bake: vars support

crazy-max · crazy-max · commit 972f3dca325f · 2026-01-15T11:50:42.000+01:00
Signed-off-by: CrazyMax &lt;1951866+crazy-max@users.noreply.github.com&gt;
diff --git a/.github/workflows/.test-bake.yml b/.github/workflows/.test-bake.yml
@@ -408,3 +408,17 @@ jobs:
       output: local
       sbom: true
       target: hello-cross
+
+  bake-envs:
+    uses: ./.github/workflows/bake.yml
+    permissions:
+      contents: read
+      id-token: write
+    with:
+      setup-qemu: true
+      artifact-upload: false
+      context: test
+      output: local
+      target: go
+      vars: |
+        XX_VERSION=1.9.0
diff --git a/.github/workflows/bake.yml b/.github/workflows/bake.yml
@@ -42,6 +42,10 @@ on:
         description: "Context to build from in the Git working tree"
         required: false
         default: .
+      vars:
+        type: string
+        description: "Variables to set in the Bake definition as list of key-value pair"
+        required: false
       files:
         type: string
         description: "List of bake definition files"
@@ -176,6 +180,7 @@ jobs:
           INPUT_RUNNER: ${{ inputs.runner }}
           INPUT_ARTIFACT-UPLOAD: ${{ inputs.artifact-upload }}
           INPUT_CONTEXT: ${{ inputs.context }}
+          INPUT_VARS: ${{ inputs.vars }}
           INPUT_FILES: ${{ inputs.files }}
           INPUT_OUTPUT: ${{ inputs.output }}
           INPUT_PUSH: ${{ inputs.push }}
@@ -198,6 +203,7 @@ jobs:
             const inpRunner = core.getInput('runner');
             const inpArtifactUpload = core.getBooleanInput('artifact-upload');
             const inpContext = core.getInput('context');
+            const inpVars = Util.getInputList('vars');
             const inpFiles = Util.getInputList('files');
             const inpOutput = core.getInput('output');
             const inpPush = core.getBooleanInput('push');
@@ -236,6 +242,21 @@ jobs:
             await core.group(`Set bake source`, async () => {
               core.info(bakeSource);
             });
+            
+            const envs = Object.assign({},
+              inpVars ? inpVars.reduce((acc, curr) => {
+                const [key, ...rest] = curr.split('=');
+                acc[key] = rest.join('=');
+                return acc;
+              }, {}) : {},
+              {
+                BUILDKIT_MULTI_PLATFORM: '1',
+                BUILDX_BAKE_GIT_AUTH_TOKEN: inpGitHubToken
+              }
+            );
+            await core.group(`Set envs`, async () => {
+              core.info(JSON.stringify(envs, null, 2));
+            });
 
             let def;
             let target;
@@ -247,8 +268,9 @@ jobs:
                   overrides: inpSet,
                   sbom: inpSbom ? `generator=${inpSbomImage}` : 'false',
                   source: bakeSource,
-                  targets: [inpTarget],
-                  githubToken: inpGitHubToken
+                  targets: [inpTarget]
+                }, {
+                  env: Object.keys(envs).length > 0 ? envs : undefined
                 });
                 if (!def) {
                   throw new Error('Bake definition not set');
@@ -482,6 +504,7 @@ jobs:
           INPUT_CACHE-SCOPE: ${{ inputs.cache-scope }}
           INPUT_CACHE-MODE: ${{ inputs.cache-mode }}
           INPUT_CONTEXT: ${{ inputs.context }}
+          INPUT_VARS: ${{ inputs.vars }}
           INPUT_FILES: ${{ inputs.files }}
           INPUT_OUTPUT: ${{ inputs.output }}
           INPUT_PUSH: ${{ inputs.push }}
@@ -513,6 +536,7 @@ jobs:
             const inpCacheScope = core.getInput('cache-scope');
             const inpCacheMode = core.getInput('cache-mode');
             const inpContext = core.getInput('context');
+            const inpVars = Util.getInputList('vars');
             const inpFiles = Util.getInputList('files');
             const inpOutput = core.getInput('output');
             const inpPush = core.getBooleanInput('push');
@@ -539,6 +563,22 @@ jobs:
               core.setOutput('sbom', sbom);
             });
             
