authentication token scopes support

Signed-off-by: CrazyMax <[email protected]>

Author: crazy-max

.github/workflows/.test-bake.yml

@@ -179,6 +179,55 @@ jobs:
             const builderOutputs = JSON.parse(core.getInput('builder-outputs'));
             core.info(JSON.stringify(builderOutputs, null, 2));
 
+  bake-dockerhub-stage:
+    uses: ./.github/workflows/bake.yml
+    permissions:
+      contents: read
+      id-token: write
+    with:
+      context: test
+      output: image
+      push: ${{ github.event_name != 'pull_request' }}
+      sbom: true
+      target: hello-cross
+      meta-images: |
+        registry-1-stage.docker.io/docker/github-builder-test
+      meta-tags: |
+        type=raw,value=bake-ghbuilder-${{ github.run_id }}
+    secrets:
+      registry-auths: |
+        - registry: registry-1-stage.docker.io
+          username: ${{ vars.DOCKERHUB_STAGE_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_STAGE_TOKEN }}
+
+  bake-dockerhub-stage-verify:
+    uses: ./.github/workflows/verify.yml
+    if: ${{ github.event_name != 'pull_request' }}
+    needs:
+      - bake-dockerhub-stage
+    with:
+      builder-outputs: ${{ toJSON(needs.bake-dockerhub-stage.outputs) }}
+    secrets:
+      registry-auths: |
+        - registry: registry-1-stage.docker.io
+          username: ${{ vars.DOCKERHUB_STAGE_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_STAGE_TOKEN }}
+
+  bake-dockerhub-stage-outputs:
+    runs-on: ubuntu-24.04
+    needs:
+      - bake-dockerhub-stage
+    steps:
+      -
+        name: Builder outputs
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        env:
+          INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.bake-dockerhub-stage.outputs) }}
+        with:
+          script: |
+            const builderOutputs = JSON.parse(core.getInput('builder-outputs'));
+            core.info(JSON.stringify(builderOutputs, null, 2));
+
   bake-ghcr-and-aws:
     uses: ./.github/workflows/bake.yml
     permissions:
@@ -395,3 +444,38 @@ jobs:
         public.ecr.aws/q3b5f1u4/test-docker-action
       meta-tags: |
         type=raw,value=bake-ghbuilder-${{ github.run_id }}
+
+  bake-auth-scope:
+    uses: ./.github/workflows/bake.yml
+    permissions:
+      contents: read
+      id-token: write
+    with:
+      context: test
+      output: image
+      push: ${{ github.event_name != 'pull_request' }}
+      sbom: true
+      target: hello-cross
+      meta-images: |
+        registry-1-stage.docker.io/docker/github-builder-test
+      meta-tags: |
+        type=raw,value=bake-ghbuilder-scope-${{ github.run_id }}
+    secrets:
+      registry-auths: |
+        - registry: registry-1-stage.docker.io
+          username: ${{ vars.DOCKERHUB_STAGE_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_STAGE_TOKEN }}
+          scope: '@push'
+
+  bake-auth-scope-verify:
+    uses: ./.github/workflows/verify.yml
+    if: ${{ github.event_name != 'pull_request' }}
+    needs:
+      - bake-auth-scope
+    with:
+      builder-outputs: ${{ toJSON(needs.bake-auth-scope.outputs) }}
+    secrets:
+      registry-auths: |
+        - registry: registry-1-stage.docker.io
+          username: ${{ vars.DOCKERHUB_STAGE_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_STAGE_TOKEN }}

.github/workflows/.test-build.yml

@@ -490,3 +490,37 @@ jobs:
       meta-images: ghcr.io/docker/github-builder-test
       meta-tags: |
         type=raw,value=build-${{ github.run_id }}
+
+  build-auth-scope:
+    uses: ./.github/workflows/build.yml
+    permissions:
+      contents: read
+      id-token: write
+    with:
+      file: test/hello.Dockerfile
+      output: image
+      platforms: linux/amd64,linux/arm64
+      push: ${{ github.event_name != 'pull_request' }}
+      sbom: true
+      meta-images: registry-1-stage.docker.io/docker/github-builder-test
+      meta-tags: |
+        type=raw,value=build-scope-${{ github.run_id }}
+    secrets:
+      registry-auths: |
+        - registry: registry-1-stage.docker.io
+          username: ${{ vars.DOCKERHUB_STAGE_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_STAGE_TOKEN }}
+          scope: '@push'
+
+  build-auth-scope-verify:
+    uses: ./.github/workflows/verify.yml
+    if: ${{ github.event_name != 'pull_request' }}
+    needs:
+      - build-auth-scope
+    with:
+      builder-outputs: ${{ toJSON(needs.build-auth-scope.outputs) }}
+    secrets:
+      registry-auths: |
+        - registry: registry-1-stage.docker.io
+          username: ${{ vars.DOCKERHUB_STAGE_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_STAGE_TOKEN }}

