romualdo/login-action
1
0
Fork 0
mirror of https://github.com/docker/login-action.git synced 2026-05-15 06:40:51 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Compare commits

base: romualdo:master
Branches Tags
romualdo:master
romualdo:dependabot/npm_and_yarn/tar-7.5.15
romualdo:dependabot/github_actions/actions/create-github-app-token-3.2.0
romualdo:dependabot/github_actions/crazy-max-dot-github-6667ecc476
romualdo:dependabot/github_actions/github/codeql-action-4.35.4
romualdo:dependabot/npm_and_yarn/vite-7.3.3
romualdo:dependabot/npm_and_yarn/fast-xml-builder-1.2.0
romualdo:dependabot/github_actions/aws-actions/configure-aws-credentials-6.1.1
romualdo:dependabot/npm_and_yarn/postcss-8.5.10
romualdo:esbuild
romualdo:dependabot/npm_and_yarn/actions/core-3.0.1
romualdo:dependabot/npm_and_yarn/docker/actions-toolkit-0.88.0
romualdo:dependabot/npm_and_yarn/fast-xml-parser-5.5.8
romualdo:dependabot/npm_and_yarn/aws-sdk-dependencies-6bb1d9fb1e
romualdo:releases/v3
romualdo:releases/v2
romualdo:releases/v1
romualdo:v4.1.0
romualdo:v4
romualdo:v4.0.0
romualdo:v3.7.0
romualdo:v3.6.0
romualdo:v3.5.0
romualdo:v3.4.0
romualdo:v3.3.0
romualdo:v3
romualdo:v3.2.0
romualdo:v3.1.0
romualdo:v3.0.0
romualdo:v2
romualdo:v2.2.0
romualdo:v2.1.0
romualdo:v2.0.0
romualdo:v1.14.1
romualdo:v1
romualdo:v1.14.0
romualdo:v1.13.0
romualdo:v1.12.0
romualdo:v1.11.0
romualdo:v1.10.0
romualdo:v1.9.0
romualdo:v1.8.0
romualdo:v1.7.0
romualdo:v1.6.0
romualdo:v1.5.0
romualdo:v1.4.1
romualdo:v1.4.0
romualdo:v1.3.0
romualdo:v1.2.0
romualdo:v1.1.1
romualdo:v1.1.0
romualdo:v1.0.1
romualdo:v1.0.0
..
compare: romualdo:v1.13.0
Branches Tags
romualdo:dependabot/npm_and_yarn/tar-7.5.15
romualdo:dependabot/github_actions/actions/create-github-app-token-3.2.0
romualdo:dependabot/github_actions/crazy-max-dot-github-6667ecc476
romualdo:dependabot/github_actions/github/codeql-action-4.35.4
romualdo:dependabot/npm_and_yarn/vite-7.3.3
romualdo:dependabot/npm_and_yarn/fast-xml-builder-1.2.0
romualdo:dependabot/github_actions/aws-actions/configure-aws-credentials-6.1.1
romualdo:master
romualdo:dependabot/npm_and_yarn/postcss-8.5.10
romualdo:esbuild
romualdo:dependabot/npm_and_yarn/actions/core-3.0.1
romualdo:dependabot/npm_and_yarn/docker/actions-toolkit-0.88.0
romualdo:dependabot/npm_and_yarn/fast-xml-parser-5.5.8
romualdo:dependabot/npm_and_yarn/aws-sdk-dependencies-6bb1d9fb1e
romualdo:releases/v3
romualdo:releases/v2
romualdo:releases/v1
romualdo:v4.1.0
romualdo:v4
romualdo:v4.0.0
romualdo:v3.7.0
romualdo:v3.6.0
romualdo:v3.5.0
romualdo:v3.4.0
romualdo:v3.3.0
romualdo:v3
romualdo:v3.2.0
romualdo:v3.1.0
romualdo:v3.0.0
romualdo:v2
romualdo:v2.2.0
romualdo:v2.1.0
romualdo:v2.0.0
romualdo:v1.14.1
romualdo:v1
romualdo:v1.14.0
romualdo:v1.13.0
romualdo:v1.12.0
romualdo:v1.11.0
romualdo:v1.10.0
romualdo:v1.9.0
romualdo:v1.8.0
romualdo:v1.7.0
romualdo:v1.6.0
romualdo:v1.5.0
romualdo:v1.4.1
romualdo:v1.4.0
romualdo:v1.3.0
romualdo:v1.2.0
romualdo:v1.1.1
romualdo:v1.1.0
romualdo:v1.0.1
romualdo:v1.0.0

No commits in common. "master" and "v1.13.0" have entirely different histories.
master ... v1.13.0

52 changed files with 91012 additions and 16582 deletions
Show Stats Expand all files Collapse all files

12
.dockerignore
View File

@ -1,12 +1,2 @@
/coverage /coverage
/node_modules
# Dependency directories
node_modules/
jspm_packages/
# yarn v2
.yarn/cache
.yarn/unplugged
.yarn/build-state.yml
.yarn/install-state.gz
.pnp.*

2
.gitattributes vendored
View File

@ -1,4 +1,2 @@
/.yarn/releases/** binary
/.yarn/plugins/** binary
/dist/** linguist-generated=true /dist/** linguist-generated=true
/lib/** linguist-generated=true /lib/** linguist-generated=true

1
.github/CODEOWNERS vendored Normal file
View File

@ -0,0 +1 @@
* @crazy-max

3
.github/CODE_OF_CONDUCT.md vendored
View File

@ -1,3 +0,0 @@
# Code of conduct
- [Moby community guidelines](https://github.com/moby/moby/blob/master/CONTRIBUTING.md#moby-community-guidelines)

101
.github/ISSUE_TEMPLATE/bug.yml vendored
View File

@ -1,101 +0,0 @@
# https://docs.github.com/en/communities/using-templates-to-encourage-useful-issues-and-pull-requests/syntax-for-githubs-form-schema
name: Bug Report
description: Report a bug
labels:
- status/triage
body:
- type: markdown
attributes:
value: |
Thank you for taking the time to report a bug!
If this is a security issue please report it to the [Docker Security team](mailto:security@docker.com).
- type: checkboxes
attributes:
label: Contributing guidelines
description: >
Make sure you've read the contributing guidelines before proceeding.
options:
- label: I've read the [contributing guidelines](https://github.com/docker/login-action/blob/master/.github/CONTRIBUTING.md) and wholeheartedly agree
required: true
- type: checkboxes
attributes:
label: "I've found a bug, and:"
description: |
Make sure that your request fulfills all of the following requirements.
If one requirement cannot be satisfied, explain in detail why.
options:
- label: The documentation does not mention anything about my problem
- label: There are no open or closed issues that are related to my problem
- type: textarea
attributes:
label: Description
description: >
Provide a brief description of the bug in 1-2 sentences.
validations:
required: true
- type: textarea
attributes:
label: Expected behaviour
description: >
Describe precisely what you'd expect to happen.
validations:
required: true
- type: textarea
attributes:
label: Actual behaviour
description: >
Describe precisely what is actually happening.
validations:
required: true
- type: input
attributes:
label: Repository URL
description: >
Enter the URL of the repository where you are experiencing the
issue. If your repository is private, provide a link to a minimal
repository that reproduces the issue.
- type: input
attributes:
label: Workflow run URL
description: >
Enter the URL of the GitHub Action workflow run if public (e.g.
`https://github.com/<user>/<repo>/actions/runs/<id>`)
- type: textarea
attributes:
label: YAML workflow
description: |
Provide the YAML of the workflow that's causing the issue.
Make sure to remove any sensitive information.
render: yaml
validations:
required: true
- type: textarea
attributes:
label: Workflow logs
description: >
[Attach](https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/attaching-files)
the [log file of your workflow run](https://docs.github.com/en/actions/managing-workflow-runs/using-workflow-run-logs#downloading-logs)
and make sure to remove any sensitive information.
- type: textarea
attributes:
label: BuildKit logs
description: >
If applicable, provide the [BuildKit container logs](https://docs.docker.com/build/ci/github-actions/configure-builder/#buildkit-container-logs)
render: text
- type: textarea
attributes:
label: Additional info
description: |
Provide any additional information that could be useful.

34
.github/ISSUE_TEMPLATE/bug_report.md vendored Normal file
View File

@ -0,0 +1,34 @@
---
name: Bug report
about: Create a report to help us improve
---
### Behaviour
#### Steps to reproduce this issue
1.
2.
3.
#### Expected behaviour
> Tell us what should happen
#### Actual behaviour
> Tell us what happens instead
### Configuration
* Repository URL (if public):
* Build URL (if public):
```yml
# paste your YAML workflow file here and remove sensitive data
```
### Logs
> Download the [log file of your build](https://docs.github.com/en/actions/managing-workflow-runs/using-workflow-run-logs#downloading-logs)
> and [attach it](https://docs.github.com/en/github/managing-your-work-on-github/file-attachments-on-issues-and-pull-requests) to this issue.

9
.github/ISSUE_TEMPLATE/config.yml vendored
View File

@ -1,9 +0,0 @@
# https://docs.github.com/en/communities/using-templates-to-encourage-useful-issues-and-pull-requests/configuring-issue-templates-for-your-repository#configuring-the-template-chooser
blank_issues_enabled: true
contact_links:
- name: Questions and Discussions
url: https://github.com/docker/login-action/discussions/new
about: Use Github Discussions to ask questions and/or open discussion topics.
- name: Documentation
url: https://docs.docker.com/build/ci/github-actions/
about: Read the documentation.

15
.github/ISSUE_TEMPLATE/feature.yml vendored
View File

@ -1,15 +0,0 @@
# https://docs.github.com/en/communities/using-templates-to-encourage-useful-issues-and-pull-requests/syntax-for-githubs-form-schema
name: Feature request
description: Missing functionality? Come tell us about it!
labels:
- kind/enhancement
- status/triage
body:
- type: textarea
id: description
attributes:
label: Description
description: What is the feature you want to see?
validations:
required: true

12
.github/SECURITY.md vendored
View File

@ -1,12 +0,0 @@
# Reporting security issues
The project maintainers take security seriously. If you discover a security
issue, please bring it to their attention right away!
**Please _DO NOT_ file a public issue**, instead send your report privately to
[security@docker.com](mailto:security@docker.com).
Security reports are greatly appreciated, and we will publicly thank you for it.
We also like to send gifts&mdash;if you'd like Docker swag, make sure to let
us know. We currently do not offer a paid security bounty program, but are not
ruling it out in the future.

29
.github/SUPPORT.md vendored Normal file
View File

@ -0,0 +1,29 @@
# Support [![](https://isitmaintained.com/badge/resolution/docker/login-action.svg)](https://isitmaintained.com/project/docker/login-action)
## Reporting an issue
Please do a search in [open issues](https://github.com/docker/login-action/issues?utf8=%E2%9C%93&q=) to see if the issue or feature request has already been filed.
If you find your issue already exists, make relevant comments and add your [reaction](https://github.com/blog/2119-add-reactions-to-pull-requests-issues-and-comments). Use a reaction in place of a "+1" comment.
:+1: - upvote
:-1: - downvote
If you cannot find an existing issue that describes your bug or feature, submit an issue using the guidelines below.
## Writing good bug reports and feature requests
File a single issue per problem and feature request.
* Do not enumerate multiple bugs or feature requests in the same issue.
* Do not add your issue as a comment to an existing issue unless it's for the identical input. Many issues look similar, but have different causes.
The more information you can provide, the more likely someone will be successful reproducing the issue and finding a fix.
You are now ready to [create a new issue](https://github.com/docker/login-action/issues/new/choose)!
## Closure policy
* Issues that don't have the information requested above (when applicable) will be closed immediately and the poster directed to the support guidelines.
* Issues that go a week without a response from original poster are subject to closure at our discretion.

18
.github/dependabot.yml vendored
View File

@ -4,12 +4,6 @@ updates:
directory: "/" directory: "/"
schedule: schedule:
interval: "daily" interval: "daily"
cooldown:
default-days: 2
groups:
crazy-max-dot-github:
patterns:
- "crazy-max/.github/*"
labels: labels:
- "dependencies" - "dependencies"
- "bot" - "bot"
@ -17,18 +11,6 @@ updates:
directory: "/" directory: "/"
schedule: schedule:
interval: "daily" interval: "daily"
cooldown:
default-days: 2
exclude:
- "@docker/actions-toolkit"
versioning-strategy: "increase"
groups:
aws-sdk-dependencies:
patterns:
- "*aws-sdk*"
proxy-agent-dependencies:
patterns:
- "*-proxy-agent"
allow: allow:
- dependency-type: "production" - dependency-type: "production"
labels: labels:

237
.github/workflows/ci.yml vendored
View File

@ -1,12 +1,5 @@
name: ci name: ci
permissions:
contents: read
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
on: on:
workflow_dispatch: workflow_dispatch:
schedule: schedule:
@ -22,7 +15,7 @@ jobs:
steps: steps:
- -
name: Checkout name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 uses: actions/checkout@v2
- -
name: Stop docker name: Stop docker
run: | run: |
@ -46,7 +39,7 @@ jobs:
steps: steps:
- -
name: Checkout name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 uses: actions/checkout@v2
- -
name: Login to GitHub Container Registry name: Login to GitHub Container Registry
uses: ./ uses: ./
@ -63,7 +56,7 @@ jobs:
steps: steps:
- -
name: Checkout name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 uses: actions/checkout@v2
- -
name: Login to GitHub Container Registry name: Login to GitHub Container Registry
uses: ./ uses: ./
@ -73,7 +66,7 @@ jobs:
password: ${{ secrets.GHCR_PAT }} password: ${{ secrets.GHCR_PAT }}
- -
name: DinD name: DinD
uses: docker://docker:29.3@sha256:4d90f1f6c400315c2dba96d3ec93c01e64198395cbba04f79d12adce4f737029 uses: docker://docker
with: with:
entrypoint: docker entrypoint: docker
args: pull ghcr.io/docker-ghactiontest/test args: pull ghcr.io/docker-ghactiontest/test
@ -88,7 +81,7 @@ jobs:
steps: steps:
- -
name: Checkout name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 uses: actions/checkout@v2
- -
name: Login to ACR name: Login to ACR
uses: ./ uses: ./
@ -108,7 +101,7 @@ jobs:
steps: steps:
- -
name: Checkout name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 uses: actions/checkout@v2
- -
name: Login to Docker Hub name: Login to Docker Hub
uses: ./ uses: ./
@ -127,7 +120,7 @@ jobs:
steps: steps:
- -
name: Checkout name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 uses: actions/checkout@v2
- -
name: Login to ECR name: Login to ECR
uses: ./ uses: ./
@ -147,10 +140,10 @@ jobs:
steps: steps:
- -
name: Checkout name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 uses: actions/checkout@v2
- -
name: Configure AWS Credentials name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0 uses: aws-actions/configure-aws-credentials@v1
with: with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
@ -172,10 +165,9 @@ jobs:
steps: steps:
- -
name: Checkout name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 uses: actions/checkout@v2
- -
name: Login to Public ECR name: Login to Public ECR
continue-on-error: ${{ matrix.os == 'windows-latest' }}
uses: ./ uses: ./
with: with:
registry: public.ecr.aws registry: public.ecr.aws
@ -195,22 +187,21 @@ jobs:
steps: steps:
- -
name: Checkout name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 uses: actions/checkout@v2
- -
name: Configure AWS Credentials name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0 uses: aws-actions/configure-aws-credentials@v1
with: with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-east-1 aws-region: us-east-1
- -
name: Login to Public ECR name: Login to ECR
continue-on-error: ${{ matrix.os == 'windows-latest' }}
uses: ./ uses: ./
with: with:
registry: public.ecr.aws registry: public.ecr.aws
ghcr: github-container:
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
strategy: strategy:
fail-fast: false fail-fast: false
@ -221,7 +212,7 @@ jobs:
steps: steps:
- -
name: Checkout name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 uses: actions/checkout@v2
- -
name: Login to GitHub Container Registry name: Login to GitHub Container Registry
uses: ./ uses: ./
@ -241,7 +232,7 @@ jobs:
steps: steps:
- -
name: Checkout name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 uses: actions/checkout@v2
- -
name: Login to GitLab name: Login to GitLab
uses: ./ uses: ./
@ -261,7 +252,7 @@ jobs:
steps: steps:
- -
name: Checkout name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 uses: actions/checkout@v2
- -
name: Login to Google Artifact Registry name: Login to Google Artifact Registry
uses: ./ uses: ./
@ -281,7 +272,7 @@ jobs:
steps: steps:
- -
name: Checkout name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 uses: actions/checkout@v2
- -
name: Login to Google Container Registry name: Login to Google Container Registry
uses: ./ uses: ./
@ -289,195 +280,3 @@ jobs:
registry: gcr.io registry: gcr.io
username: _json_key username: _json_key
password: ${{ secrets.GCR_JSON_KEY }} password: ${{ secrets.GCR_JSON_KEY }}
registry-auth:
runs-on: ubuntu-latest
steps:
-
name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
name: Login to registries
uses: ./
with:
registry-auth: |
- username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- registry: public.ecr.aws
username: ${{ secrets.AWS_ACCESS_KEY_ID }}
password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- registry: registry.gitlab.com
username: ${{ secrets.GITLAB_USERNAME }}
password: ${{ secrets.GITLAB_TOKEN }}
registry-auth-dup:
runs-on: ubuntu-latest
steps:
-
name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
name: Login to registries
uses: ./
with:
registry-auth: |
- registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- registry: public.ecr.aws
username: ${{ secrets.AWS_ACCESS_KEY_ID }}
password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
registry-auth-exclusive:
runs-on: ubuntu-latest
steps:
-
name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
name: Login to registries
id: login
continue-on-error: true
uses: ./
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
registry-auth: |
- username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
-
name: Check
run: |
if [ "${{ steps.login.outcome }}" != "failure" ] || [ "${{ steps.login.conclusion }}" != "success" ]; then
echo "::error::Should have failed"
exit 1
fi
scope-dockerhub:
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os:
- ubuntu-latest
- windows-latest
steps:
-
name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
name: Login to Docker Hub
uses: ./
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
scope: '@push'
-
name: Print config.json files
shell: bash
run: |
shopt -s globstar nullglob
for file in ~/.docker/**/config.json; do
echo "## ${file}"
jq '(.auths[]?.auth) |= "REDACTED"' "$file"
echo ""
done
scope-dockerhub-repo:
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os:
- ubuntu-latest
- windows-latest
steps:
-
name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
name: Login to Docker Hub
uses: ./
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
scope: 'docker/buildx-bin@push'
-
name: Print config.json files
shell: bash
run: |
shopt -s globstar nullglob
for file in ~/.docker/**/config.json; do
echo "## ${file}"
jq '(.auths[]?.auth) |= "REDACTED"' "$file"
echo ""
done
scope-ghcr:
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os:
- ubuntu-latest
- windows-latest
steps:
-
name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
name: Login to GitHub Container Registry
uses: ./
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
scope: '@push'
-
name: Print config.json files
shell: bash
run: |
shopt -s globstar nullglob
for file in ~/.docker/**/config.json; do
echo "## ${file}"
jq '(.auths[]?.auth) |= "REDACTED"' "$file"
echo ""
done
scope-ghcr-repo:
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os:
- ubuntu-latest
- windows-latest
steps:
-
name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
name: Login to GitHub Container Registry
uses: ./
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
scope: 'docker/login-action@push'
-
name: Print config.json files
shell: bash
run: |
shopt -s globstar nullglob
for file in ~/.docker/**/config.json; do
echo "## ${file}"
jq '(.auths[]?.auth) |= "REDACTED"' "$file"
echo ""
done

