Merge pull request #781 from crazy-max/disable-provenance

Disable provenance by default if not set

.eslintrc.json

@@ -0,0 +1,23 @@
+{
+  "env": {
+    "node": true,
+    "es2021": true,
+    "jest/globals": true
+  },
+  "extends": [
+    "eslint:recommended",
+    "plugin:@typescript-eslint/recommended",
+    "plugin:jest/recommended",
+    "plugin:prettier/recommended"
+  ],
+  "parser": "@typescript-eslint/parser",
+  "parserOptions": {
+    "ecmaVersion": "latest",
+    "sourceType": "module"
+  },
+  "plugins": [
+    "@typescript-eslint",
+    "jest",
+    "prettier"
+  ]
+}

.github/workflows/ci.yml

@@ -2,6 +2,15 @@ name: ci
 
 on:
   workflow_dispatch:
+    inputs:
+      buildx-version:
+        description: 'Buildx version or Git context'
+        default: 'latest'
+        required: false
+      buildkit-image:
+        description: 'BuildKit image'
+        default: 'moby/buildkit:buildx-stable-1'
+        required: false
   push:
     branches:
       - 'master'
@@ -9,6 +18,10 @@ on:
     branches:
       - 'master'
 
+env:
+  BUILDX_VERSION: latest
+  BUILDKIT_IMAGE: moby/buildkit:buildx-stable-1
+
 jobs:
   minimal:
     runs-on: ubuntu-latest
@@ -20,7 +33,11 @@ jobs:
           path: action
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
       -
         name: Build
         uses: ./action
@@ -42,14 +59,16 @@ jobs:
           path: action
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v2
       -
         name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
         with:
-          version: latest
-          driver-opts: network=host
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            network=host
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
       -
         name: Build and push
         id: docker_build
@@ -65,7 +84,7 @@ jobs:
       -
         name: Inspect
         run: |
-          docker buildx imagetools inspect localhost:5000/name/app:1.0.0
+          docker buildx imagetools inspect localhost:5000/name/app:1.0.0 --format '{{json .}}'
       -
         name: Check digest
         run: |
@@ -89,13 +108,16 @@ jobs:
           path: action
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v2
       -
         name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
         with:
-          driver-opts: network=host
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            network=host
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
       -
         name: Build and push
         id: docker_build
@@ -121,7 +143,7 @@ jobs:
       -
         name: Inspect
         run: |
-          docker buildx imagetools inspect localhost:5000/name/app:1.0.0
+          docker buildx imagetools inspect localhost:5000/name/app:1.0.0 --format '{{json .}}'
       -
         name: Check digest
         run: |
@@ -132,12 +154,6 @@ jobs:
 
   path-context:
     runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        buildx-version:
-          - ""
-          - latest
     services:
       registry:
         image: registry:2
@@ -149,14 +165,16 @@ jobs:
         uses: actions/checkout@v3
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v2
       -
         name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
         with:
-          version: ${{ matrix.buildx-version }}
-          driver-opts: network=host
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            network=host
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
       -
         name: Build and push
         id: docker_build
@@ -172,7 +190,7 @@ jobs:
       -
         name: Inspect
         run: |
-          docker buildx imagetools inspect localhost:5000/name/app:1.0.0
+          docker buildx imagetools inspect localhost:5000/name/app:1.0.0 --format '{{json .}}'
       -
         name: Check digest
         run: |
@@ -216,10 +234,14 @@ jobs:
         uses: actions/checkout@v3
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v2
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
       -
         name: Build
         id: docker_build
@@ -280,6 +302,29 @@ jobs:
         run: |
           docker image inspect myimage:latest
 
+  secret:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          context: .
+          file: ./test/secret.Dockerfile
+          secrets: |
+            MYSECRET=foo
+            INVALID_SECRET=
+
   network:
     runs-on: ubuntu-latest
     steps:
@@ -288,7 +333,11 @@ jobs:
         uses: actions/checkout@v3
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
       -
         name: List networks
         run: docker network ls
@@ -308,11 +357,11 @@ jobs:
         uses: actions/checkout@v3
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
         with:
-          version: v0.7.0
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
-            image=moby/buildkit:master
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
       -
         name: Build
         uses: ./
@@ -330,11 +379,12 @@ jobs:
         uses: actions/checkout@v3
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
         with:
-          version: v0.7.0
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
-            image=moby/buildkit:master
+            network=host
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
       -
         name: Build
         uses: ./
@@ -354,11 +404,12 @@ jobs:
         uses: actions/checkout@v3
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
         with:
-          version: v0.7.0
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
-            image=moby/buildkit:master
+            network=host
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
       -
         name: Build
         uses: ./
@@ -376,7 +427,12 @@ jobs:
         uses: actions/checkout@v3
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            network=host
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
       -
         name: Build
         uses: ./
@@ -393,12 +449,14 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
         with:
-          version: v0.8.0
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
       -
         name: Build
         uses: ./
@@ -409,14 +467,156 @@ jobs:
             alpine=docker-image://debian:stable-slim
           tags: name/app:latest
 
+  no-cache-filters:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          context: ./test
+          file: ./test/nocachefilter.Dockerfile
+          no-cache-filters: build
+          tags: name/app:latest
+          cache-from: type=gha,scope=nocachefilter
+          cache-to: type=gha,scope=nocachefilter,mode=max
+
+  attests-compat:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - buildx: latest
+            buildkit: moby/buildkit:buildx-stable-1
+          - buildx: latest
+            buildkit: moby/buildkit:v0.10.6
+          - buildx: v0.9.1
+            buildkit: moby/buildkit:buildx-stable-1
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: ${{ matrix.buildx }}
+          driver-opts: |
+            network=host
+            image=${{ matrix.buildkit }}
+      -
+        name: Build
+        uses: ./
+        with:
+          context: ./test/go
+          file: ./test/go/Dockerfile
+          outputs: type=cacheonly
+
+  provenance:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        attrs:
+          - ''
+          - mode=max
+          - builder-id=foo
+          - false
+          - true
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            network=host
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          context: ./test/go
+          file: ./test/go/Dockerfile
+          target: binary
+          outputs: type=oci,dest=/tmp/build.tar
+          provenance: ${{ matrix.attrs }}
+          cache-from: type=gha,scope=provenance
+          cache-to: type=gha,scope=provenance,mode=max
+
+  sbom:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - target: image
+            output: type=image,name=localhost:5000/name/app:latest,push=true
+          - target: binary
+            output: /tmp/buildx-build
+    services:
+      registry:
+        image: registry:2
+        ports:
+          - 5000:5000
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            network=host
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          context: ./test/go
+          file: ./test/go/Dockerfile
+          target: ${{ matrix.target }}
+          outputs: ${{ matrix.output }}
+          sbom: true
+          cache-from: type=gha,scope=attests-${{ matrix.target }}
+          cache-to: type=gha,scope=attests-${{ matrix.target }},mode=max
+      -
+        name: Inspect image
+        if: matrix.target == 'image'
+        run: |
+          docker buildx imagetools inspect localhost:5000/name/app:latest --format '{{json .}}'
+      -
+        name: Check output folder
+        if: matrix.target == 'binary'
+        run: |
+          tree /tmp/buildx-build
+      -
+        name: Print SBOM
+        if: matrix.target == 'binary'
+        run: |
+          cat /tmp/buildx-build/sbom.spdx.json | jq
+
   multi:
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
       matrix:
-        buildx-version:
-          - ""
-          - latest
         dockerfile:
           - multi
           - multi-sudo
@@ -431,14 +631,16 @@ jobs:
         uses: actions/checkout@v3
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v2
       -
         name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
         with:
-          version: ${{ matrix.buildx-version }}
-          driver-opts: network=host
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            network=host
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
       -
         name: Build and push
         id: docker_build
@@ -455,7 +657,7 @@ jobs:
       -
         name: Inspect
         run: |
-          docker buildx imagetools inspect localhost:5000/name/app:1.0.0
+          docker buildx imagetools inspect localhost:5000/name/app:1.0.0 --format '{{json .}}'
       -
         name: Check digest
         run: |
@@ -501,12 +703,12 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
         with:
-          version: v0.8.0
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver: ${{ matrix.driver }}
           driver-opts: |
             network=host
@@ -565,16 +767,17 @@ jobs:
         uses: actions/checkout@v3
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v2
       -
         name: Set up Docker Buildx
-        id: buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
         with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
             network=host
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
       -
-        name: Build and push (1)
+        name: Build and push
         id: docker_build
         uses: ./
         with:
@@ -588,110 +791,10 @@ jobs:
             localhost:5000/name/app:1.0.0
           cache-from: type=registry,ref=localhost:5000/name/app
           cache-to: type=inline
-      -
-        name: Inspect (1)
-        run: |
-          docker buildx imagetools inspect localhost:5000/name/app:latest
-      -
-        name: Check digest (1)
-        run: |
-          if [ -z "${{ steps.docker_build.outputs.digest }}" ]; then
-            echo "::error::Digest should not be empty"
-            exit 1
-          fi
-      -
-        name: Prune
-        run: |
-          docker buildx prune -a -f --verbose
-      -
-        name: Build and push (2)
-        id: docker_build2
-        uses: ./
-        with:
-          context: ./test
-          file: ./test/multi.Dockerfile
-          builder: ${{ steps.buildx.outputs.name }}
-          platforms: linux/amd64,linux/arm64
-          push: true
-          tags: |
-            localhost:5000/name/app:latest
-            localhost:5000/name/app:1.0.0
-          cache-from: type=registry,ref=localhost:5000/name/app
-          cache-to: type=inline
-      -
-        name: Inspect (2)
-        run: |
-          docker buildx imagetools inspect localhost:5000/name/app:latest
-      -
-        name: Check digest (2)
-        run: |
-          if [ -z "${{ steps.docker_build2.outputs.digest }}" ]; then
-            echo "::error::Digest should not be empty"
-            exit 1
-          fi
-      -
-        name: Compare digests
-        run: |
-          echo Compare "${{ steps.docker_build.outputs.digest }}" with "${{ steps.docker_build2.outputs.digest }}"
-          if [ "${{ steps.docker_build.outputs.digest }}" != "${{ steps.docker_build2.outputs.digest }}" ]; then
-            echo "::error::Digests should be identical"
-            exit 1
-          fi
-
-  local-cache-first:
-    runs-on: ubuntu-latest
-    outputs:
-      digest: ${{ steps.docker_build.outputs.digest }}
-    services:
-      registry:
-        image: registry:2
-        ports:
-          - 5000:5000
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v3
-      -
-        name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
-      -
-        name: Set up Docker Buildx
-        id: buildx
-        uses: docker/setup-buildx-action@v1
-        with:
-          driver-opts: |
-            network=host
-      -
-        name: Cache Docker layers
-        uses: actions/cache@v2
-        with:
-          path: /tmp/.buildx-cache
-          key: ${{ runner.os }}-buildx-local-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-buildx-ghcache-
-      -
-        name: Erase cache
-        run: |
-          rm -rf /tmp/.buildx-cache/*
-      -
-        name: Build and push
-        id: docker_build
-        uses: ./
-        with:
-          context: ./test
-          file: ./test/multi.Dockerfile
-          builder: ${{ steps.buildx.outputs.name }}
-          platforms: linux/amd64,linux/arm64
-          push: true
-          tags: |
-            localhost:5000/name/app:latest
-            localhost:5000/name/app:1.0.0
-          cache-from: type=local,src=/tmp/.buildx-cache
-          cache-to: type=local,dest=/tmp/.buildx-cache
       -
         name: Inspect
         run: |
-          docker buildx imagetools inspect localhost:5000/name/app:1.0.0
+          docker buildx imagetools inspect localhost:5000/name/app:latest --format '{{json .}}'
       -
         name: Check digest
         run: |
@@ -700,83 +803,8 @@ jobs:
             exit 1
           fi
 
-  local-cache-hit:
-    runs-on: ubuntu-latest
-    needs: local-cache-first
-    services:
-      registry:
-        image: registry:2
-        ports:
-          - 5000:5000
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v3
-      -
-        name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
-      -
-        name: Set up Docker Buildx
-        id: buildx
-        uses: docker/setup-buildx-action@v1
-        with:
-          driver-opts: |
-            network=host
-      -
-        name: Cache Docker layers
-        uses: actions/cache@v2
-        id: cache
-        with:
-          path: /tmp/.buildx-cache
-          key: ${{ runner.os }}-buildx-local-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-buildx-ghcache-
-      -
-        name: Build and push
-        id: docker_build
-        uses: ./
-        with:
-          context: ./test
-          file: ./test/multi.Dockerfile
-          builder: ${{ steps.buildx.outputs.name }}
-          platforms: linux/amd64,linux/arm64
-          push: true
-          tags: |
-            localhost:5000/name/app:latest
-            localhost:5000/name/app:1.0.0
-          cache-from: type=local,src=/tmp/.buildx-cache
-          cache-to: type=local,dest=/tmp/.buildx-cache
-      -
-        name: Inspect
-        run: |
-          docker buildx imagetools inspect localhost:5000/name/app:1.0.0
-      -
-        name: Check digest
-        run: |
-          if [ -z "${{ steps.docker_build.outputs.digest }}" ]; then
-            echo "::error::Digest should not be empty"
-            exit 1
-          fi
-      -
-        name: Compare digests
-        run: |
-          echo Compare "${{ needs.local-cache-first.outputs.digest }}" with "${{ steps.docker_build.outputs.digest }}"
-          if [ "${{ needs.local-cache-first.outputs.digest }}" != "${{ steps.docker_build.outputs.digest }}" ]; then
-            echo "::error::Digests should be identical"
-            exit 1
-          fi
-      -
-        name: Cache hit
-        run: echo ${{ steps.cache.outputs.cache-hit }}
-
   github-cache:
     runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        buildx_version:
-          - ""
-          - latest
     services:
       registry:
         image: registry:2
@@ -788,14 +816,15 @@ jobs:
         uses: actions/checkout@v3
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v2
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
         with:
-          version: ${{ matrix.buildx_version }}
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
             network=host
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
           buildkitd-flags: --debug
       -
         name: Build and push
@@ -813,4 +842,29 @@ jobs:
       -
         name: Inspect
         run: |
-          docker buildx imagetools inspect localhost:5000/name/app:1.0.0
+          docker buildx imagetools inspect localhost:5000/name/app:1.0.0 --format '{{json .}}'
+
+  standalone:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Uninstall moby cli
+        run: |
+          sudo apt-get purge -y moby-cli moby-buildx
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            network=host
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          context: ./test
+          file: ./test/Dockerfile

.github/workflows/e2e.yml

@@ -2,6 +2,15 @@ name: e2e
 
 on:
   workflow_dispatch:
+    inputs:
+      buildx-version:
+        description: 'Buildx version or Git context'
+        default: 'latest'
+        required: false
+      buildkit-image:
+        description: 'BuildKit image'
+        default: 'moby/buildkit:buildx-stable-1'
+        required: false
   schedule:
     - cron: '0 10 * * *'
   push:
@@ -10,6 +19,10 @@ on:
     tags:
       - v*
 
