diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ead1af4..fcffb71 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -691,3 +691,25 @@ jobs:
 ./lint.hcl
 env:
 DOCKER_BUILD_CHECKS_ANNOTATIONS: false
+
+ allow:
+ runs-on: ubuntu-latest
+ steps:
+ -
+ name: Checkout
+ uses: actions/checkout@v4
+ -
+ name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+ with:
+ version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+ driver-opts: |
+ image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+ -
+ name: Build
+ uses: ./
+ with:
+ files: |
+ ./test/config.hcl
+ allow: network.host
+ targets: app-entitlements
diff --git a/README.md b/README.md
index 7e89d91..efedf38 100644
--- a/README.md
+++ b/README.md
@@ -184,6 +184,7 @@ The following inputs can be used as `step.with` keys
 |----------------|-------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | `builder` | String | Builder instance (see [setup-buildx](https://github.com/docker/setup-buildx-action) action) |
 | `source` | String | Context to build from. Can be either local (`.`) or a [remote bake definition](https://docs.docker.com/build/customize/bake/file-definition/#remote-definition) |
+| `allow` | List/CSV | Allow build to access specified resources (e.g., `network.host`) |
 | `files` | List/CSV | List of [bake definition files](https://docs.docker.com/build/customize/bake/file-definition/) |
 | `workdir` | String | Working directory of execution |
 | `targets` | List/CSV | List of bake targets (`default` target used if empty) |
@@ -193,7 +194,7 @@ The following inputs can be used as `step.with` keys
 | `provenance` | Bool/String | [Provenance](https://docs.docker.com/build/attestations/slsa-provenance/) is a shorthand for `--set=*.attest=type=provenance` |
 | `push` | Bool | Push is a shorthand for `--set=*.output=type=registry` (default `false`) |
 | `sbom` | Bool/String | [SBOM](https://docs.docker.com/build/attestations/sbom/) is a shorthand for `--set=*.attest=type=sbom` |
-| `set` | List | List of [targets values to override](https://docs.docker.com/engine/reference/commandline/buildx_bake/#set) (eg: `targetpattern.key=value`) |
+| `set` | List | List of [targets values to override](https://docs.docker.com/engine/reference/commandline/buildx_bake/#set) (e.g., `targetpattern.key=value`) |
 | `github-token` | String | API token used to authenticate to a Git repository for [remote definitions](https://docs.docker.com/build/bake/remote-definition/) (default `${{ github.token }}`) |
 
 ### outputs
diff --git a/__tests__/context.test.ts b/__tests__/context.test.ts
index 8725ebc..d4a20bd 100644
--- a/__tests__/context.test.ts
+++ b/__tests__/context.test.ts
@@ -330,6 +330,23 @@ describe('getArgs', () => {
 '--provenance', `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
 ]
 ],
+[
+12,
+'0.17.0',
+new Map([
+['allow', 'network.host'],
+['load', 'false'],
+['no-cache', 'false'],
+['push', 'false'],
+['pull', 'false'],
+]),
+[
+'bake',
+'--allow', 'network.host',
+'--metadata-file', metadataJson,
+"--provenance", `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`
+]
+],
 ])(
 '[%d] given %p with %p as inputs, returns %p',
 async (num: number, buildxVersion: string, inputs: Map, expected: Array) => {
diff --git a/action.yml b/action.yml
index 8ca21a8..361f317 100644
--- a/action.yml
+++ b/action.yml
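Review bot: The new `getArgs` case only exercises buildx `0.17.0` with `allow` set, so the version gate that src/context.ts adds in this same commit (no `--allow` below 0.17.0) has no test; a second entry with an older `buildxVersion` such as `'0.16.0'` (constructed example) and the same `allow` input, whose `expected` array carries no `--allow`, would pin that branch. The entry also writes `"--provenance"` with double quotes where the neighbouring entries use single quotes; `'--provenance', `mode=min,...`` keeps the table consistent. The `describe('getArgs')` table starts before the hunk and the test callback continues after it.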
@@ -13,6 +13,9 @@ inputs:
 source:
 description: "Context to build from. Can be either local or a remote bake definition"
 required: false
+ allow:
+ description: "Allow build to access specified resources (e.g., network.host)"
+ required: false
 files:
 description: "List of bake definition files"
 required: false
diff --git a/src/context.ts b/src/context.ts
index 0ea15bd..c2a1e03 100644
--- a/src/context.ts
+++ b/src/context.ts
@@ -11,6 +11,7 @@ import {Util} from '@docker/actions-toolkit/lib/util';
 import {BakeDefinition} from '@docker/actions-toolkit/lib/types/buildx/bake';
 
 export interface Inputs {
+ allow: string[];
 builder: string;
 files: string[];
 workdir: string;
@@ -28,6 +29,7 @@ export interface Inputs {
 
 export async function getInputs(): Promise {
 return {
+ allow: Util.getInputList('allow'),
 builder: core.getInput('builder'),
 files: Util.getInputList('files'),
 workdir: core.getInput('workdir') || '.',
@@ -80,6 +82,11 @@ async function getBakeArgs(inputs: Inputs, definition: BakeDefinition, toolkit:
 if (inputs.source) {
 args.push(inputs.source);
 }
+ if (await toolkit.buildx.versionSatisfies('>=0.17.0')) {
+ if (inputs.allow.length > 0) {
+ args.push('--allow', inputs.allow.join(','));
+ }
+ }
 await Util.asyncForEach(inputs.files, async file => {
 args.push('--file', file);
 });
diff --git a/test/config.hcl b/test/config.hcl
index 3d74018..6e48771 100644
--- a/test/config.hcl
+++ b/test/config.hcl
@@ -42,3 +42,8 @@ target "app-proxy" {
 inherits = ["app"]
 dockerfile = "proxy.Dockerfile"
 }
+
+target "app-entitlements" {
+ inherits = ["app"]
+ entitlements = ["network.host"]
+}
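Review bot: The `allow` description in action.yml does not say that the value is handed to `buildx bake --allow`, that it lifts a build isolation boundary (e.g. `network.host` gives the build host networking), or that it is only passed for buildx >= 0.17.0, which is the gate src/context.ts adds in this commit; that is what a workflow author needs before granting an entitlement to a build. Suggest `description: "Entitlements passed to buildx bake --allow, e.g. network.host (requires buildx >= 0.17.0)"`.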
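Review bot: In the new block in getBakeArgs the `allow` input is dropped without any message when buildx is older than 0.17.0, so a workflow that asked for an entitlement runs a bake that either fails later or quietly lacks it. `core` is already used in this file (`core.getInput` in the getInputs hunk), so an `else` branch can surface this: `} else if (inputs.allow.length > 0) {` / `core.warning('allow input ignored: buildx >= 0.17.0 is required for --allow');` / `}`. Entitlements such as `network.host` relax build isolation, so whether they were applied or skipped belongs in the job log. getBakeArgs starts before the hunk and continues after it.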