Merge pull request #1070 from docker/dependabot/npm_and_yarn/docker/actions-toolkit-0.18.0

chore(deps): Bump @docker/actions-toolkit from 0.14.0 to 0.18.0

.eslintignore

@@ -0,0 +1,3 @@
+/dist/**
+/coverage/**
+/node_modules/**

.eslintrc.json

@@ -1,11 +1,12 @@
 {
   "env": {
     "node": true,
-    "es2021": true,
+    "es6": true,
     "jest": true
   },
   "extends": [
     "eslint:recommended",
+    "plugin:@typescript-eslint/eslint-recommended",
     "plugin:@typescript-eslint/recommended",
     "plugin:jest/recommended",
     "plugin:prettier/recommended"

.github/workflows/.e2e-run.yml

@@ -75,10 +75,11 @@ jobs:
         if: inputs.type == 'local'
         run: |
           sudo -E bash ./.github/e2e/${{ inputs.id }}/install.sh
+          sudo chown $(id -u):$(id -g) -R ~/.docker
       -
         name: Docker meta
         id: meta
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@v5
         with:
           images: ${{ env.REGISTRY_SLUG || inputs.slug }}
           tags: |
@@ -87,10 +88,10 @@ jobs:
             type=raw,gh-runid-${{ github.run_id }}
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
         with:
           version: ${{ matrix.buildx_version }}
           config: /tmp/buildkitd.toml
@@ -101,7 +102,7 @@ jobs:
       -
         name: Login to Registry
         if: github.event_name != 'pull_request' && (env.REGISTRY_USER || inputs.username_secret) != ''
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY_FQDN || inputs.registry }}
           username: ${{ env.REGISTRY_USER || secrets[inputs.username_secret] }}

.github/workflows/ci.yml

@@ -38,7 +38,7 @@ jobs:
           path: action
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -64,11 +64,11 @@ jobs:
           path: action
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
       -
         name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -113,11 +113,11 @@ jobs:
           path: action
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
       -
         name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -170,11 +170,11 @@ jobs:
         uses: actions/checkout@v4
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
       -
         name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -220,7 +220,7 @@ jobs:
       -
         name: Docker meta
         id: meta
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@v5
         with:
           images: ${{ env.DOCKER_IMAGE }}
           tags: |
@@ -233,7 +233,7 @@ jobs:
             type=sha
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -302,10 +302,10 @@ jobs:
         uses: actions/checkout@v4
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -378,7 +378,7 @@ jobs:
         uses: actions/checkout@v4
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -393,6 +393,31 @@ jobs:
             MYSECRET=foo
             INVALID_SECRET=
 
+  secret-envs:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Set up Docker buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        env:
+          ENV_SECRET: foo
+        with:
+          context: .
+          file: ./test/secret.Dockerfile
+          secret-envs: |
+            MYSECRET=ENV_SECRET
+            INVALID_SECRET=
+
   network:
     runs-on: ubuntu-latest
     steps:
@@ -401,7 +426,7 @@ jobs:
         uses: actions/checkout@v4
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -425,7 +450,7 @@ jobs:
         uses: actions/checkout@v4
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -447,7 +472,7 @@ jobs:
         uses: actions/checkout@v4
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -472,7 +497,7 @@ jobs:
         uses: actions/checkout@v4
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -495,7 +520,7 @@ jobs:
         uses: actions/checkout@v4
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -520,7 +545,7 @@ jobs:
         uses: actions/checkout@v4
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -554,7 +579,7 @@ jobs:
         uses: actions/checkout@v4
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
         with:
           version: ${{ matrix.buildx }}
           driver-opts: |
@@ -573,19 +598,31 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        attrs:
+        include:
-          - ''
+          - target: image
-          - mode=max
+            output: type=image,name=localhost:5000/name/app:latest,push=true
-          - builder-id=foo
+            attr: mode=max
-          - false
+          - target: image
-          - true
+            output: type=image,name=localhost:5000/name/app:latest,push=true
+            attr: ''
+          - target: binary
+            output: /tmp/buildx-build
+            attr: mode=max
+          - target: binary
+            output: /tmp/buildx-build
+            attr: ''
+    services:
+      registry:
+        image: registry:2
+        ports:
+          - 5000:5000
     steps:
       -
         name: Checkout
         uses: actions/checkout@v4
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -597,11 +634,24 @@ jobs:
         with:
           context: ./test/go
           file: ./test/go/Dockerfile
-          target: binary
+          target: ${{ matrix.target }}
-          outputs: type=oci,dest=/tmp/build.tar
+          outputs: ${{ matrix.output }}
-          provenance: ${{ matrix.attrs }}
+          provenance: ${{ matrix.attr }}
-          cache-from: type=gha,scope=provenance
+      -
-          cache-to: type=gha,scope=provenance,mode=max
+        name: Inspect Provenance
+        if: matrix.target == 'image'
+        run: |
+          docker buildx imagetools inspect localhost:5000/name/app:latest --format '{{json .Provenance}}'
+      -
+        name: Check output folder
+        if: matrix.target == 'binary'
+        run: |
+          tree /tmp/buildx-build
+      -
+        name: Print local Provenance
+        if: matrix.target == 'binary'
+        run: |
+          cat /tmp/buildx-build/provenance.json | jq
 
