@@ -4,6 +4,10 @@ concurrency:
44 group : ${{ github.workflow }}-${{ github.ref }}
55 cancel-in-progress : true
66
7+ # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
8+ permissions :
9+ contents : read
10+
711on :
812 workflow_dispatch :
913 push :
@@ -134,42 +138,28 @@ jobs:
134138 allow-failure : ${{ matrix.allow-failure }}
135139
136140 build :
137- runs-on : ubuntu-latest
141+ uses : docker/github-builder-experimental/.github/workflows/bake.yml@8fc70909404a502fd0eca6601b99b32fa7192b03
142+ permissions :
143+ contents : read # same as global permission
144+ id-token : write # for signing attestation(s) with GitHub OIDC Token
138145 needs :
139146 - validate
140147 - test
141- steps :
142- -
143- name : Login to DockerHub
144- if : github.event_name != 'pull_request'
145- uses : docker/login-action@v3
146- with :
148+ with :
149+ runner : amd64
150+ target : xx-all
151+ output : image
152+ push : ${{ github.event_name != 'pull_request' }}
153+ set-meta-labels : true
154+ meta-images : |
155+ tonistiigi/xx
156+ meta-tags : |
157+ type=ref,event=branch
158+ type=ref,event=pr
159+ type=semver,pattern={{version}}
160+ meta-bake-target : meta-helper
161+ secrets :
162+ registry-auths : |
163+ - registry: docker.io
147164 username: ${{ secrets.DOCKERHUB_USERNAME }}
148165 password: ${{ secrets.DOCKERHUB_TOKEN }}
149- -
150- name : Set up QEMU
151- uses : docker/setup-qemu-action@v3
152- -
153- name : Set up Docker Buildx
154- uses : docker/setup-buildx-action@v3
155- -
156- name : Docker meta
157- id : meta
158- uses : docker/metadata-action@v5
159- with :
160- images : |
161- tonistiigi/xx
162- tags : |
163- type=ref,event=branch
164- type=ref,event=pr
165- type=semver,pattern={{version}}
166- bake-target : meta-helper
167- -
168- name : Build
169- uses : docker/bake-action@v6
170- with :
171- files : |
172- ./docker-bake.hcl
173- cwd://${{ steps.meta.outputs.bake-file }}
174- targets : xx-all
175- push : ${{ github.event_name != 'pull_request' }}
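Review bot: The `registry-auths` secret in the `build` job is now handed to the reusable workflow on every event, whereas the removed `Login to DockerHub` step ran only when `github.event_name != 'pull_request'`; only `push` keeps that condition. Whether the called workflow at the pinned commit skips registry login when `push` is false is not visible in this hunk, so it is worth confirming, as is the need for `id-token: write` on pull-request runs where nothing is pushed. If the secret value can take an expression here, gating it the same way as `push` would restore the old behaviour; otherwise record the decision above `secrets:` with a comment such as `# credentials are passed on all events; only with.push is gated on non-PR runs`. Pinning `uses:` to a full commit SHA is sound, and a trailing comment naming the tag or date that SHA corresponds to would make later bumps easier to audit.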