46
.github/workflows/codeql.yml vendored
View File

@ -1,46 +0,0 @@
name: codeql
permissions:
contents: read
on:
push:
branches:
- 'master'
- 'releases/v*'
pull_request:
env:
NODE_VERSION: "24"
jobs:
analyze:
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
-
name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
name: Enable corepack
run: |
corepack enable
yarn --version
-
name: Set up Node
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: ${{ env.NODE_VERSION }}
-
name: Initialize CodeQL
uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
with:
languages: javascript-typescript
build-mode: none
-
name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
with:
category: "/language:javascript-typescript"

17
.github/workflows/pr-assign-author.yml vendored
View File

@ -1,17 +0,0 @@
name: pr-assign-author
permissions:
contents: read
on:
pull_request_target: # zizmor: ignore[dangerous-triggers] safe to use without checkout
types:
- opened
- reopened
jobs:
run:
uses: crazy-max/.github/.github/workflows/pr-assign-author.yml@64a0bfaf6e6bb1c448d6e4c42b11034ee7094f16 # v1.7.1
permissions:
contents: read
pull-requests: write

28
.github/workflows/publish.yml vendored
View File

@ -1,28 +0,0 @@
name: publish
permissions:
contents: read
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
on:
release:
types:
- published
jobs:
publish:
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
packages: write
steps:
-
name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
name: Publish
uses: actions/publish-immutable-action@4bc8754ffc40f27910afb20287dbbbb675a4e978 # v0.0.4

25
.github/workflows/test.yml vendored
View File

@ -1,18 +1,14 @@
name: test name: test
permissions:
contents: read
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
on: on:
push: push:
branches: branches:
- 'master' - 'master'
- 'releases/v*' - 'releases/v*'
pull_request: pull_request:
branches:
- 'master'
- 'releases/v*'
jobs: jobs:
test: test:
@ -20,16 +16,19 @@ jobs:
steps: steps:
- -
name: Checkout name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 uses: actions/checkout@v2
-
name: Validate
uses: docker/bake-action@v1
with:
targets: validate
- -
name: Test name: Test
uses: docker/bake-action@a66e1c87e2eca0503c343edf1d208c716d54b8a8 # v7.1.0 uses: docker/bake-action@v1
with: with:
source: .
targets: test targets: test
- -
name: Upload coverage name: Upload coverage
uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0 uses: codecov/codecov-action@v2
with: with:
files: ./coverage/clover.xml file: ./coverage/clover.xml
token: ${{ secrets.CODECOV_TOKEN }}

56
.github/workflows/update-dist.yml vendored
View File

@ -1,56 +0,0 @@
name: update-dist
permissions:
contents: read
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
on:
pull_request:
types:
- opened
- synchronize
jobs:
update-dist:
if: github.actor == 'dependabot[bot]' && github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == github.event.pull_request.head.repo.full_name
runs-on: ubuntu-latest
steps:
-
name: GitHub auth token from GitHub App
id: docker-read-app
uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
with:
app-id: ${{ secrets.GHACTIONS_REPO_WRITE_APP_ID }}
private-key: ${{ secrets.GHACTIONS_REPO_WRITE_APP_PRIVATE_KEY }}
owner: docker
-
name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: ${{ github.event.pull_request.head.ref }}
fetch-depth: 0
token: ${{ steps.docker-read-app.outputs.token }}
-
name: Build
uses: docker/bake-action@a66e1c87e2eca0503c343edf1d208c716d54b8a8 # v7.1.0
with:
source: .
targets: build
-
name: Commit and push dist
run: |
if [ -n "$(git status --porcelain -- dist)" ]; then
(
set -x
git config user.name "github-actions[bot]"
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
git add dist
git commit -m "chore: update generated content"
git push
)
else
echo "No changes in dist"
fi

46
.github/workflows/validate.yml vendored
View File

@ -1,46 +0,0 @@
name: validate
permissions:
contents: read
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
on:
push:
branches:
- 'master'
- 'releases/v*'
pull_request:
jobs:
prepare:
runs-on: ubuntu-latest
outputs:
matrix: ${{ steps.generate.outputs.matrix }}
steps:
-
name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
name: Generate matrix
id: generate
uses: docker/bake-action/subaction/matrix@a66e1c87e2eca0503c343edf1d208c716d54b8a8 # v7.1.0
with:
target: validate
validate:
runs-on: ubuntu-latest
needs:
- prepare
strategy:
fail-fast: false
matrix:
include: ${{ fromJson(needs.prepare.outputs.matrix) }}
steps:
-
name: Validate
uses: docker/bake-action@a66e1c87e2eca0503c343edf1d208c716d54b8a8 # v7.1.0
with:
targets: ${{ matrix.target }}

29
.github/workflows/zizmor.yml vendored
View File

@ -1,29 +0,0 @@
name: zizmor
permissions:
contents: read
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
on:
workflow_dispatch:
push:
branches:
- 'master'
- 'releases/v*'
tags:
- 'v*'
pull_request:
jobs:
zizmor:
uses: crazy-max/.github/.github/workflows/zizmor.yml@64a0bfaf6e6bb1c448d6e4c42b11034ee7094f16 # v1.7.1
permissions:
contents: read
security-events: write
with:
min-severity: medium
min-confidence: medium
persona: pedantic

71
.gitignore vendored
View File

@ -1,5 +1,12 @@
# https://raw.githubusercontent.com/github/gitignore/main/Node.gitignore /.dev
node_modules/
lib
# Jetbrains
/.idea
/*.iml
# Rest of the file pulled from https://github.com/github/gitignore/blob/master/Node.gitignore
# Logs # Logs
logs logs
*.log *.log
@ -7,7 +14,6 @@ npm-debug.log*
yarn-debug.log* yarn-debug.log*
yarn-error.log* yarn-error.log*
lerna-debug.log* lerna-debug.log*
.pnpm-debug.log*
# Diagnostic reports (https://nodejs.org/api/report.html) # Diagnostic reports (https://nodejs.org/api/report.html)
report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json
@ -18,14 +24,34 @@ pids
*.seed *.seed
*.pid.lock *.pid.lock
# Directory for instrumented libs generated by jscoverage/JSCover
lib-cov
# Coverage directory used by tools like istanbul # Coverage directory used by tools like istanbul
coverage coverage
*.lcov *.lcov
# nyc test coverage
.nyc_output
# Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files)
.grunt
# Bower dependency directory (https://bower.io/)
bower_components
# node-waf configuration
.lock-wscript
# Compiled binary addons (https://nodejs.org/api/addons.html)
build/Release
# Dependency directories # Dependency directories
node_modules/
jspm_packages/ jspm_packages/
# TypeScript v1 declaration files
typings/
# TypeScript cache # TypeScript cache
*.tsbuildinfo *.tsbuildinfo
@ -35,19 +61,36 @@ jspm_packages/
# Optional eslint cache # Optional eslint cache
.eslintcache .eslintcache
# Optional REPL history
.node_repl_history
# Output of 'npm pack'
*.tgz
# Yarn Integrity file # Yarn Integrity file
.yarn-integrity .yarn-integrity
# dotenv environment variable files # dotenv environment variables file
.env .env
.env.development.local .env.test
.env.test.local
.env.production.local
.env.local
# yarn v2 # parcel-bundler cache (https://parceljs.org/)
.yarn/cache .cache
.yarn/unplugged
.yarn/build-state.yml # next.js build output
.yarn/install-state.gz .next
.pnp.*
# nuxt.js build output
.nuxt
# vuepress build output
.vuepress/dist
# Serverless directories
.serverless/
# FuseBox cache
.fusebox/
# DynamoDB Local files
.dynamodb/

6
.prettierignore
View File

@ -1,6 +0,0 @@
# Dependency directories
node_modules/
jspm_packages/
# yarn v2
.yarn/

3
.prettierrc.json
View File

@ -6,5 +6,6 @@
"singleQuote": true, "singleQuote": true,
"trailingComma": "none", "trailingComma": "none",
"bracketSpacing": false, "bracketSpacing": false,
"arrowParens": "avoid" "arrowParens": "avoid",
"parser": "typescript"
} }

17
.yarnrc.yml
View File

@ -1,17 +0,0 @@
# https://yarnpkg.com/configuration/yarnrc
compressionLevel: mixed
enableGlobalCache: false
enableHardenedMode: true
logFilters:
- code: YN0013
level: discard
- code: YN0019
level: discard
- code: YN0076
level: discard
- code: YN0086
level: discard
nodeLinker: node-modules