   sbom:
     runs-on: ubuntu-latest
@@ -624,7 +674,7 @@ jobs:
         uses: actions/checkout@v4
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -642,22 +692,17 @@ jobs:
           cache-from: type=gha,scope=attests-${{ matrix.target }}
           cache-to: type=gha,scope=attests-${{ matrix.target }},mode=max
       -
-        name: Inspect image
+        name: Inspect SBOM
         if: matrix.target == 'image'
         run: |
-          docker buildx imagetools inspect localhost:5000/name/app:latest --format '{{json .}}'
+          docker buildx imagetools inspect localhost:5000/name/app:latest --format '{{json .SBOM}}'
       -
         name: Check output folder
         if: matrix.target == 'binary'
         run: |
           tree /tmp/buildx-build
       -
-        name: Print provenance
+        name: Print local SBOM
-        if: matrix.target == 'binary'
-        run: |
-          cat /tmp/buildx-build/provenance.json | jq
-      -
-        name: Print SBOM
         if: matrix.target == 'binary'
         run: |
           cat /tmp/buildx-build/sbom.spdx.json | jq
@@ -681,11 +726,11 @@ jobs:
         uses: actions/checkout@v4
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
       -
         name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -750,7 +795,7 @@ jobs:
         uses: actions/checkout@v4
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver: ${{ matrix.driver }}
@@ -820,10 +865,10 @@ jobs:
         uses: actions/checkout@v4
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -869,10 +914,10 @@ jobs:
         uses: actions/checkout@v4
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -897,6 +942,63 @@ jobs:
         run: |
           docker buildx imagetools inspect localhost:5000/name/app:1.0.0 --format '{{json .}}'
 