.github/workflows/bake.yml

@@ -137,7 +137,7 @@ on:
         value: ${{ jobs.finalize.outputs.signed }}
 
 env:
-  BUILDX_VERSION: "v0.30.1"
+  BUILDX_VERSION: "https://github.com/docker/buildx.git#8037f199dbf353dd0bc51b6d4f4cec64544dbcdd" # TODO: pin to a specific version when scope feature is available
   BUILDKIT_IMAGE: "moby/buildkit:master@sha256:bdefeba47634c596286beabe68219708ed364c4f1a5e4e9a2e160274712a0e89" # TODO: pin to a specific version when signed gha cache feature is available
   DOCKER_ACTIONS_TOOLKIT_MODULE: "@docker/[email protected]"
   COSIGN_VERSION: "v3.0.2"
@@ -358,7 +358,6 @@ jobs:
         uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
         with:
           version: ${{ env.BUILDX_VERSION }}
-          cache-binary: false
           buildkitd-flags: --debug
           driver-opts: |
             image=${{ env.BUILDKIT_IMAGE }}
@@ -603,7 +602,7 @@ jobs:
       -
         name: Login to registry
         if: ${{ inputs.push && inputs.output == 'image' }}
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@scope # TODO: pin to a specific version when scope feature is supported
         with:
           registry-auth: ${{ secrets.registry-auths }}
       -
@@ -634,6 +633,14 @@ jobs:
             const imageDigest = inpMetadata[inpTarget]['containerimage.digest'];
             core.info(imageDigest);
             core.setOutput('digest', imageDigest);
+      -
+        name: Login to registry
+        if: ${{ needs.prepare.outputs.sign == 'true' && inputs.output == 'image' }}
+        uses: docker/login-action@scope # TODO: pin to a specific version when scope feature is supported
+        with:
+          registry-auth: ${{ secrets.registry-auths }}
+        env:
+          DOCKER_LOGIN_SCOPE_DISABLED: true # make sure the scope feature is disabled to avoid interfering with cosign OIDC login
       -
         name: Signing attestation manifests
         id: signing-attestation-manifests
@@ -784,7 +791,7 @@ jobs:
       -
         name: Login to registry
         if: ${{ inputs.push && inputs.output == 'image' }}
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@scope # TODO: pin to a specific version when scope feature is supported
         with:
           registry-auth: ${{ secrets.registry-auths }}
       -
@@ -795,7 +802,6 @@ jobs:
           version: ${{ env.BUILDX_VERSION }}
           buildkitd-flags: --debug
           driver-opts: image=${{ env.BUILDKIT_IMAGE }}
-          cache-binary: false
       -
         name: Create manifest
         if: ${{ inputs.output == 'image' }}

.github/workflows/build.yml

@@ -144,7 +144,7 @@ on:
         value: ${{ jobs.finalize.outputs.signed }}
 
 env:
-  BUILDX_VERSION: "v0.30.1"
+  BUILDX_VERSION: "https://github.com/docker/buildx.git#8037f199dbf353dd0bc51b6d4f4cec64544dbcdd" # TODO: pin to a specific version when scope feature is available
   BUILDKIT_IMAGE: "moby/buildkit:master@sha256:bdefeba47634c596286beabe68219708ed364c4f1a5e4e9a2e160274712a0e89" # TODO: pin to a specific version when signed gha cache feature is available
   DOCKER_ACTIONS_TOOLKIT_MODULE: "@docker/[email protected]"
   COSIGN_VERSION: "v3.0.2"
@@ -319,7 +319,6 @@ jobs:
         uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
         with:
           version: ${{ env.BUILDX_VERSION }}
-          cache-binary: false
           buildkitd-flags: --debug
           driver-opts: |
             image=${{ env.BUILDKIT_IMAGE }}
@@ -512,7 +511,7 @@ jobs:
       -
         name: Login to registry
         if: ${{ inputs.push && inputs.output == 'image' }}
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@scope # TODO: pin to a specific version when scope feature is supported
         with:
           registry-auth: ${{ secrets.registry-auths }}
       -
@@ -538,6 +537,14 @@ jobs:
         env:
           BUILDKIT_MULTI_PLATFORM: 1
           GIT_AUTH_TOKEN: ${{ secrets.github-token || github.token }}
+      -
+        name: Login to registry
+        if: ${{ needs.prepare.outputs.sign == 'true' && inputs.output == 'image' }}
+        uses: docker/login-action@scope # TODO: pin to a specific version when scope feature is supported
+        with:
+          registry-auth: ${{ secrets.registry-auths }}
+        env:
+          DOCKER_LOGIN_SCOPE_DISABLED: true # make sure the scope feature is disabled to avoid interfering with cosign OIDC login
       -
         name: Signing attestation manifests
         id: signing-attestation-manifests
@@ -687,7 +694,7 @@ jobs:
       -
         name: Login to registry
         if: ${{ inputs.push && inputs.output == 'image' }}
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@scope # TODO: pin to a specific version when scope feature is supported
         with:
           registry-auth: ${{ secrets.registry-auths }}
       -
@@ -698,7 +705,6 @@ jobs:
           version: ${{ env.BUILDX_VERSION }}
           buildkitd-flags: --debug
           driver-opts: image=${{ env.BUILDKIT_IMAGE }}
-          cache-binary: false
       -
         name: Create manifest
         if: ${{ inputs.output == 'image' }}

.github/workflows/verify.yml

@@ -84,6 +84,8 @@ jobs:
         uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
         with:
           registry-auth: ${{ secrets.registry-auths }}
+        env:
+          DOCKER_LOGIN_SCOPE_DISABLED: true # make sure the scope feature is disabled to avoid interfering with cosign OIDC login
       -
         name: Download artifacts
         if: ${{ steps.vars.outputs.signed == 'true' && steps.vars.outputs.output-type == 'local' }}