356
README.md
View File

@ -1,7 +1,7 @@
[![GitHub release](https://img.shields.io/github/release/docker/login-action.svg?style=flat-square)](https://github.com/docker/login-action/releases/latest) [![GitHub release](https://img.shields.io/github/release/docker/login-action.svg?style=flat-square)](https://github.com/docker/login-action/releases/latest)
[![GitHub marketplace](https://img.shields.io/badge/marketplace-docker--login-blue?logo=github&style=flat-square)](https://github.com/marketplace/actions/docker-login) [![GitHub marketplace](https://img.shields.io/badge/marketplace-docker--login-blue?logo=github&style=flat-square)](https://github.com/marketplace/actions/docker-login)
[![CI workflow](https://img.shields.io/github/actions/workflow/status/docker/login-action/ci.yml?branch=master&label=ci&logo=github&style=flat-square)](https://github.com/docker/login-action/actions?workflow=ci) [![CI workflow](https://img.shields.io/github/workflow/status/docker/login-action/ci?label=ci&logo=github&style=flat-square)](https://github.com/docker/login-action/actions?workflow=ci)
[![Test workflow](https://img.shields.io/github/actions/workflow/status/docker/login-action/test.yml?branch=master&label=test&logo=github&style=flat-square)](https://github.com/docker/login-action/actions?workflow=test) [![Test workflow](https://img.shields.io/github/workflow/status/docker/login-action/test?label=test&logo=github&style=flat-square)](https://github.com/docker/login-action/actions?workflow=test)
[![Codecov](https://img.shields.io/codecov/c/github/docker/login-action?logo=codecov&style=flat-square)](https://codecov.io/gh/docker/login-action) [![Codecov](https://img.shields.io/codecov/c/github/docker/login-action?logo=codecov&style=flat-square)](https://codecov.io/gh/docker/login-action)
## About ## About
@ -23,20 +23,16 @@ ___
* [AWS Public Elastic Container Registry (ECR)](#aws-public-elastic-container-registry-ecr) * [AWS Public Elastic Container Registry (ECR)](#aws-public-elastic-container-registry-ecr)
* [OCI Oracle Cloud Infrastructure Registry (OCIR)](#oci-oracle-cloud-infrastructure-registry-ocir) * [OCI Oracle Cloud Infrastructure Registry (OCIR)](#oci-oracle-cloud-infrastructure-registry-ocir)
* [Quay.io](#quayio) * [Quay.io](#quayio)
* [DigitalOcean](#digitalocean-container-registry)
* [Authenticate to multiple registries](#authenticate-to-multiple-registries)
* [Set scopes for the authentication token](#set-scopes-for-the-authentication-token)
* [Customizing](#customizing) * [Customizing](#customizing)
* [inputs](#inputs) * [inputs](#inputs)
* [Contributing](#contributing) * [Keep up-to-date with GitHub Dependabot](#keep-up-to-date-with-github-dependabot)
## Usage ## Usage
### Docker Hub ### Docker Hub
When authenticating to [Docker Hub](https://hub.docker.com) with GitHub Actions, To authenticate against [Docker Hub](https://hub.docker.com) it's strongly recommended to create a
use a [personal access token](https://docs.docker.com/docker-hub/access-tokens/). [personal access token](https://docs.docker.com/docker-hub/access-tokens/) as an alternative to your password.
Don't use your account password.
```yaml ```yaml
name: ci name: ci
@ -51,17 +47,17 @@ jobs:
steps: steps:
- -
name: Login to Docker Hub name: Login to Docker Hub
uses: docker/login-action@v4 uses: docker/login-action@v1
with: with:
username: ${{ vars.DOCKERHUB_USERNAME }} username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }} password: ${{ secrets.DOCKERHUB_TOKEN }}
``` ```
### GitHub Container Registry ### GitHub Container Registry
To authenticate to the [GitHub Container Registry](https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry), To authenticate against the [GitHub Container Registry](https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry),
use the [`GITHUB_TOKEN`](https://docs.github.com/en/actions/reference/authentication-in-a-workflow) use the [`GITHUB_TOKEN`](https://docs.github.com/en/actions/reference/authentication-in-a-workflow) for the best
secret. security and experience.
```yaml ```yaml
name: ci name: ci
@ -76,7 +72,7 @@ jobs:
steps: steps:
- -
name: Login to GitHub Container Registry name: Login to GitHub Container Registry
uses: docker/login-action@v4 uses: docker/login-action@v1
with: with:
registry: ghcr.io registry: ghcr.io
username: ${{ github.actor }} username: ${{ github.actor }}
@ -104,23 +100,18 @@ jobs:
steps: steps:
- -
name: Login to GitLab name: Login to GitLab
uses: docker/login-action@v4 uses: docker/login-action@v1
with: with:
registry: registry.gitlab.com registry: registry.gitlab.com
username: ${{ vars.GITLAB_USERNAME }} username: ${{ secrets.GITLAB_USERNAME }}
password: ${{ secrets.GITLAB_PASSWORD }} password: ${{ secrets.GITLAB_PASSWORD }}
``` ```
If you have [Two-Factor Authentication](https://gitlab.com/help/user/profile/account/two_factor_authentication)
enabled, use a [Personal Access Token](https://gitlab.com/help/user/profile/personal_access_tokens)
instead of a password.
### Azure Container Registry (ACR) ### Azure Container Registry (ACR)
[Create a service principal](https://docs.microsoft.com/en-us/azure/container-registry/container-registry-auth-service-principal#create-a-service-principal) [Create a service principal](https://docs.microsoft.com/en-us/azure/container-registry/container-registry-auth-service-principal#create-a-service-principal)
with access to your container registry through the [Azure CLI](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli) with access to your container registry through the [Azure CLI](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli)
and take note of the generated service principal's ID (also called _client ID_) and take note of the generated service principal's ID (also called _client ID_) and password (also called _client secret_).
and password (also called _client secret_).
```yaml ```yaml
name: ci name: ci
@ -135,10 +126,10 @@ jobs:
steps: steps:
- -
name: Login to ACR name: Login to ACR
uses: docker/login-action@v4 uses: docker/login-action@v1
with: with:
registry: <registry-name>.azurecr.io registry: <registry-name>.azurecr.io
username: ${{ vars.AZURE_CLIENT_ID }} username: ${{ secrets.AZURE_CLIENT_ID }}
password: ${{ secrets.AZURE_CLIENT_SECRET }} password: ${{ secrets.AZURE_CLIENT_SECRET }}
``` ```
@ -146,21 +137,16 @@ jobs:
### Google Container Registry (GCR) ### Google Container Registry (GCR)
> [Google Artifact Registry](#google-artifact-registry-gar) is the evolution of > [Google Artifact Registry](#google-artifact-registry-gar) is the evolution of Google Container Registry. As a
> Google Container Registry. As a fully-managed service with support for both > fully-managed service with support for both container images and non-container artifacts. If you currently use
> container images and non-container artifacts. If you currently use Google > Google Container Registry, use the information [on this page](https://cloud.google.com/artifact-registry/docs/transition/transition-from-gcr)
> Container Registry, use the information [on this page](https://cloud.google.com/artifact-registry/docs/transition/transition-from-gcr)
> to learn about transitioning to Google Artifact Registry. > to learn about transitioning to Google Artifact Registry.
You can authenticate with workload identity federation or a service account. You can use either workload identity federation based keyless authentication or service account based authentication.
#### Workload identity federation #### Workload identity federation based authentication
Configure the workload identity federation for GitHub Actions in Google Cloud, Configure the workload identity federation for github actions in gcloud (for steps, [refer here](https://github.com/google-github-actions/auth#setting-up-workload-identity-federation)). In the steps, your service account should the ability to push to GCR. Then use google-github-actions/auth action for authentication using workload identity like below:
[see here](https://github.com/google-github-actions/auth#setting-up-workload-identity-federation).
Your service account must have permission to push to GCR. Use the
`google-github-actions/auth` action to authenticate using workload identity as
shown in the following example:
```yaml ```yaml
name: ci name: ci
@ -173,35 +159,33 @@ jobs:
login: login:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- - id: 'auth'
name: Authenticate to Google Cloud name: 'Authenticate to Google Cloud'
id: auth uses: 'google-github-actions/auth@v0'
uses: google-github-actions/auth@v1
with: with:
token_format: access_token token_format: 'access_token'
workload_identity_provider: <workload_identity_provider> workload_identity_provider: '<workload_identity_provider>'
service_account: <service_account> service_account: '<service_account>'
-
name: Login to GCR - name: Login to GCR
uses: docker/login-action@v4 uses: docker/login-action@v1
with: with:
registry: gcr.io registry: gcr.io
username: oauth2accesstoken username: oauth2accesstoken
password: ${{ steps.auth.outputs.access_token }} password: ${{ steps.auth.outputs.access_token }}
``` ```
> Replace `<workload_identity_provider>` with configured workload identity > Replace `<workload_identity_provider>` with configured workload identity provider. For steps to configure, [refer here](https://github.com/google-github-actions/auth#setting-up-workload-identity-federation).
> provider. For steps to configure, [see here](https://github.com/google-github-actions/auth#setting-up-workload-identity-federation).
> Replace `<service_account>` with configured service account in workload > Replace `<service_account>` with configured service account in workload identity provider which has access to push to GCR
> identity provider which has access to push to GCR
#### Service account based authentication #### Service account based authentication
Use a service account with permission to push to GCR and [configure access control](https://cloud.google.com/container-registry/docs/access-control). Use a service account with the ability to push to GCR and [configure access control](https://cloud.google.com/container-registry/docs/access-control).
Download the key for the service account as a JSON file. Save the contents of Then create and download the JSON key for this service account and save content of `.json` file
the file [as a secret](https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets#creating-encrypted-secrets-for-a-repository) [as a secret](https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets#creating-encrypted-secrets-for-a-repository)
named `GCR_JSON_KEY` in your GitHub repository. Set the username to `_json_key`. called `GCR_JSON_KEY` in your GitHub repo. Ensure you set the username to `_json_key`,
or `_json_key_base64` if you use a base64-encoded key.
```yaml ```yaml
name: ci name: ci
@ -216,7 +200,7 @@ jobs:
steps: steps:
- -
name: Login to GCR name: Login to GCR
uses: docker/login-action@v4 uses: docker/login-action@v1
with: with:
registry: gcr.io registry: gcr.io
username: _json_key username: _json_key
@ -225,13 +209,11 @@ jobs:
### Google Artifact Registry (GAR) ### Google Artifact Registry (GAR)
You can authenticate with workload identity federation or a service account. You can use either workload identity federation based keyless authentication or service account based authentication.
#### Workload identity federation #### Workload identity federation based authentication
Your service account must have permission to push to GAR. Use the Configure the workload identity federation for github actions in gcloud (for steps, [refer here](https://github.com/google-github-actions/auth#setting-up-workload-identity-federation)). In the steps, your service account should the ability to push to GAR. Then use google-github-actions/auth action for authentication using workload identity like below:
`google-github-actions/auth` action to authenticate using workload identity as
shown in the following example:
```yaml ```yaml
name: ci name: ci
@ -244,38 +226,34 @@ jobs:
login: login:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- - id: 'auth'
name: Authenticate to Google Cloud name: 'Authenticate to Google Cloud'
id: auth uses: 'google-github-actions/auth@v0'
uses: google-github-actions/auth@v1
with: with:
token_format: access_token token_format: 'access_token'
workload_identity_provider: <workload_identity_provider> workload_identity_provider: '<workload_identity_provider>'
service_account: <service_account> service_account: '<service_account>'
-
name: Login to GAR - name: Login to GAR
uses: docker/login-action@v4 uses: docker/login-action@v1
with: with:
registry: <location>-docker.pkg.dev registry: <location>-docker.pkg.dev
username: oauth2accesstoken username: oauth2accesstoken
password: ${{ steps.auth.outputs.access_token }} password: ${{ steps.auth.outputs.access_token }}
``` ```
> Replace `<workload_identity_provider>` with configured workload identity provider
> Replace `<workload_identity_provider>` with configured workload identity > Replace `<service_account>` with configured service account in workload identity provider which has access to push to GCR
> provider
> Replace `<service_account>` with configured service account in workload
> identity provider which has access to push to GCR
> Replace `<location>` with the regional or multi-regional [location](https://cloud.google.com/artifact-registry/docs/repo-organize#locations) > Replace `<location>` with the regional or multi-regional [location](https://cloud.google.com/artifact-registry/docs/repo-organize#locations)
> of the repository where the image is stored. > of the repository where the image is stored.
#### Service account based authentication #### Service account based authentication
Use a service account with permission to push to GAR and [configure access control](https://cloud.google.com/artifact-registry/docs/access-control). Use a service account with the ability to push to GAR and [configure access control](https://cloud.google.com/artifact-registry/docs/access-control).
Download the key for the service account as a JSON file. Save the contents of Then create and download the JSON key for this service account and save content of `.json` file
the file [as a secret](https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets#creating-encrypted-secrets-for-a-repository) [as a secret](https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets#creating-encrypted-secrets-for-a-repository)
named `GAR_JSON_KEY` in your GitHub repository. Set the username to `_json_key`, called `GAR_JSON_KEY` in your GitHub repo. Ensure you set the username to `_json_key`,
or `_json_key_base64` if you use a base64-encoded key. or `_json_key_base64` if you use a base64-encoded key.
```yaml ```yaml
@ -291,7 +269,7 @@ jobs:
steps: steps:
- -
name: Login to GAR name: Login to GAR
uses: docker/login-action@v4 uses: docker/login-action@v1
with: with:
registry: <location>-docker.pkg.dev registry: <location>-docker.pkg.dev
username: _json_key username: _json_key
@ -303,8 +281,8 @@ jobs:
### AWS Elastic Container Registry (ECR) ### AWS Elastic Container Registry (ECR)
Use an IAM user with the ability to [push to ECR with `AmazonEC2ContainerRegistryPowerUser` managed policy for example](https://docs.aws.amazon.com/AmazonECR/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-AmazonEC2ContainerRegistryPowerUser). Use an IAM user with the ability to [push to ECR with `AmazonEC2ContainerRegistryPowerUser` managed policy for example](https://docs.aws.amazon.com/AmazonECR/latest/userguide/ecr_managed_policies.html#AmazonEC2ContainerRegistryPowerUser).
Download the access keys and save them as `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` [as secrets](https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets#creating-encrypted-secrets-for-a-repository) Then create and download access keys and save `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` [as secrets](https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets#creating-encrypted-secrets-for-a-repository)
in your GitHub repo. in your GitHub repo.
```yaml ```yaml
@ -320,15 +298,15 @@ jobs:
steps: steps:
- -
name: Login to ECR name: Login to ECR
uses: docker/login-action@v4 uses: docker/login-action@v1
with: with:
registry: <aws-account-number>.dkr.ecr.<region>.amazonaws.com registry: <aws-account-number>.dkr.ecr.<region>.amazonaws.com
username: ${{ vars.AWS_ACCESS_KEY_ID }} username: ${{ secrets.AWS_ACCESS_KEY_ID }}
password: ${{ secrets.AWS_SECRET_ACCESS_KEY }} password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
``` ```
If you need to log in to Amazon ECR registries associated with other accounts, If you need to log in to Amazon ECR registries associated with other accounts, you can use the `AWS_ACCOUNT_IDS`
you can use the `AWS_ACCOUNT_IDS` environment variable: environment variable:
```yaml ```yaml
name: ci name: ci
@ -343,10 +321,10 @@ jobs:
steps: steps:
- -
name: Login to ECR name: Login to ECR
uses: docker/login-action@v4 uses: docker/login-action@v1
with: with:
registry: <aws-account-number>.dkr.ecr.<region>.amazonaws.com registry: <aws-account-number>.dkr.ecr.<region>.amazonaws.com
username: ${{ vars.AWS_ACCESS_KEY_ID }} username: ${{ secrets.AWS_ACCESS_KEY_ID }}
password: ${{ secrets.AWS_SECRET_ACCESS_KEY }} password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
env: env:
AWS_ACCOUNT_IDS: 012345678910,023456789012 AWS_ACCOUNT_IDS: 012345678910,023456789012
@ -354,8 +332,8 @@ jobs:
> Only available with [AWS CLI version 1](https://docs.aws.amazon.com/cli/latest/reference/ecr/get-login.html) > Only available with [AWS CLI version 1](https://docs.aws.amazon.com/cli/latest/reference/ecr/get-login.html)
You can also use the [Configure AWS Credentials](https://github.com/aws-actions/configure-aws-credentials) You can also use the [Configure AWS Credentials](https://github.com/aws-actions/configure-aws-credentials) action in
action in combination with this action: combination with this action:
```yaml ```yaml
name: ci name: ci
@ -370,14 +348,14 @@ jobs:
steps: steps:
- -
name: Configure AWS Credentials name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v4 uses: aws-actions/configure-aws-credentials@v1
with: with:
aws-access-key-id: ${{ vars.AWS_ACCESS_KEY_ID }} aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: <region> aws-region: <region>
- -
name: Login to ECR name: Login to ECR
uses: docker/login-action@v4 uses: docker/login-action@v1
with: with:
registry: <aws-account-number>.dkr.ecr.<region>.amazonaws.com registry: <aws-account-number>.dkr.ecr.<region>.amazonaws.com
``` ```
@ -386,10 +364,9 @@ jobs:
### AWS Public Elastic Container Registry (ECR) ### AWS Public Elastic Container Registry (ECR)
Use an IAM user with permission to push to ECR Public, for example using [managed policies](https://docs.aws.amazon.com/AmazonECR/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-AmazonEC2ContainerRegistryPowerUser). Use an IAM user with the ability to [push to ECR Public with `AmazonElasticContainerRegistryPublicPowerUser` managed policy for example](https://docs.aws.amazon.com/AmazonECR/latest/public/public-ecr-managed-policies.html#AmazonElasticContainerRegistryPublicPowerUser).
Download the access keys and save them as `AWS_ACCESS_KEY_ID` and Then create and download access keys and save `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` [as secrets](https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets#creating-encrypted-secrets-for-a-repository)
`AWS_SECRET_ACCESS_KEY` [secrets](https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets#creating-encrypted-secrets-for-a-repository) in your GitHub repo.
in your GitHub repository.
```yaml ```yaml
name: ci name: ci
@ -404,10 +381,10 @@ jobs:
steps: steps:
- -
name: Login to Public ECR name: Login to Public ECR
uses: docker/login-action@v4 uses: docker/login-action@v1
with: with:
registry: public.ecr.aws registry: public.ecr.aws
username: ${{ vars.AWS_ACCESS_KEY_ID }} username: ${{ secrets.AWS_ACCESS_KEY_ID }}
password: ${{ secrets.AWS_SECRET_ACCESS_KEY }} password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
env: env:
AWS_REGION: <region> AWS_REGION: <region>
@ -438,10 +415,10 @@ jobs:
steps: steps:
- -
name: Login to OCIR name: Login to OCIR
uses: docker/login-action@v4 uses: docker/login-action@v1
with: with:
registry: <region>.ocir.io registry: <region>.ocir.io
username: ${{ vars.OCI_USERNAME }} username: ${{ secrets.OCI_USERNAME }}
password: ${{ secrets.OCI_TOKEN }} password: ${{ secrets.OCI_TOKEN }}
``` ```
@ -449,8 +426,7 @@ jobs:
### Quay.io ### Quay.io
Use a [Robot account](https://docs.quay.io/glossary/robot-accounts.html) with Use a [Robot account](https://docs.quay.io/glossary/robot-accounts.html) with the ability to push to a public/private Quay.io repository.
permission to push to a Quay.io repository.
```yaml ```yaml
name: ci name: ci
@ -465,173 +441,39 @@ jobs:
steps: steps:
- -
name: Login to Quay.io name: Login to Quay.io
uses: docker/login-action@v4 uses: docker/login-action@v1
with: with:
registry: quay.io registry: quay.io
username: ${{ vars.QUAY_USERNAME }} username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_ROBOT_TOKEN }} password: ${{ secrets.QUAY_ROBOT_TOKEN }}
``` ```
### DigitalOcean Container Registry
Use your DigitalOcean registered email address and an API access token to authenticate.
```yaml
name: ci
on:
push:
branches: main
jobs:
login:
runs-on: ubuntu-latest
steps:
-
name: Login to DigitalOcean Container Registry
uses: docker/login-action@v4
with:
registry: registry.digitalocean.com
username: ${{ vars.DIGITALOCEAN_USERNAME }}
password: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
```
### Authenticate to multiple registries
To authenticate against multiple registries, you can specify the login-action
step multiple times in your workflow:
```yaml
name: ci
on:
push:
branches: main
jobs:
login:
runs-on: ubuntu-latest
steps:
-
name: Login to Docker Hub
uses: docker/login-action@v4
with:
username: ${{ vars.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
-
name: Login to GitHub Container Registry
uses: docker/login-action@v4
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
```
You can also use the `registry-auth` input for raw authentication to
registries, defined as YAML objects. Each object have the same attributes as
current inputs (except `logout`):
> [!WARNING]
> We don't recommend using this method, it's better to use the action multiple
> times as shown above.
```yaml
name: ci
on:
push:
branches: main
jobs:
login:
runs-on: ubuntu-latest
steps:
-
name: Login to registries
uses: docker/login-action@v4
with:
registry-auth: |
- username: ${{ vars.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
```
### Set scopes for the authentication token
The `scope` input allows limiting registry credentials to a specific repository
or namespace scope when building images with Buildx.
This is useful in GitHub Actions to avoid overriding the Docker Hub
authentication token embedded in GitHub-hosted runners, which is used for
pulling images without rate limits. By scoping credentials, you can
authenticate only where needed (typically for pushing), while keeping
unauthenticated pulls for base images.
When `scope` is set, credentials are written to the Buildx configuration
instead of the global Docker configuration. This means:
* Authentication applies only to the specified scope
* The default Docker Hub credentials remain available for pulls
* Credentials are used only by Buildx during the build
> [!IMPORTANT]
> Credentials written to the Buildx configuration are only accessible by Buildx.
> They are not available to `docker pull`, `docker push`, or any other Docker
> CLI commands outside Buildx.
> [!NOTE]
> This feature requires Buildx version 0.31.0 or later.
```yaml
name: ci
on:
push:
branches: main
jobs:
login:
runs-on: ubuntu-latest
steps:
-
name: Login to Docker Hub (scoped)
uses: docker/login-action@v4
with:
username: ${{ vars.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
scope: 'myorg/myimage@push'
-
name: Build and push
uses: docker/build-push-action@v6
with:
push: true
tags: myorg/myimage:latest
```
In this example, base images are pulled using the embedded GitHub-hosted runner
credentials, while authenticated access is used only to push `myorg/myimage`.
## Customizing ## Customizing
### inputs ### inputs
The following inputs can be used as `step.with` keys: Following inputs can be used as `step.with` keys
| Name | Type | Default | Description | | Name | Type | Default | Description |
|-----------------|--------|-------------|-------------------------------------------------------------------------------| |------------------|---------|-----------------------------|------------------------------------|
| `registry` | String | `docker.io` | Server address of Docker registry. If not set then will default to Docker Hub | | `registry` | String | | Server address of Docker registry. If not set then will default to Docker Hub |
| `username` | String | | Username for authenticating to the Docker registry | | `username` | String | | Username used to log against the Docker registry |
| `password` | String | | Password or personal access token for authenticating the Docker registry | | `password` | String | | Password or personal access token used to log against the Docker registry |
| `scope` | String | | Scope for the authentication token |
| `ecr` | String | `auto` | Specifies whether the given registry is ECR (`auto`, `true` or `false`) | | `ecr` | String | `auto` | Specifies whether the given registry is ECR (`auto`, `true` or `false`) |
| `logout` | Bool | `true` | Log out from the Docker registry at the end of a job | | `logout` | Bool | `true` | Log out from the Docker registry at the end of a job |
| `registry-auth` | YAML | | Raw authentication to registries, defined as YAML objects |
> [!NOTE] ## Keep up-to-date with GitHub Dependabot
> The `registry-auth` input cannot be used with other inputs except `logout`.
## Contributing Since [Dependabot](https://docs.github.com/en/github/administering-a-repository/keeping-your-actions-up-to-date-with-github-dependabot)
has [native GitHub Actions support](https://docs.github.com/en/github/administering-a-repository/configuration-options-for-dependency-updates#package-ecosystem),
to enable it on your GitHub repo all you need to do is add the `.github/dependabot.yml` file:
Want to contribute? Awesome! You can find information about contributing to ```yaml
this project in the [CONTRIBUTING.md](/.github/CONTRIBUTING.md) version: 2
updates:
# Maintain dependencies for GitHub Actions
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "daily"
```

42
__tests__/aws.test.ts
View File

@ -1,7 +1,5 @@
import {beforeEach, describe, expect, test, vi} from 'vitest';
import {AuthorizationData} from '@aws-sdk/client-ecr'; import {AuthorizationData} from '@aws-sdk/client-ecr';
import * as aws from '../src/aws';
import * as aws from '../src/aws.js';
describe('isECR', () => { describe('isECR', () => {
test.each([ test.each([
@ -10,10 +8,7 @@ describe('isECR', () => {
['012345678901.dkr.ecr.eu-west-3.amazonaws.com', true], ['012345678901.dkr.ecr.eu-west-3.amazonaws.com', true],
['876820548815.dkr.ecr.cn-north-1.amazonaws.com.cn', true], ['876820548815.dkr.ecr.cn-north-1.amazonaws.com.cn', true],
['390948362332.dkr.ecr.cn-northwest-1.amazonaws.com.cn', true], ['390948362332.dkr.ecr.cn-northwest-1.amazonaws.com.cn', true],
['012345678901.dkr-ecr.eu-north-1.on.aws', true], ['public.ecr.aws', true]
['012345678901.dkr.ecr.eusc-de-east-1.amazonaws.eu', true],
['public.ecr.aws', true],
['ecr-public.aws.com', true]
])('given registry %p', async (registry, expected) => { ])('given registry %p', async (registry, expected) => {
expect(aws.isECR(registry)).toEqual(expected); expect(aws.isECR(registry)).toEqual(expected);
}); });
@ -26,10 +21,7 @@ describe('isPubECR', () => {
['012345678901.dkr.ecr.eu-west-3.amazonaws.com', false], ['012345678901.dkr.ecr.eu-west-3.amazonaws.com', false],
['876820548815.dkr.ecr.cn-north-1.amazonaws.com.cn', false], ['876820548815.dkr.ecr.cn-north-1.amazonaws.com.cn', false],
['390948362332.dkr.ecr.cn-northwest-1.amazonaws.com.cn', false], ['390948362332.dkr.ecr.cn-northwest-1.amazonaws.com.cn', false],
['012345678901.dkr-ecr.eu-north-1.on.aws', false], ['public.ecr.aws', true]
['012345678901.dkr.ecr.eusc-de-east-1.amazonaws.eu', false],
['public.ecr.aws', true],
['ecr-public.aws.com', true]
])('given registry %p', async (registry, expected) => { ])('given registry %p', async (registry, expected) => {
expect(aws.isPubECR(registry)).toEqual(expected); expect(aws.isPubECR(registry)).toEqual(expected);
}); });
@ -40,8 +32,6 @@ describe('getRegion', () => {
['012345678901.dkr.ecr.eu-west-3.amazonaws.com', 'eu-west-3'], ['012345678901.dkr.ecr.eu-west-3.amazonaws.com', 'eu-west-3'],
['876820548815.dkr.ecr.cn-north-1.amazonaws.com.cn', 'cn-north-1'], ['876820548815.dkr.ecr.cn-north-1.amazonaws.com.cn', 'cn-north-1'],
['390948362332.dkr.ecr.cn-northwest-1.amazonaws.com.cn', 'cn-northwest-1'], ['390948362332.dkr.ecr.cn-northwest-1.amazonaws.com.cn', 'cn-northwest-1'],
['012345678901.dkr-ecr.eu-north-1.on.aws', 'eu-north-1'],
['012345678901.dkr.ecr.eusc-de-east-1.amazonaws.eu', 'eusc-de-east-1'],
['public.ecr.aws', 'us-east-1'] ['public.ecr.aws', 'us-east-1']
])('given registry %p', async (registry, expected) => { ])('given registry %p', async (registry, expected) => {
expect(aws.getRegion(registry)).toEqual(expected); expect(aws.getRegion(registry)).toEqual(expected);
@ -54,8 +44,6 @@ describe('getAccountIDs', () => {
['012345678901.dkr.ecr.eu-west-3.amazonaws.com', '012345678910,023456789012', ['012345678901', '012345678910', '023456789012']], ['012345678901.dkr.ecr.eu-west-3.amazonaws.com', '012345678910,023456789012', ['012345678901', '012345678910', '023456789012']],
['012345678901.dkr.ecr.eu-west-3.amazonaws.com', '012345678901,012345678910,023456789012', ['012345678901', '012345678910', '023456789012']], ['012345678901.dkr.ecr.eu-west-3.amazonaws.com', '012345678901,012345678910,023456789012', ['012345678901', '012345678910', '023456789012']],
['390948362332.dkr.ecr.cn-northwest-1.amazonaws.com.cn', '012345678910,023456789012', ['390948362332', '012345678910', '023456789012']], ['390948362332.dkr.ecr.cn-northwest-1.amazonaws.com.cn', '012345678910,023456789012', ['390948362332', '012345678910', '023456789012']],
['876820548815.dkr-ecr.eu-north-1.on.aws', '012345678910,023456789012', ['876820548815', '012345678910', '023456789012']],
['012345678901.dkr.ecr.eusc-de-east-1.amazonaws.eu', '012345678910,023456789012', ['012345678901', '012345678910', '023456789012']],
['public.ecr.aws', undefined, []] ['public.ecr.aws', undefined, []]
])('given registry %p', async (registry, accountIDsEnv, expected) => { ])('given registry %p', async (registry, accountIDsEnv, expected) => {
if (accountIDsEnv) { if (accountIDsEnv) {
@ -65,28 +53,26 @@ describe('getAccountIDs', () => {
}); });
}); });
const mockEcrGetAuthToken = vi.fn(); const mockEcrGetAuthToken = jest.fn();
const mockEcrPublicGetAuthToken = vi.fn(); const mockEcrPublicGetAuthToken = jest.fn();
vi.mock('@aws-sdk/client-ecr', () => { jest.mock('@aws-sdk/client-ecr', () => {
class ECR {
getAuthorizationToken = mockEcrGetAuthToken;
}
return { return {
ECR ECR: jest.fn(() => ({
getAuthorizationToken: mockEcrGetAuthToken
}))
}; };
}); });
vi.mock('@aws-sdk/client-ecr-public', () => { jest.mock('@aws-sdk/client-ecr-public', () => {
class ECRPUBLIC {
getAuthorizationToken = mockEcrPublicGetAuthToken;
}
return { return {
ECRPUBLIC ECRPUBLIC: jest.fn(() => ({
getAuthorizationToken: mockEcrPublicGetAuthToken
}))
}; };
}); });
describe('getRegistriesData', () => { describe('getRegistriesData', () => {
beforeEach(() => { beforeEach(() => {
vi.clearAllMocks(); jest.clearAllMocks();
delete process.env.AWS_ACCOUNT_IDS; delete process.env.AWS_ACCOUNT_IDS;
}); });
// prettier-ignore // prettier-ignore