+env:
+  BUILDX_VERSION: latest
+  BUILDKIT_IMAGE: moby/buildkit:buildx-stable-1
+
 jobs:
   docker:
     runs-on: ubuntu-latest
@@ -64,19 +77,23 @@ jobs:
       -
         name: Docker meta
         id: meta
-        uses: docker/metadata-action@v3
+        uses: docker/metadata-action@v4
         with:
           images: ${{ matrix.slug }}
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v2
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
       -
         name: Login to Registry
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
         with:
           registry: ${{ matrix.registry }}
           username: ${{ secrets[matrix.username_secret] }}
@@ -103,8 +120,4 @@ jobs:
         name: Check manifest
         if: github.event_name != 'pull_request'
         run: |
-          docker buildx imagetools inspect ${{ matrix.slug }}:${{ steps.meta.outputs.version }}
-      -
-        name: Dump context
-        if: always()
-        uses: crazy-max/ghaction-dump-context@v1
+          docker buildx imagetools inspect ${{ matrix.slug }}:${{ steps.meta.outputs.version }} --format '{{json .}}'

.github/workflows/example.yml

@@ -29,7 +29,7 @@ jobs:
       -
         name: Docker meta
         id: meta
-        uses: docker/metadata-action@v3
+        uses: docker/metadata-action@v4
         with:
           images: ${{ env.DOCKER_IMAGE }}
           tags: |
@@ -42,7 +42,7 @@ jobs:
             type=sha
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
         with:
           driver-opts: network=host
       -
@@ -71,8 +71,4 @@ jobs:
         name: Check manifest
         if: github.event_name != 'pull_request'
         run: |
-          docker buildx imagetools inspect ${{ env.DOCKER_IMAGE }}:${{ steps.meta.outputs.version }}
-      -
-        name: Dump context
-        if: always()
-        uses: crazy-max/ghaction-dump-context@v1
+          docker buildx imagetools inspect ${{ env.DOCKER_IMAGE }}:${{ steps.meta.outputs.version }} --format '{{json .}}'

.github/workflows/test.yml

@@ -17,16 +17,16 @@ jobs:
         uses: actions/checkout@v3
       -
         name: Validate
-        uses: docker/bake-action@v1
+        uses: docker/bake-action@v2
         with:
           targets: validate
       -
         name: Test
-        uses: docker/bake-action@v1
+        uses: docker/bake-action@v2
         with:
           targets: test
       -
         name: Upload coverage
-        uses: codecov/codecov-action@v2
+        uses: codecov/codecov-action@v3
         with:
           file: ./coverage/clover.xml

.github/workflows/virtual-env.yml

@@ -4,6 +4,16 @@ on:
   workflow_dispatch:
   schedule:
     - cron: '0 10 * * *'
+  push:
+    branches:
+      - 'master'
+    paths:
+      - '.github/workflows/virtual-env.yml'
+  pull_request:
+    branches:
+      - 'master'
+    paths:
+      - '.github/workflows/virtual-env.yml'
 
 jobs:
   os:
@@ -13,21 +23,40 @@ jobs:
       matrix:
         os:
           - ubuntu-latest
+          - ubuntu-22.04
           - ubuntu-20.04
           - ubuntu-18.04
     steps:
       -
         name: File system
         run: df -ah
+      -
+        name: Mounts
+        run: mount
+      -
+        name: Node info
+        run: node -p process
+      -
+        name: NPM version
+        run: npm version
       -
         name: List install packages
         run: apt list --installed
+      -
+        name: Docker daemon conf
+        run: |
+          cat /etc/docker/daemon.json
       -
         name: Docker info
         run: docker info
       -
         name: Docker version
         run: docker version
+      -
+        name: Cgroups
+        run: |
+          sudo apt-get install -y cgroup-tools
+          lscgroup
       -
         name: buildx version
         run: docker buildx version

README.md

@@ -1,14 +1,15 @@
 [![GitHub release](https://img.shields.io/github/release/docker/build-push-action.svg?style=flat-square)](https://github.com/docker/build-push-action/releases/latest)
 [![GitHub marketplace](https://img.shields.io/badge/marketplace-build--and--push--docker--images-blue?logo=github&style=flat-square)](https://github.com/marketplace/actions/build-and-push-docker-images)
-[![CI workflow](https://img.shields.io/github/workflow/status/docker/build-push-action/ci?label=ci&logo=github&style=flat-square)](https://github.com/docker/build-push-action/actions?workflow=ci)
-[![Test workflow](https://img.shields.io/github/workflow/status/docker/build-push-action/test?label=test&logo=github&style=flat-square)](https://github.com/docker/build-push-action/actions?workflow=test)
+[![CI workflow](https://img.shields.io/github/actions/workflow/status/docker/build-push-action/ci.yml?branch=master&label=ci&logo=github&style=flat-square)](https://github.com/docker/build-push-action/actions?workflow=ci)
+[![Test workflow](https://img.shields.io/github/actions/workflow/status/docker/build-push-action/test.yml?branch=master&label=test&logo=github&style=flat-square)](https://github.com/docker/build-push-action/actions?workflow=test)
 [![Codecov](https://img.shields.io/codecov/c/github/docker/build-push-action?logo=codecov&style=flat-square)](https://codecov.io/gh/docker/build-push-action)
 
 ## About
 
-GitHub Action to build and push Docker images with [Buildx](https://github.com/docker/buildx) with full support of the
-features provided by [Moby BuildKit](https://github.com/moby/buildkit) builder toolkit. This includes multi-platform
-build, secrets, remote cache, etc. and different builder deployment/namespacing options.
+GitHub Action to build and push Docker images with [Buildx](https://github.com/docker/buildx)
+with full support of the features provided by [Moby BuildKit](https://github.com/moby/buildkit)
+builder toolkit. This includes multi-platform build, secrets, remote cache, etc.
+and different builder deployment/namespacing options.
 
 ![Screenshot](.github/build-push-action.png)
 
@@ -17,43 +18,34 @@ ___
 * [Usage](#usage)
   * [Git context](#git-context)
   * [Path context](#path-context)
-* [Advanced usage](#advanced-usage)
-  * [Multi-platform image](docs/advanced/multi-platform.md)
-  * [Secrets](docs/advanced/secrets.md)
-  * [Isolated builders](docs/advanced/isolated-builders.md)
-  * [Push to multi-registries](docs/advanced/push-multi-registries.md)
-  * [Copy between registries](docs/advanced/copy-between-registries.md)  
-  * [Cache](docs/advanced/cache.md)
-  * [Local registry](docs/advanced/local-registry.md)
-  * [Export image to Docker](docs/advanced/export-docker.md)
-  * [Share built image between jobs](docs/advanced/share-image-jobs.md)
-  * [Test your image before pushing it](docs/advanced/test-before-push.md)
-  * [Handle tags and labels](docs/advanced/tags-labels.md)
-  * [Update DockerHub repo description](docs/advanced/dockerhub-desc.md)
+* [Examples](#examples)
 * [Customizing](#customizing)
   * [inputs](#inputs)
   * [outputs](#outputs)
 * [Troubleshooting](#troubleshooting)
-* [Keep up-to-date with GitHub Dependabot](#keep-up-to-date-with-github-dependabot)
+* [Contributing](#contributing)
 
 ## Usage
 
 In the examples below we are also using 3 other actions:
 
-* [`setup-buildx`](https://github.com/docker/setup-buildx-action) action will create and boot a builder using by 
-default the `docker-container` [builder driver](https://github.com/docker/buildx/blob/master/docs/reference/buildx_create.md#driver).
-This is **not required but recommended** using it to be able to build multi-platform images, export cache, etc.
-* [`setup-qemu`](https://github.com/docker/setup-qemu-action) action can be useful if you want
-to add emulation support with QEMU to be able to build against more platforms. 
-* [`login`](https://github.com/docker/login-action) action will take care to log in against a Docker registry.
+* [`setup-buildx`](https://github.com/docker/setup-buildx-action) action will
+  create and boot a builder using by default the [`docker-container` driver](https://docs.docker.com/build/building/drivers/docker-container/).
+  This is **not required but recommended** using it to be able to build
+  multi-platform images, export cache, etc.
+* [`setup-qemu`](https://github.com/docker/setup-qemu-action) action can be
+  useful if you want to add emulation support with QEMU to be able to build
+  against more platforms. 
+* [`login`](https://github.com/docker/login-action) action will take care to
+  log in against a Docker registry.
 
 ### Git context
 
-By default, this action uses the [Git context](#git-context) so you don't need
-to use the [`actions/checkout`](https://github.com/actions/checkout/) action to
-check out the repository because this will be done directly by [BuildKit](https://github.com/moby/buildkit).
+By default, this action uses the [Git context](https://docs.docker.com/engine/reference/commandline/build/#git-repositories),
+so you don't need to use the [`actions/checkout`](https://github.com/actions/checkout/)
+action to check out the repository as this will be done directly by [BuildKit](https://github.com/moby/buildkit).
 
-The git reference will be based on the [event that triggered your workflow](https://docs.github.com/en/actions/reference/events-that-trigger-workflows)
+The git reference will be based on the [event that triggered your workflow](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows)
 and will result in the following context: `https://github.com/<owner>/<repo>.git#<ref>`.
 
 ```yaml
@@ -70,19 +62,19 @@ jobs:
     steps:
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v2
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
       -
-        name: Login to DockerHub
-        uses: docker/login-action@v1 
+        name: Login to Docker Hub
+        uses: docker/login-action@v2
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
       -
         name: Build and push
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v3
         with:
           push: true
           tags: user/app:latest
@@ -100,25 +92,37 @@ expression `{{defaultContext}}`. Here we can use it to provide a subdirectory
 to the default Git context:
 
 ```yaml
+      -
+        # Setting up Docker Buildx with docker-container driver is required
+        # at the moment to be able to use a subdirectory with Git context
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
       -
         name: Build and push
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v3
         with:
           context: "{{defaultContext}}:mysubdir"
           push: true
           tags: user/app:latest
 ```
-> :warning: Subdirectory for Git context is not yet available for the buildx [`docker` driver](https://github.com/docker/buildx/blob/master/docs/reference/buildx_create.md#driver).
 
-Building from the current repository automatically uses the [GitHub Token](https://help.github.com/en/actions/configuring-and-managing-workflows/authenticating-with-the-github_token)
+> **Warning**
+>
+> Subdirectory for Git context is available from [BuildKit v0.9.0](https://github.com/moby/buildkit/releases/tag/v0.9.0).
+> If you're using the `docker` builder (default if `setup-buildx-action` not used),
+> then BuildKit in Docker Engine will be used. As Docker Engine < v22.x.x embeds
+> Buildkit 0.8.2 at the moment, it does not support this feature. It's therefore
+> required to use the `setup-buildx-action` at the moment.
+
+Building from the current repository automatically uses the [GitHub Token](https://docs.github.com/en/actions/security-guides/automatic-token-authentication),
 so it does not need to be passed. If you want to authenticate against another
-private repository, you have to use a [secret](docs/advanced/secrets.md) named
-`GIT_AUTH_TOKEN` to be able to authenticate against it with buildx:
+private repository, you have to use a [secret](https://docs.docker.com/build/ci/github-actions/examples/#secrets)
+named `GIT_AUTH_TOKEN` to be able to authenticate against it with Buildx:
 
