name: ci concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true on: workflow_dispatch: inputs: buildx-version: description: 'Buildx version or Git context' default: 'latest' required: false buildkit-image: description: 'BuildKit image' default: 'moby/buildkit:buildx-stable-1' required: false schedule: - cron: '0 10 * * *' push: branches: - 'master' - 'releases/v*' pull_request: env: BUILDX_VERSION: v0.12.0-rc1 BUILDKIT_IMAGE: moby/buildkit:buildx-stable-1 jobs: minimal: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 with: path: action - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 with: version: ${{ inputs.buildx-version || env.BUILDX_VERSION }} driver-opts: | image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }} - name: Build uses: ./action with: file: ./test/Dockerfile git-context: runs-on: ubuntu-latest services: registry: image: registry:2 ports: - 5000:5000 steps: - name: Checkout uses: actions/checkout@v4 with: path: action - name: Set up QEMU uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx id: buildx uses: docker/setup-buildx-action@v3 with: version: ${{ inputs.buildx-version || env.BUILDX_VERSION }} driver-opts: | network=host image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }} - name: Build and push id: docker_build uses: ./action with: file: ./test/Dockerfile builder: ${{ steps.buildx.outputs.name }} platforms: linux/amd64,linux/arm64 push: true tags: | localhost:5000/name/app:latest localhost:5000/name/app:1.0.0 - name: Inspect run: | docker buildx imagetools inspect localhost:5000/name/app:1.0.0 --format '{{json .}}' - name: Check digest run: | if [ -z "${{ steps.docker_build.outputs.digest }}" ]; then echo "::error::Digest should not be empty" exit 1 fi git-context-secret: runs-on: ubuntu-latest services: registry: image: registry:2 ports: - 5000:5000 steps: - name: Checkout uses: actions/checkout@v4 with: path: action - name: Set up QEMU uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx id: buildx uses: docker/setup-buildx-action@v3 with: version: ${{ inputs.buildx-version || env.BUILDX_VERSION }} driver-opts: | network=host image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }} - name: Build and push id: docker_build uses: ./action with: file: ./test/Dockerfile builder: ${{ steps.buildx.outputs.name }} platforms: linux/amd64,linux/arm64 push: true tags: | localhost:5000/name/app:latest localhost:5000/name/app:1.0.0 secrets: | GIT_AUTH_TOKEN=${{ github.token }} "MYSECRET=aaaaaaaa bbbbbbb ccccccccc" FOO=bar "EMPTYLINE=aaaa bbbb ccc" - name: Inspect run: | docker buildx imagetools inspect localhost:5000/name/app:1.0.0 --format '{{json .}}' - name: Check digest run: | if [ -z "${{ steps.docker_build.outputs.digest }}" ]; then echo "::error::Digest should not be empty" exit 1 fi path-context: runs-on: ubuntu-latest services: registry: image: registry:2 ports: - 5000:5000 steps: - name: Checkout uses: actions/checkout@v4 - name: Set up QEMU uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx id: buildx uses: docker/setup-buildx-action@v3 with: version: ${{ inputs.buildx-version || env.BUILDX_VERSION }} driver-opts: | network=host image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }} - name: Build and push id: docker_build uses: ./ with: context: ./test file: ./test/Dockerfile builder: ${{ steps.buildx.outputs.name }} push: true tags: | localhost:5000/name/app:latest localhost:5000/name/app:1.0.0 - name: Inspect run: | docker buildx imagetools inspect localhost:5000/name/app:1.0.0 --format '{{json .}}' - name: Check digest run: | if [ -z "${{ steps.docker_build.outputs.digest }}" ]; then echo "::error::Digest should not be empty" exit 1 fi example: runs-on: ubuntu-latest env: DOCKER_IMAGE: localhost:5000/name/app services: registry: image: registry:2 ports: - 5000:5000 steps: - name: Checkout uses: actions/checkout@v4 - name: Docker meta id: meta uses: docker/metadata-action@v5 with: images: ${{ env.DOCKER_IMAGE }} tags: | type=schedule type=ref,event=branch type=ref,event=pr type=semver,pattern={{version}} type=semver,pattern={{major}}.