29
__tests__/context.test.ts
View File

@ -1,17 +1,4 @@
import {afterEach, expect, test} from 'vitest'; import {getInputs} from '../src/context';
import * as path from 'path';
import {Buildx} from '@docker/actions-toolkit/lib/buildx/buildx.js';
import {getAuthList, getInputs} from '../src/context.js';
afterEach(() => {
for (const key of Object.keys(process.env)) {
if (key.startsWith('INPUT_')) {
delete process.env[key];
}
}
});
test('with password and username getInputs does not throw error', async () => { test('with password and username getInputs does not throw error', async () => {
process.env['INPUT_USERNAME'] = 'dbowie'; process.env['INPUT_USERNAME'] = 'dbowie';
@ -19,17 +6,5 @@ test('with password and username getInputs does not throw error', async () => {
process.env['INPUT_LOGOUT'] = 'true'; process.env['INPUT_LOGOUT'] = 'true';
expect(() => { expect(() => {
getInputs(); getInputs();
}).not.toThrow(); }).not.toThrowError();
});
test('getAuthList uses the default Docker Hub registry when computing scoped config dir', async () => {
process.env['INPUT_USERNAME'] = 'dbowie';
process.env['INPUT_PASSWORD'] = 'groundcontrol';
process.env['INPUT_SCOPE'] = 'myscope';
process.env['INPUT_LOGOUT'] = 'false';
const [auth] = getAuthList(getInputs());
expect(auth).toMatchObject({
registry: 'docker.io',
configDir: path.join(Buildx.configDir, 'config', 'registry-1.docker.io', 'myscope')
});
}); });

52
__tests__/docker.test.ts
View File

@ -1,31 +1,28 @@
import {expect, test, vi} from 'vitest'; import {loginStandard, logout} from '../src/docker';
import {Docker} from '@docker/actions-toolkit/lib/docker/docker.js'; import * as path from 'path';
import {loginStandard, logout} from '../src/docker.js'; import * as exec from '@actions/exec';
process.env['RUNNER_TEMP'] = path.join(__dirname, 'runner');
test('loginStandard calls exec', async () => { test('loginStandard calls exec', async () => {
const execSpy = vi.spyOn(Docker, 'getExecOutput').mockImplementation(async () => { const execSpy: jest.SpyInstance = jest.spyOn(exec, 'getExecOutput');
return { execSpy.mockImplementation(() =>
Promise.resolve({
exitCode: expect.any(Number), exitCode: expect.any(Number),
stdout: expect.any(Function), stdout: expect.any(Function),
stderr: expect.any(Function) stderr: expect.any(Function)
}; })
}); );
const username = 'dbowie'; const username: string = 'dbowie';
const password = 'groundcontrol'; const password: string = 'groundcontrol';
const registry = 'https://ghcr.io'; const registry: string = 'https://ghcr.io';
await loginStandard(registry, username, password); await loginStandard(registry, username, password);
expect(execSpy).toHaveBeenCalledTimes(1); expect(execSpy).toHaveBeenCalledWith(`docker`, ['login', '--password-stdin', '--username', username, registry], {
const callfunc = execSpy.mock.calls[0];
if (callfunc && callfunc[1]) {
// we don't want to check env opt
callfunc[1].env = undefined;
}
expect(execSpy).toHaveBeenCalledWith(['login', '--password-stdin', '--username', username, registry], {
input: Buffer.from(password), input: Buffer.from(password),
silent: true, silent: true,
ignoreReturnCode: true ignoreReturnCode: true
@ -33,25 +30,20 @@ test('loginStandard calls exec', async () => {
}); });
test('logout calls exec', async () => { test('logout calls exec', async () => {
const execSpy = vi.spyOn(Docker, 'getExecOutput').mockImplementation(async () => { const execSpy: jest.SpyInstance = jest.spyOn(exec, 'getExecOutput');
return { execSpy.mockImplementation(() =>
Promise.resolve({
exitCode: expect.any(Number), exitCode: expect.any(Number),
stdout: expect.any(Function), stdout: expect.any(Function),
stderr: expect.any(Function) stderr: expect.any(Function)
}; })
}); );
const registry = 'https://ghcr.io'; const registry: string = 'https://ghcr.io';
await logout(registry, ''); await logout(registry);
expect(execSpy).toHaveBeenCalledTimes(1); expect(execSpy).toHaveBeenCalledWith(`docker`, ['logout', registry], {
const callfunc = execSpy.mock.calls[0];
if (callfunc && callfunc[1]) {
// we don't want to check env opt
callfunc[1].env = undefined;
}
expect(execSpy).toHaveBeenCalledWith(['logout', registry], {
ignoreReturnCode: true ignoreReturnCode: true
}); });
}); });

79
__tests__/main.test.ts Normal file
View File

@ -0,0 +1,79 @@
import osm = require('os');
import {run} from '../src/main';
import * as docker from '../src/docker';
import * as stateHelper from '../src/state-helper';
import * as core from '@actions/core';
test('errors without username and password', async () => {
const platSpy = jest.spyOn(osm, 'platform');
platSpy.mockImplementation(() => 'linux');
process.env['INPUT_LOGOUT'] = 'true'; // default value
const coreSpy: jest.SpyInstance = jest.spyOn(core, 'setFailed');
await run();
expect(coreSpy).toHaveBeenCalledWith('Username and password required');
});
test('successful with username and password', async () => {
const platSpy = jest.spyOn(osm, 'platform');
platSpy.mockImplementation(() => 'linux');
const setRegistrySpy: jest.SpyInstance = jest.spyOn(stateHelper, 'setRegistry');
const setLogoutSpy: jest.SpyInstance = jest.spyOn(stateHelper, 'setLogout');
const dockerSpy: jest.SpyInstance = jest.spyOn(docker, 'login');
dockerSpy.mockImplementation(() => {});
const username: string = 'dbowie';
process.env[`INPUT_USERNAME`] = username;
const password: string = 'groundcontrol';
process.env[`INPUT_PASSWORD`] = password;
const ecr: string = 'auto';
process.env['INPUT_ECR'] = ecr;
const logout: boolean = false;
process.env['INPUT_LOGOUT'] = String(logout);
await run();
expect(setRegistrySpy).toHaveBeenCalledWith('');
expect(setLogoutSpy).toHaveBeenCalledWith(logout);
expect(dockerSpy).toHaveBeenCalledWith('', username, password, ecr);
});
test('calls docker login', async () => {
const platSpy = jest.spyOn(osm, 'platform');
platSpy.mockImplementation(() => 'linux');
const setRegistrySpy: jest.SpyInstance = jest.spyOn(stateHelper, 'setRegistry');
const setLogoutSpy: jest.SpyInstance = jest.spyOn(stateHelper, 'setLogout');
const dockerSpy: jest.SpyInstance = jest.spyOn(docker, 'login');
dockerSpy.mockImplementation(() => {});
const username: string = 'dbowie';
process.env[`INPUT_USERNAME`] = username;
const password: string = 'groundcontrol';
process.env[`INPUT_PASSWORD`] = password;
const registry: string = 'ghcr.io';
process.env[`INPUT_REGISTRY`] = registry;
const ecr: string = 'auto';
process.env['INPUT_ECR'] = ecr;
const logout: boolean = true;
process.env['INPUT_LOGOUT'] = String(logout);
await run();
expect(setRegistrySpy).toHaveBeenCalledWith(registry);
expect(setLogoutSpy).toHaveBeenCalledWith(logout);
expect(dockerSpy).toHaveBeenCalledWith(registry, username, password, ecr);
});

12
__tests__/setup.unit.ts
View File

@ -1,12 +0,0 @@
import fs from 'node:fs';
import os from 'node:os';
import path from 'node:path';
const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'docker-login-action-'));
process.env = Object.assign({}, process.env, {
TEMP: tmpDir,
GITHUB_REPOSITORY: 'docker/login-action',
RUNNER_TEMP: path.join(tmpDir, 'runner-temp'),
RUNNER_TOOL_CACHE: path.join(tmpDir, 'runner-tool-cache')
});

13
action.yml
View File

@ -18,19 +18,14 @@ inputs:
required: false required: false
ecr: ecr:
description: 'Specifies whether the given registry is ECR (auto, true or false)' description: 'Specifies whether the given registry is ECR (auto, true or false)'
required: false default: 'auto'
scope:
description: 'Scope for the authentication token'
required: false required: false
logout: logout:
description: 'Log out from the Docker registry at the end of a job' description: 'Log out from the Docker registry at the end of a job'
default: 'true' default: 'true'
required: false required: false
registry-auth:
description: 'Raw authentication to registries, defined as YAML objects'
required: false
runs: runs:
using: 'node24' using: 'node12'
main: 'dist/index.cjs' main: 'dist/index.js'
post: 'dist/index.cjs' post: 'dist/index.js'

91
dev.Dockerfile
View File

@ -1,91 +0,0 @@
# syntax=docker/dockerfile:1
ARG NODE_VERSION=24
FROM node:${NODE_VERSION}-alpine AS base
RUN apk add --no-cache cpio findutils git rsync
WORKDIR /src
RUN --mount=type=bind,target=.,rw \
--mount=type=cache,target=/src/.yarn/cache <<EOT
set -e
corepack enable
yarn --version
yarn config set --home enableTelemetry 0
EOT
FROM base AS deps
RUN --mount=type=bind,target=.,rw \
--mount=type=cache,target=/src/.yarn/cache \
--mount=type=cache,target=/src/node_modules \
yarn install && mkdir /vendor && cp yarn.lock /vendor
FROM scratch AS vendor-update
COPY --from=deps /vendor /
FROM deps AS vendor-validate
RUN --mount=type=bind,target=.,rw <<EOT
set -e
git add -A
cp -rf /vendor/* .
if [ -n "$(git status --porcelain -- yarn.lock)" ]; then
echo >&2 'ERROR: Vendor result differs. Please vendor your package with "docker buildx bake vendor"'
git status --porcelain -- yarn.lock
exit 1
fi
EOT
FROM deps AS build
RUN --mount=target=/context \
--mount=type=cache,target=/src/.yarn/cache \
--mount=type=cache,target=/src/node_modules <<EOT
set -e
rsync -a /context/. .
rm -rf dist
yarn run build
mkdir /out
cp -r dist /out
EOT
FROM scratch AS build-update
COPY --from=build /out /
FROM build AS build-validate
RUN --mount=target=/context \
--mount=target=.,type=tmpfs <<EOT
set -e
rsync -a /context/. .
git add -A
rm -rf dist
cp -rf /out/* .
if [ -n "$(git status --porcelain -- dist)" ]; then
echo >&2 'ERROR: Build result differs. Please build first with "docker buildx bake build"'
git status --porcelain -- dist
exit 1
fi
EOT
FROM deps AS format
RUN --mount=type=bind,target=.,rw \
--mount=type=cache,target=/src/.yarn/cache \
--mount=type=cache,target=/src/node_modules \
yarn run format && mkdir /out && find . -name '*.ts' -not -path './node_modules/*' -not -path './.yarn/*' | cpio -pdm /out
FROM scratch AS format-update
COPY --from=format /out /
FROM deps AS lint
RUN --mount=type=bind,target=.,rw \
--mount=type=cache,target=/src/.yarn/cache \
--mount=type=cache,target=/src/node_modules \
yarn run lint
FROM deps AS test
ENV RUNNER_TEMP=/tmp/github_runner
ENV RUNNER_TOOL_CACHE=/tmp/github_tool_cache
RUN --mount=type=bind,target=.,rw \
--mount=type=cache,target=/src/.yarn/cache \
--mount=type=cache,target=/src/node_modules \
yarn run test --coverage --coverage.reportsDirectory=/tmp/coverage
FROM scratch AS test-coverage
COPY --from=test /tmp/coverage /