 ```yaml
       -
         name: Build and push
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v3
         with:
           push: true
           tags: user/app:latest
@@ -142,42 +146,31 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v2
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
       -
-        name: Login to DockerHub
-        uses: docker/login-action@v1
+        name: Login to Docker Hub
+        uses: docker/login-action@v2
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
       -
         name: Build and push
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v3
         with:
           context: .
           push: true
           tags: user/app:latest
 ```
 
-## Advanced usage
+## Examples
 
-* [Multi-platform image](docs/advanced/multi-platform.md)
-* [Secrets](docs/advanced/secrets.md)
-* [Isolated builders](docs/advanced/isolated-builders.md)
-* [Push to multi-registries](docs/advanced/push-multi-registries.md)
-* [Copy between registries](docs/advanced/copy-between-registries.md)
-* [Cache](docs/advanced/cache.md)
-* [Local registry](docs/advanced/local-registry.md)
-* [Export image to Docker](docs/advanced/export-docker.md)
-* [Share built image between jobs](docs/advanced/share-image-jobs.md)
-* [Test your image before pushing it](docs/advanced/test-before-push.md)
-* [Handle tags and labels](docs/advanced/tags-labels.md)
-* [Update DockerHub repo description](docs/advanced/dockerhub-desc.md)
+See https://docs.docker.com/build/ci/github-actions/examples/.
 
 ## Customizing
 
@@ -197,61 +190,58 @@ Following inputs can be used as `step.with` keys
 > tags: name/app:latest,name/app:1.0.0
 > ```
 
-| Name                | Type     | Description                        |
-|---------------------|----------|------------------------------------|
-| `add-hosts`         | List/CSV | List of [customs host-to-IP mapping](https://docs.docker.com/engine/reference/commandline/build/#add-entries-to-container-hosts-file---add-host) (e.g., `docker:10.180.0.1`) |
-| `allow`             | List/CSV | List of [extra privileged entitlement](https://github.com/docker/buildx/blob/master/docs/reference/buildx_build.md#allow) (e.g., `network.host,security.insecure`) |
-| `builder`           | String   | Builder instance (see [setup-buildx](https://github.com/docker/setup-buildx-action) action) |
-| `build-args`        | List     | List of [build-time variables](https://github.com/docker/buildx/blob/master/docs/reference/buildx_build.md#build-arg) |
-| `build-contexts`    | List     | List of additional [build contexts](https://github.com/docker/buildx/blob/master/docs/reference/buildx_build.md#build-context) (e.g., `name=path`) |
-| `cache-from`        | List     | List of [external cache sources](https://github.com/docker/buildx/blob/master/docs/reference/buildx_build.md#cache-from) (e.g., `type=local,src=path/to/dir`) |
-| `cache-to`          | List     | List of [cache export destinations](https://github.com/docker/buildx/blob/master/docs/reference/buildx_build.md#cache-to) (e.g., `type=local,dest=path/to/dir`) |
-| `cgroup-parent`     | String   | Optional [parent cgroup](https://docs.docker.com/engine/reference/commandline/build/#use-a-custom-parent-cgroup---cgroup-parent) for the container used in the build |
-| `context`           | String   | Build's context is the set of files located in the specified [`PATH` or `URL`](https://docs.docker.com/engine/reference/commandline/build/) (default [Git context](#git-context)) |
-| `file`              | String   | Path to the Dockerfile. (default `{context}/Dockerfile`) |
-| `labels`            | List     | List of metadata for an image |
-| `load`              | Bool     | [Load](https://github.com/docker/buildx/blob/master/docs/reference/buildx_build.md#load) is a shorthand for `--output=type=docker` (default `false`) |
-| `network`           | String   | Set the networking mode for the `RUN` instructions during build |
-| `no-cache`          | Bool     | Do not use cache when building the image (default `false`) |
-| `outputs`           | List     | List of [output destinations](https://github.com/docker/buildx/blob/master/docs/reference/buildx_build.md#output) (format: `type=local,dest=path`) |
-| `platforms`         | List/CSV | List of [target platforms](https://github.com/docker/buildx/blob/master/docs/reference/buildx_build.md#platform) for build |
-| `pull`              | Bool     | Always attempt to pull all referenced images (default `false`) |
-| `push`              | Bool     | [Push](https://github.com/docker/buildx/blob/master/docs/reference/buildx_build.md#push) is a shorthand for `--output=type=registry` (default `false`) |
-| `secrets`           | List     | List of [secrets](https://github.com/docker/buildx/blob/master/docs/reference/buildx_build.md#secret) to expose to the build (e.g., `key=string`, `GIT_AUTH_TOKEN=mytoken`) |
-| `secret-files`      | List     | List of [secret files](https://github.com/docker/buildx/blob/master/docs/reference/buildx_build.md#secret) to expose to the build (e.g., `key=filename`, `MY_SECRET=./secret.txt`) |
-| `shm-size`          | String   | Size of [`/dev/shm`](https://github.com/docker/buildx/blob/master/docs/reference/buildx_build.md#-size-of-devshm---shm-size) (e.g., `2g`) |
-| `ssh`               | List     | List of [SSH agent socket or keys](https://github.com/docker/buildx/blob/master/docs/reference/buildx_build.md#ssh) to expose to the build |
-| `tags`              | List/CSV | List of tags |
-| `target`            | String   | Sets the target stage to build |
-| `ulimit`            | List     | [Ulimit](https://github.com/docker/buildx/blob/master/docs/reference/buildx_build.md#-set-ulimits---ulimit) options (e.g., `nofile=1024:1024`) |
-| `github-token`      | String   | GitHub Token used to authenticate against a repository for [Git context](#git-context) (default `${{ github.token }}`) |
+| Name               | Type        | Description                                                                                                                                                                       |
+|--------------------|-------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `add-hosts`        | List/CSV    | List of [customs host-to-IP mapping](https://docs.docker.com/engine/reference/commandline/build/#add-entries-to-container-hosts-file---add-host) (e.g., `docker:10.180.0.1`)      |
+| `allow`            | List/CSV    | List of [extra privileged entitlement](https://docs.docker.com/engine/reference/commandline/buildx_build/#allow) (e.g., `network.host,security.insecure`)                         |
+| `attests`          | List        | List of [attestation](https://docs.docker.com/build/attestations/) parameters (e.g., `type=sbom,generator=image`)                                                                 | 
+| `builder`          | String      | Builder instance (see [setup-buildx](https://github.com/docker/setup-buildx-action) action)                                                                                       |
+| `build-args`       | List        | List of [build-time variables](https://docs.docker.com/engine/reference/commandline/buildx_build/#build-arg)                                                                      |
+| `build-contexts`   | List        | List of additional [build contexts](https://docs.docker.com/engine/reference/commandline/buildx_build/#build-context) (e.g., `name=path`)                                         |
+| `cache-from`       | List        | List of [external cache sources](https://docs.docker.com/engine/reference/commandline/buildx_build/#cache-from) (e.g., `type=local,src=path/to/dir`)                              |
+| `cache-to`         | List        | List of [cache export destinations](https://docs.docker.com/engine/reference/commandline/buildx_build/#cache-to) (e.g., `type=local,dest=path/to/dir`)                            |
+| `cgroup-parent`    | String      | Optional [parent cgroup](https://docs.docker.com/engine/reference/commandline/build/#use-a-custom-parent-cgroup---cgroup-parent) for the container used in the build              |
+| `context`          | String      | Build's context is the set of files located in the specified [`PATH` or `URL`](https://docs.docker.com/engine/reference/commandline/build/) (default [Git context](#git-context)) |
+| `file`             | String      | Path to the Dockerfile. (default `{context}/Dockerfile`)                                                                                                                          |
+| `labels`           | List        | List of metadata for an image                                                                                                                                                     |
+| `load`             | Bool        | [Load](https://docs.docker.com/engine/reference/commandline/buildx_build/#load) is a shorthand for `--output=type=docker` (default `false`)                                       |
+| `network`          | String      | Set the networking mode for the `RUN` instructions during build                                                                                                                   |
+| `no-cache`         | Bool        | Do not use cache when building the image (default `false`)                                                                                                                        |
+| `no-cache-filters` | List/CSV    | Do not cache specified stages                                                                                                                                                     |
+| `outputs`¹         | List        | List of [output destinations](https://docs.docker.com/engine/reference/commandline/buildx_build/#output) (format: `type=local,dest=path`)                                         |
+| `platforms`        | List/CSV    | List of [target platforms](https://docs.docker.com/engine/reference/commandline/buildx_build/#platform) for build                                                                 |
+| `provenance`       | Bool/String | Generate [provenance](https://docs.docker.com/build/attestations/slsa-provenance/) attestation for the build (shorthand for `--attest=type=provenance`)                           |
+| `pull`             | Bool        | Always attempt to pull all referenced images (default `false`)                                                                                                                    |
+| `push`             | Bool        | [Push](https://docs.docker.com/engine/reference/commandline/buildx_build/#push) is a shorthand for `--output=type=registry` (default `false`)                                     |
+| `sbom`             | Bool/String | Generate [SBOM](https://docs.docker.com/build/attestations/sbom/) attestation for the build (shorthand for `--attest=type=sbom`)                                                  |
+| `secrets`          | List        | List of [secrets](https://docs.docker.com/engine/reference/commandline/buildx_build/#secret) to expose to the build (e.g., `key=string`, `GIT_AUTH_TOKEN=mytoken`)                |
+| `secret-files`     | List        | List of [secret files](https://docs.docker.com/engine/reference/commandline/buildx_build/#secret) to expose to the build (e.g., `key=filename`, `MY_SECRET=./secret.txt`)         |
+| `shm-size`         | String      | Size of [`/dev/shm`](https://docs.docker.com/engine/reference/commandline/buildx_build/#shm-size) (e.g., `2g`)                                                                    |
+| `ssh`              | List        | List of [SSH agent socket or keys](https://docs.docker.com/engine/reference/commandline/buildx_build/#ssh) to expose to the build                                                 |
+| `tags`             | List/CSV    | List of tags                                                                                                                                                                      |
+| `target`           | String      | Sets the target stage to build                                                                                                                                                    |
+| `ulimit`           | List        | [Ulimit](https://docs.docker.com/engine/reference/commandline/buildx_build/#ulimit) options (e.g., `nofile=1024:1024`)                                                            |
+| `github-token`     | String      | GitHub Token used to authenticate against a repository for [Git context](#git-context) (default `${{ github.token }}`)                                                            |
+
+> **Note**
+>
+> * ¹ multiple `outputs` are [not yet supported](https://github.com/moby/buildkit/issues/1555)
 
 ### outputs
 
 Following outputs are available
 
-| Name              | Type    | Description                           |
-|-------------------|---------|---------------------------------------|
-| `imageid`         | String  | Image ID |
-| `digest`          | String  | Image digest |
-| `metadata`        | JSON    | Build result metadata |
+| Name       | Type    | Description           |
+|------------|---------|-----------------------|
+| `imageid`  | String  | Image ID              |
+| `digest`   | String  | Image digest          |
+| `metadata` | JSON    | Build result metadata |
 
 ## Troubleshooting
 
 See [TROUBLESHOOTING.md](TROUBLESHOOTING.md)
 
-## Keep up-to-date with GitHub Dependabot
+## Contributing
 
-Since [Dependabot](https://docs.github.com/en/github/administering-a-repository/keeping-your-actions-up-to-date-with-github-dependabot)
-has [native GitHub Actions support](https://docs.github.com/en/github/administering-a-repository/configuration-options-for-dependency-updates#package-ecosystem),
-to enable it on your GitHub repo all you need to do is add the `.github/dependabot.yml` file:
-
-```yaml
-version: 2
-updates:
-  # Maintain dependencies for GitHub Actions
-  - package-ecosystem: "github-actions"
-    directory: "/"
-    schedule:
-      interval: "daily"
-```
+Want to contribute? Awesome! You can find information about contributing to
+this project in the [CONTRIBUTING.md](/.github/CONTRIBUTING.md)

TROUBLESHOOTING.md

@@ -16,7 +16,7 @@ While pushing to a registry, you may encounter these kinds of issues:
 * `unexpected response: 401 Unauthorized`
 
 These issues are not directly related to this action but are rather linked to
-[buildx](https://github.com/docker/buildx), [buildkit](https://github.com/moby/buildkit),
+[Buildx](https://github.com/docker/buildx), [BuildKit](https://github.com/moby/buildkit),
 [containerd](https://github.com/containerd/containerd) or the registry on which
 you're pushing your image. The quality of error message depends on the registry
 and are usually not very informative.
@@ -29,7 +29,7 @@ action step and attach BuildKit container logs to your issue.
 ### With containerd
 
 Next you can test pushing with [containerd action](https://github.com/crazy-max/ghaction-setup-containerd)
-using the following workflow. If it works then open an issue on [buildkit](https://github.com/moby/buildkit)
+using the following workflow. If it works then open an issue on [BuildKit](https://github.com/moby/buildkit)
 repository.
 
 ```yaml
@@ -44,21 +44,21 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v2
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
         with:
           buildkitd-flags: --debug
       -
         name: Set up containerd
-        uses: crazy-max/ghaction-setup-containerd@v1
+        uses: crazy-max/ghaction-setup-containerd@v2
       -
         name: Build Docker image
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v3
         with:
           context: .
           platforms: linux/amd64,linux/arm64
@@ -105,13 +105,13 @@ to generate sanitized tags:
 ```yaml
 - name: Docker meta
   id: meta
-  uses: docker/metadata-action@v3
+  uses: docker/metadata-action@v4
   with:
     images: ghcr.io/${{ github.repository }}
     tags: latest
 
 - name: Build and push
-  uses: docker/build-push-action@v2
+  uses: docker/build-push-action@v3
   with:
     context: .
     push: true
@@ -122,14 +122,14 @@ Or a dedicated step to sanitize the slug:
 
 ```yaml
 - name: Sanitize repo slug
-  uses: actions/github-script@v4
+  uses: actions/github-script@v6
   id: repo_slug
   with:
     result-encoding: string
     script: return 'ghcr.io/${{ github.repository }}'.toLowerCase()
 
 - name: Build and push
-  uses: docker/build-push-action@v2
+  uses: docker/build-push-action@v3
   with:
     context: .
     push: true

UPGRADE.md

@@ -1,133 +0,0 @@
-# Upgrade notes
-
-## v1 to v2
-
-* Input `path` is now called `context` for consistency with other Docker build tools
-* `path` defaults to current git repository so checkout action is not required in a workflow
-* Rename `dockerfile` input to `file` for consistency with other Docker build tools
-* Rename `always_pull` input to `pull` for consistency with other Docker build tools
-* Add `builder` input to be able to choose a builder instance through our [setup-buildx action](https://github.com/docker/setup-buildx-action)
-* Add `platforms` input to support multi-platform builds
-* Add `allow` input
-* Add `load` input
-* Add `outputs` input
-* Add `cache-from` input (`cache_froms` removed)
-* Add `cache-to` input
-* Rename `build_args` input to `build-args` for consistency with other Docker build tools
-* Add `secrets` input
-* Review `tags` input
-* Remove `repository` input. See [Simple workflow](#simple-workflow) for migration
-* Remove `username`, `password` and `registry` inputs. Login support moved to [docker/login-action](https://github.com/docker/login-action) repo
-* Remove `tag_with_sha`, `tag_with_ref`, `add_git_labels` inputs. See [Tags with ref and Git labels](#tags-with-ref-and-git-labels) for migration
-* Handle Git context
-* Add `digest` output
-
-### Simple workflow
-
-```yaml
-# v1
-steps:
-  -
-    name: Checkout
-    uses: actions/checkout@v2
-  -
-    name: Build and push Docker images
-    uses: docker/build-push-action@v1
-    with:
-      username: ${{ secrets.DOCKER_USERNAME }}
-      password: ${{ secrets.DOCKER_PASSWORD }}
-      repository: myorg/myrepository
-      always_pull: true
-      build_args: arg1=value1,arg2=value2
-      cache_froms: myorg/myrepository:latest
-      tags: latest
-```
-
-```yaml
-# v2
-steps:
-  -
-    name: Checkout
-    uses: actions/checkout@v2
-  -
-    name: Set up Docker Buildx
-    uses: docker/setup-buildx-action@v1
-  -
-    name: Login to DockerHub
-    uses: docker/login-action@v1
-    with:
-      username: ${{ secrets.DOCKER_USERNAME }}
-      password: ${{ secrets.DOCKER_PASSWORD }}
-  -
-    name: Build and push
-    uses: docker/build-push-action@v2
-    with:
-      context: .
-      pull: true
-      push: true
-      build-args: |
-        arg1=value1
-        arg2=value2
-      cache-from: type=registry,ref=myorg/myrepository:latest
-      cache-to: type=inline
-      tags: myorg/myrepository:latest
-```
-
-### Tags with ref and Git labels
-
-```yaml
-# v1
-steps:
-  -
-    name: Checkout
-    uses: actions/checkout@v2
-  -
-    name: Build and push Docker images
-    uses: docker/build-push-action@v1
-    with:
-      username: ${{ secrets.DOCKER_USERNAME }}
-      password: ${{ secrets.DOCKER_PASSWORD }}
-      repository: myorg/myrepository
-      push: ${{ github.event_name != 'pull_request' }}
-      tag_with_ref: true
-      tag_with_sha: true
-      add_git_labels: true
-```
-
-```yaml
-# v2
-steps:
-  -
-    name: Checkout
-    uses: actions/checkout@v2
-  -
-    name: Docker meta
-    id: meta
-    uses: docker/metadata-action@v3
-    with:
-      images: |
-        myorg/myrepository
-      tags: |
-        type=ref,event=branch
-        type=ref,event=pr
-        type=semver,pattern={{version}}
-        type=sha
-  -
-    name: Set up Docker Buildx
-    uses: docker/setup-buildx-action@v1
-  -
-    name: Login to DockerHub
-    if: github.event_name != 'pull_request'
-    uses: docker/login-action@v1 
-    with:
-      username: ${{ secrets.DOCKER_USERNAME }}
-      password: ${{ secrets.DOCKER_PASSWORD }}
-  -
-    name: Build and push
-    uses: docker/build-push-action@v2
-    with:
-      context: .
-      push: ${{ github.event_name != 'pull_request' }}
-      tags: ${{ steps.meta.outputs.tags }}
-      labels: ${{ steps.meta.outputs.labels }}
-```

__tests__/buildx.test.ts

@@ -1,8 +1,8 @@
+import {describe, expect, it, jest, test} from '@jest/globals';
 import * as fs from 'fs';
 import * as path from 'path';
 import * as semver from 'semver';
 import * as exec from '@actions/exec';
-
 import * as buildx from '../src/buildx';
 import * as context from '../src/context';
 