{{minor}} type=semver,pattern={{major}} type=sha - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 with: version: ${{ inputs.buildx-version || env.BUILDX_VERSION }} driver-opts: | network=host image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }} - name: Build and export to Docker client uses: ./ with: context: ./test file: ./test/Dockerfile load: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} - name: Build and push to local registry uses: ./ with: context: ./test file: ./test/Dockerfile push: ${{ github.event_name != 'pull_request' }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} - name: Inspect image run: | docker image inspect ${{ env.DOCKER_IMAGE }}:${{ steps.meta.outputs.version }} - name: Check manifest if: github.event_name != 'pull_request' run: | docker buildx imagetools inspect ${{ env.DOCKER_IMAGE }}:${{ steps.meta.outputs.version }} --format '{{json .}}' error: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 - name: Stop docker run: | sudo systemctl stop docker docker.socket - name: Build id: docker_build continue-on-error: true uses: ./ with: context: ./test file: ./test/Dockerfile - name: Check run: | echo "${{ toJson(steps.docker_build) }}" if [ "${{ steps.docker_build.outcome }}" != "failure" ] || [ "${{ steps.docker_build.conclusion }}" != "success" ]; then echo "::error::Should have failed" exit 1 fi error-buildx: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 - name: Set up QEMU uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 with: version: ${{ inputs.buildx-version || env.BUILDX_VERSION }} driver-opts: | image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }} - name: Build id: docker_build continue-on-error: true uses: ./ with: context: ./test file: ./test/Dockerfile platforms: linux/386,linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64,linux/ppc64le,linux/s390x push: true tags: localhost:5000/name/app:latest - name: Check run: | echo "${{ toJson(steps.docker_build) }}" if [ "${{ steps.docker_build.outcome }}" != "failure" ] || [ "${{ steps.docker_build.conclusion }}" != "success" ]; then echo "::error::Should have failed" exit 1 fi docker-driver: runs-on: ubuntu-latest services: registry: image: registry:2 ports: - 5000:5000 steps: - name: Checkout uses: actions/checkout@v4 - name: Build id: docker_build uses: ./ with: context: ./test file: ./test/Dockerfile push: true tags: localhost:5000/name/app:latest export-docker: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 - name: Build uses: ./ with: context: ./test file: ./test/Dockerfile load: true tags: myimage:latest - name: Inspect run: | docker image inspect myimage:latest secret: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 with: version: ${{ inputs.buildx-version || env.BUILDX_VERSION }} driver-opts: | image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }} - name: Build uses: ./ with: context: . file: ./test/secret.Dockerfile secrets: | MYSECRET=foo INVALID_SECRET= secret-envs: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 - name: Set up Docker buildx uses: docker/setup-buildx-action@v3 with: version: ${{ inputs.buildx-version || env.BUILDX_VERSION }} driver-opts: | image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }} - name: Build uses: ./ env: ENV_SECRET: foo with: context: . file: ./test/secret.Dockerfile secret-envs: | MYSECRET=ENV_SECRET INVALID_SECRET= network: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 with: version: ${{ inputs.buildx-version || env.BUILDX_VERSION }} driver-opts: | image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }} - name: List networks run: docker network ls - name: Build uses: ./ with: context: ./test tags: name/app:latest network: host shm-size: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 with: version: ${{ inputs.buildx-version || env.BUILDX_VERSION }} driver-opts: | image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }} - name: Build uses: ./ with: context: ./test file: ./test/shmsize.Dockerfile tags: name/app:latest shm-size: 2g ulimit: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 with: version: ${{ inputs.buildx-version || env.BUILDX_VERSION }} driver-opts: | network=host image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }} - name: Build uses: ./ with: context: ./test file: ./test/ulimit.Dockerfile tags: name/app:latest ulimit: | nofile=1024:1024 nproc=3 cgroup-parent: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 with: version: ${{ inputs.buildx-version || env.BUILDX_VERSION }} driver-opts: | network=host image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }} - name: Build uses: ./ with: context: ./test file: ./test/cgroup.Dockerfile tags: name/app:latest cgroup-parent: foo add-hosts: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 with: version: ${{ inputs.buildx-version || env.BUILDX_VERSION }} driver-opts: | network=host image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }} - name: Build uses: ./ with: context: ./test file: ./test/addhost.Dockerfile tags: name/app:latest add-hosts: | docker:10.180.0.1 foo:10.0.0.1 no-cache-filters: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 with: version: ${{ inputs.buildx-version || env.BUILDX_VERSION }} driver-opts: | image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }} - name: Build uses: ./ with: context: ./test file: ./test/nocachefilter.Dockerfile no-cache-filters: build tags: name/app:latest cache-from: type=gha,scope=nocachefilter cache-to: type=gha,scope=nocachefilter,mode=max attests-compat: runs-on: ubuntu-latest strategy: fail-fast: false matrix: include: - buildx: latest buildkit: moby/buildkit:buildx-stable-1 - buildx: latest buildkit: moby/buildkit:v0.10.6 - buildx: v0.9.1 buildkit: moby/buildkit:buildx-stable-1 steps: - name: Checkout uses: actions/checkout@v4 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 with: version: ${{ matrix.buildx }} driver-opts: | network=host image=${{ matrix.buildkit }} - name: Build uses: ./ with: context: ./test/go file: ./test/go/Dockerfile outputs: type=cacheonly provenance: runs-on: ubuntu-latest strategy: fail-fast: false matrix: attrs: - '' - mode=max - builder-id=foo - false - true steps: - name: Checkout uses: actions/checkout@v4 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 with: version: ${{ inputs.buildx-version || env.BUILDX_VERSION }} driver-opts: | network=host image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }} - name: Build uses: ./ with: context: ./test/go file: ./test/go/Dockerfile target: binary outputs: type=oci,dest=/tmp/build.tar provenance: ${{ matrix.attrs }} cache-from: type=gha,scope=provenance cache-to: type=gha,scope=provenance,mode=max sbom: runs-on: ubuntu-latest strategy: fail-fast: false matrix: include: - target: image output: type=image,name=localhost:5000/name/app:latest,push=true - target: binary output: /tmp/buildx-build services: registry: image: registry:2 ports: - 5000:5000 steps: - name: Checkout uses: actions/checkout@v4 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 with: version: ${{ inputs.buildx-version || env.BUILDX_VERSION }} driver-opts: | network=host image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }} - name: Build uses: ./ with: context: ./test/go file: ./test/go/Dockerfile target: ${{ matrix.target }} outputs: ${{ matrix.output }} sbom: true cache-from: type=gha,scope=attests-${{ matrix.target }} cache-to: type=gha,scope=attests-${{ matrix.target }},mode=max - name: Inspect image if: matrix.target == 'image' run: | docker buildx imagetools inspect localhost:5000/name/app:latest --format '{{json .}}' - name: Check output folder if: matrix.target == 'binary' run: | tree /tmp/buildx-build - name: Print provenance if: matrix.target == 'binary' run: | cat /tmp/buildx-build/provenance.json | jq - name: Print SBOM if: matrix.target == 'binary' run: | cat /tmp/buildx-build/sbom.spdx.json | jq multi: runs-on: ubuntu-latest strategy: fail-fast: false matrix: dockerfile: - multi - multi-sudo services: registry: image: registry:2 ports: - 5000:5000 steps: - name: Checkout uses: actions/checkout@v4 - name: Set up QEMU uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx id: buildx uses: docker/setup-buildx-action@v3 with: version: ${{ inputs.buildx-version || env.BUILDX_VERSION }} driver-opts: | network=host image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }} - name: Build and push id: docker_build uses: ./ with: context: ./test file: ./test/${{ matrix.dockerfile }}.Dockerfile builder: ${{ steps.buildx.outputs.name }} platforms: linux/amd64,linux/arm64 push: true tags: | localhost:5000/name/app:latest localhost:5000/name/app:1.0.0 - name: Inspect run: | docker buildx imagetools inspect localhost:5000/name/app:1.0.0 --format '{{json .