bake: vars support

crazy-max · crazy-max · commit 70685ffb80b9 · 2026-01-15T16:23:32.000+01:00
Signed-off-by: CrazyMax &lt;1951866+crazy-max@users.noreply.github.com&gt;
diff --git a/.github/workflows/.test-bake.yml b/.github/workflows/.test-bake.yml
@@ -447,3 +447,17 @@ jobs:
       sbom: true
       sign: ${{ github.event_name != 'pull_request' }}
       target: hello-cross
+
+  bake-vars:
+    uses: ./.github/workflows/bake.yml
+    permissions:
+      contents: read
+      id-token: write
+    with:
+      setup-qemu: true
+      artifact-upload: false
+      context: test
+      output: local
+      target: go
+      vars: |
+        XX_VERSION=1.9.0
diff --git a/.github/workflows/bake.yml b/.github/workflows/bake.yml
@@ -79,6 +79,10 @@ on:
         description: "Bake target to build"
         required: true
         default: default
+      vars:
+        type: string
+        description: "Variables to set in the Bake definition as list of key-value pair"
+        required: false
       # docker/metadata-action
       set-meta-annotations:
         type: boolean
@@ -189,6 +193,7 @@ jobs:
           INPUT_SET: ${{ inputs.set }}
           INPUT_SIGN: ${{ inputs.sign }}
           INPUT_TARGET: ${{ inputs.target }}
+          INPUT_VARS: ${{ inputs.vars }}
           INPUT_GITHUB-TOKEN: ${{ secrets.github-token || github.token }}
         with:
           script: |
@@ -205,6 +210,7 @@ jobs:
             const inpDistribute = core.getBooleanInput('distribute');
             const inpArtifactUpload = core.getBooleanInput('artifact-upload');
             const inpContext = core.getInput('context');
+            const inpVars = Util.getInputList('vars');
             const inpFiles = Util.getInputList('files');
             const inpOutput = core.getInput('output');
             const inpPush = core.getBooleanInput('push');
@@ -243,6 +249,21 @@ jobs:
             await core.group(`Set bake source`, async () => {
               core.info(bakeSource);
             });
+            
+            const envs = Object.assign({},
+              inpVars ? inpVars.reduce((acc, curr) => {
+                const [key, ...rest] = curr.split('=');
+                acc[key] = rest.join('=');
+                return acc;
+              }, {}) : {},
+              {
+                BUILDKIT_MULTI_PLATFORM: '1',
+                BUILDX_BAKE_GIT_AUTH_TOKEN: inpGitHubToken
+              }
+            );
+            await core.group(`Set envs`, async () => {
+              core.info(JSON.stringify(envs, null, 2));
+            });
 
             let def;
             let target;
@@ -254,8 +275,9 @@ jobs:
                   overrides: inpSet,
                   sbom: inpSbom ? `generator=${inpSbomImage}` : 'false',
                   source: bakeSource,
-                  targets: [inpTarget],
-                  githubToken: inpGitHubToken
+                  targets: [inpTarget]
+                }, {
+                  env: Object.keys(envs).length > 0 ? envs : undefined
                 });
                 if (!def) {
                   throw new Error('Bake definition not set');
@@ -495,6 +517,7 @@ jobs:
           INPUT_SBOM: ${{ inputs.sbom }}
           INPUT_SET: ${{ inputs.set }}
           INPUT_TARGET: ${{ inputs.target }}
+          INPUT_VARS: ${{ inputs.vars }}
           INPUT_META-IMAGES: ${{ inputs.meta-images }}
           INPUT_SET-META-ANNOTATIONS: ${{ inputs.set-meta-annotations }}
           INPUT_SET-META-LABELS: ${{ inputs.set-meta-labels }}
@@ -526,6 +549,7 @@ jobs:
             const inpSbom = core.getBooleanInput('sbom');
             const inpSet = Util.getInputList('set', {ignoreComma: true, quote: false});
             const inpTarget = core.getInput('target');
+            const inpVars = Util.getInputList('vars');
             const inpMetaImages = core.getMultilineInput('meta-images');
             const inpSetMetaAnnotations = core.getBooleanInput('set-meta-annotations');
             const inpSetMetaLabels = core.getBooleanInput('set-meta-labels');
@@ -546,6 +570,22 @@ jobs:
               core.setOutput('sbom', sbom);
             });
             