@@ -53,94 +53,47 @@ describe('getDigest', () => {
 });
 
 describe('isLocalOrTarExporter', () => {
-  // prettier-ignore
   test.each([
-    [
-      [
-        'type=registry,ref=user/app',
-      ],
-      false
-    ],
-    [
-      [
-        'type=docker',
-      ],
-      false
-    ],
-    [
-      [
-        'type=local,dest=./release-out'
-      ],
-      true
-    ],
-    [
-      [
-        'type=tar,dest=/tmp/image.tar'
-      ],
-      true
-    ],
-    [
-      [
-        'type=docker',
-        'type=tar,dest=/tmp/image.tar'
-      ],
-      true
-    ],
-    [
-      [
-        '"type=tar","dest=/tmp/image.tar"'
-      ],
-      true
-    ],
-    [
-      [
-        '" type= local" , dest=./release-out'
-      ],
-      true
-    ],
-    [
-      [
-        '.'
-      ],
-      true
-    ],
-  ])(
-    'given %p returns %p',
-    async (outputs: Array<string>, expected: boolean) => {
-      expect(buildx.isLocalOrTarExporter(outputs)).toEqual(expected);
-    }
-  );
+    [['type=registry,ref=user/app'], false],
+    [['type=docker'], false],
+    [['type=local,dest=./release-out'], true],
+    [['type=tar,dest=/tmp/image.tar'], true],
+    [['type=docker', 'type=tar,dest=/tmp/image.tar'], true],
+    [['"type=tar","dest=/tmp/image.tar"'], true],
+    [['" type= local" , dest=./release-out'], true],
+    [['.'], true]
+  ])('given %p returns %p', async (outputs: Array<string>, expected: boolean) => {
+    expect(buildx.isLocalOrTarExporter(outputs)).toEqual(expected);
+  });
 });
 
 describe('isAvailable', () => {
-  const execSpy: jest.SpyInstance = jest.spyOn(exec, 'getExecOutput');
+  const execSpy = jest.spyOn(exec, 'getExecOutput');
   buildx.isAvailable();
 
+  // eslint-disable-next-line jest/no-standalone-expect
   expect(execSpy).toHaveBeenCalledWith(`docker`, ['buildx'], {
     silent: true,
     ignoreReturnCode: true
   });
 });
 
+describe('isAvailable standalone', () => {
+  const execSpy = jest.spyOn(exec, 'getExecOutput');
+  buildx.isAvailable(true);
+
+  // eslint-disable-next-line jest/no-standalone-expect
+  expect(execSpy).toHaveBeenCalledWith(`buildx`, [], {
+    silent: true,
+    ignoreReturnCode: true
+  });
+});
+
 describe('getVersion', () => {
-  async function isDaemonRunning() {
-    return await exec
-      .getExecOutput(`docker`, ['version', '--format', '{{.Server.Os}}'], {
-        ignoreReturnCode: true,
-        silent: true
-      })
-      .then(res => {
-        return !res.stdout.includes(' ') && res.exitCode == 0;
-      });
-  }
-  (isDaemonRunning() ? it : it.skip)(
-    'valid',
-    async () => {
-      const version = await buildx.getVersion();
-      expect(semver.valid(version)).not.toBeNull();
-    },
-    100000
-  );
+  it('valid', async () => {
+    const version = await buildx.getVersion();
+    expect(semver.valid(version)).not.toBeNull();
+  });
 });
 
 describe('parseVersion', () => {
@@ -184,9 +137,9 @@ describe('getSecret', () => {
       }
       expect(true).toBe(!invalid);
       expect(secret).toEqual(`id=${exKey},src=${tmpNameSync}`);
-      const secretValue = await fs.readFileSync(tmpNameSync, 'utf-8');
-      expect(secretValue).toEqual(exValue);
+      expect(fs.readFileSync(tmpNameSync, 'utf-8')).toEqual(exValue);
     } catch (err) {
+      // eslint-disable-next-line jest/no-conditional-expect
       expect(true).toBe(invalid);
     }
   });

__tests__/context.test.ts

@@ -1,7 +1,8 @@
+import {beforeEach, describe, expect, it, jest, test} from '@jest/globals';
 import * as fs from 'fs';
-import * as os from 'os';
 import * as path from 'path';
 
+import * as buildx from '../src/buildx';
 import * as context from '../src/context';
 
 const pgp = `-----BEGIN PGP PRIVATE KEY BLOCK-----
@@ -127,6 +128,8 @@ jest.spyOn(context, 'tmpNameSync').mockImplementation((): string => {
   return path.join('/tmp/.docker-build-push-jest', '.tmpname-jest').split(path.sep).join(path.posix.sep);
 });
 
+jest.spyOn(buildx, 'satisfiesBuildKitVersion').mockResolvedValueOnce(true);
+
 describe('getArgs', () => {
   beforeEach(() => {
     process.env = Object.keys(process.env).reduce((object, key) => {
@@ -150,7 +153,6 @@ describe('getArgs', () => {
         ['pull', 'false'],
       ]),
       [
-        'buildx',
         'build',
         '--iidfile', '/tmp/.docker-build-push-jest/iidfile',
         '.'
@@ -160,17 +162,21 @@ describe('getArgs', () => {
       1,
       '0.4.2',
       new Map<string, string>([
-        ['build-args', 'MY_ARG=val1,val2,val3\nARG=val'],
+        ['build-args', `MY_ARG=val1,val2,val3
+ARG=val
+"MULTILINE=aaaa
+bbbb
+ccc"`],
         ['load', 'false'],
         ['no-cache', 'false'],
         ['push', 'false'],
         ['pull', 'false'],
       ]),
       [
-        'buildx',
         'build',
         '--build-arg', 'MY_ARG=val1,val2,val3',
         '--build-arg', 'ARG=val',
+        '--build-arg', `MULTILINE=aaaa\nbbbb\nccc`,
         '--iidfile', '/tmp/.docker-build-push-jest/iidfile',
         'https://github.com/docker/build-push-action.git#refs/heads/test-jest'
       ]
@@ -186,7 +192,6 @@ describe('getArgs', () => {
         ['pull', 'false'],
       ]),
       [
-        'buildx',
         'build',
         '--iidfile', '/tmp/.docker-build-push-jest/iidfile',
         '--tag', 'name/app:7.4',
@@ -207,7 +212,6 @@ describe('getArgs', () => {
         ['pull', 'false'],
       ]),
       [
-        'buildx',
         'build',
         '--label', 'org.opencontainers.image.title=buildkit',
         '--label', 'org.opencontainers.image.description=concurrent, cache-efficient, and Dockerfile-agnostic builder toolkit',
@@ -227,7 +231,6 @@ describe('getArgs', () => {
         ['pull', 'false'],
       ]),
       [
-        'buildx',
         'build',
         '--platform', 'linux/amd64,linux/arm64',
         '.'
@@ -244,7 +247,6 @@ describe('getArgs', () => {
         ['pull', 'false'],
       ]),
       [
-        'buildx',
         'build',
         '--iidfile', '/tmp/.docker-build-push-jest/iidfile',
         '.'
@@ -262,7 +264,6 @@ describe('getArgs', () => {
         ['pull', 'false'],
       ]),
       [
-        'buildx',
         'build',
         '--iidfile', '/tmp/.docker-build-push-jest/iidfile',
         '--secret', 'id=GIT_AUTH_TOKEN,src=/tmp/.docker-build-push-jest/.tmpname-jest',
@@ -281,7 +282,6 @@ describe('getArgs', () => {
         ['pull', 'false'],
       ]),
       [
-        'buildx',
         'build',
         '--output', '.',
         '--secret', 'id=GIT_AUTH_TOKEN,src=/tmp/.docker-build-push-jest/.tmpname-jest',
@@ -304,7 +304,6 @@ describe('getArgs', () => {
         ['pull', 'false'],
       ]),
       [
-        'buildx',
         'build',
         '--file', './test/Dockerfile',
         '--iidfile', '/tmp/.docker-build-push-jest/iidfile',
@@ -339,7 +338,6 @@ ccc"`],
         ['pull', 'false'],
       ]),
       [
-        'buildx',
         'build',
         '--file', './test/Dockerfile',
         '--iidfile', '/tmp/.docker-build-push-jest/iidfile',
@@ -377,7 +375,6 @@ ccc`],
         ['pull', 'false'],
       ]),
       [
-        'buildx',
         'build',
         '--file', './test/Dockerfile',
         '--iidfile', '/tmp/.docker-build-push-jest/iidfile',
@@ -407,7 +404,6 @@ ccc`],
         ['pull', 'false'],
       ]),
       [
-        'buildx',
         'build',
         '--file', './test/Dockerfile',
         '--iidfile', '/tmp/.docker-build-push-jest/iidfile',
@@ -431,7 +427,6 @@ ccc`],
         ['pull', 'false'],
       ]),
       [
-        'buildx',
         'build',
         '--label', 'org.opencontainers.image.title=filter_results_top_n',
         '--label', 'org.opencontainers.image.description=Reference implementation of operation "filter results (top-n)"',
@@ -454,7 +449,6 @@ ccc`],
         ['pull', 'false'],
       ]),
       [
-        'buildx',
         'build',
         '--add-host', 'docker:10.180.0.1',
         '--add-host', 'foo:10.0.0.1',
@@ -483,7 +477,6 @@ nproc=3`],
         ['pull', 'false'],
       ]),
       [
-        'buildx',
         'build',
         '--add-host', 'docker:10.180.0.1',
         '--add-host', 'foo:10.0.0.1',
@@ -508,17 +501,184 @@ nproc=3`],
         ['pull', 'false'],
       ]),
       [
-        'buildx',
         'build',
         '--iidfile', '/tmp/.docker-build-push-jest/iidfile',
         '--metadata-file', '/tmp/.docker-build-push-jest/metadata-file',
         'https://github.com/docker/build-push-action.git#refs/heads/test-jest:docker'
       ]
     ],
+    [
+      16,
+      '0.8.2',
+      new Map<string, string>([
+        ['github-token', 'abcdefghijklmno0123456789'],
+        ['context', '{{defaultContext}}:subdir'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+      ]),
+      [
+        'build',
+        '--iidfile', '/tmp/.docker-build-push-jest/iidfile',
+        '--secret', 'id=GIT_AUTH_TOKEN,src=/tmp/.docker-build-push-jest/.tmpname-jest',
+        '--metadata-file', '/tmp/.docker-build-push-jest/metadata-file',
+        'https://github.com/docker/build-push-action.git#refs/heads/test-jest:subdir'
+      ]
+    ],
+    [
+      17,
+      '0.8.2',
+      new Map<string, string>([
+        ['context', '.'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+        ['provenance', 'true'],
+      ]),
+      [
+        'build',
+        '--iidfile', '/tmp/.docker-build-push-jest/iidfile',
+        '--metadata-file', '/tmp/.docker-build-push-jest/metadata-file',
+        '.'
+      ]
+    ],
+    [
+      18,
+      '0.10.0',
+      new Map<string, string>([
+        ['context', '.'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+      ]),
+      [
+        'build',
+        '--iidfile', '/tmp/.docker-build-push-jest/iidfile',
+        "--provenance", 'false',
+        '--metadata-file', '/tmp/.docker-build-push-jest/metadata-file',
+        '.'
+      ]
+    ],
+    [
+      19,
+      '0.10.0',
+      new Map<string, string>([
+        ['context', '.'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+        ['provenance', 'true'],
+      ]),
+      [
+        'build',
+        '--iidfile', '/tmp/.docker-build-push-jest/iidfile',
+        "--provenance", `builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`,
+        '--metadata-file', '/tmp/.docker-build-push-jest/metadata-file',
+        '.'
+      ]
+    ],
+    [
+      20,
+      '0.10.0',
+      new Map<string, string>([
+        ['context', '.'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+        ['provenance', 'mode=max'],
+      ]),
+      [
+        'build',
+        '--iidfile', '/tmp/.docker-build-push-jest/iidfile',
+        "--provenance", `mode=max,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`,
+        '--metadata-file', '/tmp/.docker-build-push-jest/metadata-file',
+        '.'
+      ]
+    ],
+    [
+      21,
+      '0.10.0',
+      new Map<string, string>([
+        ['context', '.'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+        ['provenance', 'false'],
+      ]),
+      [
+        'build',
+        '--iidfile', '/tmp/.docker-build-push-jest/iidfile',
+        "--provenance", 'false',
+        '--metadata-file', '/tmp/.docker-build-push-jest/metadata-file',
+        '.'
+      ]
+    ],
+    [
+      22,
+      '0.10.0',
+      new Map<string, string>([
+        ['context', '.'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+        ['provenance', 'builder-id=foo'],
+      ]),
+      [
+        'build',
+        '--iidfile', '/tmp/.docker-build-push-jest/iidfile',
+        "--provenance", 'builder-id=foo',
+        '--metadata-file', '/tmp/.docker-build-push-jest/metadata-file',
+        '.'
+      ]
+    ],
+    [
+      23,
+      '0.10.0',
+      new Map<string, string>([
+        ['context', '.'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+        ['outputs', 'type=docker'],
+      ]),
+      [
+        'build',
+        '--iidfile', '/tmp/.docker-build-push-jest/iidfile',
+        "--output", 'type=docker',
+        '--metadata-file', '/tmp/.docker-build-push-jest/metadata-file',
+        '.'
+      ]
+    ],
+    [
+      24,
+      '0.10.0',
+      new Map<string, string>([
+        ['context', '.'],
+        ['load', 'true'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+      ]),
+      [
+        'build',
+        '--iidfile', '/tmp/.docker-build-push-jest/iidfile',
+        "--load",
+        '--metadata-file', '/tmp/.docker-build-push-jest/metadata-file',
+        '.'
+      ]
+    ],
   ])(
     '[%d] given %p with %p as inputs, returns %p',
-    async (num: number, buildxVersion: string, inputs: Map<string, any>, expected: Array<string>) => {
-      await inputs.forEach((value: string, name: string) => {
+    async (num: number, buildxVersion: string, inputs: Map<string, string>, expected: Array<string>) => {
+      inputs.forEach((value: string, name: string) => {
         setInput(name, value);
       });
       const defContext = context.defaultContext();
@@ -666,7 +826,7 @@ FOO=bar`
     expect(res).toEqual([
       'GIT_AUTH_TOKEN=abcdefgh,ijklmno=0123456789',
       `MYSECRET=aaaaaaaa
-bbbb\"bbb
+bbbb"bbb
 ccccccccc`,
       'FOO=bar'
     ]);
@@ -686,27 +846,6 @@ describe('asyncForEach', () => {
   });
 });
 