}}' - name: Check digest run: | if [ -z "${{ steps.docker_build.outputs.digest }}" ]; then echo "::error::Digest should not be empty" exit 1 fi digest: runs-on: ubuntu-latest env: DOCKER_IMAGE: localhost:5000/name/app strategy: fail-fast: false matrix: driver: - docker - docker-container load: - true - false push: - true - false exclude: - driver: docker load: true push: true - driver: docker-container load: true push: true services: registry: image: registry:2 ports: - 5000:5000 steps: - name: Checkout uses: actions/checkout@v4 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 with: version: ${{ inputs.buildx-version || env.BUILDX_VERSION }} driver: ${{ matrix.driver }} driver-opts: | network=host - name: Build id: docker_build uses: ./ with: context: ./test load: ${{ matrix.load }} push: ${{ matrix.push }} tags: ${{ env.DOCKER_IMAGE }}:latest platforms: ${{ matrix.platforms }} - name: Docker images run: | docker image ls --no-trunc - name: Check digest run: | if [[ "${{ matrix.driver }}" = "docker-container" ]] && [[ "${{ matrix.load }}" = "false" ]] && [[ "${{ matrix.push }}" = "false" ]]; then if [ -n "${{ steps.docker_build.outputs.digest }}" ]; then echo "::error::Digest should be empty" exit 1 fi elif [[ "${{ matrix.push }}" = "true" ]] && [[ -z "${{ steps.docker_build.outputs.digest }}" ]]; then echo "::error::Digest should not be empty" exit 1 fi - name: Check manifest if: ${{ matrix.push }} run: | set -x docker buildx imagetools inspect ${{ env.DOCKER_IMAGE }}@${{ steps.docker_build.outputs.digest }} --format '{{json .}}' - name: Check image ID run: | if [[ "${{ matrix.driver }}" = "docker-container" ]] && [[ "${{ matrix.load }}" = "false" ]] && [[ "${{ matrix.push }}" = "false" ]]; then if [ -n "${{ steps.docker_build.outputs.imageid }}" ]; then echo "::error::Image ID should be empty" exit 1 fi elif [ -z "${{ steps.docker_build.outputs.imageid }}" ]; then echo "::error::Image ID should not be empty" exit 1 fi - name: Inspect image if: ${{ matrix.load }} run: | set -x docker image inspect ${{ steps.docker_build.outputs.imageid }} registry-cache: runs-on: ubuntu-latest services: registry: image: registry:2 ports: - 5000:5000 steps: - name: Checkout uses: actions/checkout@v4 - name: Set up QEMU uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 with: version: ${{ inputs.buildx-version || env.BUILDX_VERSION }} driver-opts: | network=host image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }} - name: Build and push id: docker_build uses: ./ with: context: ./test file: ./test/multi.Dockerfile builder: ${{ steps.buildx.outputs.name }} platforms: linux/amd64,linux/arm64 push: true tags: | localhost:5000/name/app:latest localhost:5000/name/app:1.0.0 cache-from: type=registry,ref=localhost:5000/name/app cache-to: type=inline - name: Inspect run: | docker buildx imagetools inspect localhost:5000/name/app:latest --format '{{json .}}' - name: Check digest run: | if [ -z "${{ steps.docker_build.outputs.digest }}" ]; then echo "::error::Digest should not be empty" exit 1 fi github-cache: runs-on: ubuntu-latest services: registry: image: registry:2 ports: - 5000:5000 steps: - name: Checkout uses: actions/checkout@v4 - name: Set up QEMU uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 with: version: ${{ inputs.buildx-version || env.BUILDX_VERSION }} driver-opts: | network=host image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }} buildkitd-flags: --debug - name: Build and push uses: ./ with: context: ./test file: ./test/multi.Dockerfile platforms: linux/amd64,linux/arm64 push: true tags: | localhost:5000/name/app:latest localhost:5000/name/app:1.0.0 cache-from: type=gha,scope=ci-${{ matrix.buildx_version }} cache-to: type=gha,scope=ci-${{ matrix.buildx_version }} - name: Inspect run: | docker buildx imagetools inspect localhost:5000/name/app:1.0.0 --format '{{json .