984
dist/bridge.js generated vendored Normal file
View File

@ -0,0 +1,984 @@
/******/ (() => { // webpackBootstrap
/******/ "use strict";
/******/ var __webpack_modules__ = ({
/***/ 989:
/***/ ((__unused_webpack_module, exports) => {
/**
* __ ___ ____ _ _ ___ _ _ ____
* \ \ / / \ | _ \| \ | |_ _| \ | |/ ___|
* \ \ /\ / / _ \ | |_) | \| || || \| | | _
* \ V V / ___ \| _ <| |\ || || |\ | |_| |
* \_/\_/_/ \_\_| \_\_| \_|___|_| \_|\____|
*
* This file is critical for vm2. It implements the bridge between the host and the sandbox.
* If you do not know exactly what you are doing, you should NOT edit this file.
*
* The file is loaded in the host and sandbox to handle objects in both directions.
* This is done to ensure that RangeErrors are from the correct context.
* The boundary between the sandbox and host might throw RangeErrors from both contexts.
* Therefore, thisFromOther and friends can handle objects from both domains.
*
* Method parameters have comments to tell from which context they came.
*
*/
const globalsList = [
'Number',
'String',
'Boolean',
'Date',
'RegExp',
'Map',
'WeakMap',
'Set',
'WeakSet',
'Promise',
'Function'
];
const errorsList = [
'RangeError',
'ReferenceError',
'SyntaxError',
'TypeError',
'EvalError',
'URIError',
'Error'
];
const OPNA = 'Operation not allowed on contextified object.';
const thisGlobalPrototypes = {
__proto__: null,
Object: Object.prototype,
Array: Array.prototype
};
for (let i = 0; i < globalsList.length; i++) {
const key = globalsList[i];
const g = global[key];
if (g) thisGlobalPrototypes[key] = g.prototype;
}
for (let i = 0; i < errorsList.length; i++) {
const key = errorsList[i];
const g = global[key];
if (g) thisGlobalPrototypes[key] = g.prototype;
}
const {
getPrototypeOf: thisReflectGetPrototypeOf,
setPrototypeOf: thisReflectSetPrototypeOf,
defineProperty: thisReflectDefineProperty,
deleteProperty: thisReflectDeleteProperty,
getOwnPropertyDescriptor: thisReflectGetOwnPropertyDescriptor,
isExtensible: thisReflectIsExtensible,
preventExtensions: thisReflectPreventExtensions,
apply: thisReflectApply,
construct: thisReflectConstruct,
set: thisReflectSet,
get: thisReflectGet,
has: thisReflectHas,
ownKeys: thisReflectOwnKeys,
enumerate: thisReflectEnumerate,
} = Reflect;
const thisObject = Object;
const {
freeze: thisObjectFreeze,
prototype: thisObjectPrototype
} = thisObject;
const thisObjectHasOwnProperty = thisObjectPrototype.hasOwnProperty;
const ThisProxy = Proxy;
const ThisWeakMap = WeakMap;
const {
get: thisWeakMapGet,
set: thisWeakMapSet
} = ThisWeakMap.prototype;
const ThisMap = Map;
const thisMapGet = ThisMap.prototype.get;
const thisMapSet = ThisMap.prototype.set;
const thisFunction = Function;
const thisFunctionBind = thisFunction.prototype.bind;
const thisArrayIsArray = Array.isArray;
const thisErrorCaptureStackTrace = Error.captureStackTrace;
const thisSymbolToString = Symbol.prototype.toString;
const thisSymbolToStringTag = Symbol.toStringTag;
/**
* VMError.
*
* @public
* @extends {Error}
*/
class VMError extends Error {
/**
* Create VMError instance.
*
* @public
* @param {string} message - Error message.
* @param {string} code - Error code.
*/
constructor(message, code) {
super(message);
this.name = 'VMError';
this.code = code;
thisErrorCaptureStackTrace(this, this.constructor);
}
}
thisGlobalPrototypes['VMError'] = VMError.prototype;
function thisUnexpected() {
return new VMError('Unexpected');
}
if (!thisReflectSetPrototypeOf(exports, null)) throw thisUnexpected();
function thisSafeGetOwnPropertyDescriptor(obj, key) {
const desc = thisReflectGetOwnPropertyDescriptor(obj, key);
if (!desc) return desc;
if (!thisReflectSetPrototypeOf(desc, null)) throw thisUnexpected();
return desc;
}
function thisThrowCallerCalleeArgumentsAccess(key) {
'use strict';
thisThrowCallerCalleeArgumentsAccess[key];
return thisUnexpected();
}
function thisIdMapping(factory, other) {
return other;
}
const thisThrowOnKeyAccessHandler = thisObjectFreeze({
__proto__: null,
get(target, key, receiver) {
if (typeof key === 'symbol') {
key = thisReflectApply(thisSymbolToString, key, []);
}
throw new VMError(`Unexpected access to key '${key}'`);
}
});
const emptyForzenObject = thisObjectFreeze({
__proto__: null
});
const thisThrowOnKeyAccess = new ThisProxy(emptyForzenObject, thisThrowOnKeyAccessHandler);
function SafeBase() {}
if (!thisReflectDefineProperty(SafeBase, 'prototype', {
__proto__: null,
value: thisThrowOnKeyAccess
})) throw thisUnexpected();
function SHARED_FUNCTION() {}
const TEST_PROXY_HANDLER = thisObjectFreeze({
__proto__: thisThrowOnKeyAccess,
construct() {
return this;
}
});
function thisIsConstructor(obj) {
// Note: obj@any(unsafe)
const Func = new ThisProxy(obj, TEST_PROXY_HANDLER);
try {
// eslint-disable-next-line no-new
new Func();
return true;
} catch (e) {
return false;
}
}
function thisCreateTargetObject(obj, proto) {
// Note: obj@any(unsafe) proto@any(unsafe) returns@this(unsafe) throws@this(unsafe)
let base;
if (typeof obj === 'function') {
if (thisIsConstructor(obj)) {
// Bind the function since bound functions do not have a prototype property.
base = thisReflectApply(thisFunctionBind, SHARED_FUNCTION, [null]);
} else {
base = () => {};
}
} else if (thisArrayIsArray(obj)) {
base = [];
} else {
return {__proto__: proto};
}
if (!thisReflectSetPrototypeOf(base, proto)) throw thisUnexpected();
return base;
}
function createBridge(otherInit, registerProxy) {
const mappingOtherToThis = new ThisWeakMap();
const protoMappings = new ThisMap();
const protoName = new ThisMap();
function thisAddProtoMapping(proto, other, name) {
// Note: proto@this(unsafe) other@other(unsafe) name@this(unsafe) throws@this(unsafe)
thisReflectApply(thisMapSet, protoMappings, [proto, thisIdMapping]);
thisReflectApply(thisMapSet, protoMappings, [other,
(factory, object) => thisProxyOther(factory, object, proto)]);
if (name) thisReflectApply(thisMapSet, protoName, [proto, name]);
}
function thisAddProtoMappingFactory(protoFactory, other, name) {
// Note: protoFactory@this(unsafe) other@other(unsafe) name@this(unsafe) throws@this(unsafe)
let proto;
thisReflectApply(thisMapSet, protoMappings, [other,
(factory, object) => {
if (!proto) {
proto = protoFactory();
thisReflectApply(thisMapSet, protoMappings, [proto, thisIdMapping]);
if (name) thisReflectApply(thisMapSet, protoName, [proto, name]);
}
return thisProxyOther(factory, object, proto);
}]);
}
const result = {
__proto__: null,
globalPrototypes: thisGlobalPrototypes,
safeGetOwnPropertyDescriptor: thisSafeGetOwnPropertyDescriptor,
fromArguments: thisFromOtherArguments,
from: thisFromOther,
fromWithFactory: thisFromOtherWithFactory,
ensureThis: thisEnsureThis,
mapping: mappingOtherToThis,
connect: thisConnect,
reflectSet: thisReflectSet,
reflectGet: thisReflectGet,
reflectDefineProperty: thisReflectDefineProperty,
reflectDeleteProperty: thisReflectDeleteProperty,
reflectApply: thisReflectApply,
reflectConstruct: thisReflectConstruct,
reflectHas: thisReflectHas,
reflectOwnKeys: thisReflectOwnKeys,
reflectEnumerate: thisReflectEnumerate,
reflectGetPrototypeOf: thisReflectGetPrototypeOf,
reflectIsExtensible: thisReflectIsExtensible,
reflectPreventExtensions: thisReflectPreventExtensions,
objectHasOwnProperty: thisObjectHasOwnProperty,
weakMapSet: thisWeakMapSet,
addProtoMapping: thisAddProtoMapping,
addProtoMappingFactory: thisAddProtoMappingFactory,
defaultFactory,
protectedFactory,
readonlyFactory,
VMError
};
const isHost = typeof otherInit !== 'object';
if (isHost) {
otherInit = otherInit(result, registerProxy);
}
result.other = otherInit;
const {
globalPrototypes: otherGlobalPrototypes,
safeGetOwnPropertyDescriptor: otherSafeGetOwnPropertyDescriptor,
fromArguments: otherFromThisArguments,
from: otherFromThis,
mapping: mappingThisToOther,
reflectSet: otherReflectSet,
reflectGet: otherReflectGet,
reflectDefineProperty: otherReflectDefineProperty,
reflectDeleteProperty: otherReflectDeleteProperty,
reflectApply: otherReflectApply,
reflectConstruct: otherReflectConstruct,
reflectHas: otherReflectHas,
reflectOwnKeys: otherReflectOwnKeys,
reflectEnumerate: otherReflectEnumerate,
reflectGetPrototypeOf: otherReflectGetPrototypeOf,
reflectIsExtensible: otherReflectIsExtensible,
reflectPreventExtensions: otherReflectPreventExtensions,
objectHasOwnProperty: otherObjectHasOwnProperty,
weakMapSet: otherWeakMapSet
} = otherInit;
function thisOtherHasOwnProperty(object, key) {
// Note: object@other(safe) key@prim throws@this(unsafe)
try {
return otherReflectApply(otherObjectHasOwnProperty, object, [key]) === true;
} catch (e) { // @other(unsafe)
throw thisFromOther(e);
}
}
function thisDefaultGet(handler, object, key, desc) {
// Note: object@other(unsafe) key@prim desc@other(safe)
let ret; // @other(unsafe)
if (desc.get || desc.set) {
const getter = desc.get;
if (!getter) return undefined;
try {
ret = otherReflectApply(getter, object, [key]);
} catch (e) {
throw thisFromOther(e);
}
} else {
ret = desc.value;
}
return handler.fromOtherWithContext(ret);
}
function otherFromThisIfAvailable(to, from, key) {
// Note: to@other(safe) from@this(safe) key@prim throws@this(unsafe)
if (!thisReflectApply(thisObjectHasOwnProperty, from, [key])) return false;
try {
to[key] = otherFromThis(from[key]);
} catch (e) { // @other(unsafe)
throw thisFromOther(e);
}
return true;
}
class BaseHandler extends SafeBase {
constructor(object) {
// Note: object@other(unsafe) throws@this(unsafe)
super();
this.object = object;
}
getFactory() {
return defaultFactory;
}
fromOtherWithContext(other) {
// Note: other@other(unsafe) throws@this(unsafe)
return thisFromOtherWithFactory(this.getFactory(), other);
}
doPreventExtensions(target, object, factory) {
// Note: target@this(unsafe) object@other(unsafe) throws@this(unsafe)
let keys; // @other(safe-array-of-prim)
try {
keys = otherReflectOwnKeys(object);
} catch (e) { // @other(unsafe)
throw thisFromOther(e);
}
for (let i = 0; i < keys.length; i++) {
const key = keys[i]; // @prim
let desc;
try {
desc = otherSafeGetOwnPropertyDescriptor(object, key);
} catch (e) { // @other(unsafe)
throw thisFromOther(e);
}
if (!desc) continue;
if (!desc.configurable) {
const current = thisSafeGetOwnPropertyDescriptor(target, key);
if (current && !current.configurable) continue;
if (desc.get || desc.set) {
desc.get = this.fromOtherWithContext(desc.get);
desc.set = this.fromOtherWithContext(desc.set);
} else if (typeof object === 'function' && (key === 'caller' || key === 'callee' || key === 'arguments')) {
desc.value = null;
} else {
desc.value = this.fromOtherWithContext(desc.value);
}
} else {
if (desc.get || desc.set) {
desc = {
__proto__: null,
configurable: true,
enumerable: desc.enumerable,
writable: true,
value: null
};
} else {
desc.value = null;
}
}
if (!thisReflectDefineProperty(target, key, desc)) throw thisUnexpected();
}
if (!thisReflectPreventExtensions(target)) throw thisUnexpected();
}
get(target, key, receiver) {
// Note: target@this(unsafe) key@prim receiver@this(unsafe) throws@this(unsafe)
const object = this.object; // @other(unsafe)
switch (key) {
case 'constructor': {
const desc = otherSafeGetOwnPropertyDescriptor(object, key);
if (desc) return thisDefaultGet(this, object, key, desc);
const proto = thisReflectGetPrototypeOf(target);
return proto === null ? undefined : proto.constructor;
}
case '__proto__': {
const desc = otherSafeGetOwnPropertyDescriptor(object, key);
if (desc) return thisDefaultGet(this, object, key, desc);
return thisReflectGetPrototypeOf(target);
}
case thisSymbolToStringTag:
if (!thisOtherHasOwnProperty(object, thisSymbolToStringTag)) {
const proto = thisReflectGetPrototypeOf(target);
const name = thisReflectApply(thisMapGet, protoName, [proto]);
if (name) return name;
}
break;
case 'arguments':
case 'caller':
case 'callee':
if (thisOtherHasOwnProperty(object, key)) throw thisThrowCallerCalleeArgumentsAccess(key);
break;
}
let ret; // @other(unsafe)
try {
ret = otherReflectGet(object, key);
} catch (e) { // @other(unsafe)
throw thisFromOther(e);
}
return this.fromOtherWithContext(ret);
}
set(target, key, value, receiver) {
// Note: target@this(unsafe) key@prim value@this(unsafe) receiver@this(unsafe) throws@this(unsafe)
const object = this.object; // @other(unsafe)
if (key === '__proto__' && !thisOtherHasOwnProperty(object, key)) {
return this.setPrototypeOf(target, value);
}
try {
value = otherFromThis(value);
return otherReflectSet(object, key, value) === true;
} catch (e) { // @other(unsafe)
throw thisFromOther(e);
}
}
getPrototypeOf(target) {
// Note: target@this(unsafe)
return thisReflectGetPrototypeOf(target);
}
setPrototypeOf(target, value) {
// Note: target@this(unsafe) throws@this(unsafe)
throw new VMError(OPNA);
}
apply(target, context, args) {
// Note: target@this(unsafe) context@this(unsafe) args@this(safe-array) throws@this(unsafe)
const object = this.object; // @other(unsafe)
let ret; // @other(unsafe)
try {
context = otherFromThis(context);
args = otherFromThisArguments(args);
ret = otherReflectApply(object, context, args);
} catch (e) { // @other(unsafe)
throw thisFromOther(e);
}
return thisFromOther(ret);
}
construct(target, args, newTarget) {
// Note: target@this(unsafe) args@this(safe-array) newTarget@this(unsafe) throws@this(unsafe)
const object = this.object; // @other(unsafe)
let ret; // @other(unsafe)
try {
args = otherFromThisArguments(args);
ret = otherReflectConstruct(object, args);
} catch (e) { // @other(unsafe)
throw thisFromOther(e);
}
return thisFromOtherWithFactory(this.getFactory(), ret, thisFromOther(object));
}
getOwnPropertyDescriptorDesc(target, prop, desc) {
// Note: target@this(unsafe) prop@prim desc@other{safe} throws@this(unsafe)
const object = this.object; // @other(unsafe)
if (desc && typeof object === 'function' && (prop === 'arguments' || prop === 'caller' || prop === 'callee')) desc.value = null;
return desc;
}
getOwnPropertyDescriptor(target, prop) {
// Note: target@this(unsafe) prop@prim throws@this(unsafe)
const object = this.object; // @other(unsafe)
let desc; // @other(safe)
try {
desc = otherSafeGetOwnPropertyDescriptor(object, prop);
} catch (e) { // @other(unsafe)
throw thisFromOther(e);
}
desc = this.getOwnPropertyDescriptorDesc(target, prop, desc);
if (!desc) return undefined;
let thisDesc;
if (desc.get || desc.set) {
thisDesc = {
__proto__: null,
get: this.fromOtherWithContext(desc.get),
set: this.fromOtherWithContext(desc.set),
enumerable: desc.enumerable === true,
configurable: desc.configurable === true
};
} else {
thisDesc = {
__proto__: null,
value: this.fromOtherWithContext(desc.value),
writable: desc.writable === true,
enumerable: desc.enumerable === true,
configurable: desc.configurable === true
};
}
if (!thisDesc.configurable) {
const oldDesc = thisSafeGetOwnPropertyDescriptor(target, prop);
if (!oldDesc || oldDesc.configurable || oldDesc.writable !== thisDesc.writable) {
if (!thisReflectDefineProperty(target, prop, thisDesc)) throw thisUnexpected();
}
}
return thisDesc;
}
definePropertyDesc(target, prop, desc) {
// Note: target@this(unsafe) prop@prim desc@this(safe) throws@this(unsafe)
return desc;
}
defineProperty(target, prop, desc) {
// Note: target@this(unsafe) prop@prim desc@this(unsafe) throws@this(unsafe)
const object = this.object; // @other(unsafe)
if (!thisReflectSetPrototypeOf(desc, null)) throw thisUnexpected();
desc = this.definePropertyDesc(target, prop, desc);
if (!desc) return false;
let otherDesc = {__proto__: null};
let hasFunc = true;
let hasValue = true;
let hasBasic = true;
hasFunc &= otherFromThisIfAvailable(otherDesc, desc, 'get');
hasFunc &= otherFromThisIfAvailable(otherDesc, desc, 'set');
hasValue &= otherFromThisIfAvailable(otherDesc, desc, 'value');
hasValue &= otherFromThisIfAvailable(otherDesc, desc, 'writable');
hasBasic &= otherFromThisIfAvailable(otherDesc, desc, 'enumerable');
hasBasic &= otherFromThisIfAvailable(otherDesc, desc, 'configurable');
try {
if (!otherReflectDefineProperty(object, prop, otherDesc)) return false;
if (otherDesc.configurable !== true && (!hasBasic || !(hasFunc || hasValue))) {
otherDesc = otherSafeGetOwnPropertyDescriptor(object, prop);
}
} catch (e) { // @other(unsafe)
throw thisFromOther(e);
}
if (!otherDesc.configurable) {
let thisDesc;
if (otherDesc.get || otherDesc.set) {
thisDesc = {
__proto__: null,
get: this.fromOtherWithContext(otherDesc.get),
set: this.fromOtherWithContext(otherDesc.set),
enumerable: otherDesc.enumerable,
configurable: otherDesc.configurable
};
} else {
thisDesc = {
__proto__: null,
value: this.fromOtherWithContext(otherDesc.value),
writable: otherDesc.writable,
enumerable: otherDesc.enumerable,
configurable: otherDesc.configurable
};
}
if (!thisReflectDefineProperty(target, prop, thisDesc)) throw thisUnexpected();
}
return true;
}
deleteProperty(target, prop) {
// Note: target@this(unsafe) prop@prim throws@this(unsafe)
const object = this.object; // @other(unsafe)
try {
return otherReflectDeleteProperty(object, prop) === true;
} catch (e) { // @other(unsafe)
throw thisFromOther(e);
}
}
has(target, key) {
// Note: target@this(unsafe) key@prim throws@this(unsafe)
const object = this.object; // @other(unsafe)
try {
return otherReflectHas(object, key) === true;
} catch (e) { // @other(unsafe)
throw thisFromOther(e);
}
}
isExtensible(target) {
// Note: target@this(unsafe) throws@this(unsafe)
const object = this.object; // @other(unsafe)
try {
if (otherReflectIsExtensible(object)) return true;
} catch (e) { // @other(unsafe)
throw thisFromOther(e);
}
if (thisReflectIsExtensible(target)) {
this.doPreventExtensions(target, object, this);
}
return false;
}
ownKeys(target) {
// Note: target@this(unsafe) throws@this(unsafe)
const object = this.object; // @other(unsafe)
let res; // @other(unsafe)
try {
res = otherReflectOwnKeys(object);
} catch (e) { // @other(unsafe)
throw thisFromOther(e);
}
return thisFromOther(res);
}
preventExtensions(target) {
// Note: target@this(unsafe) throws@this(unsafe)
const object = this.object; // @other(unsafe)
try {
if (!otherReflectPreventExtensions(object)) return false;
} catch (e) { // @other(unsafe)
throw thisFromOther(e);
}
if (thisReflectIsExtensible(target)) {
this.doPreventExtensions(target, object, this);
}
return true;
}
enumerate(target) {
// Note: target@this(unsafe) throws@this(unsafe)
const object = this.object; // @other(unsafe)
let res; // @other(unsafe)
try {
res = otherReflectEnumerate(object);
} catch (e) { // @other(unsafe)
throw thisFromOther(e);
}
return this.fromOtherWithContext(res);
}
}
function defaultFactory(object) {
// Note: other@other(unsafe) returns@this(unsafe) throws@this(unsafe)
return new BaseHandler(object);
}
class ProtectedHandler extends BaseHandler {
getFactory() {
return protectedFactory;
}
set(target, key, value, receiver) {
// Note: target@this(unsafe) key@prim value@this(unsafe) receiver@this(unsafe) throws@this(unsafe)
if (typeof value === 'function') {
return thisReflectDefineProperty(receiver, key, {
__proto__: null,
value: value,
writable: true,
enumerable: true,
configurable: true
}) === true;
}
return super.set(target, key, value, receiver);
}
definePropertyDesc(target, prop, desc) {
// Note: target@this(unsafe) prop@prim desc@this(safe) throws@this(unsafe)
if (desc && (desc.set || desc.get || typeof desc.value === 'function')) return undefined;
return desc;
}
}
function protectedFactory(object) {
// Note: other@other(unsafe) returns@this(unsafe) throws@this(unsafe)
return new ProtectedHandler(object);
}
class ReadOnlyHandler extends BaseHandler {
getFactory() {
return readonlyFactory;
}
set(target, key, value, receiver) {
// Note: target@this(unsafe) key@prim value@this(unsafe) receiver@this(unsafe) throws@this(unsafe)
return thisReflectDefineProperty(receiver, key, {
__proto__: null,
value: value,
writable: true,
enumerable: true,
configurable: true
});
}
setPrototypeOf(target, value) {
// Note: target@this(unsafe) throws@this(unsafe)
return false;
}
defineProperty(target, prop, desc) {
// Note: target@this(unsafe) prop@prim desc@this(unsafe) throws@this(unsafe)
return false;
}
deleteProperty(target, prop) {
// Note: target@this(unsafe) prop@prim throws@this(unsafe)
return false;
}
isExtensible(target) {
// Note: target@this(unsafe) throws@this(unsafe)
return false;
}
preventExtensions(target) {
// Note: target@this(unsafe) throws@this(unsafe)
return false;
}
}
function readonlyFactory(object) {
// Note: other@other(unsafe) returns@this(unsafe) throws@this(unsafe)
return new ReadOnlyHandler(object);
}
class ReadOnlyMockHandler extends ReadOnlyHandler {
constructor(object, mock) {
// Note: object@other(unsafe) mock:this(unsafe) throws@this(unsafe)
super(object);
this.mock = mock;
}
get(target, key, receiver) {
// Note: target@this(unsafe) key@prim receiver@this(unsafe) throws@this(unsafe)
const object = this.object; // @other(unsafe)
const mock = this.mock;
if (thisReflectApply(thisObjectHasOwnProperty, mock, key) && !thisOtherHasOwnProperty(object, key)) {
return mock[key];
}
return super.get(target, key, receiver);
}
}
function thisFromOther(other) {
// Note: other@other(unsafe) returns@this(unsafe) throws@this(unsafe)
return thisFromOtherWithFactory(defaultFactory, other);
}
function thisProxyOther(factory, other, proto) {
const target = thisCreateTargetObject(other, proto);
const handler = factory(other);
const proxy = new ThisProxy(target, handler);
try {
otherReflectApply(otherWeakMapSet, mappingThisToOther, [proxy, other]);
registerProxy(proxy, handler);
} catch (e) {
throw new VMError('Unexpected error');
}
if (!isHost) {
thisReflectApply(thisWeakMapSet, mappingOtherToThis, [other, proxy]);
return proxy;
}
const proxy2 = new ThisProxy(proxy, emptyForzenObject);
try {
otherReflectApply(otherWeakMapSet, mappingThisToOther, [proxy2, other]);
registerProxy(proxy2, handler);
} catch (e) {
throw new VMError('Unexpected error');
}
thisReflectApply(thisWeakMapSet, mappingOtherToThis, [other, proxy2]);
return proxy2;
}
function thisEnsureThis(other) {
const type = typeof other;
switch (type) {
case 'object':
case 'function':
if (other === null) {
return null;
} else {
let proto = thisReflectGetPrototypeOf(other);
if (!proto) {
return other;
}
while (proto) {
const mapping = thisReflectApply(thisMapGet, protoMappings, [proto]);
if (mapping) {
const mapped = thisReflectApply(thisWeakMapGet, mappingOtherToThis, [other]);
if (mapped) return mapped;
return mapping(defaultFactory, other);
}
proto = thisReflectGetPrototypeOf(proto);
}
return other;
}
case 'undefined':
case 'string':
case 'number':
case 'boolean':
case 'symbol':
case 'bigint':
return other;
default: // new, unknown types can be dangerous
throw new VMError(`Unknown type '${type}'`);
}
}
function thisFromOtherWithFactory(factory, other, proto) {
for (let loop = 0; loop < 10; loop++) {
const type = typeof other;
switch (type) {
case 'object':
case 'function':
if (other === null) {
return null;
} else {
const mapped = thisReflectApply(thisWeakMapGet, mappingOtherToThis, [other]);
if (mapped) return mapped;
if (proto) {
return thisProxyOther(factory, other, proto);
}
try {
proto = otherReflectGetPrototypeOf(other);
} catch (e) { // @other(unsafe)
other = e;
break;
}
if (!proto) {
return thisProxyOther(factory, other, null);
}
while (proto) {
const mapping = thisReflectApply(thisMapGet, protoMappings, [proto]);
if (mapping) return mapping(factory, other);
try {
proto = otherReflectGetPrototypeOf(proto);
} catch (e) { // @other(unsafe)
other = e;
break;
}
}
return thisProxyOther(factory, other, thisObjectPrototype);
}
case 'undefined':
case 'string':
case 'number':
case 'boolean':
case 'symbol':
case 'bigint':
return other;
default: // new, unknown types can be dangerous
throw new VMError(`Unknown type '${type}'`);
}
factory = defaultFactory;
proto = undefined;
}
throw new VMError('Exception recursion depth');
}
function thisFromOtherArguments(args) {
// Note: args@other(safe-array) returns@this(safe-array) throws@this(unsafe)
const arr = [];
for (let i = 0; i < args.length; i++) {
const value = thisFromOther(args[i]);
thisReflectDefineProperty(arr, i, {
__proto__: null,
value: value,
writable: true,
enumerable: true,
configurable: true
});
}
return arr;
}
function thisConnect(obj, other) {
// Note: obj@this(unsafe) other@other(unsafe) throws@this(unsafe)
try {
otherReflectApply(otherWeakMapSet, mappingThisToOther, [obj, other]);
} catch (e) {
throw new VMError('Unexpected error');
}
thisReflectApply(thisWeakMapSet, mappingOtherToThis, [other, obj]);
}
thisAddProtoMapping(thisGlobalPrototypes.Object, otherGlobalPrototypes.Object);
thisAddProtoMapping(thisGlobalPrototypes.Array, otherGlobalPrototypes.Array);
for (let i = 0; i < globalsList.length; i++) {
const key = globalsList[i];
const tp = thisGlobalPrototypes[key];
const op = otherGlobalPrototypes[key];
if (tp && op) thisAddProtoMapping(tp, op, key);
}
for (let i = 0; i < errorsList.length; i++) {
const key = errorsList[i];
const tp = thisGlobalPrototypes[key];
const op = otherGlobalPrototypes[key];
if (tp && op) thisAddProtoMapping(tp, op, 'Error');
}
thisAddProtoMapping(thisGlobalPrototypes.VMError, otherGlobalPrototypes.VMError, 'Error');
result.BaseHandler = BaseHandler;
result.ProtectedHandler = ProtectedHandler;
result.ReadOnlyHandler = ReadOnlyHandler;
result.ReadOnlyMockHandler = ReadOnlyMockHandler;
return result;
}
exports.createBridge = createBridge;
exports.VMError = VMError;
/***/ })
/******/ });
/************************************************************************/
/******/ /* webpack/runtime/compat */
/******/
/******/ if (typeof __nccwpck_require__ !== 'undefined') __nccwpck_require__.ab = __dirname + "/";/************************************************************************/
/******/
/******/ // startup
/******/ // Load entry module and return exports
/******/ // This entry module is referenced by other modules so it can't be inlined
/******/ var __webpack_exports__ = {};
/******/ __webpack_modules__[989](0, __webpack_exports__);
/******/ module.exports = __webpack_exports__;
/******/
/******/ })()
;