+  local-cache:
+    runs-on: ubuntu-latest
+    services:
+      registry:
+        image: registry:2
+        ports:
+          - 5000:5000
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            network=host
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+          buildkitd-flags: --debug
+      -
+        name: Cache Build
+        uses: actions/cache@v4
+        with:
+          path: /tmp/.buildx-cache
+          key: ${{ runner.os }}-local-test-${{ github.sha }}
+          restore-keys: |
+            ${{ runner.os }}-local-test-
+      -
+        name: Build and push
+        uses: ./
+        with:
+          context: ./test
+          file: ./test/multi.Dockerfile
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: |
+            localhost:5000/name/app:latest
+            localhost:5000/name/app:1.0.0
+          cache-from: type=local,src=/tmp/.buildx-cache
+          cache-to: type=local,dest=/tmp/.buildx-cache-new
+      -
+        name: Inspect
+        run: |
+          docker buildx imagetools inspect localhost:5000/name/app:1.0.0 --format '{{json .}}'
+      -
+        # Temp fix
+        # https://github.com/docker/build-push-action/issues/252
+        # https://github.com/moby/buildkit/issues/1896
+        name: Move cache
+        run: |
+          rm -rf /tmp/.buildx-cache
+          mv /tmp/.buildx-cache-new /tmp/.buildx-cache
+
   standalone:
     runs-on: ubuntu-latest
     steps:
@@ -913,7 +1015,7 @@ jobs:
           fi
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -934,7 +1036,7 @@ jobs:
         uses: actions/checkout@v4
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -956,7 +1058,7 @@ jobs:
         uses: actions/checkout@v4
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver: docker
@@ -990,7 +1092,7 @@ jobs:
         uses: actions/checkout@v4
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -1053,7 +1155,7 @@ jobs:
           echo '{"proxies":{"default":{"httpProxy":"http://127.0.0.1:3128","httpsProxy":"http://127.0.0.1:3128"}}}' > ~/.docker/config.json
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -1085,7 +1187,7 @@ jobs:
         uses: actions/checkout@v4
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
         with:
           version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
           driver-opts: |
@@ -1100,3 +1202,55 @@ jobs:
         with:
           context: ./test
           file: ./test/Dockerfile
+
+  annotations:
+    runs-on: ubuntu-latest
+    env:
+      DOCKER_IMAGE: localhost:5000/name/app
+    services:
+      registry:
+        image: registry:2
+        ports:
+          - 5000:5000
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.DOCKER_IMAGE }}
+          tags: |
+            type=schedule
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=sha
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            network=host
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build and push to local registry
+        uses: ./
+        with:
+          context: ./test
+          file: ./test/Dockerfile
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          annotations: |
+            index:com.example.key=value
+            index:com.example.key2=value2
+            manifest:com.example.key3=value3
+      -
+        name: Check manifest
+        run: |
+          docker buildx imagetools inspect ${{ env.DOCKER_IMAGE }}:${{ steps.meta.outputs.version }} --format '{{json .}}'

.github/workflows/e2e.yml

@@ -88,13 +88,13 @@ jobs:
             username_secret: QUAY_USERNAME
             password_secret: QUAY_TOKEN
             type: remote
-          -
+#          -
-            name: Artifactory
+#            name: Artifactory
-            registry: sforzando-build-team-local.jfrog.io
+#            registry: sforzando-build-team-local.jfrog.io
-            slug: sforzando-build-team-local.jfrog.io/build-push-action-e2e
+#            slug: sforzando-build-team-local.jfrog.io/build-push-action-e2e
-            username_secret: ARTIFACTORY_USERNAME
+#            username_secret: ARTIFACTORY_USERNAME
-            password_secret: ARTIFACTORY_TOKEN
+#            password_secret: ARTIFACTORY_TOKEN
-            type: remote
+#            type: remote
           -
             name: Harbor
             id: harbor

.github/workflows/test.yml

@@ -20,11 +20,12 @@ jobs:
         uses: actions/checkout@v4
       -
         name: Test
-        uses: docker/bake-action@v3
+        uses: docker/bake-action@v4
         with:
           targets: test
       -
         name: Upload coverage
-        uses: codecov/codecov-action@v3
+        uses: codecov/codecov-action@v4
         with:
           file: ./coverage/clover.xml
+          token: ${{ secrets.CODECOV_TOKEN }}

.github/workflows/validate.yml

@@ -40,6 +40,6 @@ jobs:
         uses: actions/checkout@v4
       -
         name: Validate
-        uses: docker/bake-action@v3
+        uses: docker/bake-action@v4
         with:
           targets: ${{ matrix.target }}