-describe('setOutput', () => {
-  beforeEach(() => {
-    process.stdout.write = jest.fn();
-  });
-
-  it('setOutput produces the correct command', () => {
-    context.setOutput('some output', 'some value');
-    assertWriteCalls([`::set-output name=some output::some value${os.EOL}`]);
-  });
-
-  it('setOutput handles bools', () => {
-    context.setOutput('some output', false);
-    assertWriteCalls([`::set-output name=some output::false${os.EOL}`]);
-  });
-
-  it('setOutput handles numbers', () => {
-    context.setOutput('some output', 1.01);
-    assertWriteCalls([`::set-output name=some output::1.01${os.EOL}`]);
-  });
-});
-
 // See: https://github.com/actions/toolkit/blob/a1b068ec31a042ff1e10a522d8fdf0b8869d53ca/packages/core/src/core.ts#L89
 function getInputName(name: string): string {
   return `INPUT_${name.replace(/ /g, '_').toUpperCase()}`;
@@ -715,11 +854,3 @@ function getInputName(name: string): string {
 function setInput(name: string, value: string): void {
   process.env[getInputName(name)] = value;
 }
-
-// Assert that process.stdout.write calls called only with the given arguments.
-function assertWriteCalls(calls: string[]): void {
-  expect(process.stdout.write).toHaveBeenCalledTimes(calls.length);
-  for (let i = 0; i < calls.length; i++) {
-    expect(process.stdout.write).toHaveBeenNthCalledWith(i + 1, calls[i]);
-  }
-}

__tests__/docker.test.ts

@@ -0,0 +1,16 @@
+import {describe, expect, it, jest} from '@jest/globals';
+import * as docker from '../src/docker';
+import * as exec from '@actions/exec';
+
+describe('isAvailable', () => {
+  it('cli', () => {
+    const execSpy = jest.spyOn(exec, 'getExecOutput');
+    docker.isAvailable();
+
+    // eslint-disable-next-line jest/no-standalone-expect
+    expect(execSpy).toHaveBeenCalledWith(`docker`, undefined, {
+      silent: true,
+      ignoreReturnCode: true
+    });
+  });
+});

action.yml

@@ -13,6 +13,9 @@ inputs:
   allow:
     description: "List of extra privileged entitlement (e.g., network.host,security.insecure)"
     required: false
+  attests:
+    description: "List of attestation parameters (e.g., type=sbom,generator=image)"
+    required: false
   build-args:
     description: "List of build-time variables"
     required: false
@@ -51,12 +54,18 @@ inputs:
     description: "Do not use cache when building the image"
     required: false
     default: 'false'
+  no-cache-filters:
+    description: "Do not cache specified stages"
+    required: false
   outputs:
     description: "List of output destinations (format: type=local,dest=path)"
     required: false
   platforms:
     description: "List of target platforms for build"
     required: false
+  provenance:
+    description: "Generate provenance attestation for the build (shorthand for --attest=type=provenance)"
+    required: false
   pull:
     description: "Always attempt to pull all referenced images"
     required: false
@@ -65,6 +74,9 @@ inputs:
     description: "Push is a shorthand for --output=type=registry"
     required: false
     default: 'false'
+  sbom:
+    description: "Generate SBOM attestation for the build (shorthand for --attest=type=sbom)"
+    required: false
   secrets:
     description: "List of secrets to expose to the build (e.g., key=string, GIT_AUTH_TOKEN=mytoken)"
     required: false
@@ -100,6 +112,6 @@ outputs:
     description: 'Build result metadata'
 
 runs:
-  using: 'node12'
+  using: 'node16'
   main: 'dist/index.js'
   post: 'dist/index.js'

dev.Dockerfile

@@ -1,8 +1,8 @@
-# syntax=docker/dockerfile:1.3-labs
+# syntax=docker/dockerfile:1
 
-ARG NODE_VERSION
-ARG DOCKER_VERSION=20.10.10
-ARG BUILDX_VERSION=0.7.0
+ARG NODE_VERSION=16
+ARG DOCKER_VERSION=20.10.13
+ARG BUILDX_VERSION=0.8.0
 
 FROM node:${NODE_VERSION}-alpine AS base
 RUN apk add --no-cache cpio findutils git
@@ -57,17 +57,15 @@ RUN --mount=type=bind,target=.,rw \
 FROM scratch AS format-update
 COPY --from=format /out /
 
-FROM deps AS format-validate
+FROM deps AS lint
 RUN --mount=type=bind,target=.,rw \
   --mount=type=cache,target=/src/node_modules \
-  yarn run format-check
+  yarn run lint
 
 FROM docker:${DOCKER_VERSION} as docker
 FROM docker/buildx-bin:${BUILDX_VERSION} as buildx
 
 FROM deps AS test
-ENV RUNNER_TEMP=/tmp/github_runner
-ENV RUNNER_TOOL_CACHE=/tmp/github_tool_cache
 RUN --mount=type=bind,target=.,rw \
   --mount=type=cache,target=/src/node_modules \
   --mount=type=bind,from=docker,source=/usr/local/bin/docker,target=/usr/bin/docker \

docker-bake.hcl

@@ -1,13 +1,3 @@
-variable "NODE_VERSION" {
-  default = "12"
-}
-
-target "node-version" {
-  args = {
-    NODE_VERSION = NODE_VERSION
-  }
-}
-
 group "default" {
   targets = ["build"]
 }
@@ -17,54 +7,47 @@ group "pre-checkin" {
 }
 
 group "validate" {
-  targets = ["format-validate", "build-validate", "vendor-validate"]
+  targets = ["lint", "build-validate", "vendor-validate"]
 }
 
 target "build" {
-  inherits = ["node-version"]
-  dockerfile = "./hack/build.Dockerfile"
+  dockerfile = "dev.Dockerfile"
   target = "build-update"
   output = ["."]
 }
 
 target "build-validate" {
-  inherits = ["node-version"]
-  dockerfile = "./hack/build.Dockerfile"
+  dockerfile = "dev.Dockerfile"
   target = "build-validate"
   output = ["type=cacheonly"]
 }
 
 target "format" {
-  inherits = ["node-version"]
-  dockerfile = "./hack/build.Dockerfile"
+  dockerfile = "dev.Dockerfile"
   target = "format-update"
   output = ["."]
 }
 
-target "format-validate" {
-  inherits = ["node-version"]
-  dockerfile = "./hack/build.Dockerfile"
-  target = "format-validate"
+target "lint" {
+  dockerfile = "dev.Dockerfile"
+  target = "lint"
   output = ["type=cacheonly"]
 }
 
 target "vendor-update" {
-  inherits = ["node-version"]
-  dockerfile = "./hack/build.Dockerfile"
+  dockerfile = "dev.Dockerfile"
   target = "vendor-update"
   output = ["."]
 }
 
 target "vendor-validate" {
-  inherits = ["node-version"]
-  dockerfile = "./hack/build.Dockerfile"
+  dockerfile = "dev.Dockerfile"
   target = "vendor-validate"
   output = ["type=cacheonly"]
 }
 
 target "test" {
-  inherits = ["node-version"]
-  dockerfile = "./hack/build.Dockerfile"
+  dockerfile = "dev.Dockerfile"
   target = "test-coverage"
   output = ["./coverage"]
 }

docs/advanced/cache.md

@@ -1,200 +1,3 @@
 # Cache
 
-* [Inline cache](#inline-cache)
-* [Registry cache](#registry-cache)
-* [GitHub cache](#github-cache)
-  * [Cache backend API](#cache-backend-api)
-  * [Local cache](#local-cache)
-
-> More info about cache on [BuildKit](https://github.com/moby/buildkit#export-cache) and [Buildx](https://github.com/docker/buildx/blob/master/docs/reference/buildx_build.md#cache-from) repositories.
-
-## Inline cache
-
-In most cases you want to use the [`type=inline` cache exporter](https://github.com/moby/buildkit#inline-push-image-and-cache-together).
-However, note that the `inline` cache exporter only supports `min` cache mode. To enable `max` cache mode, push the
-image and the cache separately by using the `registry` cache exporter as shown in the [next example](#registry-cache).
-
-```yaml
-name: ci
-
-on:
-  push:
-    branches:
-      - 'main'
-
-jobs:
-  docker:
-    runs-on: ubuntu-latest
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v2
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-      -
-        name: Login to DockerHub
-        uses: docker/login-action@v1 
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      -
-        name: Build and push
-        uses: docker/build-push-action@v2
-        with:
-          context: .
-          push: true
-          tags: user/app:latest
-          cache-from: type=registry,ref=user/app:latest
-          cache-to: type=inline
-```
-
-## Registry cache
-
-You can import/export cache from a cache manifest or (special) image configuration on the registry with the
-[`type=registry` cache exporter](https://github.com/moby/buildkit/tree/master#registry-push-image-and-cache-separately).
-
-```yaml
-name: ci
-
-on:
-  push:
-    branches:
-      - 'main'
-
-jobs:
-  docker:
-    runs-on: ubuntu-latest
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v2
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-      -
-        name: Login to DockerHub
-        uses: docker/login-action@v1 
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      -
-        name: Build and push
-        uses: docker/build-push-action@v2
-        with:
-          context: .
-          push: true
-          tags: user/app:latest
-          cache-from: type=registry,ref=user/app:buildcache
-          cache-to: type=registry,ref=user/app:buildcache,mode=max
-```
-
-## GitHub cache
-
-### Cache backend API
-
-> :test_tube: This cache exporter is considered EXPERIMENTAL until further notice. Please provide feedback on
-> [BuildKit repository](https://github.com/moby/buildkit) if you encounter any issues.
-
-Since [buildx 0.6.0](https://github.com/docker/buildx/releases/tag/v0.6.0) and [BuildKit 0.9.0](https://github.com/moby/buildkit/releases/tag/v0.9.0),
-you can use the [`type=gha` cache exporter](https://github.com/moby/buildkit/tree/master#github-actions-cache-experimental).
-
-GitHub Actions cache exporter backend uses the [GitHub Cache API](https://github.com/tonistiigi/go-actions-cache/blob/master/api.md)
-to fetch and upload cache blobs. That's why this type of cache should be exclusively used in a GitHub Action workflow
-as the `url` (`$ACTIONS_CACHE_URL`) and `token` (`$ACTIONS_RUNTIME_TOKEN`) attributes are populated when a workflow
-is started.
-
-```yaml
-name: ci
-
-on:
-  push:
-    branches:
-      - 'main'
-
-jobs:
-  docker:
-    runs-on: ubuntu-latest
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v2
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-      -
-        name: Login to DockerHub
-        uses: docker/login-action@v1 
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      -
-        name: Build and push
-        uses: docker/build-push-action@v2
-        with:
-          context: .
-          push: true
-          tags: user/app:latest
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-```
-
-### Local cache
-
-> :warning: At the moment caches are copied over the existing cache so it [keeps growing](https://github.com/docker/build-push-action/issues/252).
-> The `Move cache` step is used as a temporary fix (see https://github.com/moby/buildkit/issues/1896).
-
-You can also leverage [GitHub cache](https://docs.github.com/en/actions/configuring-and-managing-workflows/caching-dependencies-to-speed-up-workflows)
-using [actions/cache](https://github.com/actions/cache) and [`type=local` cache exporter](https://github.com/moby/buildkit#local-directory-1)
-with this action:
-
-```yaml
-name: ci
-
-on:
-  push:
-    branches:
-      - 'main'
-
-jobs:
-  docker:
-    runs-on: ubuntu-latest
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v2
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-      -
-        name: Cache Docker layers
-        uses: actions/cache@v2
-        with:
-          path: /tmp/.buildx-cache
-          key: ${{ runner.os }}-buildx-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-buildx-
-      -
-        name: Login to DockerHub
-        uses: docker/login-action@v1 
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      -
-        name: Build and push
-        uses: docker/build-push-action@v2
-        with:
-          context: .
-          push: true
-          tags: user/app:latest
-          cache-from: type=local,src=/tmp/.buildx-cache
-          cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max
-      -
-        # Temp fix
-        # https://github.com/docker/build-push-action/issues/252
-        # https://github.com/moby/buildkit/issues/1896
-        name: Move cache
-        run: |
-          rm -rf /tmp/.buildx-cache
-          mv /tmp/.buildx-cache-new /tmp/.buildx-cache
-```
+This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/examples/#cache)

docs/advanced/copy-between-registries.md

@@ -1,73 +1,3 @@
 # Copy images between registries
 
-Multi-platform images built using buildx can be copied from one registry to another without
-changing the image SHA using the [tag-push-action](https://github.com/akhilerm/tag-push-action).
-
-The following workflow will first push the image to dockerhub, run some tests using the images
-and then push to quay and ghcr
-
-```yaml
-name: ci
-
-on:
-  push:
-    branches:
-      - 'main'
-
-jobs:
-  docker:
-    runs-on: ubuntu-latest
-    steps:
-      - 
-        name: Checkout
-        uses: actions/checkout@v2
-      -
-        name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-      - # quay and ghcr logins for pushing image after testing
-        name: Login to Quay Registry
-        uses: docker/login-action@v1 
-        with:
-          registry: quay.io
-          username: ${{ secrets.QUAY_USERNAME }}
-          password: ${{ secrets.QUAY_TOKEN }}
-      -
-        name: Login to GitHub Container Registry
-        uses: docker/login-action@v1
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      -
-        name: Login to DockerHub
-        uses: docker/login-action@v1 
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      -
-        name: Build and push
-        uses: docker/build-push-action@v2
-        with:
-          context: .
-          platforms: linux/amd64,linux/arm64
-          push: true
-          tags: |
-            user/app:latest
-            user/app:1.0.0
-      - # run tests using image from docker hub
-        name: Run Tests
-        run: make tests
-      - # copy multiplatform image from dockerhub to quay and ghcr
-        name: Push Image to multiple registries
-        uses: akhilerm/tag-push-action@v2.0.0
-        with:
-          src: docker.io/user/app:1.0.0
-          dst: |
-            quay.io/user/app:latest
-            quay.io/user/app:1.0.0
-            ghcr.io/user/app:latest
-            ghcr.io/user/app:1.0.0
-```
+This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/examples/#copy-images-between-registries)

docs/advanced/dockerhub-desc.md

@@ -1,48 +1,3 @@
-# Update DockerHub repo description
+# Update Docker Hub repo description
 