1033
dist/events.js generated vendored Normal file
View File

File diff suppressed because it is too large Load Diff

236
dist/index.cjs generated vendored
View File

File diff suppressed because one or more lines are too long

7
dist/index.cjs.map generated vendored
View File

File diff suppressed because one or more lines are too long

82917
dist/index.js generated vendored Normal file
View File

File diff suppressed because one or more lines are too long

7865
dist/licenses.txt generated vendored
View File

File diff suppressed because it is too large Load Diff

473
dist/setup-node-sandbox.js generated vendored Normal file
View File

@ -0,0 +1,473 @@
/******/ (() => { // webpackBootstrap
/******/ "use strict";
/******/ /* webpack/runtime/compat */
/******/
/******/ if (typeof __nccwpck_require__ !== 'undefined') __nccwpck_require__.ab = __dirname + "/";/************************************************************************/
var __webpack_exports__ = {};
/* global host, data, VMError */
const LocalError = Error;
const LocalTypeError = TypeError;
const LocalWeakMap = WeakMap;
const {
apply: localReflectApply,
defineProperty: localReflectDefineProperty
} = Reflect;
const {
set: localWeakMapSet,
get: localWeakMapGet
} = LocalWeakMap.prototype;
const {
isArray: localArrayIsArray
} = Array;
function uncurryThis(func) {
return (thiz, ...args) => localReflectApply(func, thiz, args);
}
const localArrayPrototypeSlice = uncurryThis(Array.prototype.slice);
const localArrayPrototypeIncludes = uncurryThis(Array.prototype.includes);
const localArrayPrototypePush = uncurryThis(Array.prototype.push);
const localArrayPrototypeIndexOf = uncurryThis(Array.prototype.indexOf);
const localArrayPrototypeSplice = uncurryThis(Array.prototype.splice);
const localStringPrototypeStartsWith = uncurryThis(String.prototype.startsWith);
const localStringPrototypeSlice = uncurryThis(String.prototype.slice);
const localStringPrototypeIndexOf = uncurryThis(String.prototype.indexOf);
const {
argv: optionArgv,
env: optionEnv,
console: optionConsole,
vm,
resolver,
extensions
} = data;
function ensureSandboxArray(a) {
return localArrayPrototypeSlice(a);
}
const globalPaths = ensureSandboxArray(resolver.globalPaths);
class Module {
constructor(id, path, parent) {
this.id = id;
this.filename = id;
this.path = path;
this.parent = parent;
this.loaded = false;
this.paths = path ? ensureSandboxArray(resolver.genLookupPaths(path)) : [];
this.children = [];
this.exports = {};
}
_updateChildren(child, isNew) {
const children = this.children;
if (children && (isNew || !localArrayPrototypeIncludes(children, child))) {
localArrayPrototypePush(children, child);
}
}
require(id) {
return requireImpl(this, id, false);
}
}
const originalRequire = Module.prototype.require;
const cacheBuiltins = {__proto__: null};
function requireImpl(mod, id, direct) {
if (direct && mod.require !== originalRequire) {
return mod.require(id);
}
const filename = resolver.resolve(mod, id, undefined, Module._extensions, direct);
if (localStringPrototypeStartsWith(filename, 'node:')) {
id = localStringPrototypeSlice(filename, 5);
let nmod = cacheBuiltins[id];
if (!nmod) {
nmod = resolver.loadBuiltinModule(vm, id);
if (!nmod) throw new VMError(`Cannot find module '${filename}'`, 'ENOTFOUND');
cacheBuiltins[id] = nmod;
}
return nmod;
}
const cachedModule = Module._cache[filename];
if (cachedModule !== undefined) {
mod._updateChildren(cachedModule, false);
return cachedModule.exports;
}
let nmod = cacheBuiltins[id];
if (nmod) return nmod;
nmod = resolver.loadBuiltinModule(vm, id);
if (nmod) {
cacheBuiltins[id] = nmod;
return nmod;
}
const path = resolver.pathDirname(filename);
const module = new Module(filename, path, mod);
resolver.registerModule(module, filename, path, mod, direct);
mod._updateChildren(module, true);
try {
Module._cache[filename] = module;
const handler = findBestExtensionHandler(filename);
handler(module, filename);
module.loaded = true;
} catch (e) {
delete Module._cache[filename];
const children = mod.children;
if (localArrayIsArray(children)) {
const index = localArrayPrototypeIndexOf(children, module);
if (index !== -1) {
localArrayPrototypeSplice(children, index, 1);
}
}
throw e;
}
return module.exports;
}
Module.builtinModules = ensureSandboxArray(resolver.getBuiltinModulesList());
Module.globalPaths = globalPaths;
Module._extensions = {__proto__: null};
Module._cache = {__proto__: null};
{
const keys = Object.getOwnPropertyNames(extensions);
for (let i = 0; i < keys.length; i++) {
const key = keys[i];
const handler = extensions[key];
Module._extensions[key] = (mod, filename) => handler(mod, filename);
}
}
function findBestExtensionHandler(filename) {
const name = resolver.pathBasename(filename);
for (let i = 0; (i = localStringPrototypeIndexOf(name, '.', i + 1)) !== -1;) {
const ext = localStringPrototypeSlice(name, i + 1);
const handler = Module._extensions[ext];
if (handler) return handler;
}
const js = Module._extensions['.js'];
if (js) return js;
const keys = Object.getOwnPropertyNames(Module._extensions);
if (keys.length === 0) throw new VMError(`Failed to load '${filename}': Unknown type.`, 'ELOADFAIL');
return Module._extensions[keys[0]];
}
function createRequireForModule(mod) {
// eslint-disable-next-line no-shadow
function require(id) {
return requireImpl(mod, id, true);
}
function resolve(id, options) {
return resolver.resolve(mod, id, options, Module._extensions, true);
}
require.resolve = resolve;
function paths(id) {
return ensureSandboxArray(resolver.lookupPaths(mod, id));
}
resolve.paths = paths;
require.extensions = Module._extensions;
require.cache = Module._cache;
return require;
}
/**
* Prepare sandbox.
*/
const TIMERS = new LocalWeakMap();
class Timeout {
}
class Interval {
}
class Immediate {
}
function clearTimer(timer) {
const obj = localReflectApply(localWeakMapGet, TIMERS, [timer]);
if (obj) {
obj.clear(obj.value);
}
}
// This is a function and not an arrow function, since the original is also a function
// eslint-disable-next-line no-shadow
global.setTimeout = function setTimeout(callback, delay, ...args) {
if (typeof callback !== 'function') throw new LocalTypeError('"callback" argument must be a function');
const obj = new Timeout(callback, args);
const cb = () => {
localReflectApply(callback, null, args);
};
const tmr = host.setTimeout(cb, delay);
const ref = {
__proto__: null,
clear: host.clearTimeout,
value: tmr
};
localReflectApply(localWeakMapSet, TIMERS, [obj, ref]);
return obj;
};
// eslint-disable-next-line no-shadow
global.setInterval = function setInterval(callback, interval, ...args) {
if (typeof callback !== 'function') throw new LocalTypeError('"callback" argument must be a function');
const obj = new Interval();
const cb = () => {
localReflectApply(callback, null, args);
};
const tmr = host.setInterval(cb, interval);
const ref = {
__proto__: null,
clear: host.clearInterval,
value: tmr
};
localReflectApply(localWeakMapSet, TIMERS, [obj, ref]);
return obj;
};
// eslint-disable-next-line no-shadow
global.setImmediate = function setImmediate(callback, ...args) {
if (typeof callback !== 'function') throw new LocalTypeError('"callback" argument must be a function');
const obj = new Immediate();
const cb = () => {
localReflectApply(callback, null, args);
};
const tmr = host.setImmediate(cb);
const ref = {
__proto__: null,
clear: host.clearImmediate,
value: tmr
};
localReflectApply(localWeakMapSet, TIMERS, [obj, ref]);
return obj;
};
// eslint-disable-next-line no-shadow
global.clearTimeout = function clearTimeout(timeout) {
clearTimer(timeout);
};
// eslint-disable-next-line no-shadow
global.clearInterval = function clearInterval(interval) {
clearTimer(interval);
};
// eslint-disable-next-line no-shadow
global.clearImmediate = function clearImmediate(immediate) {
clearTimer(immediate);
};
const localProcess = host.process;
function vmEmitArgs(event, args) {
const allargs = [event];
for (let i = 0; i < args.length; i++) {
if (!localReflectDefineProperty(allargs, i + 1, {
__proto__: null,
value: args[i],
writable: true,
enumerable: true,
configurable: true
})) throw new LocalError('Unexpected');
}
return localReflectApply(vm.emit, vm, allargs);
}
const LISTENERS = new LocalWeakMap();
const LISTENER_HANDLER = new LocalWeakMap();
/**
*
* @param {*} name
* @param {*} handler
* @this process
* @return {this}
*/
function addListener(name, handler) {
if (name !== 'beforeExit' && name !== 'exit') {
throw new LocalError(`Access denied to listen for '${name}' event.`);
}
let cb = localReflectApply(localWeakMapGet, LISTENERS, [handler]);
if (!cb) {
cb = () => {
handler();
};
localReflectApply(localWeakMapSet, LISTENER_HANDLER, [cb, handler]);
localReflectApply(localWeakMapSet, LISTENERS, [handler, cb]);
}
localProcess.on(name, cb);
return this;
}
/**
*
* @this process
* @return {this}
*/
// eslint-disable-next-line no-shadow
function process() {
return this;
}
// FIXME wrong class structure
global.process = {
__proto__: process.prototype,
argv: optionArgv !== undefined ? optionArgv : [],
title: localProcess.title,
version: localProcess.version,
versions: localProcess.versions,
arch: localProcess.arch,
platform: localProcess.platform,
env: optionEnv !== undefined ? optionEnv : {},
pid: localProcess.pid,
features: localProcess.features,
nextTick: function nextTick(callback, ...args) {
if (typeof callback !== 'function') {
throw new LocalError('Callback must be a function.');
}
localProcess.nextTick(()=>{
localReflectApply(callback, null, args);
});
},
hrtime: function hrtime(time) {
return localProcess.hrtime(time);
},
cwd: function cwd() {
return localProcess.cwd();
},
addListener,
on: addListener,
once: function once(name, handler) {
if (name !== 'beforeExit' && name !== 'exit') {
throw new LocalError(`Access denied to listen for '${name}' event.`);
}
let triggered = false;
const cb = () => {
if (triggered) return;
triggered = true;
localProcess.removeListener(name, cb);
handler();
};
localReflectApply(localWeakMapSet, LISTENER_HANDLER, [cb, handler]);
localProcess.on(name, cb);
return this;
},
listeners: function listeners(name) {
if (name !== 'beforeExit' && name !== 'exit') {
// Maybe add ({__proto__:null})[name] to throw when name fails in https://tc39.es/ecma262/#sec-topropertykey.
return [];
}
// Filter out listeners, which were not created in this sandbox
const all = localProcess.listeners(name);
const filtered = [];
let j = 0;
for (let i = 0; i < all.length; i++) {
const h = localReflectApply(localWeakMapGet, LISTENER_HANDLER, [all[i]]);
if (h) {
if (!localReflectDefineProperty(filtered, j, {
__proto__: null,
value: h,
writable: true,
enumerable: true,
configurable: true
})) throw new LocalError('Unexpected');
j++;
}
}
return filtered;
},
removeListener: function removeListener(name, handler) {
if (name !== 'beforeExit' && name !== 'exit') {
return this;
}
const cb = localReflectApply(localWeakMapGet, LISTENERS, [handler]);
if (cb) localProcess.removeListener(name, cb);
return this;
},
umask: function umask() {
if (arguments.length) {
throw new LocalError('Access denied to set umask.');
}
return localProcess.umask();
}
};
if (optionConsole === 'inherit') {
global.console = host.console;
} else if (optionConsole === 'redirect') {
global.console = {
debug(...args) {
vmEmitArgs('console.debug', args);
},
log(...args) {
vmEmitArgs('console.log', args);
},
info(...args) {
vmEmitArgs('console.info', args);
},
warn(...args) {
vmEmitArgs('console.warn', args);
},
error(...args) {
vmEmitArgs('console.error', args);
},
dir(...args) {
vmEmitArgs('console.dir', args);
},
time() {},
timeEnd() {},
trace(...args) {
vmEmitArgs('console.trace', args);
}
};
}
return {
__proto__: null,
Module,
jsonParse: JSON.parse,
createRequireForModule
};
module.exports = __webpack_exports__;
/******/ })()
;