README.md

@@ -74,19 +74,19 @@ jobs:
     steps:
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
       -
         name: Login to Docker Hub
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
       -
         name: Build and push
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v5
         with:
           push: true
           tags: user/app:latest
@@ -108,10 +108,10 @@ to the default Git context:
         # Setting up Docker Buildx with docker-container driver is required
         # at the moment to be able to use a subdirectory with Git context
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
       -
         name: Build and push
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v5
         with:
           context: "{{defaultContext}}:mysubdir"
           push: true
@@ -134,7 +134,7 @@ named `GIT_AUTH_TOKEN` to be able to authenticate against it with Buildx:
 ```yaml
       -
         name: Build and push
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v5
         with:
           push: true
           tags: user/app:latest
@@ -158,22 +158,22 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
       -
         name: Login to Docker Hub
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
       -
         name: Build and push
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v5
         with:
           context: .
           push: true
@@ -217,6 +217,7 @@ Following inputs can be used as `step.with` keys
 |--------------------|-------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | `add-hosts`        | List/CSV    | List of [customs host-to-IP mapping](https://docs.docker.com/engine/reference/commandline/build/#add-entries-to-container-hosts-file---add-host) (e.g., `docker:10.180.0.1`)      |
 | `allow`            | List/CSV    | List of [extra privileged entitlement](https://docs.docker.com/engine/reference/commandline/buildx_build/#allow) (e.g., `network.host,security.insecure`)                         |
+| `annotations`      | List        | List of annotation to set to the image                                                                                                                                            |
 | `attests`          | List        | List of [attestation](https://docs.docker.com/build/attestations/) parameters (e.g., `type=sbom,generator=image`)                                                                 | 
 | `builder`          | String      | Builder instance (see [setup-buildx](https://github.com/docker/setup-buildx-action) action)                                                                                       |
 | `build-args`       | List        | List of [build-time variables](https://docs.docker.com/engine/reference/commandline/buildx_build/#build-arg)                                                                      |
@@ -238,6 +239,7 @@ Following inputs can be used as `step.with` keys
 | `push`             | Bool        | [Push](https://docs.docker.com/engine/reference/commandline/buildx_build/#push) is a shorthand for `--output=type=registry` (default `false`)                                     |
 | `sbom`             | Bool/String | Generate [SBOM](https://docs.docker.com/build/attestations/sbom/) attestation for the build (shorthand for `--attest=type=sbom`)                                                  |
 | `secrets`          | List        | List of [secrets](https://docs.docker.com/engine/reference/commandline/buildx_build/#secret) to expose to the build (e.g., `key=string`, `GIT_AUTH_TOKEN=mytoken`)                |
+| `secret-envs`      | List/CSV    | List of [secret env vars](https://docs.docker.com/engine/reference/commandline/buildx_build/#secret) to expose to the build (e.g., `key=envname`, `MY_SECRET=MY_ENV_VAR`)         |
 | `secret-files`     | List        | List of [secret files](https://docs.docker.com/engine/reference/commandline/buildx_build/#secret) to expose to the build (e.g., `key=filename`, `MY_SECRET=./secret.txt`)         |
 | `shm-size`         | String      | Size of [`/dev/shm`](https://docs.docker.com/engine/reference/commandline/buildx_build/#shm-size) (e.g., `2g`)                                                                    |
 | `ssh`              | List        | List of [SSH agent socket or keys](https://docs.docker.com/engine/reference/commandline/buildx_build/#ssh) to expose to the build                                                 |
@@ -252,7 +254,7 @@ Following inputs can be used as `step.with` keys
 
 ### outputs
 
-Following outputs are available
+The following outputs are available:
 
 | Name       | Type    | Description           |
 |------------|---------|-----------------------|

TROUBLESHOOTING.md

@@ -45,13 +45,13 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
         with:
           buildkitd-flags: --debug
       -
@@ -59,7 +59,7 @@ jobs:
         uses: crazy-max/ghaction-setup-containerd@v2
       -
         name: Build Docker image
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v5
         with:
           context: .
           platforms: linux/amd64,linux/arm64
@@ -112,7 +112,7 @@ to generate sanitized tags:
     tags: latest
 
 - name: Build and push
-  uses: docker/build-push-action@v4
+  uses: docker/build-push-action@v5
   with:
     context: .
     push: true
@@ -130,7 +130,7 @@ Or a dedicated step to sanitize the slug:
     script: return 'ghcr.io/${{ github.repository }}'.toLowerCase()
 
 - name: Build and push
-  uses: docker/build-push-action@v4
+  uses: docker/build-push-action@v5
   with:
     context: .
     push: true
@@ -156,7 +156,7 @@ Sometimes when your workflows are heavy consumers of disk storage, it can happen
 