+            const envs = Object.assign({},
+              inpVars ? inpVars.reduce((acc, curr) => {
+                const [key, ...rest] = curr.split('=');
+                acc[key] = rest.join('=');
+                return acc;
+              }, {}) : {},
+              {
+                BUILDKIT_MULTI_PLATFORM: '1',
+                BUILDX_BAKE_GIT_AUTH_TOKEN: inpGitHubToken
+              }
+            );
+            await core.group(`Set envs`, async () => {
+              core.info(JSON.stringify(envs, null, 2));
+              core.setOutput('envs', JSON.stringify(envs));
+            });
+            
             let target;
             try {
               await core.group(`Validating definition`, async () => {
@@ -555,8 +595,9 @@ jobs:
                   overrides: inpSet,
                   sbom: sbom,
                   source: bakeSource,
-                  targets: [inpTarget],
-                  githubToken: inpGitHubToken
+                  targets: [inpTarget]
+                }, {
+                  env: Object.keys(envs).length > 0 ? envs : undefined
                 });
                 if (!def) {
                   throw new Error('Bake definition not set');
@@ -645,9 +686,7 @@ jobs:
           targets: ${{ steps.prepare.outputs.target }}
           sbom: ${{ steps.prepare.outputs.sbom }}
           set: ${{ steps.prepare.outputs.overrides }}
-        env:
-          BUILDKIT_MULTI_PLATFORM: 1
-          BUILDX_BAKE_GIT_AUTH_TOKEN: ${{ secrets.github-token || github.token }}
+        env: ${{ fromJson(steps.prepare.outputs.envs) }}
       -
         name: Get image digest
         id: get-image-digest
diff --git a/README.md b/README.md
@@ -248,6 +248,7 @@ on:
 | `sign`                 | String   | `auto`                         | Sign attestation manifest for `image` output or artifacts for `local` output, can be one of `auto`, `true` or `false`. The `auto` mode will enable signing if `push` is enabled for pushing the `image` or if `artifact-upload` is enabled for uploading the `local` build output as GitHub Artifact                                  |
 | `target`               | String   |                                | Sets the target stage to build                                                                                                                                                                                                                                                                                                        |
 | `ulimit`               | List     |                                | [Ulimit](https://docs.docker.com/engine/reference/commandline/buildx_build/#ulimit) options (e.g., `nofile=1024:1024`)                                                                                                                                                                                                                |
+| `vars`                 | List     |                                | [Variables](https://docs.docker.com/build/bake/variables/) to set in the Bake definition as list of key-value pair                                                                                                                                                                                                                    |
 | `set-meta-annotations` | Bool     | `false`                        | Append OCI Image Format Specification annotations generated by `docker/metadata-action`                                                                                                                                                                                                                                               |
 | `set-meta-labels`      | Bool     | `false`                        | Append OCI Image Format Specification labels generated by `docker/metadata-action`                                                                                                                                                                                                                                                    |
 | `meta-images`          | List     |                                | [List of images](https://github.com/docker/metadata-action?tab=readme-ov-file#images-input) to use as base name for tags (required for image output)                                                                                                                                                                                  |
diff --git a/test/docker-bake.hcl b/test/docker-bake.hcl
@@ -11,8 +11,15 @@ group "grp" {
   targets = ["go", "hello"]
 }
 
+variable "XX_VERSION" {
+  default = null
+}
+
 target "go" {
   inherits = ["docker-metadata-action"]
+  args = {
+    XX_VERSION = XX_VERSION
+  }
   dockerfile = "go.Dockerfile"
 }
 
diff --git a/test/go.Dockerfile b/test/go.Dockerfile
@@ -1,9 +1,10 @@
 # syntax=docker/dockerfile:1
 
 ARG GO_VERSION="1.25"
+ARG XX_VERSION="1.7.0"
 
 # xx is a helper for cross-compilation
-FROM --platform=$BUILDPLATFORM tonistiigi/xx:1.7.0 AS xx
+FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
 
 FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine AS base
 COPY --from=xx / /

Original file line number	Diff line number	Diff line change
`@@ -11,8 +11,15 @@ group "grp" {`
`11`	`11`	`targets = ["go", "hello"]`
`12`	`12`	`}`
`13`	`13`
	`14`	`+variable "XX_VERSION" {`
	`15`	`+ default = null`
	`16`	`+}`
	`17`	`+`
`14`	`18`	`target "go" {`
`15`	`19`	`inherits = ["docker-metadata-action"]`
	`20`	`+ args = {`
	`21`	`+ XX_VERSION = XX_VERSION`
	`22`	`+ }`
`16`	`23`	`dockerfile = "go.Dockerfile"`
`17`	`24`	`}`
`18`	`25`