-You can update the [DockerHub repository description](https://docs.docker.com/docker-hub/repos/) using
-a third party action called [DockerHub Description](https://github.com/peter-evans/dockerhub-description)
-with this action:
-
-```yaml
-name: ci
-
-on:
-  push:
-    branches:
-      - 'main'
-
-jobs:
-  docker:
-    runs-on: ubuntu-latest
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v2
-      -
-        name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-      -
-        name: Login to DockerHub
-        uses: docker/login-action@v1 
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      -
-        name: Build and push
-        uses: docker/build-push-action@v2
-        with:
-          context: .
-          push: true
-          tags: user/app:latest
-      -
-        name: Update repo description
-        uses: peter-evans/dockerhub-description@v2
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_PASSWORD }}
-          repository: user/app
-```
+This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/examples/#update-docker-hub-repository-description)

docs/advanced/export-docker.md

@@ -1,35 +1,3 @@
 # Export image to Docker
 
-You may want your build result to be available in the Docker client through `docker images` to be able to use it
-in another step of your workflow:
-
-```yaml
-name: ci
-
-on:
-  push:
-    branches:
-      - 'main'
-
-jobs:
-  docker:
-    runs-on: ubuntu-latest
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v2
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-      -
-        name: Build
-        uses: docker/build-push-action@v2
-        with:
-          context: .
-          load: true
-          tags: myimage:latest
-      -
-        name: Inspect
-        run: |
-          docker image inspect myimage:latest
-```
+This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/examples/#export-image-to-docker)

docs/advanced/isolated-builders.md

@@ -1,44 +1,3 @@
 # Isolated builders
 
-```yaml
-name: ci
-
-on:
-  push:
-    branches:
-      - 'main'
-
-jobs:
-  docker:
-    runs-on: ubuntu-latest
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v2
-      -
-        uses: docker/setup-buildx-action@v1
-        id: builder1
-      -
-        uses: docker/setup-buildx-action@v1
-        id: builder2
-      -
-        name: Builder 1 name
-        run: echo ${{ steps.builder1.outputs.name }}
-      -
-        name: Builder 2 name
-        run: echo ${{ steps.builder2.outputs.name }}
-      -
-        name: Build against builder1
-        uses: docker/build-push-action@v2
-        with:
-          builder: ${{ steps.builder1.outputs.name }}
-          context: .
-          target: mytarget1
-      -
-        name: Build against builder2
-        uses: docker/build-push-action@v2
-        with:
-          builder: ${{ steps.builder2.outputs.name }}
-          context: .
-          target: mytarget2
-```
+This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/configure-builder/#isolated-builders)

docs/advanced/local-registry.md

@@ -1,44 +1,3 @@
 # Local registry
 
-For testing purposes you may need to create a [local registry](https://hub.docker.com/_/registry) to push images into:
-
-```yaml
-name: ci
-
-on:
-  push:
-    branches:
-      - 'main'
-
-jobs:
-  docker:
-    runs-on: ubuntu-latest
-    services:
-      registry:
-        image: registry:2
-        ports:
-          - 5000:5000
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v2
-      -
-        name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-        with:
-          driver-opts: network=host
-      -
-        name: Build and push to local registry
-        uses: docker/build-push-action@v2
-        with:
-          context: .
-          push: true
-          tags: localhost:5000/name/app:latest
-      -
-        name: Inspect
-        run: |
-          docker buildx imagetools inspect localhost:5000/name/app:latest
-```
+This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/examples/#local-registry)

docs/advanced/multi-platform.md

@@ -1,44 +1,3 @@
 # Multi-platform image
 
-You can build multi-platform images using the [`platforms` input](../../README.md#inputs) as described below.
-
-> :bulb: List of available platforms will be displayed and available through our [setup-buildx](https://github.com/docker/setup-buildx-action#about) action.
-
-> :bulb: If you want support for more platforms, you can use QEMU with our [setup-qemu](https://github.com/docker/setup-qemu-action) action.
-
-```yaml
-name: ci
-
-on:
-  push:
-    branches:
-      - 'main'
-
-jobs:
-  docker:
-    runs-on: ubuntu-latest
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v2
-      -
-        name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-      -
-        name: Login to DockerHub
-        uses: docker/login-action@v1 
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      -
-        name: Build and push
-        uses: docker/build-push-action@v2
-        with:
-          context: .
-          platforms: linux/amd64,linux/arm64
-          push: true
-          tags: user/app:latest
-```
+This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/examples/#multi-platform-images)

docs/advanced/named-contexts.md

@@ -0,0 +1,3 @@
+# Named contexts
+
+This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/examples/#named-contexts)

docs/advanced/push-multi-registries.md

@@ -1,57 +1,3 @@
 # Push to multi-registries
 
-* [Docker Hub and GHCR](#docker-hub-and-ghcr)
-
-## Docker Hub and GHCR
-
-The following workflow will connect you to [DockerHub](https://github.com/docker/login-action#dockerhub)
-and [GitHub Container Registry](https://github.com/docker/login-action#github-container-registry) and push the
-image to these registries.
-
-```yaml
-name: ci
-
-on:
-  push:
-    branches:
-      - 'main'
-
-jobs:
-  docker:
-    runs-on: ubuntu-latest
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v2
-      -
-        name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-      -
-        name: Login to DockerHub
-        uses: docker/login-action@v1 
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      -
-        name: Login to GitHub Container Registry
-        uses: docker/login-action@v1 
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      -
-        name: Build and push
-        uses: docker/build-push-action@v2
-        with:
-          context: .
-          platforms: linux/amd64,linux/arm64
-          push: true
-          tags: |
-            user/app:latest
-            user/app:1.0.0
-            ghcr.io/user/app:latest
-            ghcr.io/user/app:1.0.0
-```
+This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/examples/#push-to-multi-registries)

docs/advanced/secrets.md

@@ -1,84 +1,3 @@
 # Secrets
 
-In the following example we will expose and use the [GITHUB_TOKEN secret](https://docs.github.com/en/actions/reference/authentication-in-a-workflow#about-the-github_token-secret)
-as provided by GitHub in your workflow.
-
-First let's create our `Dockerfile` to use our secret:
-
-```Dockerfile
-#syntax=docker/dockerfile:1.2
-
-FROM alpine
-RUN --mount=type=secret,id=github_token \
-  cat /run/secrets/github_token
-```
-
-As you can see we have named our secret `github_token`. Here is the workflow you can use to expose this secret using
-the [`secrets` input](../../README.md#inputs):
-
-```yaml
-name: ci
-
-on:
-  push:
-    branches:
-      - 'main'
-
-jobs:
-  docker:
-    runs-on: ubuntu-latest
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v2
-      -
-        name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-      -
-        name: Build
-        uses: docker/build-push-action@v2
-        with:
-          context: .
-          platforms: linux/amd64,linux/arm64
-          tags: user/app:latest
-          secrets: |
-            "github_token=${{ secrets.GITHUB_TOKEN }}"
-```
-
-> :bulb: You can also expose a secret file to the build with [`secret-files`](../../README.md#inputs) input:
-> ```yaml
-> secret-files: |
->   "MY_SECRET=./secret.txt"
-> ```
-
-If you're using [GitHub secrets](https://docs.github.com/en/actions/reference/encrypted-secrets) and need to handle
-multi-line value, you will need to place the key-value pair between quotes:
-
-```yaml
-secrets: |
-  "MYSECRET=${{ secrets.GPG_KEY }}"
-  GIT_AUTH_TOKEN=abcdefghi,jklmno=0123456789
-  "MYSECRET=aaaaaaaa
-  bbbbbbb
-  ccccccccc"
-  FOO=bar
-  "EMPTYLINE=aaaa
-  
-  bbbb
-  ccc"
-  "JSON_SECRET={""key1"":""value1"",""key2"":""value2""}"
-```
-
-| Key                | Value                                            |
-|--------------------|--------------------------------------------------|
-| `MYSECRET`         | `***********************` |
-| `GIT_AUTH_TOKEN`   | `abcdefghi,jklmno=0123456789` |
-| `MYSECRET`         | `aaaaaaaa\nbbbbbbb\nccccccccc` |
-| `FOO`              | `bar` |
-| `EMPTYLINE`        | `aaaa\n\nbbbb\nccc` |
-| `JSON_SECRET`      | `{"key1":"value1","key2":"value2"}` |
-
-> :bulb: All quote signs need to be doubled for escaping.
+This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/examples/#secrets)

docs/advanced/share-image-jobs.md

@@ -1,58 +1,3 @@
 # Share built image between jobs
 
-As each job is isolated in its own runner you cannot use your built image between jobs (except for [self-hosted runners](https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners)).
-However, you can [pass data between jobs in a workflow](https://docs.github.com/en/actions/guides/storing-workflow-data-as-artifacts#passing-data-between-jobs-in-a-workflow)
-using the [actions/upload-artifact](https://github.com/actions/upload-artifact) and [actions/download-artifact](https://github.com/actions/download-artifact)
-actions:
-
-```yaml
-name: ci
-
-on:
-  push:
-    branches:
-      - 'main'
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v2
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-      -
-        name: Build and export
-        uses: docker/build-push-action@v2
-        with:
-          context: .
-          tags: myimage:latest
-          outputs: type=docker,dest=/tmp/myimage.tar
-      -
-        name: Upload artifact
-        uses: actions/upload-artifact@v2
-        with:
-          name: myimage
-          path: /tmp/myimage.tar
-
-  use:
-    runs-on: ubuntu-latest
-    needs: build
-    steps:
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-      -
-        name: Download artifact
-        uses: actions/download-artifact@v2
-        with:
-          name: myimage
-          path: /tmp
-      -
-        name: Load image
-        run: |
-          docker load --input /tmp/myimage.tar
-          docker image ls -a
-```
+This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/examples/#share-built-image-between-jobs)

docs/advanced/tags-labels.md

@@ -1,76 +1,3 @@
 # Handle tags and labels
 
-If you want an "automatic" tag management and [OCI Image Format Specification](https://github.com/opencontainers/image-spec/blob/master/annotations.md)
-for labels, you can do it in a dedicated step. The following workflow will use the [Docker metadata action](https://github.com/docker/metadata-action)
-to handle tags and labels based on GitHub actions events and Git metadata.
-
-```yaml
-name: ci
-
-on:
-  schedule:
-    - cron: '0 10 * * *'
-  push:
-    branches:
-      - '**'
-    tags:
-      - 'v*.*.*'
-  pull_request:
-    branches:
-      - 'main'
-
-jobs:
-  docker:
-    runs-on: ubuntu-latest
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v2
-      -
-        name: Docker meta
-        id: meta
-        uses: docker/metadata-action@v3
-        with:
-          # list of Docker images to use as base name for tags
-          images: |
-            name/app
-            ghcr.io/username/app
-          # generate Docker tags based on the following events/attributes
-          tags: |
-            type=schedule
-            type=ref,event=branch
-            type=ref,event=pr
-            type=semver,pattern={{version}}
-            type=semver,pattern={{major}}.{{minor}}
-            type=semver,pattern={{major}}
-            type=sha
-      -
-        name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-      -
-        name: Login to DockerHub
-        if: github.event_name != 'pull_request'
-        uses: docker/login-action@v1 
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      -
-        name: Login to GHCR
-        if: github.event_name != 'pull_request'
-        uses: docker/login-action@v1
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      -
-        name: Build and push
-        uses: docker/build-push-action@v2
-        with:
-          context: .
-          push: ${{ github.event_name != 'pull_request' }}
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-```
+This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/examples/#manage-tags-and-labels)

docs/advanced/test-before-push.md

@@ -1,64 +1,3 @@
 # Test your image before pushing it
 
-In some cases, you might want to validate that the image works as expected
-before pushing it.
-
-The workflow below will be composed of several steps to achieve this:
-* Build and export the image to Docker
-* Test your image
-* Multi-platform build and push the image
-
-```yaml
-name: ci
-
-on:
-  push:
-    branches:
-      - 'main'
-
-env:
-  TEST_TAG: user/myapp:test
-
-jobs:
-  docker:
-    runs-on: ubuntu-latest
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v2
-      -
-        name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-      -
-        name: Login to DockerHub
-        uses: docker/login-action@v1
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      -
-        name: Build and export to Docker
-        uses: docker/build-push-action@v2
-        with:
-          context: .
-          load: true
-          tags: ${{ env.TEST_TAG }}
-      -
-        name: Test
-        run: |
-          docker run --rm ${{ env.TEST_TAG }}
-      -
-        name: Build and push
-        uses: docker/build-push-action@v2
-        with:
-          context: .
-          platforms: linux/amd64,linux/arm64
-          push: true
-          tags: user/app:latest
-```
-
-> :bulb: Build time will not be increased with this workflow because internal
-> cache for `linux/amd64` will be used from previous step on `Build and push`
-> step so only `linux/arm64` will be actually built.
+This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/github-actions/examples/#test-your-image-before-pushing-it)

jest.config.js

@@ -1,12 +0,0 @@
-module.exports = {
-  clearMocks: false,
-  moduleFileExtensions: ['js', 'ts'],
-  setupFiles: ["dotenv/config"],
-  testEnvironment: 'node',
-  testMatch: ['**/*.test.ts'],
-  testRunner: 'jest-circus/runner',
-  transform: {
-    '^.+\\.ts$': 'ts-jest'
-  },
-  verbose: false
-}

jest.config.ts

@@ -0,0 +1,23 @@
+process.env = Object.assign({}, process.env, {
+  RUNNER_TEMP: '/tmp/github_runner',
+  RUNNER_TOOL_CACHE: '/tmp/github_tool_cache',
+  GITHUB_REPOSITORY: 'docker/build-push-action',
+  GITHUB_RUN_ID: '123456789'
+}) as {
+  [key: string]: string;
+};
+
+module.exports = {
+  clearMocks: false,
+  testEnvironment: 'node',
+  moduleFileExtensions: ['js', 'ts'],
+  setupFiles: ['dotenv/config'],
+  testMatch: ['**/*.test.ts'],
+  transform: {
+    '^.+\\.ts$': 'ts-jest'
+  },
+  moduleNameMapper: {
+    '^csv-parse/sync': '<rootDir>/node_modules/csv-parse/dist/cjs/sync.cjs'
+  },
+  verbose: true
+};

package.json

@@ -3,11 +3,11 @@
   "description": "Build and push Docker images",
   "main": "lib/main.js",
   "scripts": {
-    "build": "tsc && ncc build",
-    "format": "prettier --write **/*.ts",
-    "format-check": "prettier --check **/*.ts",
+    "build": "ncc build src/main.ts --source-map --minify --license licenses.txt",
+    "lint": "eslint src/**/*.ts __tests__/**/*.ts",
+    "format": "eslint --fix src/**/*.ts __tests__/**/*.ts",
     "test": "jest --coverage",
-    "pre-checkin": "yarn run format && yarn run build"
+    "all": "yarn run build && yarn run format && yarn test"
   },
   "repository": {
     "type": "git",
@@ -28,27 +28,32 @@
   ],
   "license": "Apache-2.0",
   "dependencies": {
-    "@actions/core": "^1.6.0",
-    "@actions/exec": "^1.1.0",
-    "@actions/github": "^5.0.0",
-    "csv-parse": "^4.16.3",
+    "@actions/core": "^1.10.0",
+    "@actions/exec": "^1.1.1",
+    "@actions/github": "^5.1.1",
+    "csv-parse": "^5.3.3",
     "handlebars": "^4.7.7",
-    "semver": "^7.3.5",
+    "jwt-decode": "^3.1.2",
+    "semver": "^7.3.7",
     "tmp": "^0.2.1"
   },
   "devDependencies": {
     "@types/csv-parse": "^1.2.2",
-    "@types/jest": "^26.0.23",
-    "@types/node": "^14.17.4",
-    "@types/tmp": "^0.2.0",
-    "@vercel/ncc": "^0.28.6",
-    "dotenv": "^8.6.0",
-    "jest": "^26.6.3",
-    "jest-circus": "^26.6.3",
-    "jest-runtime": "^26.6.3",
+    "@types/node": "^16.11.26",
+    "@types/semver": "^7.3.9",
+    "@types/tmp": "^0.2.3",
+    "@typescript-eslint/eslint-plugin": "^5.14.0",
+    "@typescript-eslint/parser": "^5.14.0",
+    "@vercel/ncc": "^0.33.3",
+    "dotenv": "^16.0.0",
+    "eslint": "^8.11.0",
+    "eslint-config-prettier": "^8.5.0",
+    "eslint-plugin-jest": "^26.1.1",
+    "eslint-plugin-prettier": "^4.0.0",
+    "jest": "^27.2.5",
     "prettier": "^2.3.1",
-    "ts-jest": "^26.5.6",
-    "typescript": "^4.3.4",
-    "typescript-formatter": "^7.2.2"
+    "ts-jest": "^27.1.2",
+    "ts-node": "^10.7.0",
+    "typescript": "^4.4.4"
   }
 }

src/buildx.ts

@@ -1,11 +1,26 @@
-import csvparse from 'csv-parse/lib/sync';
+import {parse} from 'csv-parse/sync';
 import fs from 'fs';
 import path from 'path';
 import * as semver from 'semver';
 import * as exec from '@actions/exec';
-
 import * as context from './context';
 
