From cebcf4084186f73373feaa119df4c0582c84ed6f Mon Sep 17 00:00:00 2001
From: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Date: Thu, 18 Dec 2025 11:17:55 +0100
Subject: [PATCH 1/2] switch sbom input type from string to boolean
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
---
 .github/workflows/bake.yml | 11 ++---
 .github/workflows/build.yml | 3 +-
 README.md | 90 ++++++++++++++++++-------------------
 3 files changed, 53 insertions(+), 51 deletions(-)
diff --git a/.github/workflows/bake.yml b/.github/workflows/bake.yml
index 0553e31..08c8b62 100644
--- a/.github/workflows/bake.yml
+++ b/.github/workflows/bake.yml
@@ -42,9 +42,10 @@ on:
 required: false
 default: false
 sbom:
- type: string
+ type: boolean
 description: "Generate SBOM attestation for the build"
 required: false
+ default: false
 set:
 type: string
 description: "List of targets values to override (eg. targetpattern.key=value)"
@@ -176,7 +177,7 @@ jobs:
 const inpFiles = Util.getInputList('files');
 const inpOutput = core.getInput('output');
 const inpPush = core.getBooleanInput('push');
- const inpSbom = core.getInput('sbom');
+ const inpSbom = core.getBooleanInput('sbom');
 const inpSet = Util.getInputList('set', {ignoreComma: true, quote: false});
 const inpSign = core.getInput('sign');
 const inpTarget = core.getInput('target');
@@ -220,7 +221,7 @@ jobs:
 def = await bake.getDefinition({
 files: inpFiles,
 overrides: inpSet,
- sbom: inpSbom,
+ sbom: inpSbom ? 'true' : 'false',
 source: bakeSource,
 targets: [inpTarget],
 githubToken: inpGitHubToken
@@ -376,7 +377,7 @@ jobs:
 const inpFiles = Util.getInputList('files');
 const inpOutput = core.getInput('output');
 const inpPush = core.getBooleanInput('push');
- const inpSbom = core.getInput('sbom');
+ const inpSbom = core.getBooleanInput('sbom');
 const inpSet = Util.getInputList('set', {ignoreComma: true, quote: false});
 const inpTarget = core.getInput('target');
 const inpMetaImages = core.getMultilineInput('meta-images');
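Review bot: In hunk @@ -220,7 +221,7 the new `sbom: inpSbom ? 'true' : 'false',` always forwards an explicit string, whereas the removed line forwarded the raw input, which was an empty string whenever the caller left `sbom` unset; if `bake.getDefinition` distinguishes `''` (defer to the bake/buildx default) from `'false'` (explicit opt-out), the unset case now actively disables SBOM attestation instead of deferring, which is worth confirming against getDefinition since a silently flipped attestation default is easy to miss in consumers' supply-chain evidence. The same conversion is repeated in hunk @@ -400,7 +401,7; computing it once next to each `core.getBooleanInput('sbom')` line, e.g. `const inpSbomArg = inpSbom ? 'true' : 'false';`, would keep the two jobs in step. The enclosing script step starts and ends outside the hunk.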
@@ -400,7 +401,7 @@ jobs:
 const def = await bake.getDefinition({
 files: inpFiles,
 overrides: inpSet,
- sbom: inpSbom,
+ sbom: inpSbom ? 'true' : 'false',
 source: bakeSource,
 targets: [inpTarget],
 githubToken: inpGitHubToken
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 33db9a9..cf30a57 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -58,9 +58,10 @@ on:
 required: false
 default: false
 sbom:
- type: string
+ type: boolean
 description: "Generate SBOM attestation for the build"
 required: false
+ default: false
 shm-size:
 type: string
 description: "Size of /dev/shm (e.g., 2g)"
diff --git a/README.md b/README.md
index 29482c9..5aa58ce 100644
--- a/README.md
+++ b/README.md
@@ -219,30 +219,30 @@ on: > tags: name/app:latest,name/app:1.0.0 > ``` -| Name | Type | Default | Description | -|------------------------|-------------|--------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `runner` | String | `auto` | [Ubuntu GitHub Hosted Runner](https://github.com/actions/runner-images?tab=readme-ov-file#available-images) to build on (one of `auto`, `amd64`, `arm64`). The `auto` runner selects the best-matching runner based on target `platforms`. You can set it to `amd64` if your build doesn't require emulation (e.g. cross-compilation) | -| `setup-qemu` | Bool | `false` | Runs the `setup-qemu-action` step to install QEMU static binaries | -| `artifact-name` | String | `docker-github-builder-assets` | Name of the uploaded GitHub artifact (for `local` output) | -| `artifact-upload` | Bool | `false` | Upload build output GitHub artifact (for `local` output) | -| `annotations` | List | | List of annotations to set to the image (for `image` output) | -| `build-args` | List | `auto` | List of [build-time variables](https://docs.docker.com/engine/reference/commandline/buildx_build/#build-arg). If you want to set a build-arg through an environment variable, use the `envs` input | -| `context` | String | `.` | Context to build from in the Git working tree | -| `file` | String | `{context}/Dockerfile` | Path to the Dockerfile | -| `labels` | List | | List of labels for an image (for `image` output) | -| `output` | String | | Build output destination (one of [`image`](https://docs.docker.com/build/exporters/image-registry/) or [`local`](https://docs.docker.com/build/exporters/local-tar/)). 
Unlike the `build-push-action`, it only accepts `image` or `local`. The reusable workflow takes care of setting the `outputs` attribute | -| `platforms` | List/CSV | | List of [target platforms](https://docs.docker.com/engine/reference/commandline/buildx_build/#platform) to build | -| `push` | Bool | `false` | [Push](https://docs.docker.com/engine/reference/commandline/buildx_build/#push) image to the registry (for `image` output) | -| `sbom` | Bool/String | | Generate [SBOM](https://docs.docker.com/build/attestations/sbom/) attestation for the build | -| `shm-size` | String | | Size of [`/dev/shm`](https://docs.docker.com/engine/reference/commandline/buildx_build/#shm-size) (e.g., `2g`) | -| `sign` | String | `auto` | Sign attestation manifest for `image` output or artifacts for `local` output, can be one of `auto`, `true` or `false`. The `auto` mode will enable signing if `push` is enabled for pushing the `image` or if `artifact-upload` is enabled for uploading the `local` build output as GitHub Artifact | -| `target` | String | | Sets the target stage to build | -| `ulimit` | List | | [Ulimit](https://docs.docker.com/engine/reference/commandline/buildx_build/#ulimit) options (e.g., `nofile=1024:1024`) | -| `set-meta-annotations` | Bool | `false` | Append OCI Image Format Specification annotations generated by `docker/metadata-action` | -| `set-meta-labels` | Bool | `false` | Append OCI Image Format Specification labels generated by `docker/metadata-action` | -| `meta-images` | List | | [List of images](https://github.com/docker/metadata-action?tab=readme-ov-file#images-input) to use as base name for tags (required for image output) | -| `meta-tags` | List | | [List of tags](https://github.com/docker/metadata-action?tab=readme-ov-file#tags-input) as key-value pair attributes | -| `meta-flavor` | List | | [Flavor](https://github.com/docker/metadata-action?tab=readme-ov-file#flavor-input) defines a global behavior for `meta-tags` | +| Name | Type | Default | 
Description | +|------------------------|----------|--------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `runner` | String | `auto` | [Ubuntu GitHub Hosted Runner](https://github.com/actions/runner-images?tab=readme-ov-file#available-images) to build on (one of `auto`, `amd64`, `arm64`). The `auto` runner selects the best-matching runner based on target `platforms`. You can set it to `amd64` if your build doesn't require emulation (e.g. cross-compilation) | +| `setup-qemu` | Bool | `false` | Runs the `setup-qemu-action` step to install QEMU static binaries | +| `artifact-name` | String | `docker-github-builder-assets` | Name of the uploaded GitHub artifact (for `local` output) | +| `artifact-upload` | Bool | `false` | Upload build output GitHub artifact (for `local` output) | +| `annotations` | List | | List of annotations to set to the image (for `image` output) | +| `build-args` | List | `auto` | List of [build-time variables](https://docs.docker.com/engine/reference/commandline/buildx_build/#build-arg). If you want to set a build-arg through an environment variable, use the `envs` input | +| `context` | String | `.` | Context to build from in the Git working tree | +| `file` | String | `{context}/Dockerfile` | Path to the Dockerfile | +| `labels` | List | | List of labels for an image (for `image` output) | +| `output` | String | | Build output destination (one of [`image`](https://docs.docker.com/build/exporters/image-registry/) or [`local`](https://docs.docker.com/build/exporters/local-tar/)). Unlike the `build-push-action`, it only accepts `image` or `local`. 
The reusable workflow takes care of setting the `outputs` attribute | +| `platforms` | List/CSV | | List of [target platforms](https://docs.docker.com/engine/reference/commandline/buildx_build/#platform) to build | +| `push` | Bool | `false` | [Push](https://docs.docker.com/engine/reference/commandline/buildx_build/#push) image to the registry (for `image` output) | +| `sbom` | Bool | `false` | Generate [SBOM](https://docs.docker.com/build/attestations/sbom/) attestation for the build | +| `shm-size` | String | | Size of [`/dev/shm`](https://docs.docker.com/engine/reference/commandline/buildx_build/#shm-size) (e.g., `2g`) | +| `sign` | String | `auto` | Sign attestation manifest for `image` output or artifacts for `local` output, can be one of `auto`, `true` or `false`. The `auto` mode will enable signing if `push` is enabled for pushing the `image` or if `artifact-upload` is enabled for uploading the `local` build output as GitHub Artifact | +| `target` | String | | Sets the target stage to build | +| `ulimit` | List | | [Ulimit](https://docs.docker.com/engine/reference/commandline/buildx_build/#ulimit) options (e.g., `nofile=1024:1024`) | +| `set-meta-annotations` | Bool | `false` | Append OCI Image Format Specification annotations generated by `docker/metadata-action` | +| `set-meta-labels` | Bool | `false` | Append OCI Image Format Specification labels generated by `docker/metadata-action` | +| `meta-images` | List | | [List of images](https://github.com/docker/metadata-action?tab=readme-ov-file#images-input) to use as base name for tags (required for image output) | +| `meta-tags` | List | | [List of tags](https://github.com/docker/metadata-action?tab=readme-ov-file#tags-input) as key-value pair attributes | +| `meta-flavor` | List | | [Flavor](https://github.com/docker/metadata-action?tab=readme-ov-file#flavor-input) defines a global behavior for `meta-tags` | #### Secrets 
@@ -323,27 +323,27 @@ on: > foo*.args.mybuildarg=value > ``` -| Name | Type | Default | Description | -|------------------------|-------------|--------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `runner` | String | `auto` | [Ubuntu GitHub Hosted Runner](https://github.com/actions/runner-images?tab=readme-ov-file#available-images) to build on (one of `auto`, `amd64`, `arm64`). The `auto` runner selects the best-matching runner based on target `platforms`. You can set it to `amd64` if your build doesn't require emulation (e.g. cross-compilation) | -| `setup-qemu` | Bool | `false` | Runs the `setup-qemu-action` step to install QEMU static binaries | -| `artifact-name` | String | `docker-github-builder-assets` | Name of the uploaded GitHub artifact (for `local` output) | -| `artifact-upload` | Bool | `false` | Upload build output GitHub artifact (for `local` output) | -| `context` | String | `.` | Context to build from in the Git working tree | -| `files` | List | `{context}/docker-bake.hcl` | List of bake definition files | -| `output` | String | | Build output destination (one of [`image`](https://docs.docker.com/build/exporters/image-registry/) or [`local`](https://docs.docker.com/build/exporters/local-tar/)). 
| -| `push` | Bool | `false` | Push image to the registry (for `image` output) | -| `sbom` | Bool/String | | Generate [SBOM](https://docs.docker.com/build/attestations/sbom/) attestation for the build | -| `set` | List | | List of [target values to override](https://docs.docker.com/engine/reference/commandline/buildx_bake/#set) (e.g., `targetpattern.key=value`) | -| `sign` | String | `auto` | Sign attestation manifest for `image` output or artifacts for `local` output, can be one of `auto`, `true` or `false`. The `auto` mode will enable signing if `push` is enabled for pushing the `image` or if `artifact-upload` is enabled for uploading the `local` build output as GitHub Artifact | -| `target` | String | `default` | Bake target to build | -| `set-meta-annotations` | Bool | `false` | Append OCI Image Format Specification annotations generated by `docker/metadata-action` | -| `set-meta-labels` | Bool | `false` | Append OCI Image Format Specification labels generated by `docker/metadata-action` | -| `meta-images` | List | | [List of images](https://github.com/docker/metadata-action?tab=readme-ov-file#images-input) to use as base name for tags (required for image output) | -| `meta-tags` | List | | [List of tags](https://github.com/docker/metadata-action?tab=readme-ov-file#tags-input) as key-value pair attributes | -| `meta-labels` | List | | [List of custom labels](https://github.com/docker/metadata-action?tab=readme-ov-file#overwrite-labels-and-annotations) | -| `meta-annotations` | List | | [List of custom annotations](https://github.com/docker/metadata-action?tab=readme-ov-file#overwrite-labels-and-annotations) | -| `meta-flavor` | List | | [Flavor](https://github.com/docker/metadata-action?tab=readme-ov-file#flavor-input) defines a global behavior for `meta-tags` | +| Name | Type | Default | Description | 
+|------------------------|--------|--------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `runner` | String | `auto` | [Ubuntu GitHub Hosted Runner](https://github.com/actions/runner-images?tab=readme-ov-file#available-images) to build on (one of `auto`, `amd64`, `arm64`). The `auto` runner selects the best-matching runner based on target `platforms`. You can set it to `amd64` if your build doesn't require emulation (e.g. cross-compilation) | +| `setup-qemu` | Bool | `false` | Runs the `setup-qemu-action` step to install QEMU static binaries | +| `artifact-name` | String | `docker-github-builder-assets` | Name of the uploaded GitHub artifact (for `local` output) | +| `artifact-upload` | Bool | `false` | Upload build output GitHub artifact (for `local` output) | +| `context` | String | `.` | Context to build from in the Git working tree | +| `files` | List | `{context}/docker-bake.hcl` | List of bake definition files | +| `output` | String | | Build output destination (one of [`image`](https://docs.docker.com/build/exporters/image-registry/) or [`local`](https://docs.docker.com/build/exporters/local-tar/)). | +| `push` | Bool | `false` | Push image to the registry (for `image` output) | +| `sbom` | Bool | `false` | Generate [SBOM](https://docs.docker.com/build/attestations/sbom/) attestation for the build | +| `set` | List | | List of [target values to override](https://docs.docker.com/engine/reference/commandline/buildx_bake/#set) (e.g., `targetpattern.key=value`) | +| `sign` | String | `auto` | Sign attestation manifest for `image` output or artifacts for `local` output, can be one of `auto`, `true` or `false`. 
The `auto` mode will enable signing if `push` is enabled for pushing the `image` or if `artifact-upload` is enabled for uploading the `local` build output as GitHub Artifact | +| `target` | String | `default` | Bake target to build | +| `set-meta-annotations` | Bool | `false` | Append OCI Image Format Specification annotations generated by `docker/metadata-action` | +| `set-meta-labels` | Bool | `false` | Append OCI Image Format Specification labels generated by `docker/metadata-action` | +| `meta-images` | List | | [List of images](https://github.com/docker/metadata-action?tab=readme-ov-file#images-input) to use as base name for tags (required for image output) | +| `meta-tags` | List | | [List of tags](https://github.com/docker/metadata-action?tab=readme-ov-file#tags-input) as key-value pair attributes | +| `meta-labels` | List | | [List of custom labels](https://github.com/docker/metadata-action?tab=readme-ov-file#overwrite-labels-and-annotations) | +| `meta-annotations` | List | | [List of custom annotations](https://github.com/docker/metadata-action?tab=readme-ov-file#overwrite-labels-and-annotations) | +| `meta-flavor` | List | | [Flavor](https://github.com/docker/metadata-action?tab=readme-ov-file#flavor-input) defines a global behavior for `meta-tags` | #### Secrets From 41a644b1ab7255508606d092ad92a87dc83657e0 Mon Sep 17 00:00:00 2001 From: CrazyMax <1951866+crazy-max@users.noreply.github.com> Date: Thu, 18 Dec 2025 13:47:31 +0100 Subject: [PATCH 2/2] ci: fix events Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com> --- .github/workflows/.test-bake.yml | 2 ++ .github/workflows/.test-build.yml | 2 ++ 2 files changed, 4 insertions(+) diff --git a/.github/workflows/.test-bake.yml b/.github/workflows/.test-bake.yml index 203f01b..f0d6d17 100644 --- a/.github/workflows/.test-bake.yml +++ b/.github/workflows/.test-bake.yml 
@@ -14,11 +14,13 @@ on:
 - 'v*'
 paths:
 - '.github/workflows/.test-bake.yml'
+ - '.github/workflows/bake.yml'
 - '.github/workflows/verify.yml'
 - 'test/**'
 pull_request:
 paths:
 - '.github/workflows/.test-bake.yml'
+ - '.github/workflows/bake.yml'
 - '.github/workflows/verify.yml'
 - 'test/**'
diff --git a/.github/workflows/.test-build.yml b/.github/workflows/.test-build.yml
index 0bd6e0c..4bd86d6 100644
--- a/.github/workflows/.test-build.yml
+++ b/.github/workflows/.test-build.yml
@@ -14,11 +14,13 @@ on:
 - 'v*'
 paths:
 - '.github/workflows/.test-build.yml'
+ - '.github/workflows/build.yml'
 - '.github/workflows/verify.yml'
 - 'test/**'
 pull_request:
 paths:
 - '.github/workflows/.test-build.yml'
+ - '.github/workflows/build.yml'
 - '.github/workflows/verify.yml'
 - 'test/**'