bake: handle git auth token when parsing remote definition

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>

.github/workflows/test.yml

@@ -15,6 +15,7 @@ on:
 
 env:
   NODE_VERSION: "20"
+  BUILDX_VERSION: "v0.14.0-rc1"
 
 jobs:
   test:
@@ -102,6 +103,20 @@ jobs:
         with:
           node-version: ${{ env.NODE_VERSION }}
           cache: 'yarn'
+      -
+        name: Set up Docker Buildx
+        if: startsWith(matrix.os, 'ubuntu')
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: ${{ env.BUILDX_VERSION }}
+          driver: docker
+      -
+        name: GitHub auth token from GitHub App
+        id: docker-read-app
+        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
+        with:
+          app_id: ${{ vars.DOCKER_READ_APP_ID }}
+          private_key: ${{ secrets.DOCKER_READ_APP_PRIVATE_KEY }}
       -
         name: Install
         run: yarn install
@@ -110,7 +125,7 @@ jobs:
         run: |
           yarn test:itg-coverage --runTestsByPath __tests__/${{ matrix.test }} --coverageDirectory=./coverage
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ steps.docker-read-app.outputs.token }}
       -
         name: Check coverage
         run: |

__tests__/buildx/bake.test.itg.ts

@@ -35,14 +35,28 @@ maybe('getDefinition', () => {
     [
       'https://github.com/docker/buildx.git#v0.10.4',
       ['binaries-cross'],
-      path.join(fixturesDir, 'bake-buildx-0.10.4-binaries-cross.json')
+      path.join(fixturesDir, 'bake-buildx-0.10.4-binaries-cross.json'),
+      false,
     ],
-  ])('given %p', async (source: string, targets: string[], out: string) => {
+    [
+      'https://github.com/docker/test-docker-action.git#remote-private',
+      ['default'],
+      path.join(fixturesDir, 'bake-test-docker-action-remote-private.json'),
+      true,
+    ]
+  ])('given %p', async (source: string, targets: string[], out: string, auth) => {
+    const gitAuthToken = process.env.GITHUB_TOKEN || '';
+    if (auth && !gitAuthToken) {
+      console.log(`Git auth token not available, skipping test`);
+      return;
+    }
     const bake = new Bake();
     const expectedDef = <BakeDefinition>JSON.parse(fs.readFileSync(out, {encoding: 'utf-8'}).trim())
+    // eslint-disable-next-line jest/no-conditional-expect
     expect(await bake.getDefinition({
       source: source,
-      targets: targets
+      targets: targets,
+      githubToken: gitAuthToken,
     })).toEqual(expectedDef);
   });
 });

__tests__/fixtures/bake-test-docker-action-remote-private.json

@@ -0,0 +1,11 @@
+{
+  "target": {
+    "default": {
+      "context": "https://github.com/docker/test-docker-action.git#remote-private",
+      "dockerfile": "Dockerfile",
+      "tags": [
+        "foo"
+      ]
+    }
+  }
+}

dev.Dockerfile

@@ -16,7 +16,7 @@
 
 ARG NODE_VERSION=20
 ARG DOCKER_VERSION=26.0.0
-ARG BUILDX_VERSION=0.13.1
+ARG BUILDX_VERSION=0.14.0-rc1
 
 FROM node:${NODE_VERSION}-alpine AS base
 RUN apk add --no-cache cpio findutils git

src/buildx/bake.ts

@@ -36,6 +36,8 @@ export interface BakeCmdOpts {
   sbom?: string;
   source?: string;
   targets?: Array<string>;
+
+  githubToken?: string; // for auth with remote definitions on private repos
 }
 
 export class Bake {
@@ -48,6 +50,13 @@ export class Bake {
   public async getDefinition(cmdOpts: BakeCmdOpts, execOptions?: ExecOptions): Promise<BakeDefinition> {
     execOptions = execOptions || {ignoreReturnCode: true};
     execOptions.ignoreReturnCode = true;
+    if (cmdOpts.githubToken) {
+      execOptions.env = Object.assign({}, process.env, {
+        BUILDX_BAKE_GIT_AUTH_TOKEN: cmdOpts.githubToken
+      }) as {
+        [key: string]: string;
+      };
+    }
 
     const args = ['bake'];
 

src/buildx/inputs.ts

@@ -77,24 +77,23 @@ export class Inputs {
   }
 
   public static resolveBuildSecretString(kvp: string): string {
-    return Inputs.resolveBuildSecret(kvp, false);
+    const [key, file] = Inputs.resolveBuildSecret(kvp, false);
+    return `id=${key},src=${file}`;
   }
 
   public static resolveBuildSecretFile(kvp: string): string {
-    return Inputs.resolveBuildSecret(kvp, true);
+    const [key, file] = Inputs.resolveBuildSecret(kvp, true);
+    return `id=${key},src=${file}`;
   }
 
   public static resolveBuildSecretEnv(kvp: string): string {
     const [key, value] = parseKvp(kvp);
-
     return `id=${key},env=${value}`;
   }
 
-  public static resolveBuildSecret(kvp: string, file: boolean): string {
+  public static resolveBuildSecret(kvp: string, file: boolean): [string, string] {
     const [key, _value] = parseKvp(kvp);
-
     let value = _value;
-
     if (file) {
       if (!fs.existsSync(value)) {
         throw new Error(`secret file ${value} not found`);
@@ -103,7 +102,7 @@ export class Inputs {
     }
     const secretFile = Context.tmpName({tmpdir: Context.tmpDir()});
     fs.writeFileSync(secretFile, value);
-    return `id=${key},src=${secretFile}`;
+    return [key, secretFile];
   }
 
   public static getProvenanceInput(name: string): string {