+export type Builder = {
+  name?: string;
+  driver?: string;
+  nodes: Node[];
+};
+
+export type Node = {
+  name?: string;
+  endpoint?: string;
+  'driver-opts'?: Array<string>;
+  status?: string;
+  'buildkitd-flags'?: string;
+  buildkit?: string;
+  platforms?: string;
+};
+
 export async function getImageIDFile(): Promise<string> {
   return path.join(context.tmpDir(), 'iidfile').split(path.sep).join(path.posix.sep);
 }
@@ -76,19 +91,20 @@ export async function getSecret(kvp: string, file: boolean): Promise<string> {
   return `id=${key},src=${secretFile}`;
 }
 
-export function isLocalOrTarExporter(outputs: string[]): Boolean {
-  for (let output of csvparse(outputs.join(`\n`), {
+export function isLocalOrTarExporter(outputs: string[]): boolean {
+  const records = parse(outputs.join(`\n`), {
     delimiter: ',',
     trim: true,
     columns: false,
     relaxColumnCount: true
-  })) {
+  });
+  for (const record of records) {
     // Local if no type is defined
     // https://github.com/docker/buildx/blob/d2bf42f8b4784d83fde17acb3ed84703ddc2156b/build/output.go#L29-L43
-    if (output.length == 1 && !output[0].startsWith('type=')) {
+    if (record.length == 1 && !record[0].startsWith('type=')) {
       return true;
     }
-    for (let [key, value] of output.map(chunk => chunk.split('=').map(item => item.trim()))) {
+    for (const [key, value] of record.map(chunk => chunk.split('=').map(item => item.trim()))) {
       if (key == 'type' && (value == 'local' || value == 'tar')) {
         return true;
       }
@@ -97,8 +113,8 @@ export function isLocalOrTarExporter(outputs: string[]): Boolean {
   return false;
 }
 
-export function hasGitAuthToken(secrets: string[]): Boolean {
-  for (let secret of secrets) {
+export function hasGitAuthToken(secrets: string[]): boolean {
+  for (const secret of secrets) {
     if (secret.startsWith('GIT_AUTH_TOKEN=')) {
       return true;
     }
@@ -106,9 +122,10 @@ export function hasGitAuthToken(secrets: string[]): Boolean {
   return false;
 }
 
-export async function isAvailable(): Promise<Boolean> {
+export async function isAvailable(standalone?: boolean): Promise<boolean> {
+  const cmd = getCommand([], standalone);
   return await exec
-    .getExecOutput('docker', ['buildx'], {
+    .getExecOutput(cmd.command, cmd.args, {
       ignoreReturnCode: true,
       silent: true
     })
@@ -117,12 +134,123 @@ export async function isAvailable(): Promise<Boolean> {
         return false;
       }
       return res.exitCode == 0;
+    })
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+    .catch(error => {
+      return false;
     });
 }
 
-export async function getVersion(): Promise<string> {
+export async function satisfiesBuildKitVersion(builderName: string, range: string, standalone?: boolean): Promise<boolean> {
+  const builderInspect = await inspect(builderName, standalone);
+  for (const node of builderInspect.nodes) {
+    if (!node.buildkit) {
+      return false;
+    }
+    // BuildKit version reported by moby is in the format of `v0.11.0-moby`
+    if (builderInspect.driver == 'docker' && !node.buildkit.endsWith('-moby')) {
+      return false;
+    }
+    const version = node.buildkit.replace(/-moby$/, '');
+    if (!semver.satisfies(version, range)) {
+      return false;
+    }
+  }
+  return true;
+}
+
+async function inspect(name: string, standalone?: boolean): Promise<Builder> {
+  const cmd = getCommand(['inspect', name], standalone);
   return await exec
-    .getExecOutput('docker', ['buildx', 'version'], {
+    .getExecOutput(cmd.command, cmd.args, {
+      ignoreReturnCode: true,
+      silent: true
+    })
+    .then(res => {
+      if (res.stderr.length > 0 && res.exitCode != 0) {
+        throw new Error(res.stderr.trim());
+      }
+      return parseInspect(res.stdout);
+    });
+}
+
+async function parseInspect(data: string): Promise<Builder> {
+  const builder: Builder = {
+    nodes: []
+  };
+  let node: Node = {};
+  for (const line of data.trim().split(`\n`)) {
+    const [key, ...rest] = line.split(':');
+    const value = rest.map(v => v.trim()).join(':');
+    if (key.length == 0 || value.length == 0) {
+      continue;
+    }
+    switch (key.toLowerCase()) {
+      case 'name': {
+        if (builder.name == undefined) {
+          builder.name = value;
+        } else {
+          if (Object.keys(node).length > 0) {
+            builder.nodes.push(node);
+            node = {};
+          }
+          node.name = value;
+        }
+        break;
+      }
+      case 'driver': {
+        builder.driver = value;
+        break;
+      }
+      case 'endpoint': {
+        node.endpoint = value;
+        break;
+      }
+      case 'driver options': {
+        node['driver-opts'] = (value.match(/(\w+)="([^"]*)"/g) || []).map(v => v.replace(/^(.*)="(.*)"$/g, '$1=$2'));
+        break;
+      }
+      case 'status': {
+        node.status = value;
+        break;
+      }
+      case 'flags': {
+        node['buildkitd-flags'] = value;
+        break;
+      }
+      case 'buildkit': {
+        node.buildkit = value;
+        break;
+      }
+      case 'platforms': {
+        let platforms: Array<string> = [];
+        // if a preferred platform is being set then use only these
+        // https://docs.docker.com/engine/reference/commandline/buildx_inspect/#get-information-about-a-builder-instance
+        if (value.includes('*')) {
+          for (const platform of value.split(', ')) {
+            if (platform.includes('*')) {
+              platforms.push(platform.replace('*', ''));
+            }
+          }
+        } else {
+          // otherwise set all platforms available
+          platforms = value.split(', ');
+        }
+        node.platforms = platforms.join(',');
+        break;
+      }
+    }
+  }
+  if (Object.keys(node).length > 0) {
+    builder.nodes.push(node);
+  }
+  return builder;
+}
+
+export async function getVersion(standalone?: boolean): Promise<string> {
+  const cmd = getCommand(['version'], standalone);
+  return await exec
+    .getExecOutput(cmd.command, cmd.args, {
       ignoreReturnCode: true,
       silent: true
     })
@@ -145,3 +273,10 @@ export function parseVersion(stdout: string): string {
 export function satisfies(version: string, range: string): boolean {
   return semver.satisfies(version, range) || /^[0-9a-f]{7}$/.exec(version) !== null;
 }
+
+export function getCommand(args: Array<string>, standalone?: boolean) {
+  return {
+    command: standalone ? 'buildx' : 'docker',
+    args: standalone ? args : ['buildx', ...args]
+  };
+}

src/context.ts

@@ -1,14 +1,11 @@
-import csvparse from 'csv-parse/lib/sync';
 import * as fs from 'fs';
 import * as os from 'os';
 import * as path from 'path';
 import * as tmp from 'tmp';
-
-import * as core from '@actions/core';
-import {issueCommand} from '@actions/core/lib/command';
-import * as github from '@actions/github';
-
 import * as buildx from './buildx';
+import * as core from '@actions/core';
+import * as github from '@actions/github';
+import {parse} from 'csv-parse/sync';
 import * as handlebars from 'handlebars';
 
 let _defaultContext, _tmpDir: string;
@@ -16,6 +13,7 @@ let _defaultContext, _tmpDir: string;
 export interface Inputs {
   addHosts: string[];
   allow: string[];
+  attests: string[];
   buildArgs: string[];
   buildContexts: string[];
   builder: string;
@@ -28,10 +26,13 @@ export interface Inputs {
   load: boolean;
   network: string;
   noCache: boolean;
+  noCacheFilters: string[];
   outputs: string[];
   platforms: string[];
+  provenance: string;
   pull: boolean;
   push: boolean;
+  sbom: string;
   secrets: string[];
   secretFiles: string[];
   shmSize: string;
@@ -67,10 +68,15 @@ export function tmpNameSync(options?: tmp.TmpNameOptions): string {
   return tmp.tmpNameSync(options);
 }
 
+export function provenanceBuilderID(): string {
+  return `${process.env.GITHUB_SERVER_URL || 'https://github.com'}/${github.context.repo.owner}/${github.context.repo.repo}/actions/runs/${github.context.runId}`;
+}
+
 export async function getInputs(defaultContext: string): Promise<Inputs> {
   return {
     addHosts: await getInputList('add-hosts'),
     allow: await getInputList('allow'),
+    attests: await getInputList('attests', true),
     buildArgs: await getInputList('build-args', true),
     buildContexts: await getInputList('build-contexts', true),
     builder: core.getInput('builder'),
@@ -83,10 +89,13 @@ export async function getInputs(defaultContext: string): Promise<Inputs> {
     load: core.getBooleanInput('load'),
     network: core.getInput('network'),
     noCache: core.getBooleanInput('no-cache'),
+    noCacheFilters: await getInputList('no-cache-filters'),
     outputs: await getInputList('outputs', true),
     platforms: await getInputList('platforms'),
+    provenance: getProvenanceInput('provenance'),
     pull: core.getBooleanInput('pull'),
     push: core.getBooleanInput('push'),
+    sbom: core.getInput('sbom'),
     secrets: await getInputList('secrets', true),
     secretFiles: await getInputList('secret-files', true),
     shmSize: core.getInput('shm-size'),
@@ -98,22 +107,29 @@ export async function getInputs(defaultContext: string): Promise<Inputs> {
   };
 }
 
-export async function getArgs(inputs: Inputs, defaultContext: string, buildxVersion: string): Promise<Array<string>> {
-  let args: Array<string> = ['buildx'];
-  args.push.apply(args, await getBuildArgs(inputs, defaultContext, buildxVersion));
-  args.push.apply(args, await getCommonArgs(inputs, buildxVersion));
-  args.push(handlebars.compile(inputs.context)({defaultContext}));
-  return args;
+export async function getArgs(inputs: Inputs, defaultContext: string, buildxVersion: string, standalone?: boolean): Promise<Array<string>> {
+  const context = handlebars.compile(inputs.context)({defaultContext});
+  // prettier-ignore
+  return [
+    ...await getBuildArgs(inputs, defaultContext, context, buildxVersion, standalone),
+    ...await getCommonArgs(inputs, buildxVersion),
+    context
+  ];
 }
 
-async function getBuildArgs(inputs: Inputs, defaultContext: string, buildxVersion: string): Promise<Array<string>> {
-  let args: Array<string> = ['build'];
+async function getBuildArgs(inputs: Inputs, defaultContext: string, context: string, buildxVersion: string, standalone?: boolean): Promise<Array<string>> {
+  const args: Array<string> = ['build'];
   await asyncForEach(inputs.addHosts, async addHost => {
     args.push('--add-host', addHost);
   });
   if (inputs.allow.length > 0) {
     args.push('--allow', inputs.allow.join(','));
   }
+  if (buildx.satisfies(buildxVersion, '>=0.10.0')) {
+    await asyncForEach(inputs.attests, async attest => {
+      args.push('--attest', attest);
+    });
+  }
   await asyncForEach(inputs.buildArgs, async buildArg => {
     args.push('--build-arg', buildArg);
   });
@@ -140,12 +156,32 @@ async function getBuildArgs(inputs: Inputs, defaultContext: string, buildxVersio
   await asyncForEach(inputs.labels, async label => {
     args.push('--label', label);
   });
+  await asyncForEach(inputs.noCacheFilters, async noCacheFilter => {
+    args.push('--no-cache-filter', noCacheFilter);
+  });
   await asyncForEach(inputs.outputs, async output => {
     args.push('--output', output);
   });
   if (inputs.platforms.length > 0) {
     args.push('--platform', inputs.platforms.join(','));
   }
+  if (buildx.satisfies(buildxVersion, '>=0.10.0')) {
+    if (inputs.provenance) {
+      args.push('--provenance', inputs.provenance);
+    } else if ((await buildx.satisfiesBuildKitVersion(inputs.builder, '>=0.11.0', standalone)) && !hasDockerExport(inputs)) {
+      // If provenance not specified but BuildKit version compatible for
+      // attestation, disable provenance anyway. Also needs to make sure user
+      // doesn't want to explicitly load the image to docker.
+      // While this action successfully pushes OCI compliant images to
+      // well-known registries, some runtimes (e.g. Google Cloud Run and AWS
+      // Lambda) are not able to pull resulting image from their own registry...
+      // See also https://github.com/docker/buildx/issues/1533
+      args.push('--provenance', 'false');
+    }
+    if (inputs.sbom) {
+      args.push('--sbom', inputs.sbom);
+    }
+  }
   await asyncForEach(inputs.secrets, async secret => {
     try {
       args.push('--secret', await buildx.getSecretString(secret));
@@ -160,7 +196,7 @@ async function getBuildArgs(inputs: Inputs, defaultContext: string, buildxVersio
       core.warning(err.message);
     }
   });
-  if (inputs.githubToken && !buildx.hasGitAuthToken(inputs.secrets) && inputs.context == defaultContext) {
+  if (inputs.githubToken && !buildx.hasGitAuthToken(inputs.secrets) && context.startsWith(defaultContext)) {
     args.push('--secret', await buildx.getSecretString(`GIT_AUTH_TOKEN=${inputs.githubToken}`));
   }
   if (inputs.shmSize) {
@@ -182,7 +218,7 @@ async function getBuildArgs(inputs: Inputs, defaultContext: string, buildxVersio
 }
 
 async function getCommonArgs(inputs: Inputs, buildxVersion: string): Promise<Array<string>> {
-  let args: Array<string> = [];
+  const args: Array<string> = [];
   if (inputs.builder) {
     args.push('--builder', inputs.builder);
   }
@@ -208,27 +244,29 @@ async function getCommonArgs(inputs: Inputs, buildxVersion: string): Promise<Arr
 }
 
 export async function getInputList(name: string, ignoreComma?: boolean): Promise<string[]> {
-  let res: Array<string> = [];
+  const res: Array<string> = [];
 
   const items = core.getInput(name);
   if (items == '') {
     return res;
   }
 
-  for (let output of (await csvparse(items, {
+  const records = await parse(items, {
     columns: false,
-    relax: true,
+    relaxQuotes: true,
     relaxColumnCount: true,
-    skipLinesWithEmptyValues: true
-  })) as Array<string[]>) {
-    if (output.length == 1) {
-      res.push(output[0]);
+    skipEmptyLines: true
+  });
+
+  for (const record of records as Array<string[]>) {
+    if (record.length == 1) {
+      res.push(record[0]);
       continue;
     } else if (!ignoreComma) {
-      res.push(...output);
+      res.push(...record);
       continue;
     }
-    res.push(output.join(','));
+    res.push(record.join(','));
   }
 
   return res.filter(item => item).map(pat => pat.trim());
@@ -240,7 +278,63 @@ export const asyncForEach = async (array, callback) => {
   }
 };
 