}}' standalone: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 - name: Uninstall docker cli run: | if dpkg -s "docker-ce" >/dev/null 2>&1; then sudo dpkg -r --force-depends docker-ce-cli docker-buildx-plugin else sudo apt-get purge -y moby-cli moby-buildx fi - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 with: version: ${{ inputs.buildx-version || env.BUILDX_VERSION }} driver-opts: | network=host image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }} - name: Build uses: ./ with: context: ./test file: ./test/Dockerfile named-context-pin: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 with: version: ${{ inputs.buildx-version || env.BUILDX_VERSION }} driver-opts: | image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }} - name: Build base image uses: ./ with: context: ./test file: ./test/named-context.Dockerfile build-contexts: | alpine=docker-image://alpine:edge named-context-docker: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 with: version: ${{ inputs.buildx-version || env.BUILDX_VERSION }} driver: docker - name: Build base image uses: ./ with: context: ./test file: ./test/named-context-base.Dockerfile load: true tags: my-base-image:local - name: Build uses: ./ with: context: ./test file: ./test/named-context.Dockerfile build-contexts: | base=docker-image://my-base-image:local named-context-container: runs-on: ubuntu-latest services: registry: image: registry:2 ports: - 5000:5000 steps: - name: Checkout uses: actions/checkout@v4 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 with: version: ${{ inputs.buildx-version || env.BUILDX_VERSION }} driver-opts: | image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }} network=host - name: Build base image uses: ./ with: context: ./test file: ./test/named-context-base.Dockerfile tags: localhost:5000/my-base-image:latest push: true - name: Build uses: ./ with: context: ./test file: ./test/named-context.Dockerfile build-contexts: | alpine=docker-image://localhost:5000/my-base-image:latest docker-config-malformed: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 - name: Set malformed docker config run: | mkdir -p ~/.docker echo 'foo_bar' >> ~/.docker/config.json - name: Build uses: ./ with: context: ./test proxy-docker-config: runs-on: ubuntu-latest services: squid-proxy: image: ubuntu/squid:latest ports: - 3128:3128 steps: - name: Check proxy run: | netstat -aptn curl --retry 5 --retry-all-errors --retry-delay 0 --connect-timeout 5 --proxy http://127.0.0.1:3128 -v --insecure --head https://www.google.com - name: Checkout uses: actions/checkout@v4 - name: Set proxy config run: | mkdir -p ~/.docker echo '{"proxies":{"default":{"httpProxy":"http://127.0.0.1:3128","httpsProxy":"http://127.0.0.1:3128"}}}' > ~/.docker/config.json - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 with: version: ${{ inputs.buildx-version || env.BUILDX_VERSION }} driver-opts: | image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }} network=host buildkitd-flags: --debug - name: Build uses: ./ with: context: ./test file: ./test/proxy.Dockerfile proxy-buildkitd: runs-on: ubuntu-latest services: squid-proxy: image: ubuntu/squid:latest ports: - 3128:3128 steps: - name: Check proxy run: | netstat -aptn curl --retry 5 --retry-all-errors --retry-delay 0 --connect-timeout 5 --proxy http://127.0.0.1:3128 -v --insecure --head https://www.google.com - name: Checkout uses: actions/checkout@v4 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 with: version: ${{ inputs.buildx-version || env.BUILDX_VERSION }} driver-opts: | image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }} network=host env.http_proxy=http://127.0.0.1:3128 env.https_proxy=http://127.0.0.1:3128 buildkitd-flags: --debug - name: Build uses: ./ with: context: ./test file: ./test/Dockerfile