From a5959dc3d1ff163a11dcc323e46e812f569e594a Mon Sep 17 00:00:00 2001
From: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Date: Fri, 22 Nov 2024 08:24:48 +0100
Subject: [PATCH] allow filesystem entitlements by default
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
---
 .github/workflows/ci.yml | 9 ++++++++-
 src/context.ts | 8 ++++++--
 2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index fcffb71..df0ece1 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -694,6 +694,13 @@ jobs:
 allow:
 runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ matrix:
+ buildx-version:
+ - v0.19.0-rc1
+ - v0.18.0
+ - v0.17.1
 steps:
 -
 name: Checkout
@@ -702,7 +709,7 @@ jobs:
 name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v3
 with:
- version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+ version: ${{ matrix.buildx-version }}
 driver-opts: |
 image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
 -
diff --git a/src/context.ts b/src/context.ts
index c2a1e03..6891b45 100644
--- a/src/context.ts
+++ b/src/context.ts
@@ -83,9 +83,13 @@ async function getBakeArgs(inputs: Inputs, definition: BakeDefinition, toolkit:
 args.push(inputs.source);
 }
 if (await toolkit.buildx.versionSatisfies('>=0.17.0')) {
- if (inputs.allow.length > 0) {
- args.push('--allow', inputs.allow.join(','));
+ if (await toolkit.buildx.versionSatisfies('>=0.18.0')) {
+ // allow filesystem entitlements by default
+ inputs.allow.push('fs=/');
 }
+ await Util.asyncForEach(inputs.allow, async allow => {
+ args.push('--allow', allow);
+ });
 }
 await Util.asyncForEach(inputs.files, async file => {
 args.push('--file', file);
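Review bot: With `version: ${{ matrix.buildx-version }}` the allow job no longer honours the `inputs.buildx-version || env.BUILDX_VERSION` override used by the removed line, so a run dispatched with a custom buildx version is no longer exercised by this job. The matrix in the preceding hunk also pins a release candidate, `v0.19.0-rc1`, which will need replacing once the final release exists. A short comment above the matrix, such as `# one entry per branch of the buildx version checks in src/context.ts (>=0.17.0, >=0.18.0)`, would explain why these three versions are there. The job's steps continue outside the hunk, so whether it asserts the generated `--allow` arguments is not visible here.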
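Review bot: The added `inputs.allow.push('fs=/')` grants the bake run access to the whole runner filesystem on every buildx >= 0.18.0, whether or not the workflow asked for it, so the filesystem entitlement no longer constrains a definition loaded from a remote `source` or an untrusted branch. The same line mutates the caller's `inputs.allow`, so the entry accumulates if getBakeArgs runs more than once on the same inputs, and it is appended even when the user already passed an `fs` entitlement of their own. I would copy first, `const allow = [...inputs.allow];`, append the default only when no user entry starts with `fs`, and scope it to the workspace directory rather than `/` (or put the broad default behind an opt-out input). The comment `// allow filesystem entitlements by default` should also say why the default is needed and what it exposes, so a later reader does not take it for a harmless compatibility shim. getBakeArgs begins and ends outside the hunk.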