 ```yaml
 name: Set up Docker Buildx
-uses: docker/setup-buildx-action@v2
+uses: docker/setup-buildx-action@v3
 with:
   driver: docker
 ```

__tests__/context.test.ts

@@ -619,6 +619,93 @@ nproc=3`],
         '.'
       ]
     ],
+    [
+      25,
+      '0.10.0',
+      new Map<string, string>([
+        ['context', '.'],
+        ['no-cache', 'false'],
+        ['load', 'true'],
+        ['push', 'false'],
+        ['pull', 'false'],
+        ['secret-envs', `MY_SECRET=MY_SECRET_ENV
+ANOTHER_SECRET=ANOTHER_SECRET_ENV`]
+      ]),
+      [
+        'build',
+        '--secret', 'id=MY_SECRET,env=MY_SECRET_ENV',
+        '--secret', 'id=ANOTHER_SECRET,env=ANOTHER_SECRET_ENV',
+        '--iidfile', path.join(tmpDir, 'iidfile'),
+        '--load',
+        '--metadata-file', path.join(tmpDir, 'metadata-file'),
+        '.'
+      ]
+    ],
+    [
+      26,
+      '0.10.0',
+      new Map<string, string>([
+        ['context', '.'],
+        ['no-cache', 'false'],
+        ['load', 'true'],
+        ['push', 'false'],
+        ['pull', 'false'],
+        ['secret-envs', 'MY_SECRET=MY_SECRET_ENV,ANOTHER_SECRET=ANOTHER_SECRET_ENV']
+      ]),
+      [
+        'build',
+        '--secret', 'id=MY_SECRET,env=MY_SECRET_ENV',
+        '--secret', 'id=ANOTHER_SECRET,env=ANOTHER_SECRET_ENV',
+        '--iidfile', path.join(tmpDir, 'iidfile'),
+        '--load',
+        '--metadata-file', path.join(tmpDir, 'metadata-file'),
+        '.'
+      ]
+    ],
+    [
+      27,
+      '0.11.0',
+      new Map<string, string>([
+        ['context', '.'],
+        ['annotations', 'example1=www\nindex:example2=xxx\nmanifest:example3=yyy\nmanifest-descriptor[linux/amd64]:example4=zzz'],
+        ['outputs', 'type=local,dest=./release-out'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+      ]),
+      [
+        'build',
+        '--output', 'type=local,dest=./release-out',
+        "--provenance", `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`,
+        '--metadata-file', path.join(tmpDir, 'metadata-file'),
+        '.'
+      ]
+    ],
+    [
+      28,
+      '0.12.0',
+      new Map<string, string>([
+        ['context', '.'],
+        ['annotations', 'example1=www\nindex:example2=xxx\nmanifest:example3=yyy\nmanifest-descriptor[linux/amd64]:example4=zzz'],
+        ['outputs', 'type=local,dest=./release-out'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+      ]),
+      [
+        'build',
+        '--annotation', 'example1=www',
+        '--annotation', 'index:example2=xxx',
+        '--annotation', 'manifest:example3=yyy',
+        '--annotation', 'manifest-descriptor[linux/amd64]:example4=zzz',
+        '--output', 'type=local,dest=./release-out',
+        "--provenance", `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`,
+        '--metadata-file', path.join(tmpDir, 'metadata-file'),
+        '.'
+      ]
+    ]
   ])(
     '[%d] given %p with %p as inputs, returns %p',
     async (num: number, buildxVersion: string, inputs: Map<string, string>, expected: Array<string>) => {

action.yml

@@ -13,6 +13,9 @@ inputs:
   allow:
     description: "List of extra privileged entitlement (e.g., network.host,security.insecure)"
     required: false
+  annotations:
+    description: "List of annotation to set to the image"
+    required: false
   attests:
     description: "List of attestation parameters (e.g., type=sbom,generator=image)"
     required: false
@@ -80,6 +83,9 @@ inputs:
   secrets:
     description: "List of secrets to expose to the build (e.g., key=string, GIT_AUTH_TOKEN=mytoken)"
     required: false
+  secret-envs:
+    description: "List of secret env vars to expose to the build (e.g., key=envname, MY_SECRET=MY_ENV_VAR)"
+    required: false
   secret-files:
     description: "List of secret files to expose to the build (e.g., key=filename, MY_SECRET=./secret.txt)"
     required: false
@@ -112,6 +118,6 @@ outputs:
     description: 'Build result metadata'
 