-// FIXME: Temp fix https://github.com/actions/toolkit/issues/777
-export function setOutput(name: string, value: any): void {
-  issueCommand('set-output', {name}, value);
+function getProvenanceInput(name: string): string {
+  const input = core.getInput(name);
+  if (!input) {
+    // if input is not set, default values will be set later.
+    return input;
+  }
+  const builderID = provenanceBuilderID();
+  try {
+    return core.getBooleanInput(name) ? `builder-id=${builderID}` : 'false';
+  } catch (err) {
+    // not a valid boolean, so we assume it's a string
+    return getProvenanceAttrs(input);
+  }
+}
+
+function getProvenanceAttrs(input: string): string {
+  const builderID = provenanceBuilderID();
+  // parse attributes from input
+  const fields = parse(input, {
+    relaxColumnCount: true,
+    skipEmptyLines: true
+  })[0];
+  // check if builder-id attribute exists in the input
+  for (const field of fields) {
+    const parts = field
+      .toString()
+      .split(/(?<=^[^=]+?)=/)
+      .map(item => item.trim());
+    if (parts[0] == 'builder-id') {
+      return input;
+    }
+  }
+  // if not add builder-id attribute
+  return `${input},builder-id=${builderID}`;
+}
+
+function hasDockerExport(inputs: Inputs): boolean {
+  if (inputs.load) {
+    return true;
+  }
+  for (const output of inputs.outputs) {
+    const fields = parse(output, {
+      relaxColumnCount: true,
+      skipEmptyLines: true
+    })[0];
+    for (const field of fields) {
+      const parts = field
+        .toString()
+        .split(/(?<=^[^=]+?)=/)
+        .map(item => item.trim());
+      if (parts.length != 2) {
+        continue;
+      }
+      if (parts[0] == 'type' && parts[1] == 'docker') {
+        return true;
+      }
+    }
+  }
+  return false;
 }

src/docker.ts

@@ -0,0 +1,19 @@
+import * as exec from '@actions/exec';
+
+export async function isAvailable(): Promise<boolean> {
+  return await exec
+    .getExecOutput('docker', undefined, {
+      ignoreReturnCode: true,
+      silent: true
+    })
+    .then(res => {
+      if (res.stderr.length > 0 && res.exitCode != 0) {
+        return false;
+      }
+      return res.exitCode == 0;
+    })
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+    .catch(error => {
+      return false;
+    });
+}

src/github.ts

@@ -0,0 +1,9 @@
+import jwt_decode, {JwtPayload} from 'jwt-decode';
+
+interface Jwt extends JwtPayload {
+  ac?: string;
+}
+
+export const parseRuntimeToken = (token: string): Jwt => {
+  return jwt_decode<Jwt>(token);
+};

src/main.ts

@@ -1,35 +1,65 @@
 import * as fs from 'fs';
 import * as buildx from './buildx';
 import * as context from './context';
+import * as docker from './docker';
+import * as github from './github';
 import * as stateHelper from './state-helper';
 import * as core from '@actions/core';
 import * as exec from '@actions/exec';
 
 async function run(): Promise<void> {
   try {
+    const defContext = context.defaultContext();
+    const inputs: context.Inputs = await context.getInputs(defContext);
+
+    // standalone if docker cli not available
+    const standalone = !(await docker.isAvailable());
+
+    await core.group(`GitHub Actions runtime token access controls`, async () => {
+      const actionsRuntimeToken = process.env['ACTIONS_RUNTIME_TOKEN'];
+      if (actionsRuntimeToken) {
+        core.info(JSON.stringify(JSON.parse(github.parseRuntimeToken(actionsRuntimeToken).ac as string), undefined, 2));
+      } else {
+        core.info(`ACTIONS_RUNTIME_TOKEN not set`);
+      }
+    });
+
     core.startGroup(`Docker info`);
-    await exec.exec('docker', ['version']);
-    await exec.exec('docker', ['info']);
+    if (standalone) {
+      core.info(`Docker info skipped in standalone mode`);
+    } else {
+      await exec.exec('docker', ['version'], {
+        failOnStdErr: false
+      });
+      await exec.exec('docker', ['info'], {
+        failOnStdErr: false
+      });
+    }
     core.endGroup();
 
-    if (!(await buildx.isAvailable())) {
+    if (!(await buildx.isAvailable(standalone))) {
       core.setFailed(`Docker buildx is required. See https://github.com/docker/setup-buildx-action to set up buildx.`);
       return;
     }
     stateHelper.setTmpDir(context.tmpDir());
 
-    const buildxVersion = await buildx.getVersion();
-    const defContext = context.defaultContext();
-    let inputs: context.Inputs = await context.getInputs(defContext);
+    const buildxVersion = await buildx.getVersion(standalone);
+    await core.group(`Buildx version`, async () => {
+      const versionCmd = buildx.getCommand(['version'], standalone);
+      await exec.exec(versionCmd.command, versionCmd.args, {
+        failOnStdErr: false
+      });
+    });
 
-    const args: string[] = await context.getArgs(inputs, defContext, buildxVersion);
+    const args: string[] = await context.getArgs(inputs, defContext, buildxVersion, standalone);
+    const buildCmd = buildx.getCommand(args, standalone);
     await exec
-      .getExecOutput('docker', args, {
+      .getExecOutput(buildCmd.command, buildCmd.args, {
         ignoreReturnCode: true
       })
       .then(res => {
         if (res.stderr.length > 0 && res.exitCode != 0) {
-          throw new Error(`buildx failed with: ${res.stderr.match(/(.*)\s*$/)![0].trim()}`);
+          throw new Error(`buildx failed with: ${res.stderr.match(/(.*)\s*$/)?.[0]?.trim() ?? 'unknown error'}`);
         }
       });
 
@@ -40,19 +70,19 @@ async function run(): Promise<void> {
     if (imageID) {
       await core.group(`ImageID`, async () => {
         core.info(imageID);
-        context.setOutput('imageid', imageID);
+        core.setOutput('imageid', imageID);
       });
     }
     if (digest) {
       await core.group(`Digest`, async () => {
         core.info(digest);
-        context.setOutput('digest', digest);
+        core.setOutput('digest', digest);
       });
     }
     if (metadata) {
       await core.group(`Metadata`, async () => {
         core.info(metadata);
-        context.setOutput('metadata', metadata);
+        core.setOutput('metadata', metadata);
       });
     }
   } catch (error) {
@@ -63,7 +93,7 @@ async function run(): Promise<void> {
 async function cleanup(): Promise<void> {
   if (stateHelper.tmpDir.length > 0) {
     core.startGroup(`Removing temp folder ${stateHelper.tmpDir}`);
-    fs.rmdirSync(stateHelper.tmpDir, {recursive: true});
+    fs.rmSync(stateHelper.tmpDir, {recursive: true});
     core.endGroup();
   }
 }

test/Dockerfile

@@ -1,3 +1,3 @@
+# syntax=docker/dockerfile:1
 FROM alpine
-
 RUN echo "Hello world!"

test/addhost.Dockerfile

@@ -1,2 +1,3 @@
+# syntax=docker/dockerfile:1
 FROM busybox
 RUN cat /etc/hosts

test/buildcontext.Dockerfile

@@ -1,3 +1,3 @@
-# syntax=docker/dockerfile-upstream:master
+# syntax=docker/dockerfile:1
 FROM alpine
 RUN cat /etc/*release

test/cgroup.Dockerfile

@@ -1,2 +1,3 @@
+# syntax=docker/dockerfile:1
 FROM alpine
 RUN cat /proc/self/cgroup

test/go/Dockerfile

@@ -0,0 +1,16 @@
+FROM golang:1.19-alpine AS base
+ENV CGO_ENABLED=0
+RUN apk add --no-cache file git
+WORKDIR /src
+
+FROM base as build
+COPY go.mod go.sum ./
+RUN go mod download -x
+COPY . .
+RUN go build -ldflags "-s -w" -o /usr/bin/app .
+
+FROM scratch AS binary
+COPY --from=build /usr/bin/app /bin/app
+
+FROM alpine:3.17 AS image
+COPY --from=build /usr/bin/app /bin/app

test/go/go.mod

@@ -0,0 +1,19 @@
+module github.com/docker/build-push-action/test/go
+
+go 1.18
+
+require github.com/labstack/echo/v4 v4.9.1
+
+require (
+	github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
+	github.com/labstack/gommon v0.4.0 // indirect
+	github.com/mattn/go-colorable v0.1.11 // indirect
+	github.com/mattn/go-isatty v0.0.14 // indirect
+	github.com/valyala/bytebufferpool v1.0.0 // indirect
+	github.com/valyala/fasttemplate v1.2.1 // indirect
+	golang.org/x/crypto v0.0.0-20210817164053-32db794688a5 // indirect
+	golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f // indirect
+	golang.org/x/sys v0.0.0-20211103235746-7861aae1554b // indirect
+	golang.org/x/text v0.3.7 // indirect
+	golang.org/x/time v0.0.0-20201208040808-7e3f01d25324 // indirect
+)

test/go/go.sum

@@ -0,0 +1,38 @@
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
+github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
+github.com/labstack/echo/v4 v4.9.1 h1:GliPYSpzGKlyOhqIbG8nmHBo3i1saKWFOgh41AN3b+Y=
+github.com/labstack/echo/v4 v4.9.1/go.mod h1:Pop5HLc+xoc4qhTZ1ip6C0RtP7Z+4VzRLWZZFKqbbjo=
+github.com/labstack/gommon v0.4.0 h1:y7cvthEAEbU0yHOf4axH8ZG2NH8knB9iNSoTO8dyIk8=
+github.com/labstack/gommon v0.4.0/go.mod h1:uW6kP17uPlLJsD3ijUYn3/M5bAxtlZhMI6m3MFxTMTM=
+github.com/mattn/go-colorable v0.1.11 h1:nQ+aFkoE2TMGc0b68U2OKSexC+eq46+XwZzWXHRmPYs=
+github.com/mattn/go-colorable v0.1.11/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4=
+github.com/mattn/go-isatty v0.0.14 h1:yVuAays6BHfxijgZPzw+3Zlu5yQgKGP2/hcQbHb7S9Y=
+github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw=
+github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
+github.com/valyala/fasttemplate v1.2.1 h1:TVEnxayobAdVkhQfrfes2IzOB6o+z4roRkPF52WA1u4=
+github.com/valyala/fasttemplate v1.2.1/go.mod h1:KHLXt3tVN2HBp8eijSv/kGJopbvo7S+qRAEEKiv+SiQ=
+golang.org/x/crypto v0.0.0-20210817164053-32db794688a5 h1:HWj/xjIHfjYU5nVXpTM0s39J9CbLn7Cc5a7IC5rwsMQ=
+golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f h1:OfiFi4JbukWwe3lzw+xunroH1mnC1e2Gy5cxNJApiSY=
+golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20211103235746-7861aae1554b h1:1VkfZQv42XQlA/jchYumAnv1UPo6RgF9rJFkTgZIxO4=
+golang.org/x/sys v0.0.0-20211103235746-7861aae1554b/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/time v0.0.0-20201208040808-7e3f01d25324 h1:Hir2P/De0WpUhtrKGGjvSb2YxUgyZ7EFOSLIcSSpiwE=
+golang.org/x/time v0.0.0-20201208040808-7e3f01d25324/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo=
+gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

test/go/main.go

@@ -0,0 +1,31 @@
+package main
+
+import (
+	"net/http"
+	"os"
+
+	"github.com/labstack/echo/v4"
+	"github.com/labstack/echo/v4/middleware"
+)
+
+func main() {
+	e := echo.New()
+
+	e.Use(middleware.Logger())
+	e.Use(middleware.Recover())
+
+	e.GET("/", func(c echo.Context) error {
+		return c.HTML(http.StatusOK, "Hello World")
+	})
+
+	e.GET("/ping", func(c echo.Context) error {
+		return c.JSON(http.StatusOK, struct{ Status string }{Status: "OK"})
+	})
+
+	httpPort := os.Getenv("HTTP_PORT")
+	if httpPort == "" {
+		httpPort = "8080"
+	}
+
+	e.Logger.Fatal(e.Start(":" + httpPort))
+}

test/multi-sudo.Dockerfile

@@ -1,9 +1,8 @@
+# syntax=docker/dockerfile:1
 FROM --platform=$BUILDPLATFORM golang:alpine AS build
-
 ARG TARGETPLATFORM
 ARG BUILDPLATFORM
 RUN echo "I am running on $BUILDPLATFORM, building for $TARGETPLATFORM" > /log
-
 RUN apk --update --no-cache add \
     shadow \
     sudo \
@@ -17,6 +16,5 @@ RUN sudo chown buildx. /log
 USER root
 
 FROM alpine
-
 COPY --from=build /log /log
 RUN ls -al /log

test/multi.Dockerfile

@@ -1,3 +1,4 @@
+# syntax=docker/dockerfile:1
 FROM --platform=$BUILDPLATFORM golang:alpine AS build
 
 ARG TARGETPLATFORM

test/nocachefilter.Dockerfile

@@ -0,0 +1,9 @@
+# syntax=docker/dockerfile:1
+FROM busybox AS base
+RUN echo "Hello world!" > /hello
+
+FROM alpine AS build
+COPY --from=base /hello /hello
+RUN uname -a
+
+FROM build

test/secret.Dockerfile

@@ -0,0 +1,4 @@
+# syntax=docker/dockerfile:1
+FROM busybox
+RUN --mount=type=secret,id=MYSECRET \
+  echo "MYSECRET=$(cat /run/secrets/MYSECRET)"

test/shmsize.Dockerfile

@@ -1,2 +1,3 @@
+# syntax=docker/dockerfile:1
 FROM busybox
 RUN mount | grep /dev/shm

test/ulimit.Dockerfile

@@ -1,2 +1,3 @@
+# syntax=docker/dockerfile:1
 FROM busybox
 RUN ulimit -a

tsconfig.json

@@ -2,20 +2,18 @@
   "compilerOptions": {
     "target": "es6",
     "module": "commonjs",
-    "lib": [
-      "es6",
-      "dom"
-    ],
     "newLine": "lf",
     "outDir": "./lib",
     "rootDir": "./src",
+    "esModuleInterop": true,
+    "forceConsistentCasingInFileNames": true,
     "strict": true,
     "noImplicitAny": false,
-    "esModuleInterop": true,
-    "sourceMap": true
+    "useUnknownInCatchVariables": false,
   },
   "exclude": [
     "node_modules",
-    "**/*.test.ts"
+    "**/*.test.ts",
+    "jest.config.ts"
   ]
 }