From c4b93323b33c07550fdd9901728157b2c284393b Mon Sep 17 00:00:00 2001
From: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Date: Thu, 8 Jan 2026 11:46:16 +0100
Subject: [PATCH] authentication token scopes support

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
---
 .github/workflows/.test-bake.yml | 84 +++++++++++++++++++++++++++++++
 .github/workflows/.test-build.yml | 34 +++++++++++++
 .github/workflows/bake.yml | 18 +++++--
 .github/workflows/build.yml | 18 +++++--
 .github/workflows/verify.yml | 2 +
 5 files changed, 146 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/.test-bake.yml b/.github/workflows/.test-bake.yml
index 7ce57b7..f66359e 100644
--- a/.github/workflows/.test-bake.yml
+++ b/.github/workflows/.test-bake.yml
@@ -179,6 +179,55 @@ jobs:
 const builderOutputs = JSON.parse(core.getInput('builder-outputs'));
 core.info(JSON.stringify(builderOutputs, null, 2));

+ bake-dockerhub-stage:
+ uses: ./.github/workflows/bake.yml
+ permissions:
+ contents: read
+ id-token: write
+ with:
+ context: test
+ output: image
+ push: ${{ github.event_name != 'pull_request' }}
+ sbom: true
+ target: hello-cross
+ meta-images: |
+ registry-1-stage.docker.io/docker/github-builder-test
+ meta-tags: |
+ type=raw,value=bake-ghbuilder-${{ github.run_id }}
+ secrets:
+ registry-auths: |
+ - registry: registry-1-stage.docker.io
+ username: ${{ vars.DOCKERHUB_STAGE_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_STAGE_TOKEN }}
+
+ bake-dockerhub-stage-verify:
+ uses: ./.github/workflows/verify.yml
+ if: ${{ github.event_name != 'pull_request' }}
+ needs:
+ - bake-dockerhub-stage
+ with:
+ builder-outputs: ${{ toJSON(needs.bake-dockerhub-stage.outputs) }}
+ secrets:
+ registry-auths: |
+ - registry: registry-1-stage.docker.io
+ username: ${{ vars.DOCKERHUB_STAGE_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_STAGE_TOKEN }}
+
+ bake-dockerhub-stage-outputs:
+ runs-on: ubuntu-24.04
+ needs:
+ - bake-dockerhub-stage
+ steps:
+ -
+ name: Builder outputs
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+ env:
+ INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.bake-dockerhub-stage.outputs) }}
+ with:
+ script: |
+ const builderOutputs = JSON.parse(core.getInput('builder-outputs'));
+ core.info(JSON.stringify(builderOutputs, null, 2));
+
 bake-ghcr-and-aws:
 uses: ./.github/workflows/bake.yml
 permissions:
@@ -395,3 +444,38 @@ jobs:
 public.ecr.aws/q3b5f1u4/test-docker-action
 meta-tags: |
 type=raw,value=bake-ghbuilder-${{ github.run_id }}
+
+ bake-auth-scope:
+ uses: ./.github/workflows/bake.yml
+ permissions:
+ contents: read
+ id-token: write
+ with:
+ context: test
+ output: image
+ push: ${{ github.event_name != 'pull_request' }}
+ sbom: true
+ target: hello-cross
+ meta-images: |
+ registry-1-stage.docker.io/docker/github-builder-test
+ meta-tags: |
+ type=raw,value=bake-ghbuilder-scope-${{ github.run_id }}
+ secrets:
+ registry-auths: |
+ - registry: registry-1-stage.docker.io
+ username: ${{ vars.DOCKERHUB_STAGE_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_STAGE_TOKEN }}
+ scope: '@push'
+
+ bake-auth-scope-verify:
+ uses: ./.github/workflows/verify.yml
+ if: ${{ github.event_name != 'pull_request' }}
+ needs:
+ - bake-auth-scope
+ with:
+ builder-outputs: ${{ toJSON(needs.bake-auth-scope.outputs) }}
+ secrets:
+ registry-auths: |
+ - registry: registry-1-stage.docker.io
+ username: ${{ vars.DOCKERHUB_STAGE_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_STAGE_TOKEN }}
diff --git a/.github/workflows/.test-build.yml b/.github/workflows/.test-build.yml
index 457c5ea..f9982d2 100644
--- a/.github/workflows/.test-build.yml
+++ b/.github/workflows/.test-build.yml
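Review bot: `bake-auth-scope` passes `scope: '@push'` in `registry-auths`, but nothing in the job checks that a scoped token was actually negotiated, so a silent fallback to an unscoped login would leave this test green; the same holds for `build-auth-scope` in the `.test-build.yml` hunk. Its `bake-auth-scope-verify` companion reuses the same unscoped `DOCKERHUB_STAGE_*` credentials, which is presumably required for verification but is not stated anywhere. Suggest a job-level comment such as `# exercises docker/login-action scoped tokens ('@push'); the verify job intentionally logs in unscoped` and, if login-action exposes an output for the negotiated scope, a step that fails when it is empty.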
@@ -490,3 +490,37 @@ jobs:
 meta-images: ghcr.io/docker/github-builder-test
 meta-tags: |
 type=raw,value=build-${{ github.run_id }}
+
+ build-auth-scope:
+ uses: ./.github/workflows/build.yml
+ permissions:
+ contents: read
+ id-token: write
+ with:
+ file: test/hello.Dockerfile
+ output: image
+ platforms: linux/amd64,linux/arm64
+ push: ${{ github.event_name != 'pull_request' }}
+ sbom: true
+ meta-images: registry-1-stage.docker.io/docker/github-builder-test
+ meta-tags: |
+ type=raw,value=build-scope-${{ github.run_id }}
+ secrets:
+ registry-auths: |
+ - registry: registry-1-stage.docker.io
+ username: ${{ vars.DOCKERHUB_STAGE_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_STAGE_TOKEN }}
+ scope: '@push'
+
+ build-auth-scope-verify:
+ uses: ./.github/workflows/verify.yml
+ if: ${{ github.event_name != 'pull_request' }}
+ needs:
+ - build-auth-scope
+ with:
+ builder-outputs: ${{ toJSON(needs.build-auth-scope.outputs) }}
+ secrets:
+ registry-auths: |
+ - registry: registry-1-stage.docker.io
+ username: ${{ vars.DOCKERHUB_STAGE_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_STAGE_TOKEN }}
diff --git a/.github/workflows/bake.yml b/.github/workflows/bake.yml
index f24accd..ebc64a9 100644
--- a/.github/workflows/bake.yml
+++ b/.github/workflows/bake.yml
@@ -137,7 +137,7 @@ on:
 value: ${{ jobs.finalize.outputs.signed }}

 env:
- BUILDX_VERSION: "v0.30.1"
+ BUILDX_VERSION: "https://github.com/docker/buildx.git#8037f199dbf353dd0bc51b6d4f4cec64544dbcdd" # TODO: pin to a specific version when scope feature is available
 BUILDKIT_IMAGE: "moby/buildkit:master@sha256:bdefeba47634c596286beabe68219708ed364c4f1a5e4e9a2e160274712a0e89" # TODO: pin to a specific version when signed gha cache feature is available
 DOCKER_ACTIONS_TOOLKIT_MODULE: "@docker/actions-toolkit@0.72.0"
 COSIGN_VERSION: "v3.0.2"
@@ -358,7 +358,6 @@ jobs:
 uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 with:
 version: ${{ env.BUILDX_VERSION }}
- cache-binary: false
 buildkitd-flags: --debug
 driver-opts: |
 image=${{ env.BUILDKIT_IMAGE }}
@@ -603,7 +602,7 @@ jobs:
 -
 name: Login to registry
 if: ${{ inputs.push && inputs.output == 'image' }}
- uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+ uses: docker/login-action@scope # TODO: pin to a specific version when scope feature is supported
 with:
 registry-auth: ${{ secrets.registry-auths }}
 -
@@ -634,6 +633,14 @@ jobs:
 const imageDigest = inpMetadata[inpTarget]['containerimage.digest'];
 core.info(imageDigest);
 core.setOutput('digest', imageDigest);
+ -
+ name: Login to registry for signing
+ if: ${{ needs.prepare.outputs.sign == 'true' && inputs.output == 'image' }}
+ uses: docker/login-action@scope # TODO: pin to a specific version when scope feature is supported
+ with:
+ registry-auth: ${{ secrets.registry-auths }}
+ env:
+ DOCKER_LOGIN_SCOPE_DISABLED: true # make sure the scope feature is disabled to avoid interfering with cosign OIDC login
 -
 name: Signing attestation manifests
 id: signing-attestation-manifests
@@ -784,9 +791,11 @@ jobs:
 -
 name: Login to registry
 if: ${{ inputs.push && inputs.output == 'image' }}
- uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+ uses: docker/login-action@scope # TODO: pin to a specific version when scope feature is supported
 with:
 registry-auth: ${{ secrets.registry-auths }}
+ env:
+ DOCKER_LOGIN_SCOPE_DISABLED: true # FIXME: scope feature is not yet supported by Buildx imagetools command
 -
 name: Set up Docker Buildx
 if: ${{ inputs.push && inputs.output == 'image' }}
@@ -795,7 +804,6 @@ jobs:
 version: ${{ env.BUILDX_VERSION }}
 buildkitd-flags: --debug
 driver-opts: image=${{ env.BUILDKIT_IMAGE }}
- cache-binary: false
 -
 name: Create manifest
 if: ${{ inputs.output == 'image' }}
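Review bot: `uses: docker/login-action@scope` in the `Login to registry` step of the `@@ -603` hunk is a mutable branch reference on the action that receives `secrets.registry-auths`, so the code that handles the registry credentials can change under this workflow without any commit here; every other action in these workflows (setup-buildx-action, github-script) is pinned to a full commit SHA, and the `BUILDX_VERSION` change in this same patch already pins the buildx source build to a commit. The TODO only covers the eventual move to a release, so until then pin the branch head: `uses: docker/login-action@<SCOPE_BRANCH_HEAD_SHA> # scope branch, TODO: pin to a release when scope feature is supported`. The same applies to the `@@ -634` and `@@ -784` hunks of bake.yml and to the `@@ -512`, `@@ -538` and `@@ -687` hunks of build.yml.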
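Review bot: The new `Login to registry for signing` step in the `@@ -634` hunk logs in again with the full `secrets.registry-auths` credentials and `DOCKER_LOGIN_SCOPE_DISABLED: true`, which replaces the scoped `@push` session from the earlier login with an unscoped one for the remainder of the job; the inline comment explains the cosign OIDC interaction but not why signing cannot run under the scoped token. Its condition also keys on `needs.prepare.outputs.sign` rather than on `inputs.push` like the first login step, so it presumably runs even when nothing was pushed — worth confirming that is intended. Suggest recording the reason next to the env var, e.g. `# unscoped re-login: TODO(owner) state what signing needs beyond the '@push' scope; scope is disabled so it does not interfere with cosign OIDC login`; the same comment belongs on the `@@ -538` hunk of build.yml.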
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 784525d..67f368f 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -144,7 +144,7 @@ on:
 value: ${{ jobs.finalize.outputs.signed }}

 env:
- BUILDX_VERSION: "v0.30.1"
+ BUILDX_VERSION: "https://github.com/docker/buildx.git#8037f199dbf353dd0bc51b6d4f4cec64544dbcdd" # TODO: pin to a specific version when scope feature is available
 BUILDKIT_IMAGE: "moby/buildkit:master@sha256:bdefeba47634c596286beabe68219708ed364c4f1a5e4e9a2e160274712a0e89" # TODO: pin to a specific version when signed gha cache feature is available
 DOCKER_ACTIONS_TOOLKIT_MODULE: "@docker/actions-toolkit@0.72.0"
 COSIGN_VERSION: "v3.0.2"
@@ -319,7 +319,6 @@ jobs:
 uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 with:
 version: ${{ env.BUILDX_VERSION }}
- cache-binary: false
 buildkitd-flags: --debug
 driver-opts: |
 image=${{ env.BUILDKIT_IMAGE }}
@@ -512,7 +511,7 @@ jobs:
 -
 name: Login to registry
 if: ${{ inputs.push && inputs.output == 'image' }}
- uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+ uses: docker/login-action@scope # TODO: pin to a specific version when scope feature is supported
 with:
 registry-auth: ${{ secrets.registry-auths }}
 -
@@ -538,6 +537,14 @@ jobs:
 env:
 BUILDKIT_MULTI_PLATFORM: 1
 GIT_AUTH_TOKEN: ${{ secrets.github-token || github.token }}
+ -
+ name: Login to registry for signing
+ if: ${{ needs.prepare.outputs.sign == 'true' && inputs.output == 'image' }}
+ uses: docker/login-action@scope # TODO: pin to a specific version when scope feature is supported
+ with:
+ registry-auth: ${{ secrets.registry-auths }}
+ env:
+ DOCKER_LOGIN_SCOPE_DISABLED: true # make sure the scope feature is disabled to avoid interfering with cosign OIDC login
 -
 name: Signing attestation manifests
 id: signing-attestation-manifests
@@ -687,9 +694,11 @@ jobs:
 -
 name: Login to registry
 if: ${{ inputs.push && inputs.output == 'image' }}
- uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+ uses: docker/login-action@scope # TODO: pin to a specific version when scope feature is supported
 with:
 registry-auth: ${{ secrets.registry-auths }}
+ env:
+ DOCKER_LOGIN_SCOPE_DISABLED: true # FIXME: scope feature is not yet supported by Buildx imagetools command
 -
 name: Set up Docker Buildx
 if: ${{ inputs.push && inputs.output == 'image' }}
@@ -698,7 +707,6 @@ jobs:
 version: ${{ env.BUILDX_VERSION }}
 buildkitd-flags: --debug
 driver-opts: image=${{ env.BUILDKIT_IMAGE }}
- cache-binary: false
 -
 name: Create manifest
 if: ${{ inputs.output == 'image' }}
diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml
index 186713c..82c4623 100644
--- a/.github/workflows/verify.yml
+++ b/.github/workflows/verify.yml
@@ -84,6 +84,8 @@ jobs:
 uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
 with:
 registry-auth: ${{ secrets.registry-auths }}
+ env:
+ DOCKER_LOGIN_SCOPE_DISABLED: true # make sure the scope feature is disabled to avoid interfering with cosign OIDC login
 -
 name: Download artifacts
 if: ${{ steps.vars.outputs.signed == 'true' && steps.vars.outputs.output-type == 'local' }}
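Review bot: In the verify.yml `@@ -84` hunk, `DOCKER_LOGIN_SCOPE_DISABLED: true` is added to a step that stays on `docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0`, while bake.yml and build.yml move to the `scope` branch precisely because that release does not support the feature; if v3.6.0 does not read this variable, the env block is a no-op here and the "make sure the scope feature is disabled" comment promises more than the step does. That is harmless today, but the comment should say so and name the intent for a future bump: `# no-op on v3.6.0; keeps scope disabled once this step moves to a scope-aware login-action`.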