462
dist/setup-sandbox.js generated vendored Normal file
View File

@ -0,0 +1,462 @@
/******/ (() => { // webpackBootstrap
/******/ "use strict";
/******/ /* webpack/runtime/compat */
/******/
/******/ if (typeof __nccwpck_require__ !== 'undefined') __nccwpck_require__.ab = __dirname + "/";/************************************************************************/
var __webpack_exports__ = {};
/* global host, bridge, data, context */
const {
Object: localObject,
Array: localArray,
Error: LocalError,
Reflect: localReflect,
Proxy: LocalProxy,
WeakMap: LocalWeakMap,
Function: localFunction,
Promise: localPromise,
eval: localEval
} = global;
const {
freeze: localObjectFreeze
} = localObject;
const {
getPrototypeOf: localReflectGetPrototypeOf,
apply: localReflectApply,
deleteProperty: localReflectDeleteProperty,
has: localReflectHas,
defineProperty: localReflectDefineProperty,
setPrototypeOf: localReflectSetPrototypeOf,
getOwnPropertyDescriptor: localReflectGetOwnPropertyDescriptor
} = localReflect;
const {
isArray: localArrayIsArray
} = localArray;
const {
ensureThis,
ReadOnlyHandler,
from,
fromWithFactory,
readonlyFactory,
connect,
addProtoMapping,
VMError,
ReadOnlyMockHandler
} = bridge;
const {
allowAsync,
GeneratorFunction,
AsyncFunction,
AsyncGeneratorFunction
} = data;
const localWeakMapGet = LocalWeakMap.prototype.get;
function localUnexpected() {
return new VMError('Should not happen');
}
// global is originally prototype of host.Object so it can be used to climb up from the sandbox.
if (!localReflectSetPrototypeOf(context, localObject.prototype)) throw localUnexpected();
Object.defineProperties(global, {
global: {value: global, writable: true, configurable: true, enumerable: true},
globalThis: {value: global, writable: true, configurable: true},
GLOBAL: {value: global, writable: true, configurable: true},
root: {value: global, writable: true, configurable: true}
});
if (!localReflectDefineProperty(global, 'VMError', {
__proto__: null,
value: VMError,
writable: true,
enumerable: false,
configurable: true
})) throw localUnexpected();
// Fixes buffer unsafe allocation
/* eslint-disable no-use-before-define */
class BufferHandler extends ReadOnlyHandler {
apply(target, thiz, args) {
if (args.length > 0 && typeof args[0] === 'number') {
return LocalBuffer.alloc(args[0]);
}
return localReflectApply(LocalBuffer.from, LocalBuffer, args);
}
construct(target, args, newTarget) {
if (args.length > 0 && typeof args[0] === 'number') {
return LocalBuffer.alloc(args[0]);
}
return localReflectApply(LocalBuffer.from, LocalBuffer, args);
}
}
/* eslint-enable no-use-before-define */
const LocalBuffer = fromWithFactory(obj => new BufferHandler(obj), host.Buffer);
if (!localReflectDefineProperty(global, 'Buffer', {
__proto__: null,
value: LocalBuffer,
writable: true,
enumerable: false,
configurable: true
})) throw localUnexpected();
addProtoMapping(LocalBuffer.prototype, host.Buffer.prototype, 'Uint8Array');
/**
*
* @param {*} size Size of new buffer
* @this LocalBuffer
* @return {LocalBuffer}
*/
function allocUnsafe(size) {
return LocalBuffer.alloc(size);
}
connect(allocUnsafe, host.Buffer.allocUnsafe);
/**
*
* @param {*} size Size of new buffer
* @this LocalBuffer
* @return {LocalBuffer}
*/
function allocUnsafeSlow(size) {
return LocalBuffer.alloc(size);
}
connect(allocUnsafeSlow, host.Buffer.allocUnsafeSlow);
/**
* Replacement for Buffer inspect
*
* @param {*} recurseTimes
* @param {*} ctx
* @this LocalBuffer
* @return {string}
*/
function inspect(recurseTimes, ctx) {
// Mimic old behavior, could throw but didn't pass a test.
const max = host.INSPECT_MAX_BYTES;
const actualMax = Math.min(max, this.length);
const remaining = this.length - max;
let str = this.hexSlice(0, actualMax).replace(/(.{2})/g, '$1 ').trim();
if (remaining > 0) str += ` ... ${remaining} more byte${remaining > 1 ? 's' : ''}`;
return `<${this.constructor.name} ${str}>`;
}
connect(inspect, host.Buffer.prototype.inspect);
connect(localFunction.prototype.bind, host.Function.prototype.bind);
connect(localObject.prototype.__defineGetter__, host.Object.prototype.__defineGetter__);
connect(localObject.prototype.__defineSetter__, host.Object.prototype.__defineSetter__);
connect(localObject.prototype.__lookupGetter__, host.Object.prototype.__lookupGetter__);
connect(localObject.prototype.__lookupSetter__, host.Object.prototype.__lookupSetter__);
/*
* PrepareStackTrace sanitization
*/
const oldPrepareStackTraceDesc = localReflectGetOwnPropertyDescriptor(LocalError, 'prepareStackTrace');
let currentPrepareStackTrace = LocalError.prepareStackTrace;
const wrappedPrepareStackTrace = new LocalWeakMap();
if (typeof currentPrepareStackTrace === 'function') {
wrappedPrepareStackTrace.set(currentPrepareStackTrace, currentPrepareStackTrace);
}
let OriginalCallSite;
LocalError.prepareStackTrace = (e, sst) => {
OriginalCallSite = sst[0].constructor;
};
new LocalError().stack;
if (typeof OriginalCallSite === 'function') {
LocalError.prepareStackTrace = undefined;
function makeCallSiteGetters(list) {
const callSiteGetters = [];
for (let i=0; i<list.length; i++) {
const name = list[i];
const func = OriginalCallSite.prototype[name];
callSiteGetters[i] = {__proto__: null,
name,
propName: '_' + name,
func: (thiz) => {
return localReflectApply(func, thiz, []);
}
};
}
return callSiteGetters;
}
function applyCallSiteGetters(thiz, callSite, getters) {
for (let i=0; i<getters.length; i++) {
const getter = getters[i];
localReflectDefineProperty(thiz, getter.propName, {
__proto__: null,
value: getter.func(callSite)
});
}
}
const callSiteGetters = makeCallSiteGetters([
'getTypeName',
'getFunctionName',
'getMethodName',
'getFileName',
'getLineNumber',
'getColumnNumber',
'getEvalOrigin',
'isToplevel',
'isEval',
'isNative',
'isConstructor',
'isAsync',
'isPromiseAll',
'getPromiseIndex'
]);
class CallSite {
constructor(callSite) {
applyCallSiteGetters(this, callSite, callSiteGetters);
}
getThis() {
return undefined;
}
getFunction() {
return undefined;
}
toString() {
return 'CallSite {}';
}
}
for (let i=0; i<callSiteGetters.length; i++) {
const name = callSiteGetters[i].name;
const funcProp = localReflectGetOwnPropertyDescriptor(OriginalCallSite.prototype, name);
if (!funcProp) continue;
const propertyName = callSiteGetters[i].propName;
const func = {func() {
return this[propertyName];
}}.func;
const nameProp = localReflectGetOwnPropertyDescriptor(func, 'name');
if (!nameProp) throw localUnexpected();
nameProp.value = name;
if (!localReflectDefineProperty(func, 'name', nameProp)) throw localUnexpected();
funcProp.value = func;
if (!localReflectDefineProperty(CallSite.prototype, name, funcProp)) throw localUnexpected();
}
if (!localReflectDefineProperty(LocalError, 'prepareStackTrace', {
configurable: false,
enumerable: false,
get() {
return currentPrepareStackTrace;
},
set(value) {
if (typeof(value) !== 'function') {
currentPrepareStackTrace = value;
return;
}
const wrapped = localReflectApply(localWeakMapGet, wrappedPrepareStackTrace, [value]);
if (wrapped) {
currentPrepareStackTrace = wrapped;
return;
}
const newWrapped = (error, sst) => {
if (localArrayIsArray(sst)) {
for (let i=0; i < sst.length; i++) {
const cs = sst[i];
if (typeof cs === 'object' && localReflectGetPrototypeOf(cs) === OriginalCallSite.prototype) {
sst[i] = new CallSite(cs);
}
}
}
return value(error, sst);
};
wrappedPrepareStackTrace.set(value, newWrapped);
wrappedPrepareStackTrace.set(newWrapped, newWrapped);
currentPrepareStackTrace = newWrapped;
}
})) throw localUnexpected();
} else if (oldPrepareStackTraceDesc) {
localReflectDefineProperty(LocalError, 'prepareStackTrace', oldPrepareStackTraceDesc);
} else {
localReflectDeleteProperty(LocalError, 'prepareStackTrace');
}
/*
* Exception sanitization
*/
const withProxy = localObjectFreeze({
__proto__: null,
has(target, key) {
if (key === host.INTERNAL_STATE_NAME) return false;
return localReflectHas(target, key);
}
});
const interanState = localObjectFreeze({
__proto__: null,
wrapWith(x) {
return new LocalProxy(x, withProxy);
},
handleException: ensureThis,
import(what) {
throw new VMError('Dynamic Import not supported');
}
});
if (!localReflectDefineProperty(global, host.INTERNAL_STATE_NAME, {
__proto__: null,
configurable: false,
enumerable: false,
writable: false,
value: interanState
})) throw localUnexpected();
/*
* Eval sanitization
*/
function throwAsync() {
return new VMError('Async not available');
}
function makeFunction(inputArgs, isAsync, isGenerator) {
const lastArgs = inputArgs.length - 1;
let code = lastArgs >= 0 ? `${inputArgs[lastArgs]}` : '';
let args = lastArgs > 0 ? `${inputArgs[0]}` : '';
for (let i = 1; i < lastArgs; i++) {
args += `,${inputArgs[i]}`;
}
try {
code = host.transformAndCheck(args, code, isAsync, isGenerator, allowAsync);
} catch (e) {
throw bridge.from(e);
}
return localEval(code);
}
const FunctionHandler = {
__proto__: null,
apply(target, thiz, args) {
return makeFunction(args, this.isAsync, this.isGenerator);
},
construct(target, args, newTarget) {
return makeFunction(args, this.isAsync, this.isGenerator);
}
};
const EvalHandler = {
__proto__: null,
apply(target, thiz, args) {
if (args.length === 0) return undefined;
let code = `${args[0]}`;
try {
code = host.transformAndCheck(null, code, false, false, allowAsync);
} catch (e) {
throw bridge.from(e);
}
return localEval(code);
}
};
const AsyncErrorHandler = {
__proto__: null,
apply(target, thiz, args) {
throw throwAsync();
},
construct(target, args, newTarget) {
throw throwAsync();
}
};
function makeCheckFunction(isAsync, isGenerator) {
if (isAsync && !allowAsync) return AsyncErrorHandler;
return {
__proto__: FunctionHandler,
isAsync,
isGenerator
};
}
function overrideWithProxy(obj, prop, value, handler) {
const proxy = new LocalProxy(value, handler);
if (!localReflectDefineProperty(obj, prop, {__proto__: null, value: proxy})) throw localUnexpected();
return proxy;
}
const proxiedFunction = overrideWithProxy(localFunction.prototype, 'constructor', localFunction, makeCheckFunction(false, false));
if (GeneratorFunction) {
if (!localReflectSetPrototypeOf(GeneratorFunction, proxiedFunction)) throw localUnexpected();
overrideWithProxy(GeneratorFunction.prototype, 'constructor', GeneratorFunction, makeCheckFunction(false, true));
}
if (AsyncFunction) {
if (!localReflectSetPrototypeOf(AsyncFunction, proxiedFunction)) throw localUnexpected();
overrideWithProxy(AsyncFunction.prototype, 'constructor', AsyncFunction, makeCheckFunction(true, false));
}
if (AsyncGeneratorFunction) {
if (!localReflectSetPrototypeOf(AsyncGeneratorFunction, proxiedFunction)) throw localUnexpected();
overrideWithProxy(AsyncGeneratorFunction.prototype, 'constructor', AsyncGeneratorFunction, makeCheckFunction(true, true));
}
global.Function = proxiedFunction;
global.eval = new LocalProxy(localEval, EvalHandler);
/*
* Promise sanitization
*/
if (localPromise && !allowAsync) {
const PromisePrototype = localPromise.prototype;
overrideWithProxy(PromisePrototype, 'then', PromisePrototype.then, AsyncErrorHandler);
// This seems not to work, and will produce
// UnhandledPromiseRejectionWarning: TypeError: Method Promise.prototype.then called on incompatible receiver [object Object].
// This is likely caused since the host.Promise.prototype.then cannot use the VM Proxy object.
// Contextify.connect(host.Promise.prototype.then, Promise.prototype.then);
if (PromisePrototype.finally) {
overrideWithProxy(PromisePrototype, 'finally', PromisePrototype.finally, AsyncErrorHandler);
// Contextify.connect(host.Promise.prototype.finally, Promise.prototype.finally);
}
if (Promise.prototype.catch) {
overrideWithProxy(PromisePrototype, 'catch', PromisePrototype.catch, AsyncErrorHandler);
// Contextify.connect(host.Promise.prototype.catch, Promise.prototype.catch);
}
}
function readonly(other, mock) {
// Note: other@other(unsafe) mock@other(unsafe) returns@this(unsafe) throws@this(unsafe)
if (!mock) return fromWithFactory(readonlyFactory, other);
const tmock = from(mock);
return fromWithFactory(obj=>new ReadOnlyMockHandler(obj, tmock), other);
}
return {
__proto__: null,
readonly,
global
};
module.exports = __webpack_exports__;
/******/ })()
;

46
docker-bake.hcl
View File

@ -1,6 +1,10 @@
target "_common" { variable "NODE_VERSION" {
default = "12"
}
target "node-version" {
args = { args = {
BUILDKIT_CONTEXT_KEEP_GIT_DIR = 1 NODE_VERSION = NODE_VERSION
} }
} }
@ -9,58 +13,58 @@ group "default" {
} }
group "pre-checkin" { group "pre-checkin" {
targets = ["vendor", "format", "build"] targets = ["vendor-update", "format", "build"]
} }
group "validate" { group "validate" {
targets = ["lint", "build-validate", "vendor-validate"] targets = ["format-validate", "build-validate", "vendor-validate"]
} }
target "build" { target "build" {
inherits = ["_common"] inherits = ["node-version"]
dockerfile = "dev.Dockerfile" dockerfile = "./hack/build.Dockerfile"
target = "build-update" target = "build-update"
output = ["."] output = ["."]
} }
target "build-validate" { target "build-validate" {
inherits = ["_common"] inherits = ["node-version"]
dockerfile = "dev.Dockerfile" dockerfile = "./hack/build.Dockerfile"
target = "build-validate" target = "build-validate"
output = ["type=cacheonly"] output = ["type=cacheonly"]
} }
target "format" { target "format" {
inherits = ["_common"] inherits = ["node-version"]
dockerfile = "dev.Dockerfile" dockerfile = "./hack/build.Dockerfile"
target = "format-update" target = "format-update"
output = ["."] output = ["."]
} }
target "lint" { target "format-validate" {
inherits = ["_common"] inherits = ["node-version"]
dockerfile = "dev.Dockerfile" dockerfile = "./hack/build.Dockerfile"
target = "lint" target = "format-validate"
output = ["type=cacheonly"] output = ["type=cacheonly"]
} }
target "vendor" { target "vendor-update" {
inherits = ["_common"] inherits = ["node-version"]
dockerfile = "dev.Dockerfile" dockerfile = "./hack/build.Dockerfile"
target = "vendor-update" target = "vendor-update"
output = ["."] output = ["."]
} }
target "vendor-validate" { target "vendor-validate" {
inherits = ["_common"] inherits = ["node-version"]
dockerfile = "dev.Dockerfile" dockerfile = "./hack/build.Dockerfile"
target = "vendor-validate" target = "vendor-validate"
output = ["type=cacheonly"] output = ["type=cacheonly"]
} }
target "test" { target "test" {
inherits = ["_common"] inherits = ["node-version"]
dockerfile = "dev.Dockerfile" dockerfile = "./hack/build.Dockerfile"
target = "test-coverage" target = "test-coverage"
output = ["./coverage"] output = ["./coverage"]
} }

52
eslint.config.mjs
View File

@ -1,52 +0,0 @@
import {defineConfig} from 'eslint/config';
import js from '@eslint/js';
import tseslint from '@typescript-eslint/eslint-plugin';
import vitest from '@vitest/eslint-plugin';
import globals from 'globals';
import eslintConfigPrettier from 'eslint-config-prettier/flat';
import eslintPluginPrettier from 'eslint-plugin-prettier';
export default defineConfig([
{
ignores: ['.yarn/**/*', 'coverage/**/*', 'dist/**/*']
},
js.configs.recommended,
...tseslint.configs['flat/recommended'],
eslintConfigPrettier,
{
languageOptions: {
globals: {
...globals.node
}
}
},
{
files: ['__tests__/**'],
...vitest.configs.recommended,
languageOptions: {
globals: {
...globals.node,
...vitest.environments.env.globals
}
},
rules: {
...vitest.configs.recommended.rules,
'vitest/no-conditional-expect': 'error',
'vitest/no-disabled-tests': 0
}
},
{
plugins: {
prettier: eslintPluginPrettier
},
rules: {
'prettier/prettier': 'error',
'@typescript-eslint/no-require-imports': [
'error',
{
allowAsImport: true
}
]
}
}
]);

78
hack/build.Dockerfile Normal file
View File

@ -0,0 +1,78 @@
# syntax=docker/dockerfile:1.3-labs
ARG NODE_VERSION
ARG DOCKER_VERSION=20.10.10
ARG BUILDX_VERSION=0.7.0
FROM node:${NODE_VERSION}-alpine AS base
RUN apk add --no-cache cpio findutils git
WORKDIR /src
FROM base AS deps
RUN --mount=type=bind,target=.,rw \
--mount=type=cache,target=/src/node_modules \
yarn install && mkdir /vendor && cp yarn.lock /vendor
FROM scratch AS vendor-update
COPY --from=deps /vendor /
FROM deps AS vendor-validate
RUN --mount=type=bind,target=.,rw <<EOT
set -e
git add -A
cp -rf /vendor/* .
if [ -n "$(git status --porcelain -- yarn.lock)" ]; then
echo >&2 'ERROR: Vendor result differs. Please vendor your package with "docker buildx bake vendor-update"'
git status --porcelain -- yarn.lock
exit 1
fi
EOT
FROM deps AS build
RUN --mount=type=bind,target=.,rw \
--mount=type=cache,target=/src/node_modules \
yarn run build && mkdir /out && cp -Rf dist /out/
FROM scratch AS build-update
COPY --from=build /out /
FROM build AS build-validate
RUN --mount=type=bind,target=.,rw <<EOT
set -e
git add -A
cp -rf /out/* .
if [ -n "$(git status --porcelain -- dist)" ]; then
echo >&2 'ERROR: Build result differs. Please build first with "docker buildx bake build"'
git status --porcelain -- dist
exit 1
fi
EOT
FROM deps AS format
RUN --mount=type=bind,target=.,rw \
--mount=type=cache,target=/src/node_modules \
yarn run format \
&& mkdir /out && find . -name '*.ts' -not -path './node_modules/*' | cpio -pdm /out
FROM scratch AS format-update
COPY --from=format /out /
FROM deps AS format-validate
RUN --mount=type=bind,target=.,rw \
--mount=type=cache,target=/src/node_modules \
yarn run format-check
FROM docker:${DOCKER_VERSION} as docker
FROM docker/buildx-bin:${BUILDX_VERSION} as buildx
FROM deps AS test
ENV RUNNER_TEMP=/tmp/github_runner
ENV RUNNER_TOOL_CACHE=/tmp/github_tool_cache
RUN --mount=type=bind,target=.,rw \
--mount=type=cache,target=/src/node_modules \
--mount=type=bind,from=docker,source=/usr/local/bin/docker,target=/usr/bin/docker \
--mount=type=bind,from=buildx,source=/buildx,target=/usr/libexec/docker/cli-plugins/docker-buildx \
yarn run test --coverageDirectory=/tmp/coverage
FROM scratch AS test-coverage
COPY --from=test /tmp/coverage /