 runs:
-  using: 'node16'
+  using: 'node20'
   main: 'dist/index.js'
   post: 'dist/index.js'

dev.Dockerfile

@@ -1,8 +1,6 @@
 # syntax=docker/dockerfile:1
 
-ARG NODE_VERSION=16
+ARG NODE_VERSION=20
-ARG DOCKER_VERSION=20.10.13
-ARG BUILDX_VERSION=0.8.0
 
 FROM node:${NODE_VERSION}-alpine AS base
 RUN apk add --no-cache cpio findutils git
@@ -62,15 +60,10 @@ RUN --mount=type=bind,target=.,rw \
   --mount=type=cache,target=/src/node_modules \
   yarn run lint
 
-FROM docker:${DOCKER_VERSION} as docker
-FROM docker/buildx-bin:${BUILDX_VERSION} as buildx
-
 FROM deps AS test
 RUN --mount=type=bind,target=.,rw \
   --mount=type=cache,target=/src/node_modules \
-  --mount=type=bind,from=docker,source=/usr/local/bin/docker,target=/usr/bin/docker \
+  yarn run test --coverage --coverageDirectory=/tmp/coverage
-  --mount=type=bind,from=buildx,source=/buildx,target=/usr/libexec/docker/cli-plugins/docker-buildx \
-  yarn run test --coverageDirectory=/tmp/coverage
 
 FROM scratch AS test-coverage
 COPY --from=test /tmp/coverage /

dist/licenses.txt

@@ -527,6 +527,28 @@ Apache-2.0
    limitations under the License.
 
 
+@fastify/busboy
+MIT
+Copyright Brian White. All rights reserved.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+IN THE SOFTWARE.
+
 @octokit/auth-token
 MIT
 The MIT License
@@ -1329,78 +1351,6 @@ Copyright (c) 2012 Felix Geisendörfer (felix@debuggable.com) and contributors
  THE SOFTWARE.
 
 
-fs.realpath
-ISC
-The ISC License
-
-Copyright (c) Isaac Z. Schlueter and Contributors
-
-Permission to use, copy, modify, and/or distribute this software for any
-purpose with or without fee is hereby granted, provided that the above
-copyright notice and this permission notice appear in all copies.
-
-THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
-IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-
-----
-
-This library bundles a version of the `fs.realpath` and `fs.realpathSync`
-methods from Node.js v0.10 under the terms of the Node.js MIT license.
-
-Node's license follows, also included at the header of `old.js` which contains
-the licensed code:
-
-  Copyright Joyent, Inc. and other Node contributors.
-
-  Permission is hereby granted, free of charge, to any person obtaining a
-  copy of this software and associated documentation files (the "Software"),
-  to deal in the Software without restriction, including without limitation
-  the rights to use, copy, modify, merge, publish, distribute, sublicense,
-  and/or sell copies of the Software, and to permit persons to whom the
-  Software is furnished to do so, subject to the following conditions:
-
-  The above copyright notice and this permission notice shall be included in
-  all copies or substantial portions of the Software.
-
-  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
-  FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
-  DEALINGS IN THE SOFTWARE.
-
-
-glob
-ISC
-The ISC License
-
-Copyright (c) Isaac Z. Schlueter and Contributors
-
-Permission to use, copy, modify, and/or distribute this software for any
-purpose with or without fee is hereby granted, provided that the above
-copyright notice and this permission notice appear in all copies.
-
-THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
-IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-
-## Glob Logo
-
-Glob's logo created by Tanya Brassie <http://tanyabrassie.com/>, licensed
-under a Creative Commons Attribution-ShareAlike 4.0 International License
-https://creativecommons.org/licenses/by-sa/4.0/
-
-
 handlebars
 MIT
 Copyright (C) 2011-2019 by Yehuda Katz
@@ -1424,45 +1374,6 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 THE SOFTWARE.
 
 
-inflight
-ISC
-The ISC License
-
-Copyright (c) Isaac Z. Schlueter
-
-Permission to use, copy, modify, and/or distribute this software for any
-purpose with or without fee is hereby granted, provided that the above