+            const envs = Object.assign({},
+              inpVars ? inpVars.reduce((acc, curr) => {
+                const [key, ...rest] = curr.split('=');
+                acc[key] = rest.join('=');
+                return acc;
+              }, {}) : {},
+              {
+                BUILDKIT_MULTI_PLATFORM: '1',
+                BUILDX_BAKE_GIT_AUTH_TOKEN: inpGitHubToken
+              }
+            );
+            await core.group(`Set envs`, async () => {
+              core.info(JSON.stringify(envs, null, 2));
+              core.setOutput('envs', JSON.stringify(envs));
+            });
+            
             let target;
             try {
               await core.group(`Validating definition`, async () => {
@@ -548,8 +588,9 @@ jobs:
                   overrides: inpSet,
                   sbom: sbom,
                   source: bakeSource,
-                  targets: [inpTarget],
-                  githubToken: inpGitHubToken
+                  targets: [inpTarget]
+                }, {
+                  env: Object.keys(envs).length > 0 ? envs : undefined
                 });
                 if (!def) {
                   throw new Error('Bake definition not set');
@@ -638,9 +679,7 @@ jobs:
           targets: ${{ steps.prepare.outputs.target }}
           sbom: ${{ steps.prepare.outputs.sbom }}
           set: ${{ steps.prepare.outputs.overrides }}
-        env:
-          BUILDKIT_MULTI_PLATFORM: 1
-          BUILDX_BAKE_GIT_AUTH_TOKEN: ${{ secrets.github-token || github.token }}
+        env: ${{ fromJson(steps.prepare.outputs.envs) }}
       -
         name: Get image digest
         id: get-image-digest
diff --git a/README.md b/README.md
@@ -247,6 +247,7 @@ on:
 | `sign`                 | String   | `auto`                         | Sign attestation manifest for `image` output or artifacts for `local` output, can be one of `auto`, `true` or `false`. The `auto` mode will enable signing if `push` is enabled for pushing the `image` or if `artifact-upload` is enabled for uploading the `local` build output as GitHub Artifact                                  |
 | `target`               | String   |                                | Sets the target stage to build                                                                                                                                                                                                                                                                                                        |
 | `ulimit`               | List     |                                | [Ulimit](https://docs.docker.com/engine/reference/commandline/buildx_build/#ulimit) options (e.g., `nofile=1024:1024`)                                                                                                                                                                                                                |
+| `vars`                 | List     |                                | [Variables](https://docs.docker.com/build/bake/variables/) to set in the Bake definition as list of key-value pair                                                                                                                                                                                                                    |
 | `set-meta-annotations` | Bool     | `false`                        | Append OCI Image Format Specification annotations generated by `docker/metadata-action`                                                                                                                                                                                                                                               |
 | `set-meta-labels`      | Bool     | `false`                        | Append OCI Image Format Specification labels generated by `docker/metadata-action`                                                                                                                                                                                                                                                    |
 | `meta-images`          | List     |                                | [List of images](https://github.com/docker/metadata-action?tab=readme-ov-file#images-input) to use as base name for tags (required for image output)                                                                                                                                                                                  |
diff --git a/test/docker-bake.hcl b/test/docker-bake.hcl
@@ -11,8 +11,15 @@ group "grp" {
   targets = ["go", "hello"]
 }
 
+variable "XX_VERSION" {
+  default = null
+}
+
 target "go" {
   inherits = ["docker-metadata-action"]
+  args = {
+    XX_VERSION = XX_VERSION
+  }
   dockerfile = "go.Dockerfile"
 }
 
diff --git a/test/go.Dockerfile b/test/go.Dockerfile
@@ -1,9 +1,10 @@
 # syntax=docker/dockerfile:1
 
 ARG GO_VERSION="1.25"
+ARG XX_VERSION="1.7.0"
 
 # xx is a helper for cross-compilation
-FROM --platform=$BUILDPLATFORM tonistiigi/xx:1.7.0 AS xx
+FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
 
 FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine AS base
 COPY --from=xx / /

Original file line number	Diff line number	Diff line change
`@@ -11,8 +11,15 @@ group "grp" {`
`11`	`11`	`targets = ["go", "hello"]`
`12`	`12`	`}`
`13`	`13`
	`14`	`+variable "XX_VERSION" {`
	`15`	`+ default = null`
	`16`	`+}`
	`17`	`+`
`14`	`18`	`target "go" {`
`15`	`19`	`inherits = ["docker-metadata-action"]`
	`20`	`+ args = {`
	`21`	`+ XX_VERSION = XX_VERSION`
	`22`	`+ }`
`16`	`23`	`dockerfile = "go.Dockerfile"`
`17`	`24`	`}`
`18`	`25`