From d04604b877fb45d22c1a478d92f04b293dc62733 Mon Sep 17 00:00:00 2001
From: Nikita COEUR
Date: Fri, 16 Jan 2026 17:18:48 +0100
Subject: [PATCH 1/5] fix(build-image): fix command to test docker existence
---
 actions/docker/build-image/action.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/actions/docker/build-image/action.yml b/actions/docker/build-image/action.yml
index 81f65932..55d9f733 100644
--- a/actions/docker/build-image/action.yml
+++ b/actions/docker/build-image/action.yml
@@ -178,7 +178,7 @@ runs:
 core.setOutput('cache-image', cacheImage);
 try {
- await exec.exec('command -v docker', { stdio: 'ignore' });
+ await exec.exec('which', ['docker'], { silent: true });
 core.setOutput('docker-exists', 'true');
 } catch (error) {
 // docker not available on runner
From ab9783f4b6a5e0f4f8bceb37eeea8a60b7c4cf19 Mon Sep 17 00:00:00 2001
From: Nikita COEUR
Date: Fri, 16 Jan 2026 17:19:49 +0100
Subject: [PATCH 2/5] feat(docker-images): add cache-registry and buildkit configuration support
Add new inputs to support:
- cache-registry: separate registry for Docker build cache
- cache-registry-username/password: credentials for cache registry
- buildkitd-config-inline: custom BuildKit daemon configuration
When cache-registry is specified, the cache image path is automatically constructed using this registry instead of the main oci-registry. This allows using a local/private registry for build cache while pushing final images to a different registry (e.g., ghcr.io).
---
 .github/workflows/docker-build-images.yml | 31 +++++++++++++++
 actions/docker/build-image/action.yml | 47 ++++++++++++++++++++++-
 2 files changed, 77 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/docker-build-images.yml b/.github/workflows/docker-build-images.yml
index aa7883c3..7c7b4ac2 100644
--- a/.github/workflows/docker-build-images.yml
+++ b/.github/workflows/docker-build-images.yml
@@ -93,6 +93,28 @@ on: # yamllint disable-line rule:truthy
 default: "gha"
 type: string
 required: false
+ buildkitd-config-inline:
+ description: |
+ Inline BuildKit daemon configuration.
+ See https://github.com/docker/setup-buildx-action#inputs.
+ Example for insecure registry:
+ [registry."my-registry.local:5000"]
+ http = true
+ insecure = true
+ type: string
+ required: false
+ cache-registry:
+ description: |
+ Optional separate registry for Docker build cache.
+ Use this when cache is stored on a different registry than the final image.
+ type: string
+ required: false
+ cache-registry-username:
+ description: |
+ Username for the cache registry.
+ Required if cache-registry is set and requires authentication.
+ type: string
+ required: false
 sign:
 description: |
 Sign built images.
@@ -116,6 +138,11 @@ on: # yamllint disable-line rule:truthy
 GitHub App private key to generate GitHub token to be passed as build secret env.
 See https://github.com/actions/create-github-app-token.
 required: false
+ cache-registry-password:
+ description: |
+ Password for the cache registry.
+ Required if cache-registry is set and requires authentication.
+ required: false
 outputs:
 built-images:
 description: |
@@ -414,6 +441,10 @@ jobs:
 secret-envs: ${{ steps.prepare-secret-envs.outputs.secret-envs }}
 secrets: ${{ secrets.build-secrets }}
 cache-type: ${{ inputs.cache-type }}
+ cache-registry: ${{ inputs.cache-registry }}
+ cache-registry-username: ${{ inputs.cache-registry-username }}
+ cache-registry-password: ${{ secrets.cache-registry-password }}
+ buildkitd-config-inline: ${{ inputs.buildkitd-config-inline }}
 multi-platform: ${{ matrix.image.multi-platform }}
 # FIXME: Set built images infos in file to be uploaded as artifacts, because github action does not handle job outputs for matrix
diff --git a/actions/docker/build-image/action.yml b/actions/docker/build-image/action.yml
index 55d9f733..8e61d5e6 100644
--- a/actions/docker/build-image/action.yml
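Review bot: The `buildkitd-config-inline` description added in the first hunk (`@@ -93,6 +93,28 @@`) gives an `http = true` / `insecure = true` registry as its only example and says nothing about what that setting costs, so callers are likely to copy it as the normal way to reach a cache registry. With that configuration BuildKit talks to the registry without TLS verification, which can expose the cache registry credentials on the network and leaves the imported cache layers unauthenticated, so a tampered cache could end up in images that are later signed and pushed. I would add a sentence to the description such as `Only disable TLS for a registry on an isolated, trusted network; cache content fetched this way is not authenticated.` The same description is added to `actions/docker/build-image/action.yml` (`@@ -87,6 +87,31 @@`) and should carry the same caveat.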
+++ b/actions/docker/build-image/action.yml
@@ -87,6 +87,31 @@ inputs:
 See https://docs.docker.com/build/cache/backends.
 default: "gha"
 required: false
+ cache-registry:
+ description: |
+ Optional separate registry for Docker build cache.
+ Use this when cache is stored on a different registry than the final image.
+ If not set, cache operations use the main oci-registry.
+ required: false
+ cache-registry-username:
+ description: |
+ Username for the cache registry.
+ Required if cache-registry is set and requires authentication.
+ required: false
+ cache-registry-password:
+ description: |
+ Password for the cache registry.
+ Required if cache-registry is set and requires authentication.
+ required: false
+ buildkitd-config-inline:
+ description: |
+ Inline BuildKit daemon configuration.
+ See https://github.com/docker/setup-buildx-action#inputs.
+ Example for insecure registry:
+ [registry."my-registry.local:5000"]
+ http = true
+ insecure = true
+ required: false
 multi-platform:
 description: |
 Whether this build participates in a multi-platform image publication.
@@ -174,7 +199,19 @@ runs:
 const cacheType = `${{ inputs.cache-type }}`.trim();
 const metadataImage = `${{ steps.metadata.outputs.image }}`;
- const cacheImage = cacheType === 'registry' ? `${metadataImage}/cache` : metadataImage;
+ const cacheRegistry = `${{ inputs.cache-registry }}`.trim();
+
+ let cacheImage;
+ if (cacheRegistry) {
+ // Use separate cache registry: replace the registry part of the image
+ const imageParts = metadataImage.split('/');
+ // Remove the original registry (first part) and join with cache registry
+ imageParts.shift();
+ cacheImage = `${cacheRegistry}/${imageParts.join('/')}/cache`;
+ } else {
+ // Use main registry for cache
+ cacheImage = cacheType === 'registry' ? `${metadataImage}/cache` : metadataImage;
+ }
 core.setOutput('cache-image', cacheImage);
 try {
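Review bot: The new `cacheRegistry` constant in the second hunk (`@@ -174,7 +199,19 @@`) is built by expanding `${{ inputs.cache-registry }}` inside a JavaScript template literal, so the input text becomes part of the script source before it runs, and a value that contains template-literal syntax is parsed as code rather than data, with whatever token and secrets the step can reach. The neighbouring `cacheType` and `metadataImage` lines already follow this pattern, but each added input widens it; pass the value through the step's `env:` as `CACHE_REGISTRY: ${{ inputs.cache-registry }}` and read it with `const cacheRegistry = (process.env.CACHE_REGISTRY ?? '').trim();`. Separately, `imageParts.shift()` assumes the metadata image always starts with a registry host; if it can be a bare `org/name`, the first path component is dropped silently, so a check or a comment stating that assumption would help. The script step begins and ends outside the hunk.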
@@ -248,6 +285,7 @@ runs:
 # FIXME: upgrade version when available (https://hub.docker.com/r/moby/buildkit)
 driver-opts: |
 image=moby/buildkit:v0.27.0
+ buildkitd-config-inline: ${{ inputs.buildkitd-config-inline }}
 # Caching setup
 - id: cache-arguments
@@ -278,6 +316,13 @@ runs:
 registry: ${{ inputs.oci-registry }}
 username: ${{ inputs.oci-registry-username }}
 password: ${{ inputs.oci-registry-password }}
+
+ - uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+ if: inputs.cache-registry
+ with:
+ registry: ${{ inputs.cache-registry }}
+ username: ${{ inputs.cache-registry-username }}
+ password: ${{ inputs.cache-registry-password }}
 # jscpd:ignore-end
 - id: build
From a587b652de6a8d0014022ab90822adae92874d30 Mon Sep 17 00:00:00 2001
From: Nikita COEUR
Date: Thu, 5 Mar 2026 15:00:45 +0100
Subject: [PATCH 3/5] chore(deps): update docker login action after rebase
---
 actions/docker/build-image/action.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/actions/docker/build-image/action.yml b/actions/docker/build-image/action.yml
index 8e61d5e6..0fc63fed 100644
--- a/actions/docker/build-image/action.yml
+++ b/actions/docker/build-image/action.yml
@@ -317,7 +317,7 @@ runs:
 username: ${{ inputs.oci-registry-username }}
 password: ${{ inputs.oci-registry-password }}
- - uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+ - uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
 if: inputs.cache-registry
 with:
 registry: ${{ inputs.cache-registry }}
From 62df580c15700d3287df78274264714e4e3602a9 Mon Sep 17 00:00:00 2001
From: Nikita COEUR
Date: Thu, 5 Mar 2026 16:52:27 +0100
Subject: [PATCH 4/5] fix(build-image): use built-in which to detect docker
---
 actions/docker/build-image/action.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/actions/docker/build-image/action.yml b/actions/docker/build-image/action.yml
index 0fc63fed..b6bddc00 100644
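Review bot: The login step added in `@@ -278,6 +316,13 @@` runs whenever `cache-registry` is set, yet the input descriptions say the username and password are needed only when that registry requires authentication, so an unauthenticated cache registry reaches `docker/login-action` with empty credentials. As far as I know the action rejects an empty username or password, which would fail the job for exactly the local-registry case the commit message describes; guard the step with `if: inputs.cache-registry && inputs.cache-registry-username`. It would also help to put a comment above the step, for example `# Skipped when the cache registry needs no credentials`. The step list continues outside the hunk.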
--- a/actions/docker/build-image/action.yml
+++ b/actions/docker/build-image/action.yml
@@ -215,7 +215,7 @@ runs:
 core.setOutput('cache-image', cacheImage);
 try {
- await exec.exec('which', ['docker'], { silent: true });
+ await io.which('docker', true);
 core.setOutput('docker-exists', 'true');
 } catch (error) {
 // docker not available on runner
From 06944d473d6f96b0876944f9d2d7ef4c077c60b0 Mon Sep 17 00:00:00 2001
From: Nikita COEUR
Date: Thu, 5 Mar 2026 16:54:37 +0100
Subject: [PATCH 5/5] docs: specify ini to insecure registry inputs
---
 .github/workflows/docker-build-images.yml | 2 ++
 actions/docker/build-image/action.yml | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/.github/workflows/docker-build-images.yml b/.github/workflows/docker-build-images.yml
index 7c7b4ac2..83b47f40 100644
--- a/.github/workflows/docker-build-images.yml
+++ b/.github/workflows/docker-build-images.yml
@@ -98,9 +98,11 @@ on: # yamllint disable-line rule:truthy
 Inline BuildKit daemon configuration.
 See https://github.com/docker/setup-buildx-action#inputs.
 Example for insecure registry:
+ ```ini
 [registry."my-registry.local:5000"]
 http = true
 insecure = true
+ ```
 type: string
 required: false
 cache-registry:
 description: |
diff --git a/actions/docker/build-image/action.yml b/actions/docker/build-image/action.yml
index b6bddc00..49f42eb1 100644
--- a/actions/docker/build-image/action.yml
+++ b/actions/docker/build-image/action.yml
@@ -108,9 +108,11 @@ inputs:
 Inline BuildKit daemon configuration.
 See https://github.com/docker/setup-buildx-action#inputs.
 Example for insecure registry:
+ ```ini
 [registry."my-registry.local:5000"]
 http = true
 insecure = true
+ ```
 required: false
 multi-platform:
 description: |