-copyright notice and this permission notice appear in all copies.
-
-THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
-IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-
-
-inherits
-ISC
-The ISC License
-
-Copyright (c) Isaac Z. Schlueter
-
-Permission to use, copy, modify, and/or distribute this software for any
-purpose with or without fee is hereby granted, provided that the above
-copyright notice and this permission notice appear in all copies.
-
-THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
-REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
-FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
-INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
-OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-PERFORMANCE OF THIS SOFTWARE.
-
-
-
 is-plain-object
 MIT
 The MIT License (MIT)
@@ -1650,50 +1561,6 @@ ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
 IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
 
-path-is-absolute
-MIT
-The MIT License (MIT)
-
-Copyright (c) Sindre Sorhus <sindresorhus@gmail.com> (sindresorhus.com)
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-THE SOFTWARE.
-
-
-rimraf
-ISC
-The ISC License
-
-Copyright (c) Isaac Z. Schlueter and Contributors
-
-Permission to use, copy, modify, and/or distribute this software for any
-purpose with or without fee is hereby granted, provided that the above
-copyright notice and this permission notice appear in all copies.
-
-THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
-IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-
-
 sax
 ISC
 The ISC License
@@ -1858,6 +1725,31 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 THE SOFTWARE.
 
 
+undici
+MIT
+MIT License
+
+Copyright (c) Matteo Collina and Undici contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
+
 universal-user-agent
 ISC
 # [ISC License](https://spdx.org/licenses/ISC)

package.json

@@ -4,9 +4,13 @@
   "main": "lib/main.js",
   "scripts": {
     "build": "ncc build src/main.ts --source-map --minify --license licenses.txt",
-    "lint": "eslint src/**/*.ts __tests__/**/*.ts",
+    "lint": "yarn run prettier && yarn run eslint",
-    "format": "eslint --fix src/**/*.ts __tests__/**/*.ts",
+    "format": "yarn run prettier:fix && yarn run eslint:fix",
-    "test": "jest --coverage",
+    "eslint": "eslint --max-warnings=0 .",
+    "eslint:fix": "eslint --fix .",
+    "prettier": "prettier --check \"./**/*.ts\"",
+    "prettier:fix": "prettier --write \"./**/*.ts\"",
+    "test": "jest",
     "all": "yarn run build && yarn run format && yarn test"
   },
   "repository": {
@@ -19,33 +23,27 @@
     "build",
     "push"
   ],
-  "author": "Docker",
+  "author": "Docker Inc.",
-  "contributors": [
-    {
-      "name": "CrazyMax",
-      "url": "https://crazymax.dev"
-    }
-  ],
   "license": "Apache-2.0",
   "dependencies": {
-    "@actions/core": "^1.10.0",
+    "@actions/core": "^1.10.1",
-    "@docker/actions-toolkit": "^0.8.0",
+    "@docker/actions-toolkit": "0.18.0",
     "handlebars": "^4.7.7"
   },
   "devDependencies": {
     "@types/csv-parse": "^1.2.2",
-    "@types/node": "^16.18.21",
+    "@types/node": "^20.5.9",
-    "@typescript-eslint/eslint-plugin": "^5.56.0",
+    "@typescript-eslint/eslint-plugin": "^6.6.0",
-    "@typescript-eslint/parser": "^5.56.0",
+    "@typescript-eslint/parser": "^6.6.0",
-    "@vercel/ncc": "^0.36.1",
+    "@vercel/ncc": "^0.38.0",
-    "eslint": "^8.36.0",
+    "eslint": "^8.48.0",
-    "eslint-config-prettier": "^8.8.0",
+    "eslint-config-prettier": "^9.0.0",
-    "eslint-plugin-jest": "^27.2.1",
+    "eslint-plugin-jest": "^27.2.3",
-    "eslint-plugin-prettier": "^4.2.1",
+    "eslint-plugin-prettier": "^5.0.0",
-    "jest": "^29.5.0",
+    "jest": "^29.6.4",
-    "prettier": "^2.8.7",
+    "prettier": "^3.0.3",
-    "ts-jest": "^29.0.5",
+    "ts-jest": "^29.1.1",
     "ts-node": "^10.9.1",
-    "typescript": "^4.9.5"
+    "typescript": "^5.2.2"
