diff --git a/.github/workflows/.test.yml b/.github/workflows/.test.yml index 2a57304..0bcf0b0 100644 --- a/.github/workflows/.test.yml +++ b/.github/workflows/.test.yml @@ -56,7 +56,7 @@ jobs: steps: - name: Builder outputs - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.build-aws-single.outputs) }} with: @@ -107,7 +107,7 @@ jobs: steps: - name: Builder outputs - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.build-aws.outputs) }} with: @@ -156,7 +156,7 @@ jobs: steps: - name: Builder outputs - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.build-ghcr.outputs) }} with: @@ -204,7 +204,7 @@ jobs: steps: - name: Builder outputs - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.build-dockerhub-stage.outputs) }} with: 
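Review bot: The `# v8.0.0` comment after the pinned SHA in `uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0` is the only link between the hash and a human-readable version, and nothing in the commit shows how the pair is kept in sync; the same applies to every other `uses:` pin in this diff (the github-script, metadata-action, setup-qemu-action, setup-buildx-action and login-action hunks across .test.yml, bake.yml, build.yml and verify.yml). If the repository does not already have a Dependabot or Renovate configuration covering the `github-actions` ecosystem, these pins will fall behind the floating `v8`/`v3`/`v5` tags they replace without any signal. Before merging, each pinned hash should be checked against the tag named in its comment (the tag's commit in the upstream repository), since a mismatched comment would mislead later reviewers. The rationale could be recorded once at the top of each workflow rather than left implicit, for example `# Actions are pinned to full commit SHAs; the trailing comment records the tag the SHA was taken from.`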
@@ -212,55 +212,6 @@ jobs: const builderOutputs = JSON.parse(core.getInput('builder-outputs')); core.info(JSON.stringify(builderOutputs, null, 2)); - build-dockerhub-stage-oidc: - uses: ./.github/workflows/build.yml - permissions: - contents: read - id-token: write - with: - output: image - push: ${{ github.event_name != 'pull_request' }} - meta-images: registry-1-stage.docker.io/docker/github-builder-test - meta-tags: | - type=raw,value=${{ github.run_id }},prefix=oidc- - build-file: test/hello.Dockerfile - build-sbom: true - build-platforms: linux/amd64,linux/arm64 - secrets: - registry-auths: | - - registry: registry-1-stage.docker.io - username: docker:cdeb5882-30b7-4076-be92-bfdceb258e9c - - build-dockerhub-stage-oidc-verify: - uses: ./.github/workflows/verify.yml - if: ${{ github.event_name != 'pull_request' }} - permissions: - contents: read - id-token: write - needs: - - build-dockerhub-stage-oidc - with: - builder-outputs: ${{ toJSON(needs.build-dockerhub-stage-oidc.outputs) }} - secrets: - registry-auths: | - - registry: registry-1-stage.docker.io - username: docker:cdeb5882-30b7-4076-be92-bfdceb258e9c - - build-dockerhub-stage-oidc-outputs: - runs-on: ubuntu-24.04 - needs: - - build-dockerhub-stage-oidc - steps: - - - name: Builder outputs - uses: actions/github-script@v8 - env: - INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.build-dockerhub-stage-oidc.outputs) }} - with: - script: | - const builderOutputs = JSON.parse(core.getInput('builder-outputs')); - core.info(JSON.stringify(builderOutputs, null, 2)); - build-ghcr-and-aws: uses: ./.github/workflows/build.yml permissions: @@ -310,7 +261,7 @@ jobs: steps: - name: Builder outputs - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.build-ghcr-and-aws.outputs) }} with: 
@@ -346,7 +297,7 @@ jobs: steps: - name: Builder outputs - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.local.outputs) }} with: @@ -381,7 +332,7 @@ jobs: steps: - name: Builder outputs - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.build-local-single.outputs) }} with: @@ -447,7 +398,7 @@ jobs: steps: - name: Builder outputs - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.bake-aws-single.outputs) }} with: @@ -498,7 +449,7 @@ jobs: steps: - name: Builder outputs - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.bake-aws.outputs) }} with: @@ -557,7 +508,7 @@ jobs: steps: - name: Builder outputs - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.bake-ghcr-and-aws.outputs) }} with: @@ -594,7 +545,7 @@ jobs: steps: - name: Builder outputs - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.bake-local.outputs) }} with: @@ -631,7 +582,7 @@ jobs: steps: - name: Builder outputs - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.bake-local-single.outputs) }} with: diff --git a/.github/workflows/bake.yml b/.github/workflows/bake.yml index 2181597..1c48753 100644 --- a/.github/workflows/bake.yml +++ b/.github/workflows/bake.yml 
@@ -157,7 +157,7 @@ jobs: steps: - name: Environment variables - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: INPUT_ENVS: ${{ inputs.envs }} with: @@ -169,7 +169,7 @@ jobs: } - name: Install @docker/actions-toolkit - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: INPUT_DAT-MODULE: ${{ env.DOCKER_ACTIONS_TOOLKIT_MODULE }} with: @@ -178,7 +178,7 @@ jobs: - name: Set includes id: set - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: INPUT_MATRIX-SIZE-LIMIT: ${{ env.MATRIX_SIZE_LIMIT }} INPUT_RUNNER: ${{ inputs.runner }} @@ -304,7 +304,7 @@ jobs: steps: - name: Environment variables - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: INPUT_ENVS: ${{ inputs.envs }} with: @@ -316,7 +316,7 @@ jobs: } - name: Install @docker/actions-toolkit - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: INPUT_DAT-MODULE: ${{ env.DOCKER_ACTIONS_TOOLKIT_MODULE }} with: @@ -326,7 +326,7 @@ jobs: name: Docker meta id: meta if: ${{ inputs.output == 'image' }} - uses: docker/metadata-action@v5 + uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0 with: images: ${{ inputs.meta-images }} tags: ${{ inputs.meta-tags }} @@ -336,13 +336,13 @@ jobs: bake-target: ${{ inputs.meta-bake-target }} - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 if: ${{ inputs.setup-qemu }} with: image: ${{ inputs.qemu-image }} - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 with: version: ${{ env.BUILDX_VERSION }} buildkitd-flags: --debug 
@@ -350,7 +350,7 @@ jobs: - name: Prepare id: prepare - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: INPUT_PLATFORM: ${{ matrix.platform }} INPUT_LOCAL-EXPORT-DIR: ${{ env.LOCAL_EXPORT_DIR }} @@ -493,8 +493,7 @@ jobs: - name: Login to registry if: ${{ inputs.push && inputs.output == 'image' }} - # TODO: switch to docker/login-action when OIDC is supported - uses: crazy-max/docker-login-action@dockerhub-oidc + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: registry-auth: ${{ secrets.registry-auths }} - @@ -516,7 +515,7 @@ jobs: name: Get image digest id: get-image-digest if: ${{ inputs.output == 'image' }} - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: INPUT_TARGET: ${{ steps.prepare.outputs.target }} INPUT_METADATA: ${{ steps.bake.outputs.metadata }} @@ -530,7 +529,7 @@ jobs: - name: Install Cosign if: ${{ inputs.push }} - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: INPUT_COSIGN-VERSION: ${{ env.COSIGN_VERSION }} with: @@ -548,7 +547,7 @@ jobs: name: Signing attestation manifests id: signing-attestation-manifests if: ${{ inputs.push && inputs.output == 'image' }} - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: INPUT_IMAGE-NAMES: ${{ inputs.meta-images }} INPUT_IMAGE-DIGEST: ${{ steps.get-image-digest.outputs.digest }} @@ -595,7 +594,7 @@ jobs: name: Signing local artifacts id: signing-local-artifacts if: ${{ inputs.push && inputs.output == 'local' }} - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: INPUT_LOCAL-OUTPUT-DIR: ${{ env.LOCAL_EXPORT_DIR }} with: 
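Review bot: The `@@ -493` hunk switches the login step to `docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0` while keeping `registry-auth: ${{ secrets.registry-auths }}`, but the hunk does not show that the pinned release accepts this input with the same per-registry `registry`/`username` list the crazy-max fork consumed; that should be confirmed against v3.6.0 before merging, because an unexpected action input only produces a runner warning and the problem would surface later at push time. The removed TODO indicated the upstream action was being waited on for OIDC support, and dropping it also removes the only hint that Docker Hub OIDC entries need `id-token: write` from the calling workflow (the `.test.yml` jobs deleted in this commit granted it); a short comment above the step, `# OIDC entries in registry-auths require id-token: write in the calling workflow`, would preserve that. The same change appears in the `@@ -687` hunk of bake.yml, the `@@ -393` and `@@ -580` hunks of build.yml and the `@@ -47` hunk of verify.yml. Note too that with the `build-dockerhub-stage-oidc*` jobs removed, the OIDC login path is no longer exercised by `.test.yml`, so if it is still intended to work it is untested here.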
@@ -639,7 +638,7 @@ jobs: - name: Set result output id: result - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: INPUT_INDEX: ${{ matrix.index }} INPUT_VERIFY-COMMANDS: ${{ steps.signing-attestation-manifests.outputs.verify-commands || steps.signing-local-artifacts.outputs.verify-commands }} @@ -676,7 +675,7 @@ jobs: name: Docker meta id: meta if: ${{ inputs.output == 'image' }} - uses: docker/metadata-action@v5 + uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0 with: images: ${{ inputs.meta-images }} tags: ${{ inputs.meta-tags }} @@ -687,14 +686,13 @@ jobs: - name: Login to registry if: ${{ inputs.push && inputs.output == 'image' }} - # TODO: switch to docker/login-action when OIDC is supported - uses: crazy-max/docker-login-action@dockerhub-oidc + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: registry-auth: ${{ secrets.registry-auths }} - name: Set up Docker Buildx if: ${{ inputs.push && inputs.output == 'image' }} - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 with: version: ${{ env.BUILDX_VERSION }} buildkitd-flags: --debug @@ -702,7 +700,7 @@ jobs: - name: Create manifest if: ${{ inputs.output == 'image' }} - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: INPUT_PUSH: ${{ inputs.push }} INPUT_IMAGE-NAMES: ${{ inputs.meta-images }} @@ -751,7 +749,7 @@ jobs: - name: Set outputs id: set - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: INPUT_BUILD-OUTPUTS: ${{ toJSON(needs.build.outputs) }} with: diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index cf2c5a1..b71faed 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -168,7 +168,7 @@ jobs: steps: - name: Install @docker/actions-toolkit - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: INPUT_DAT-MODULE: ${{ env.DOCKER_ACTIONS_TOOLKIT_MODULE }} with: @@ -177,7 +177,7 @@ jobs: - name: Set includes id: set - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: INPUT_MATRIX-SIZE-LIMIT: ${{ env.MATRIX_SIZE_LIMIT }} INPUT_RUNNER: ${{ inputs.runner }} @@ -258,7 +258,7 @@ jobs: steps: - name: Environment variables - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: INPUT_ENVS: ${{ inputs.envs }} with: @@ -270,7 +270,7 @@ jobs: } - name: Install @docker/actions-toolkit - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: INPUT_DAT-MODULE: ${{ env.DOCKER_ACTIONS_TOOLKIT_MODULE }} with: @@ -280,7 +280,7 @@ jobs: name: Docker meta id: meta if: ${{ inputs.output == 'image' }} - uses: docker/metadata-action@v5 + uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0 with: images: ${{ inputs.meta-images }} tags: ${{ inputs.meta-tags }} @@ -289,13 +289,13 @@ jobs: annotations: ${{ inputs.meta-annotations }} - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 if: ${{ inputs.setup-qemu }} with: image: ${{ inputs.qemu-image }} - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 with: version: ${{ env.BUILDX_VERSION }} buildkitd-flags: --debug 
@@ -303,7 +303,7 @@ jobs: - name: Prepare id: prepare - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: INPUT_PLATFORM: ${{ matrix.platform }} INPUT_LOCAL-EXPORT-DIR: ${{ env.LOCAL_EXPORT_DIR }} @@ -393,8 +393,7 @@ jobs: - name: Login to registry if: ${{ inputs.push && inputs.output == 'image' }} - # TODO: switch to docker/login-action when OIDC is supported - uses: crazy-max/docker-login-action@dockerhub-oidc + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: registry-auth: ${{ secrets.registry-auths }} - @@ -424,7 +423,7 @@ jobs: - name: Install Cosign if: ${{ inputs.push }} - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: INPUT_COSIGN-VERSION: ${{ env.COSIGN_VERSION }} with: @@ -442,7 +441,7 @@ jobs: name: Signing attestation manifests id: signing-attestation-manifests if: ${{ inputs.push && inputs.output == 'image' }} - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: INPUT_IMAGE-NAMES: ${{ inputs.meta-images }} INPUT_IMAGE-DIGEST: ${{ steps.build.outputs.digest }} @@ -489,7 +488,7 @@ jobs: name: Signing local artifacts id: signing-local-artifacts if: ${{ inputs.push && inputs.output == 'local' }} - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: INPUT_LOCAL-OUTPUT-DIR: ${{ env.LOCAL_EXPORT_DIR }} with: @@ -533,7 +532,7 @@ jobs: - name: Set result output id: result - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: INPUT_INDEX: ${{ matrix.index }} INPUT_VERIFY-COMMANDS: ${{ steps.signing-attestation-manifests.outputs.verify-commands || steps.signing-local-artifacts.outputs.verify-commands }} 
@@ -570,7 +569,7 @@ jobs: name: Docker meta id: meta if: ${{ inputs.output == 'image' }} - uses: docker/metadata-action@v5 + uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0 with: images: ${{ inputs.meta-images }} tags: ${{ inputs.meta-tags }} @@ -580,14 +579,13 @@ jobs: - name: Login to registry if: ${{ inputs.push && inputs.output == 'image' }} - # TODO: switch to docker/login-action when OIDC is supported - uses: crazy-max/docker-login-action@dockerhub-oidc + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: registry-auth: ${{ secrets.registry-auths }} - name: Set up Docker Buildx if: ${{ inputs.push && inputs.output == 'image' }} - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 with: version: ${{ env.BUILDX_VERSION }} buildkitd-flags: --debug @@ -595,7 +593,7 @@ jobs: - name: Create manifest if: ${{ inputs.output == 'image' }} - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: INPUT_PUSH: ${{ inputs.push }} INPUT_IMAGE-NAMES: ${{ inputs.meta-images }} @@ -644,7 +642,7 @@ jobs: - name: Set outputs id: set - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: INPUT_BUILD-OUTPUTS: ${{ toJSON(needs.build.outputs) }} with: diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml index 4948ef3..8a7e9ad 100644 --- a/.github/workflows/verify.yml +++ b/.github/workflows/verify.yml @@ -19,7 +19,7 @@ jobs: - name: Extract builder outputs id: vars - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: INPUT_BUILDER-OUTPUTS: ${{ inputs.builder-outputs }} with: 
@@ -47,8 +47,7 @@ jobs: - name: Login to registry if: ${{ steps.vars.outputs.output-type == 'image' }} - # TODO: switch to docker/login-action when OIDC is supported - uses: crazy-max/docker-login-action@dockerhub-oidc + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: registry-auth: ${{ secrets.registry-auths }} - @@ -60,7 +59,7 @@ jobs: merge-multiple: true - name: Verify signatures - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: INPUT_COSIGN-VERIFY-COMMANDS: ${{ steps.vars.outputs.cosign-verify-commands }} with: