From 818c69a4eaaa2e69d4a2db24ff4888465e57ee11 Mon Sep 17 00:00:00 2001
From: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Date: Wed, 2 Oct 2024 11:36:15 +0200
Subject: [PATCH] always set buildkitd-flags if opt-in

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
---
 README.md                 |  8 +++++++-
 __tests__/context.test.ts | 18 ++++++++++++++++++
 action.yml                |  1 -
 src/context.ts            | 27 +++++++++++++++------------
 4 files changed, 40 insertions(+), 14 deletions(-)

diff --git a/README.md b/README.md
index 672fc77..bdf9e20 100644
--- a/README.md
+++ b/README.md
@@ -101,7 +101,13 @@ The following inputs can be used as `step.with` keys:
 | `cache-binary`               | Bool     | `true`             | Cache buildx binary to GitHub Actions cache backend                                                                                                                          |
 | `cleanup`                    | Bool     | `true`             | Cleanup temp files and remove builder at the end of a job                                                                                                                    |
 
-_\* `buildkitd-config` and `buildkitd-config-inline` are mutually exclusive_
+> [!IMPORTANT]
+> If you set the `buildkitd-flags` input, the default flags (`--allow-insecure-entitlement security.insecure --allow-insecure-entitlement network.host`)
+> will be reset. If you want to retain the default behavior, make sure to
+> include these flags in your custom `buildkitd-flags` value.
+
+> [!NOTE]
+> `buildkitd-config` and `buildkitd-config-inline` are mutually exclusive.
 
 ### outputs
 
diff --git a/__tests__/context.test.ts b/__tests__/context.test.ts
index 720fd21..8a2b367 100644
--- a/__tests__/context.test.ts
+++ b/__tests__/context.test.ts
@@ -226,6 +226,24 @@ describe('getCreateArgs', () => {
         '--buildkitd-flags', '--allow-insecure-entitlement security.insecure --allow-insecure-entitlement network.host',
         '--config', tmpName,
       ]
+    ],
+    [
+      10,
+      'v0.10.3',
+      new Map<string, string>([
+        ['install', 'false'],
+        ['use', 'false'],
+        ['driver', 'cloud'],
+        ['buildkitd-flags', '--allow-insecure-entitlement network.host'],
+        ['cache-binary', 'true'],
+        ['cleanup', 'true'],
+      ]),
+      [
+        'create',
+        '--name', 'builder-9b1deb4d-3b7d-4bad-9bdd-2b0d7b3dcb6d',
+        '--driver', 'cloud',
+        '--buildkitd-flags', '--allow-insecure-entitlement network.host',
+      ]
     ]
   ])(
     '[%d] given buildx %s and %p as inputs, returns %p',
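Review bot: The new case only covers `driver: cloud` together with an explicit `buildkitd-flags` value, so nothing in this table asserts the other half of the new behaviour: a driver outside `driverSupportsBuildkitdFlags` with no `buildkitd-flags` input must yield no `--buildkitd-flags` argument at all, and a regression that re-injects the `security.insecure` default for `cloud` would still pass. Add a sibling case identical to this one minus the `buildkitd-flags` entry whose expected args are `['create', '--name', 'builder-9b1deb4d-3b7d-4bad-9bdd-2b0d7b3dcb6d', '--driver', 'cloud']`, and, since the default string no longer lives in action.yml, one for `docker-container` without the input that expects the full `--allow-insecure-entitlement security.insecure --allow-insecure-entitlement network.host` value. The `describe('getCreateArgs')` table this case belongs to starts before the hunk.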
diff --git a/action.yml b/action.yml
index da3b05a..110fbed 100644
--- a/action.yml
+++ b/action.yml
@@ -19,7 +19,6 @@ inputs:
     required: false
   buildkitd-flags:
     description: 'BuildKit daemon flags'
-    default: '--allow-insecure-entitlement security.insecure --allow-insecure-entitlement network.host'
     required: false
   buildkitd-config:
     description: 'BuildKit daemon config file'
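Review bot: With the `default:` line removed, the manifest no longer tells a user what happens when `buildkitd-flags` is left unset, and the fallback that grants the daemon the `security.insecure` and `network.host` entitlements now exists only in src/context.ts. The input description should carry that, e.g. `description: 'BuildKit daemon flags. Unset: "--allow-insecure-entitlement security.insecure --allow-insecure-entitlement network.host" is applied for the docker-container, docker and kubernetes drivers; any value you set replaces those defaults entirely.'` That keeps a security-relevant default discoverable from the action manifest itself, which is what marketplace listings and `uses:` tooling surface, rather than only from the README.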
diff --git a/src/context.ts b/src/context.ts
index 587b3d3..4fb8d47 100644
--- a/src/context.ts
+++ b/src/context.ts
@@ -8,6 +8,7 @@ import {Toolkit} from '@docker/actions-toolkit/lib/toolkit';
 import {Node} from '@docker/actions-toolkit/lib/types/buildx/builder';
 
 export const builderNodeEnvPrefix = 'BUILDER_NODE';
+const defaultBuildkitdFlags = '--allow-insecure-entitlement security.insecure --allow-insecure-entitlement network.host';
 
 export interface Inputs {
   version: string;
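Review bot: `defaultBuildkitdFlags` grants two entitlements that widen what a build can do on the runner (`security.insecure` and `network.host`), and the constant carries no explanation of why they are on by default or when they are applied, which is exactly the kind of default a later maintainer is likely to copy elsewhere. A short comment above it would help: `// Entitlements injected only when the user sets no buildkitd-flags and the driver is in driverSupportsBuildkitdFlags(); any user-supplied value replaces them wholesale (see README).` Consider also noting there that `--allow-insecure-entitlement` only permits builds that request `--allow security.insecure`/`network.host`, so the comment does not overstate what the flag does.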
@@ -32,7 +33,7 @@ export async function getInputs(): Promise<Inputs> {
     name: await getBuilderName(core.getInput('driver') || 'docker-container'),
     driver: core.getInput('driver') || 'docker-container',
     driverOpts: Util.getInputList('driver-opts', {ignoreComma: true, quote: false}),
-    buildkitdFlags: core.getInput('buildkitd-flags') || '--allow-insecure-entitlement security.insecure --allow-insecure-entitlement network.host',
+    buildkitdFlags: core.getInput('buildkitd-flags'),
     platforms: Util.getInputList('platforms'),
     install: core.getBooleanInput('install'),
     use: core.getBooleanInput('use'),
@@ -52,11 +53,13 @@ export async function getBuilderName(driver: string): Promise<string> {
 export async function getCreateArgs(inputs: Inputs, toolkit: Toolkit): Promise<Array<string>> {
   const args: Array<string> = ['create', '--name', inputs.name, '--driver', inputs.driver];
   if (await toolkit.buildx.versionSatisfies('>=0.3.0')) {
-    await Util.asyncForEach(inputs.driverOpts, async driverOpt => {
+    await Util.asyncForEach(inputs.driverOpts, async (driverOpt: string) => {
       args.push('--driver-opt', driverOpt);
     });
-    if (driverSupportsFlags(inputs.driver) && inputs.buildkitdFlags) {
+    if (inputs.buildkitdFlags) {
       args.push('--buildkitd-flags', inputs.buildkitdFlags);
+    } else if (driverSupportsBuildkitdFlags(inputs.driver)) {
+      args.push('--buildkitd-flags', defaultBuildkitdFlags);
     }
   }
   if (inputs.platforms.length > 0) {
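Review bot: The `if (inputs.buildkitdFlags) … else if (driverSupportsBuildkitdFlags(inputs.driver))` pair treats an empty input exactly like an absent one, so a workflow that sets `buildkitd-flags: ''` to drop the `security.insecure` entitlement still receives the full default on docker-container/docker/kubernetes, which contradicts the README text in this same commit ("if you set the `buildkitd-flags` input, the default flags will be reset"). Because `core.getInput` returns `''` in both cases there is currently no way to opt out of the insecure entitlements other than passing some other non-empty flag; either say so explicitly in the README, or accept a documented sentinel value and map it to "no `--buildkitd-flags`". The explicit-flags branch also no longer consults `driverSupportsBuildkitdFlags`, so user-supplied flags are now forwarded for every driver — presumably intended so `cloud` can receive them, but a one-line comment such as `// user-supplied flags are forwarded for any driver; only the insecure defaults are driver-gated` would make that deliberate. `getCreateArgs` continues past the hunk.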
@@ -65,12 +68,10 @@ export async function getCreateArgs(inputs: Inputs, toolkit: Toolkit): Promise<A
   if (inputs.use) {
     args.push('--use');
   }
-  if (driverSupportsFlags(inputs.driver)) {
-    if (inputs.buildkitdConfig) {
-      args.push('--config', toolkit.buildkit.config.resolveFromFile(inputs.buildkitdConfig));
-    } else if (inputs.buildkitdConfigInline) {
-      args.push('--config', toolkit.buildkit.config.resolveFromString(inputs.buildkitdConfigInline));
-    }
+  if (inputs.buildkitdConfig) {
+    args.push('--config', toolkit.buildkit.config.resolveFromFile(inputs.buildkitdConfig));
+  } else if (inputs.buildkitdConfigInline) {
+    args.push('--config', toolkit.buildkit.config.resolveFromString(inputs.buildkitdConfigInline));
   }
   if (inputs.endpoint) {
     args.push(inputs.endpoint);
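Review bot: The `if (inputs.buildkitdConfig) … else if (inputs.buildkitdConfigInline)` chain silently resolves the case where both inputs are set by letting the file win, while the README in this commit states the two are mutually exclusive; a user who sets both gets their inline config (possibly the one carrying registry mirrors or TLS settings) ignored without any signal. Add an explicit check before the chain, e.g. `if (inputs.buildkitdConfig && inputs.buildkitdConfigInline) { throw new Error('buildkitd-config and buildkitd-config-inline are mutually exclusive'); }`, or at least a `core.warning` if a hard failure is considered too disruptive. Note also that with the driver gate removed `--config` is now forwarded for every driver; I cannot tell from here how buildx handles it for `remote`/`cloud`, so that is worth confirming against the buildx version range the action claims to support.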
@@ -86,11 +87,13 @@ export async function getAppendArgs(inputs: Inputs, node: Node, toolkit: Toolkit
     args.push('--node', `node-${uuid.v4()}`);
   }
   if (node['driver-opts'] && (await toolkit.buildx.versionSatisfies('>=0.3.0'))) {
-    await Util.asyncForEach(node['driver-opts'], async driverOpt => {
+    await Util.asyncForEach(node['driver-opts'], async (driverOpt: string) => {
       args.push('--driver-opt', driverOpt);
     });
-    if (driverSupportsFlags(inputs.driver) && node['buildkitd-flags']) {
+    if (node['buildkitd-flags']) {
       args.push('--buildkitd-flags', node['buildkitd-flags']);
+    } else if (driverSupportsBuildkitdFlags(inputs.driver)) {
+      args.push('--buildkitd-flags', defaultBuildkitdFlags);
     }
   }
   if (node.platforms) {
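Review bot: The `node['buildkitd-flags']` / `defaultBuildkitdFlags` fallback here is a verbatim copy of the one in `getCreateArgs`, so the two entry points can drift apart the next time the default or the driver gate changes, and the security-relevant decision ("which nodes get `security.insecure`") would then be made in two places. Extract one helper and call it from both sites so the policy lives in a single function. The gate uses `inputs.driver` rather than anything on `node`, which looks right given appended nodes share the builder's driver, but a comment saying so would save the next reader a trip to the buildx docs. `getAppendArgs` continues past the hunk.
```typescript
// Single source of truth for which BuildKit flags a node receives:
// an explicit value always wins; otherwise the insecure defaults are
// applied only for drivers that run their own buildkitd.
function resolveBuildkitdFlags(driver: string, explicit?: string): string | undefined {
  if (explicit) {
    return explicit;
  }
  return driverSupportsBuildkitdFlags(driver) ? defaultBuildkitdFlags : undefined;
}

// … unchanged: node name / --node handling …
    const flags = resolveBuildkitdFlags(inputs.driver, node['buildkitd-flags']);
    if (flags) {
      args.push('--buildkitd-flags', flags);
    }
```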
@@ -110,6 +113,6 @@ export async function getInspectArgs(inputs: Inputs, toolkit: Toolkit): Promise<
   return args;
 }
 
-function driverSupportsFlags(driver: string): boolean {
+function driverSupportsBuildkitdFlags(driver: string): boolean {
   return driver == '' || driver == 'docker-container' || driver == 'docker' || driver == 'kubernetes';
 }
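Review bot: `driverSupportsBuildkitdFlags` is now the allow-list that decides which builders silently receive the `security.insecure` and `network.host` entitlements, yet it has no comment stating that intent or why `remote` and `cloud` are left out, so a future "add driver X" change could widen the insecure default without noticing. Document it: `// Drivers that run their own buildkitd and therefore get the insecure default entitlements when no buildkitd-flags input is given; remote/cloud are deliberately excluded.` The `driver == ''` arm appears unreachable from `getInputs`, which already defaults an empty driver to `'docker-container'`, but other callers may pass `''`, so it can stay; switch the comparisons to `===` while touching the line.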