   }
 }

src/context.ts

@@ -9,6 +9,7 @@ import {Util} from '@docker/actions-toolkit/lib/util';
 export interface Inputs {
   addHosts: string[];
   allow: string[];
+  annotations: string[];
   attests: string[];
   buildArgs: string[];
   buildContexts: string[];
@@ -30,6 +31,7 @@ export interface Inputs {
   push: boolean;
   sbom: string;
   secrets: string[];
+  secretEnvs: string[];
   secretFiles: string[];
   shmSize: string;
   ssh: string[];
@@ -43,6 +45,7 @@ export async function getInputs(): Promise<Inputs> {
   return {
     addHosts: Util.getInputList('add-hosts'),
     allow: Util.getInputList('allow'),
+    annotations: Util.getInputList('annotations', {ignoreComma: true}),
     attests: Util.getInputList('attests', {ignoreComma: true}),
     buildArgs: Util.getInputList('build-args', {ignoreComma: true}),
     buildContexts: Util.getInputList('build-contexts', {ignoreComma: true}),
@@ -64,6 +67,7 @@ export async function getInputs(): Promise<Inputs> {
     push: core.getBooleanInput('push'),
     sbom: core.getInput('sbom'),
     secrets: Util.getInputList('secrets', {ignoreComma: true}),
+    secretEnvs: Util.getInputList('secret-envs'),
     secretFiles: Util.getInputList('secret-files', {ignoreComma: true}),
     shmSize: core.getInput('shm-size'),
     ssh: Util.getInputList('ssh'),
@@ -98,6 +102,15 @@ async function getBuildArgs(inputs: Inputs, context: string, toolkit: Toolkit):
     await Util.asyncForEach(inputs.attests, async attest => {
       args.push('--attest', attest);
     });
+  } else if (inputs.attests.length > 0) {
+    core.warning("Attestations are only supported by buildx >= 0.10.0; the input 'attests' is ignored.");
+  }
+  if (await toolkit.buildx.versionSatisfies('>=0.12.0')) {
+    await Util.asyncForEach(inputs.annotations, async annotation => {
+      args.push('--annotation', annotation);
+    });
+  } else if (inputs.annotations.length > 0) {
+    core.warning("Annotations are only supported by buildx >= 0.12.0; the input 'annotations' is ignored.");
   }
   await Util.asyncForEach(inputs.buildArgs, async buildArg => {
     args.push('--build-arg', buildArg);
@@ -106,6 +119,8 @@ async function getBuildArgs(inputs: Inputs, context: string, toolkit: Toolkit):
     await Util.asyncForEach(inputs.buildContexts, async buildContext => {
       args.push('--build-context', buildContext);
     });
+  } else if (inputs.buildContexts.length > 0) {
+    core.warning("Build contexts are only supported by buildx >= 0.8.0; the input 'build-contexts' is ignored.");
   }
   await Util.asyncForEach(inputs.cacheFrom, async cacheFrom => {
     args.push('--cache-from', cacheFrom);
@@ -116,6 +131,13 @@ async function getBuildArgs(inputs: Inputs, context: string, toolkit: Toolkit):
   if (inputs.cgroupParent) {
     args.push('--cgroup-parent', inputs.cgroupParent);
   }
+  await Util.asyncForEach(inputs.secretEnvs, async secretEnv => {
+    try {
+      args.push('--secret', BuildxInputs.resolveBuildSecretEnv(secretEnv));
+    } catch (err) {
+      core.warning(err.message);
+    }
+  });
   if (inputs.file) {
     args.push('--file', inputs.file);
   }
@@ -153,6 +175,8 @@ async function getBuildArgs(inputs: Inputs, context: string, toolkit: Toolkit):
     if (inputs.sbom) {
       args.push('--sbom', inputs.sbom);
     }
+  } else if (inputs.provenance || inputs.sbom) {
+    core.warning("Attestations are only supported by buildx >= 0.10.0; the inputs 'provenance' and 'sbom' are ignored.");
   }
   await Util.asyncForEach(inputs.secrets, async secret => {
     try {

src/main.ts

@@ -48,7 +48,7 @@ actionsToolkit.run(
       if (dockerConfig && dockerConfig.proxies) {
         for (const host in dockerConfig.proxies) {
           let prefix = '';
-          if (dockerConfig.proxies.length > 1) {
+          if (Object.keys(dockerConfig.proxies).length > 1) {
             prefix = '  ';
             core.info(host);
           }