push: + branches: master - jobs: - multi: - runs-on: ubuntu-latest - steps: - - - name: Checkout - uses: actions/checkout@v2 - - - name: Set up QEMU - uses: docker/setup-qemu-action@v1 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v1 - - - name: Login to DockerHub - uses: docker/login-action@v1 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - - name: Build and push - uses: docker/build-push-action@v2 - with: - context: . - file: ./Dockerfile - platforms: linux/386,linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64,linux/ppc64le,linux/s390x - push: true - tags: | - user/app:latest - user/app:1.0.0 - ``` -
+jobs: + multi: + runs-on: ubuntu-latest + steps: + - + name: Checkout + uses: actions/checkout@v2 + - + name: Set up QEMU + uses: docker/setup-qemu-action@v1 + - + name: Set up Docker Buildx + uses: docker/setup-buildx-action@v1 + - + name: Login to DockerHub + uses: docker/login-action@v1 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + - + name: Build and push + uses: docker/build-push-action@v2 + with: + context: . + file: ./Dockerfile + platforms: linux/386,linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64,linux/ppc64le,linux/s390x + push: true + tags: | + user/app:latest + user/app:1.0.0 +``` ## Advanced usage ### Local registry -For testing purposes you may need to create a [local registry](https://hub.docker.com/_/registry) to push images into. +For testing purposes you may need to create a [local registry](https://hub.docker.com/_/registry) to push images into:
Show workflow @@ -284,7 +268,7 @@ For testing purposes you may need to create a [local registry](https://hub.docke ### Leverage GitHub cache You can leverage [GitHub cache](https://docs.github.com/en/actions/configuring-and-managing-workflows/caching-dependencies-to-speed-up-workflows) -using [actions/cache](https://github.com/actions/cache) with this action. +using [actions/cache](https://github.com/actions/cache) with this action:
Show workflow @@ -338,15 +322,6 @@ The following workflow with the `Prepare` step will generate some [outputs](http to handle tags and labels based on GitHub actions events. This is just an example to show many cases that you might want to use: -| Event | Ref | Commit SHA | Docker Tag | Pushed | -|-----------------|-------------------------------|------------|------------------------------------|--------| -| `schedule` | | | `nightly` | Yes | -| `pull_request` | `refs/pull/2/merge` | `a123b57` | `pr-2` | No | -| `push` | `refs/heads/` | `676cae2` | `sha-676cae2`, `edge` | Yes | -| `push` | `refs/heads/dev` | `cf20257` | `sha-cf20257`, `dev` | Yes | -| `push` | `refs/heads/my/branch` | `a5df687` | `sha-a5df687`, `my-branch` | Yes | -| `push tag` | `refs/tags/v1.2.3` | | `v1.2.3`, `v1.2`, `v1`, `latest` | Yes | -
Show workflow @@ -434,11 +409,20 @@ might want to use: ```
+| Event | Ref | Commit SHA | Docker Tag | Pushed | +|-----------------|-------------------------------|------------|------------------------------------|--------| +| `schedule` | | | `nightly` | Yes | +| `pull_request` | `refs/pull/2/merge` | `a123b57` | `pr-2` | No | +| `push` | `refs/heads/` | `676cae2` | `sha-676cae2`, `edge` | Yes | +| `push` | `refs/heads/dev` | `cf20257` | `sha-cf20257`, `dev` | Yes | +| `push` | `refs/heads/my/branch` | `a5df687` | `sha-a5df687`, `my-branch` | Yes | +| `push tag` | `refs/tags/v1.2.3` | | `v1.2.3`, `v1.2`, `v1`, `latest` | Yes | + ### Update DockerHub repo description You can update the [Docker Hub repository description](https://docs.docker.com/docker-hub/repos/) using a third-party action called [Docker Hub Description](https://github.com/peter-evans/dockerhub-description) -with this action. +with this action:
Show workflow diff --git a/action.yml b/action.yml index 5734fe3..ec7feb8 100644 --- a/action.yml +++ b/action.yml @@ -64,6 +64,10 @@ inputs: secrets: description: "List of secrets to expose to the build (eg. key=value, GIT_AUTH_TOKEN=mytoken)" required: false + github-token: + description: "GitHub Token used to authenticate against a repository for Git context" + default: ${{ github.token }} + required: false outputs: digest: diff --git a/dist/index.js b/dist/index.js index 063f93f..3c0c05e 100644 --- a/dist/index.js +++ b/dist/index.js @@ -7955,6 +7955,12 @@ function convertBody(buffer, headers) { // html4 if (!res && str) { res = / __awaiter(this, void 0, void 0, function* () { args.push('--cache-to', cacheTo); })); + let hasGitAuthToken = false; yield exports.asyncForEach(inputs.secrets, (secret) => __awaiter(this, void 0, void 0, function* () { + if (secret.startsWith('GIT_AUTH_TOKEN=')) { + hasGitAuthToken = true; + } args.push('--secret', yield buildx.getSecret(secret)); })); + if (inputs.githubToken && !hasGitAuthToken && inputs.context == defaultContext) { + args.push('--secret', yield buildx.getSecret(`GIT_AUTH_TOKEN=${inputs.githubToken}`)); + } if (inputs.file) { args.push('--file', inputs.file); } diff --git a/src/context.ts b/src/context.ts index 6977e3f..98eef07 