GitHub Action
Depot Bake
This action implements the same inputs and outputs as the docker/bake-action, but uses the depot CLI to execute the build.
The depot CLI will need to be available in your workflow, you can use the depot/setup-action to install it:
steps:
- uses: depot/setup-action@v1This action implements the same inputs and outputs as the docker/bake-action. You will need to supply your project ID and Depot authentication information, although both can be inferred from the environment. See below for more details.
This action needs a Depot API token to communicate with your project's builders. You can supply this one of three ways. The third, using OICD, is the preferred method, but you can also supply a token directly.
-
You can supply a user or project API token via the
tokeninput:steps: - uses: depot/bake-action@v1 with: token: ${{ secrets.DEPOT_TOKEN }}
-
You can supply a user or project API token via the
DEPOT_TOKENenvironment variable:steps: - uses: depot/bake-action@v1 env: DEPOT_TOKEN: ${{ secrets.DEPOT_TOKEN }}
-
Depot supports GitHub's OpenID Connect tokens via a trust relationship, so your Actions builds can securely authenticate with your Depot projects without any static access tokens. To configure the trust relationship, visit your Depot project settings, then add your repository and desired workflow config to
Trust Relationships. Then in your workflow, enable theid-token: writepermission:permissions: # allow issuing OIDC tokens for this workflow run id-token: write # allow at least reading the repo contents, add other permissions if necessary contents: read steps: # no need to provide a DEPOT_TOKEN - uses: depot/bake-action@v1
-
Authentication — this action needs to authenticate with a Depot API token to communicate with your project's builders (see above).
-
If you have not configured a
depot.jsonfile withdepot init, you can explicitly specify your project ID via theprojectinput:steps: - uses: depot/build-push-action@v1 with: project: abc123xyz
-
The
builderinput is not supported - this action always runs builds using Depot's hosted builders, if you need to route builds to a local buildx builder, you should use thedocker/build-push-action.
| Name | Type | Description |
|---|---|---|
project |
String | Depot project ID to route the image build to your projects builders (default: the depot.json file at the root of your repo) |
token |
String | You must authenticate with the Depot API to communicate with your projects builders (see Authentication above) |
build-platform |
String | The platform to use for the build ( linux/amd64 or linux/arm64) |
lint |
Bool | Lint dockerfiles and fail build if any issues are of error severity. (default false) |
lint-fail-on |
String | Severity of linter issue to cause the build to fail. (error, warn, info, none) |
The following inputs can be used as step.with keys and match the inputs from docker/bake-action:
| Name | Type | Description |
|---|---|---|
files |
List/CSV | List of bake definition files |
workdir |
String | Working directory of execution |
targets |
List/CSV | List of bake targets (default target used if empty) |
no-cache |
Bool | Do not use cache when building the image (default false) |
pull |
Bool | Always attempt to pull a newer version of the image (default false) |
load |
Bool | Load is a shorthand for --set=*.output=type=docker (default false) |
provenance |
Bool/String | Provenance is a shorthand for --set=*.attest=type=provenance |
push |
Bool | Push is a shorthand for --set=*.output=type=registry (default false) |
sbom |
Bool/String | SBOM is a shorthand for --set=*.attest=type=sbom |
set |
List | List of targets values to override (eg: targetpattern.key=value) |
| Name | Type | Description |
|---|---|---|
metadata |
JSON | Build result metadata |
MIT License, see LICENSE.
Code derived from docker/bake-action copyright 2013-2018 Docker, Inc., Apache License, Version 2.0.