
Commit 53e933c

committed
add registry-login input for optional registry auth before build
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
1 parent 85f73be commit 53e933c


3 files changed

+62
-12
lines changed


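--- a/.github/workflows/bake.yml
+++ b/.github/workflows/bake.yml
@@ -60,6 +60,11 @@ on:
 description: "Push image to the registry (for image output)"
 required: false
 default: false
+registry-login:
+type: string
+description: "Login to registry before build to allow pulling private images (one of auto, true or false). The auto mode enables login only when output is image and push is true"
+required: false
+default: auto
 sbom:
 type: boolean
 description: "Generate SBOM attestation for the build"
@@ -120,7 +125,7 @@ on:
 required: false
 secrets:
 registry-auths:
-description: "Raw authentication to registries, defined as YAML objects (for image output)"
+description: "Raw authentication to registries, defined as YAML objects"
 required: false
 github-token:
 description: "GitHub Token used to authenticate against the repository for Git context"
@@ -162,6 +167,7 @@ jobs:
 includes: ${{ steps.set.outputs.includes }}
 sign: ${{ steps.set.outputs.sign }}
 ghaCacheSign: ${{ steps.set.outputs.ghaCacheSign }}
+registryLogin: ${{ steps.set.outputs.registryLogin }}
 steps:
 -
 name: Install @docker/actions-toolkit
@@ -240,6 +246,8 @@ jobs:
 INPUT_FILES: ${{ inputs.files }}
 INPUT_OUTPUT: ${{ inputs.output }}
 INPUT_PUSH: ${{ inputs.push }}
+INPUT_REGISTRY-LOGIN: ${{ inputs.registry-login }}
+INPUT_REGISTRY-AUTHS-SET: ${{ secrets.registry-auths != '' }}
 INPUT_SBOM: ${{ inputs.sbom }}
 INPUT_SET: ${{ inputs.set }}
 INPUT_SIGN: ${{ inputs.sign }}
@@ -265,6 +273,8 @@ jobs:
 const inpFiles = Util.getInputList('files');
 const inpOutput = core.getInput('output');
 const inpPush = core.getBooleanInput('push');
+const inpRegistryLogin = core.getInput('registry-login');
+const inpRegistryAuthsSet = core.getBooleanInput('registry-auths-set');
 const inpSbom = core.getBooleanInput('sbom');
 const inpSet = Util.getInputList('set', {ignoreComma: true, quote: false});
 const inpSign = core.getInput('sign');
@@ -296,6 +306,16 @@ jobs:
 return;
 }
 
+if (!['auto', 'true', 'false'].includes(inpRegistryLogin)) {
+core.setFailed(`Invalid registry-login input: ${inpRegistryLogin}`);
+return;
+}
+const registryLogin = inpRegistryLogin === 'auto' ? inpOutput === 'image' && inpPush : inpRegistryLogin === 'true';
+if (registryLogin && !inpRegistryAuthsSet) {
+core.setFailed(`registry-login is enabled but registry-auths secret is not set`);
+return;
+}
+
 const bakeSource = `${process.env.GITHUB_SERVER_URL}/${process.env.GITHUB_REPOSITORY}.git#${process.env.GITHUB_REF}:${inpContext}`;
 await core.group(`Set bake source`, async () => {
 core.info(bakeSource);
@@ -421,6 +441,10 @@ jobs:
 core.info(`ghaCacheSign: ${ghaCacheSign}`);
 core.setOutput('ghaCacheSign', ghaCacheSign);
 });
+await core.group(`Set registryLogin output`, async () => {
+core.info(`registryLogin: ${registryLogin}`);
+core.setOutput('registryLogin', registryLogin);
+});
 
 build:
 runs-on: ${{ matrix.runner }}
@@ -738,7 +762,7 @@ jobs:
 });
 -
 name: Login to registry
-if: ${{ inputs.push && inputs.output == 'image' }}
+if: ${{ needs.prepare.outputs.registryLogin == 'true' }}
 uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
 with:
 registry-auth: ${{ secrets.registry-auths }}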
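Review bot: An explicit `registry-login: false` is accepted even when `push` is true and `output` is `image`, because the new ternary in the prepare script reduces to `inpRegistryLogin === 'true'` for any non-auto value. The `Login to registry` step is then skipped, and the push would presumably fail for missing credentials only after the build has run. If that combination is not meant to be supported, flag it right after `registryLogin` is computed, for example `if (!registryLogin && inpOutput === 'image' && inpPush) core.warning('registry-login is false but push is enabled; the image push will run without a registry login');`. The same logic is added to build.yml, and the script body continues outside these hunks.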

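--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -76,6 +76,11 @@ on:
 description: "Push image to the registry (for image output)"
 required: false
 default: false
+registry-login:
+type: string
+description: "Login to registry before build to allow pulling private images (one of auto, true or false). The auto mode enables login only when output is image and push is true"
+required: false
+default: auto
 sbom:
 type: boolean
 description: "Generate SBOM attestation for the build"
@@ -123,7 +128,7 @@ on:
 required: false
 secrets:
 registry-auths:
-description: "Raw authentication to registries, defined as YAML objects (for image output)"
+description: "Raw authentication to registries, defined as YAML objects"
 required: false
 github-token:
 description: "GitHub Token used to authenticate against the repository for Git context"
@@ -166,6 +171,7 @@ jobs:
 sign: ${{ steps.set.outputs.sign }}
 privateRepo: ${{ steps.set.outputs.privateRepo }}
 ghaCacheSign: ${{ steps.set.outputs.ghaCacheSign }}
+registryLogin: ${{ steps.set.outputs.registryLogin }}
 steps:
 -
 name: Install @docker/actions-toolkit
@@ -242,6 +248,8 @@ jobs:
 INPUT_OUTPUT: ${{ inputs.output }}
 INPUT_PLATFORMS: ${{ inputs.platforms }}
 INPUT_PUSH: ${{ inputs.push }}
+INPUT_REGISTRY-LOGIN: ${{ inputs.registry-login }}
+INPUT_REGISTRY-AUTHS-SET: ${{ secrets.registry-auths != '' }}
 INPUT_SIGN: ${{ inputs.sign }}
 with:
 script: |
@@ -257,6 +265,8 @@ jobs:
 const inpPlatforms = Util.getInputList('platforms');
 const inpOutput = core.getInput('output');
 const inpPush = core.getBooleanInput('push');
+const inpRegistryLogin = core.getInput('registry-login');
+const inpRegistryAuthsSet = core.getBooleanInput('registry-auths-set');
 const inpSign = core.getInput('sign');
 
 let runner = inpRunner;
@@ -284,6 +294,16 @@ jobs:
 return;
 }
 
+if (!['auto', 'true', 'false'].includes(inpRegistryLogin)) {
+core.setFailed(`Invalid registry-login input: ${inpRegistryLogin}`);
+return;
+}
+const registryLogin = inpRegistryLogin === 'auto' ? inpOutput === 'image' && inpPush : inpRegistryLogin === 'true';
+if (registryLogin && !inpRegistryAuthsSet) {
+core.setFailed(`registry-login is enabled but registry-auths secret is not set`);
+return;
+}
+
 if (inpDistribute && inpPlatforms.length > inpMatrixSizeLimit) {
 core.setFailed(`Platforms to build exceed matrix size limit of ${inpMatrixSizeLimit}`);
 return;
@@ -323,6 +343,10 @@ jobs:
 core.info(`ghaCacheSign: ${ghaCacheSign}`);
 core.setOutput('ghaCacheSign', ghaCacheSign);
 });
+await core.group(`Set registryLogin output`, async () => {
+core.info(`registryLogin: ${registryLogin}`);
+core.setOutput('registryLogin', registryLogin);
+});
 
 build:
 runs-on: ${{ matrix.runner }}
@@ -595,7 +619,7 @@ jobs:
 }
 -
 name: Login to registry
-if: ${{ inputs.push && inputs.output == 'image' }}
+if: ${{ needs.prepare.outputs.registryLogin == 'true' }}
 uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
 with:
 registry-auth: ${{ secrets.registry-auths }}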
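Review bot: The `registry-login` input description does not tell callers that `true` logs in with the same `registry-auths` secret that is used for pushing, now also for builds that do not push. That is the new case the rewritten `if:` on the `Login to registry` step allows. A build that only needs to pull private base images then runs with whatever scope that secret carries. If callers reuse push-capable credentials, they are present on the runner during builds that previously ran without any. I would append to the description: `When push is false, provide registry-auths credentials limited to pull access.` The same description is added in bake.yml.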

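--- a/README.md
+++ b/README.md
@@ -234,6 +234,7 @@ on:
 | `output` | String | | Build output destination (one of [`image`](https://docs.docker.com/build/exporters/image-registry/) or [`local`](https://docs.docker.com/build/exporters/local-tar/)). Unlike the `build-push-action`, it only accepts `image` or `local`. The reusable workflow takes care of setting the `outputs` attribute |
 | `platforms` | List/CSV | | List of [target platforms](https://docs.docker.com/engine/reference/commandline/buildx_build/#platform) to build |
 | `push` | Bool | `false` | [Push](https://docs.docker.com/engine/reference/commandline/buildx_build/#push) image to the registry (for `image` output) |
+| `registry-login` | String | `auto` | Login to registry before build to allow pulling private images (one of `auto`, `true` or `false`). The `auto` mode enables login only when output is image and push is true |
 | `sbom` | Bool | `false` | Generate [SBOM](https://docs.docker.com/build/attestations/sbom/) attestation for the build |
 | `shm-size` | String | | Size of [`/dev/shm`](https://docs.docker.com/engine/reference/commandline/buildx_build/#shm-size) (e.g., `2g`) |
 | `sign` | String | `auto` | Sign attestation manifest for `image` output or artifacts for `local` output, can be one of `auto`, `true` or `false`. The `auto` mode will enable signing if `push` is enabled for pushing the `image` or if `artifact-upload` is enabled for uploading the `local` build output as GitHub Artifact |
@@ -247,10 +248,10 @@ on:
 
 #### Secrets
 
-| Name | Default | Description |
-|------------------|-----------------------|--------------------------------------------------------------------------------|
-| `registry-auths` | | Raw authentication to registries, defined as YAML objects (for `image` output) |
-| `github-token` | `${{ github.token }}` | GitHub Token used to authenticate against the repository for Git context |
+| Name | Default | Description |
+|------------------|-----------------------|----------------------------------------------------------------------------------------------------------------|
+| `registry-auths` | | Raw authentication to registries, defined as YAML objects (used for push/signing and optional pre-build login) |
+| `github-token` | `${{ github.token }}` | GitHub Token used to authenticate against the repository for Git context |
 
 ### Bake reusable workflow
 
@@ -338,6 +339,7 @@ on:
 | `files` | List | `{context}/docker-bake.hcl` | List of bake definition files |
 | `output` | String | | Build output destination (one of [`image`](https://docs.docker.com/build/exporters/image-registry/) or [`local`](https://docs.docker.com/build/exporters/local-tar/)). |
 | `push` | Bool | `false` | Push image to the registry (for `image` output) |
+| `registry-login` | String | `auto` | Login to registry before build to allow pulling private images (one of `auto`, `true` or `false`). The `auto` mode enables login only when output is image and push is true |
 | `sbom` | Bool | `false` | Generate [SBOM](https://docs.docker.com/build/attestations/sbom/) attestation for the build |
 | `set` | List | | List of [target values to override](https://docs.docker.com/engine/reference/commandline/buildx_bake/#set) (e.g., `targetpattern.key=value`) |
 | `sign` | String | `auto` | Sign attestation manifest for `image` output or artifacts for `local` output, can be one of `auto`, `true` or `false`. The `auto` mode will enable signing if `push` is enabled for pushing the `image` or if `artifact-upload` is enabled for uploading the `local` build output as GitHub Artifact |
@@ -353,7 +355,7 @@ on:
 
 #### Secrets
 
-| Name | Default | Description |
-|------------------|-----------------------|--------------------------------------------------------------------------------|
-| `registry-auths` | | Raw authentication to registries, defined as YAML objects (for `image` output) |
-| `github-token` | `${{ github.token }}` | GitHub Token used to authenticate against the repository for Git context |
+| Name | Default | Description |
+|------------------|-----------------------|----------------------------------------------------------------------------------------------------------------|
+| `registry-auths` | | Raw authentication to registries, defined as YAML objects (used for push/signing and optional pre-build login) |
+| `github-token` | `${{ github.token }}` | GitHub Token used to authenticate against the repository for Git context |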