100644 --- a/src/context.ts +++ b/src/context.ts @@ -6,7 +6,8 @@ import * as buildx from './buildx'; import * as core from '@actions/core'; import * as github from '@actions/github'; -export const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'docker-build-push-')); +export const tmpDir: string = fs.mkdtempSync(path.join(os.tmpdir(), 'docker-build-push-')); +const defaultContext: string = `https://github.com/${github.context.repo.owner}/${github.context.repo.repo}#${github.context.ref}`; export interface Inputs { context: string; @@ -26,13 +27,12 @@ export interface Inputs { cacheFrom: string[]; cacheTo: string[]; secrets: string[]; + githubToken: string; } export async function getInputs(): Promise { return { - context: - core.getInput('context') || - `https://github.com/${github.context.repo.owner}/${github.context.repo.repo}#${github.context.ref}`, + context: core.getInput('context') || defaultContext, file: core.getInput('file') || 'Dockerfile', buildArgs: await getInputList('build-args'), labels: await getInputList('labels'), @@ -48,7 +48,8 @@ export async function getInputs(): Promise { outputs: await getInputList('outputs', true), cacheFrom: await getInputList('cache-from', true), cacheTo: await getInputList('cache-to', true), - secrets: await getInputList('secrets', true) + secrets: await getInputList('secrets', true), + githubToken: core.getInput('github-token') }; } @@ -92,9 +93,16 @@ async function getBuildArgs(inputs: Inputs, buildxVersion: string): Promise { args.push('--cache-to', cacheTo); }); + let hasGitAuthToken: boolean = false; await asyncForEach(inputs.secrets, async secret => { + if (secret.startsWith('GIT_AUTH_TOKEN=')) { + hasGitAuthToken = true; + } args.push('--secret', await buildx.getSecret(secret)); }); + if (inputs.githubToken && !hasGitAuthToken && inputs.context == defaultContext) { + args.push('--secret', await buildx.getSecret(`GIT_AUTH_TOKEN=${inputs.githubToken}`)); + } if (inputs.file) { args.push('--file', inputs.file); } From 32351da9d7e807c843c344055923406763073ac0 Mon Sep 17 00:00:00 2001 From: CrazyMax Date: Tue, 22 Sep 2020 20:53:40 +0200 Subject: [PATCH 2/3] Update CI workflow Signed-off-by: CrazyMax --- .github/workflows/ci.yml | 54 +++++++++++++++++++++++++++++++++++----- 1 file changed, 48 insertions(+), 6 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3452d5b..11618c4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -11,11 +11,53 @@ on: jobs: git-context: runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - buildx-version: - - latest + services: + registry: + image: registry:2 + ports: + - 5000:5000 + steps: + - + name: Checkout + uses: actions/checkout@v2.3.2 + - + name: Set up QEMU + uses: docker/setup-qemu-action@v1 + with: + platforms: all + - + name: Set up Docker Buildx + id: buildx + uses: docker/setup-buildx-action@v1 + with: + version: latest + driver-opts: network=host + - + name: Build and push + id: docker_build + uses: ./ + with: + file: ./test/Dockerfile + builder: ${{ steps.buildx.outputs.name }} + platforms: linux/amd64,linux/arm64 + push: true + tags: | + localhost:5000/name/app:latest + localhost:5000/name/app:1.0.0 + - + name: Inspect + run: | + docker buildx imagetools inspect localhost:5000/name/app:1.0.0 + - + name: Image digest + run: echo ${{ steps.docker_build.outputs.digest }} + - + name: Dump context + if: always() + uses: crazy-max/ghaction-dump-context@v1 + + git-context-secret: + runs-on: ubuntu-latest services: registry: image: registry:2 @@ -50,7 +92,7 @@ jobs: localhost:5000/name/app:latest localhost:5000/name/app:1.0.0 secrets: | - GIT_AUTH_TOKEN=${{ github.token }} + GIT_AUTH_TOKEN=01234567890abcdefgh - name: Inspect run: | From e952699f4d013b228ee24a72da01faae20ece9d1 Mon Sep 17 00:00:00 2001 From: CrazyMax Date: Wed, 23 Sep 2020 11:04:40 +0200 Subject: [PATCH 3/3] Fix CI workflow and README Signed-off-by: CrazyMax --- .github/workflows/ci.yml | 2 +- README.md | 5 +++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 11618c4..ed78c32 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -92,7 +92,7 @@ jobs: localhost:5000/name/app:latest localhost:5000/name/app:1.0.0 secrets: | - GIT_AUTH_TOKEN=01234567890abcdefgh + GIT_AUTH_TOKEN=${{ github.token }} - name: Inspect run: | diff --git a/README.md b/README.md index 5bcbd20..b7a683f 100644 --- a/README.md +++ b/README.md @@ -80,8 +80,9 @@ jobs: run: echo ${{ steps.docker_build.outputs.digest }} ``` -If you want to authenticate against a private repository, you have to use a secret named `GIT_AUTH_TOKEN` to be able -to authenticate against it with buildx: +Building from current repository automatically uses the [GitHub Token](https://help.github.com/en/actions/configuring-and-managing-workflows/authenticating-with-the-github_token) +as provided by `secrets` so it does not need to be passed. But if you want to authenticate against another private +repository, you have to use a secret named `GIT_AUTH_TOKEN` to be able to authenticate against it with buildx: ```yaml -