12
jest.config.js Normal file
View File

@ -0,0 +1,12 @@
module.exports = {
clearMocks: true,
moduleFileExtensions: ['js', 'ts'],
setupFiles: ["dotenv/config"],
testEnvironment: 'node',
testMatch: ['**/*.test.ts'],
testRunner: 'jest-circus/runner',
transform: {
'^.+\\.ts$': 'ts-jest'
},
verbose: false
}

64
package.json
View File

@ -1,14 +1,13 @@
{ {
"name": "docker-login", "name": "docker-login",
"description": "GitHub Action to login against a Docker registry", "description": "GitHub Action to login against a Docker registry",
"type": "module", "main": "lib/main.js",
"main": "src/main.ts",
"scripts": { "scripts": {
"build": "esbuild src/main.ts --bundle --platform=node --target=node24 --format=cjs --outfile=dist/index.cjs --sourcemap --minify && yarn run license", "build": "tsc && ncc build",
"lint": "eslint --max-warnings=0 .", "format": "prettier --write **/*.ts",
"format": "eslint --fix .", "format-check": "prettier --check **/*.ts",
"test": "vitest run", "test": "jest --coverage",
"license": "generate-license-file --input package.json --output dist/licenses.txt --overwrite --ci --no-spinner --eol lf" "pre-checkin": "yarn run format && yarn run build"
}, },
"repository": { "repository": {
"type": "git", "type": "git",
@ -19,34 +18,33 @@
"docker", "docker",
"login" "login"
], ],
"author": "Docker Inc.", "author": "Docker",
"license": "Apache-2.0", "contributors": [
"packageManager": "yarn@4.9.2", {
"name": "CrazyMax",
"url": "https://crazymax.dev"
}
],
"license": "MIT",
"dependencies": { "dependencies": {
"@actions/core": "^3.0.0", "@actions/core": "^1.6.0",
"@aws-sdk/client-ecr": "^3.1020.0", "@actions/exec": "^1.1.0",
"@aws-sdk/client-ecr-public": "^3.1020.0", "@actions/io": "^1.1.1",
"@docker/actions-toolkit": "^0.86.0", "@aws-sdk/client-ecr": "^3.45.0",
"http-proxy-agent": "^9.0.0", "@aws-sdk/client-ecr-public": "^3.45.0",
"https-proxy-agent": "^9.0.0", "proxy-agent": "^5.0.0"
"js-yaml": "^4.1.1"
}, },
"devDependencies": { "devDependencies": {
"@eslint/js": "^9.39.3", "@types/jest": "^26.0.23",
"@types/js-yaml": "^4.0.9", "@types/node": "^14.17.4",
"@types/node": "^24.11.0", "@vercel/ncc": "^0.28.6",
"@typescript-eslint/eslint-plugin": "^8.56.1", "dotenv": "^8.6.0",
"@typescript-eslint/parser": "^8.56.1", "jest": "^26.6.3",
"@vitest/coverage-v8": "^4.0.18", "jest-circus": "^26.6.3",
"@vitest/eslint-plugin": "^1.6.9", "jest-runtime": "^26.6.3",
"esbuild": "^0.28.0", "prettier": "^2.3.2",
"eslint": "^9.39.3", "ts-jest": "^26.5.6",
"eslint-config-prettier": "^10.1.8", "typescript": "^3.9.10",
"eslint-plugin-prettier": "^5.5.5", "typescript-formatter": "^7.2.2"
"generate-license-file": "^4.1.1",
"globals": "^17.3.0",
"prettier": "^3.8.1",
"typescript": "^5.9.3",
"vitest": "^4.0.18"
} }
} }

26
src/aws.ts
View File

@ -1,19 +1,17 @@
import * as core from '@actions/core'; import * as core from '@actions/core';
import {ECR} from '@aws-sdk/client-ecr'; import {ECR} from '@aws-sdk/client-ecr';
import {ECRPUBLIC} from '@aws-sdk/client-ecr-public'; import {ECRPUBLIC} from '@aws-sdk/client-ecr-public';
import {NodeHttpHandler} from '@smithy/node-http-handler'; import {NodeHttpHandler} from '@aws-sdk/node-http-handler';
import {HttpProxyAgent} from 'http-proxy-agent'; import ProxyAgent from 'proxy-agent';
import {HttpsProxyAgent} from 'https-proxy-agent';
const ecrRegistryRegex = /^(([0-9]{12})\.(dkr\.ecr|dkr-ecr)\.(.+)\.(on\.aws|amazonaws\.(com(.cn)?|eu)))(\/([^:]+)(:.+)?)?$/; const ecrRegistryRegex = /^(([0-9]{12})\.dkr\.ecr\.(.+)\.amazonaws\.com(.cn)?)(\/([^:]+)(:.+)?)?$/;
const ecrPublicRegistryRegex = /public\.ecr\.aws|ecr-public\.aws\.com/;
export const isECR = (registry: string): boolean => { export const isECR = (registry: string): boolean => {
return ecrRegistryRegex.test(registry) || isPubECR(registry); return ecrRegistryRegex.test(registry) || isPubECR(registry);
}; };
export const isPubECR = (registry: string): boolean => { export const isPubECR = (registry: string): boolean => {
return ecrPublicRegistryRegex.test(registry); return registry === 'public.ecr.aws';
}; };
export const getRegion = (registry: string): string => { export const getRegion = (registry: string): string => {
@ -24,7 +22,7 @@ export const getRegion = (registry: string): string => {
if (!matches) { if (!matches) {
return ''; return '';
} }
return matches[4]; return matches[3];
}; };
export const getAccountIDs = (registry: string): string[] => { export const getAccountIDs = (registry: string): string[] => {
@ -35,7 +33,7 @@ export const getAccountIDs = (registry: string): string[] => {
if (!matches) { if (!matches) {
return []; return [];
} }
const accountIDs: Array<string> = [matches[2]]; let accountIDs: Array<string> = [matches[2]];
if (process.env.AWS_ACCOUNT_IDS) { if (process.env.AWS_ACCOUNT_IDS) {
accountIDs.push(...process.env.AWS_ACCOUNT_IDS.split(',')); accountIDs.push(...process.env.AWS_ACCOUNT_IDS.split(','));
} }
@ -58,18 +56,18 @@ export const getRegistriesData = async (registry: string, username?: string, pas
authTokenRequest['registryIds'] = accountIDs; authTokenRequest['registryIds'] = accountIDs;
} }
let httpProxyAgent; let httpProxyAgent: any = null;
const httpProxy = process.env.http_proxy || process.env.HTTP_PROXY || ''; const httpProxy = process.env.http_proxy || process.env.HTTP_PROXY || '';
if (httpProxy) { if (httpProxy) {
core.debug(`Using http proxy ${httpProxy}`); core.debug(`Using http proxy ${httpProxy}`);
httpProxyAgent = new HttpProxyAgent(httpProxy); httpProxyAgent = new ProxyAgent(httpProxy);
} }
let httpsProxyAgent; let httpsProxyAgent: any = null;
const httpsProxy = process.env.https_proxy || process.env.HTTPS_PROXY || ''; const httpsProxy = process.env.https_proxy || process.env.HTTPS_PROXY || '';
if (httpsProxy) { if (httpsProxy) {
core.debug(`Using https proxy ${httpsProxy}`); core.debug(`Using https proxy ${httpsProxy}`);
httpsProxyAgent = new HttpsProxyAgent(httpsProxy); httpsProxyAgent = new ProxyAgent(httpsProxy);
} }
const credentials = const credentials =
@ -97,8 +95,6 @@ export const getRegistriesData = async (registry: string, username?: string, pas
} }
const authToken = Buffer.from(authTokenResponse.authorizationData.authorizationToken, 'base64').toString('utf-8'); const authToken = Buffer.from(authTokenResponse.authorizationData.authorizationToken, 'base64').toString('utf-8');
const creds = authToken.split(':', 2); const creds = authToken.split(':', 2);
core.setSecret(creds[0]); // redacted in workflow logs
core.setSecret(creds[1]); // redacted in workflow logs
return [ return [
{ {
registry: 'public.ecr.aws', registry: 'public.ecr.aws',
@ -125,8 +121,6 @@ export const getRegistriesData = async (registry: string, username?: string, pas
for (const authData of authTokenResponse.authorizationData) { for (const authData of authTokenResponse.authorizationData) {
const authToken = Buffer.from(authData.authorizationToken || '', 'base64').toString('utf-8'); const authToken = Buffer.from(authData.authorizationToken || '', 'base64').toString('utf-8');
const creds = authToken.split(':', 2); const creds = authToken.split(':', 2);
core.setSecret(creds[0]); // redacted in workflow logs
core.setSecret(creds[1]); // redacted in workflow logs
regDatas.push({ regDatas.push({
registry: authData.proxyEndpoint || '', registry: authData.proxyEndpoint || '',
username: creds[0], username: creds[0],

75
src/context.ts
View File

@ -1,27 +1,11 @@
import path from 'path';
import * as core from '@actions/core'; import * as core from '@actions/core';
import * as yaml from 'js-yaml';
import {Buildx} from '@docker/actions-toolkit/lib/buildx/buildx.js';
import {Util} from '@docker/actions-toolkit/lib/util.js';
export interface Inputs { export interface Inputs {
registry: string; registry: string;
username: string; username: string;
password: string; password: string;
scope: string;
ecr: string; ecr: string;
logout: boolean; logout: boolean;
registryAuth: string;
}
export interface Auth {
registry: string;
username: string;
password: string;
scope: string;
ecr: string;
configDir: string;
} }
export function getInputs(): Inputs { export function getInputs(): Inputs {
@ -29,64 +13,7 @@ export function getInputs(): Inputs {
registry: core.getInput('registry'), registry: core.getInput('registry'),
username: core.getInput('username'), username: core.getInput('username'),
password: core.getInput('password'), password: core.getInput('password'),
scope: core.getInput('scope'),
ecr: core.getInput('ecr'), ecr: core.getInput('ecr'),
logout: core.getBooleanInput('logout'), logout: core.getBooleanInput('logout')
registryAuth: core.getInput('registry-auth')
}; };
} }
export function getAuthList(inputs: Inputs): Array<Auth> {
if (inputs.registryAuth && (inputs.registry || inputs.username || inputs.password || inputs.scope || inputs.ecr)) {
throw new Error('Cannot use registry-auth with other inputs');
}
let auths: Array<Auth> = [];
if (!inputs.registryAuth) {
const registry = inputs.registry || 'docker.io';
auths.push({
registry,
username: inputs.username,
password: inputs.password,
scope: inputs.scope,
ecr: inputs.ecr || 'auto',
configDir: scopeToConfigDir(registry, inputs.scope)
});
} else {
auths = (yaml.load(inputs.registryAuth) as Array<Auth>).map(auth => {
core.setSecret(auth.password); // redacted in workflow logs
const registry = auth.registry || 'docker.io';
return {
registry,
username: auth.username,
password: auth.password,
scope: auth.scope,
ecr: auth.ecr || 'auto',
configDir: scopeToConfigDir(registry, auth.scope)
};
});
}
if (auths.length == 0) {
throw new Error('No registry to login');
}
return auths;
}
export function scopeToConfigDir(registry: string, scope?: string): string {
if (scopeDisabled() || !scope || scope === '') {
return '';
}
let configDir = path.join(Buildx.configDir, 'config', registry === 'docker.io' ? 'registry-1.docker.io' : registry);
if (scope.startsWith('@')) {
configDir += scope;
} else {
configDir = path.join(configDir, scope);
}
return configDir;
}
function scopeDisabled(): boolean {
if (process.env.DOCKER_LOGIN_SCOPE_DISABLED) {
return Util.parseBool(process.env.DOCKER_LOGIN_SCOPE_DISABLED);
}
return false;
}

94
src/docker.ts
View File

@ -1,81 +1,71 @@
import * as aws from './aws';
import * as core from '@actions/core'; import * as core from '@actions/core';
import * as exec from '@actions/exec';
import {Docker} from '@docker/actions-toolkit/lib/docker/docker.js'; export async function login(registry: string, username: string, password: string, ecr: string): Promise<void> {
if (/true/i.test(ecr) || (ecr == 'auto' && aws.isECR(registry))) {
import * as aws from './aws.js'; await loginECR(registry, username, password);
import * as context from './context.js';
export async function login(auth: context.Auth): Promise<void> {
if (/true/i.test(auth.ecr) || (auth.ecr == 'auto' && aws.isECR(auth.registry))) {
await loginECR(auth.registry, auth.username, auth.password, auth.scope);
} else { } else {
await loginStandard(auth.registry, auth.username, auth.password, auth.scope); await loginStandard(registry, username, password);
} }
} }
export async function logout(registry: string, configDir: string): Promise<void> { export async function logout(registry: string): Promise<void> {
let envs: {[key: string]: string} | undefined; await exec
if (configDir !== '') { .getExecOutput('docker', ['logout', registry], {
envs = Object.assign({}, process.env, { ignoreReturnCode: true
DOCKER_CONFIG: configDir })
}) as { .then(res => {
[key: string]: string;
};
core.info(`Alternative config dir: ${configDir}`);
}
await Docker.getExecOutput(['logout', registry], {
ignoreReturnCode: true,
env: envs
}).then(res => {
if (res.stderr.length > 0 && res.exitCode != 0) { if (res.stderr.length > 0 && res.exitCode != 0) {
core.warning(res.stderr.trim()); core.warning(res.stderr.trim());
} }
}); });
} }
export async function loginStandard(registry: string, username: string, password: string, scope?: string): Promise<void> { export async function loginStandard(registry: string, username: string, password: string): Promise<void> {
if (!username && !password) { if (!username || !password) {
throw new Error('Username and password required'); throw new Error('Username and password required');
} }
if (!username) {
throw new Error('Username required'); let loginArgs: Array<string> = ['login', '--password-stdin'];
loginArgs.push('--username', username);
loginArgs.push(registry);
if (registry) {
core.info(`Logging into ${registry}...`);
} else {
core.info(`Logging into Docker Hub...`);
} }
if (!password) { await exec
throw new Error('Password required'); .getExecOutput('docker', loginArgs, {
ignoreReturnCode: true,
silent: true,
input: Buffer.from(password)
})
.then(res => {
if (res.stderr.length > 0 && res.exitCode != 0) {
throw new Error(res.stderr.trim());
} }
await loginExec(registry, username, password, scope); core.info(`Login Succeeded!`);
});
} }
export async function loginECR(registry: string, username: string, password: string, scope?: string): Promise<void> { export async function loginECR(registry: string, username: string, password: string): Promise<void> {
core.info(`Retrieving registries data through AWS SDK...`); core.info(`Retrieving registries data through AWS SDK...`);
const regDatas = await aws.getRegistriesData(registry, username, password); const regDatas = await aws.getRegistriesData(registry, username, password);
for (const regData of regDatas) { for (const regData of regDatas) {
await loginExec(regData.registry, regData.username, regData.password, scope); core.info(`Logging into ${regData.registry}...`);
} await exec
} .getExecOutput('docker', ['login', '--password-stdin', '--username', regData.username, regData.registry], {
async function loginExec(registry: string, username: string, password: string, scope?: string): Promise<void> {
let envs: {[key: string]: string} | undefined;
const configDir = context.scopeToConfigDir(registry, scope);
if (configDir !== '') {
envs = Object.assign({}, process.env, {
DOCKER_CONFIG: configDir
}) as {
[key: string]: string;
};
core.info(`Logging into ${registry} (scope ${scope})...`);
} else {
core.info(`Logging into ${registry}...`);
}
await Docker.getExecOutput(['login', '--password-stdin', '--username', username, registry], {
ignoreReturnCode: true, ignoreReturnCode: true,
silent: true, silent: true,
input: Buffer.from(password), input: Buffer.from(regData.password)
env: envs })
}).then(res => { .then(res => {
if (res.stderr.length > 0 && res.exitCode != 0) { if (res.stderr.length > 0 && res.exitCode != 0) {
throw new Error(res.stderr.trim()); throw new Error(res.stderr.trim());
} }
core.info('Login Succeeded!'); core.info('Login Succeeded!');
}); });
}
} }

46
src/main.ts
View File

@ -1,38 +1,28 @@
import * as core from '@actions/core'; import * as core from '@actions/core';
import * as actionsToolkit from '@docker/actions-toolkit'; import * as context from './context';
import * as docker from './docker';
import * as stateHelper from './state-helper';
import * as context from './context.js'; export async function run(): Promise<void> {
import * as docker from './docker.js'; try {
import * as stateHelper from './state-helper.js'; const input: context.Inputs = context.getInputs();
stateHelper.setRegistry(input.registry);
export async function main(): Promise<void> { stateHelper.setLogout(input.logout);
const inputs: context.Inputs = context.getInputs(); await docker.login(input.registry, input.username, input.password, input.ecr);
stateHelper.setLogout(inputs.logout); } catch (error) {
core.setFailed(error.message);
const auths = context.getAuthList(inputs);
stateHelper.setRegistries(Array.from(new Map(auths.map(auth => [`${auth.registry}|${auth.configDir}`, {registry: auth.registry, configDir: auth.configDir} as stateHelper.RegistryState])).values()));
if (auths.length === 1) {
await docker.login(auths[0]);
return;
}
for (const auth of auths) {
await core.group(`Login to ${auth.registry}`, async () => {
await docker.login(auth);
});
} }
} }
async function post(): Promise<void> { async function logout(): Promise<void> {
if (!stateHelper.logout) { if (!stateHelper.logout) {
return; return;
} }
for (const registryState of stateHelper.registries) { await docker.logout(stateHelper.registry);
await core.group(`Logout from ${registryState.registry}`, async () => {
await docker.logout(registryState.registry, registryState.configDir);
});
}
} }
actionsToolkit.run(main, post); if (!stateHelper.IsPost) {
run();
} else {
logout();
}

16
src/state-helper.ts
View File

@ -1,17 +1,17 @@
import * as core from '@actions/core'; import * as core from '@actions/core';
export const registries = process.env['STATE_registries'] ? (JSON.parse(process.env['STATE_registries']) as Array<RegistryState>) : []; export const IsPost = !!process.env['STATE_isPost'];
export const registry = process.env['STATE_registry'] || '';
export const logout = /true/i.test(process.env['STATE_logout'] || ''); export const logout = /true/i.test(process.env['STATE_logout'] || '');
export interface RegistryState { export function setRegistry(registry: string) {
registry: string; core.saveState('registry', registry);
configDir: string;
}
export function setRegistries(registries: Array<RegistryState>) {
core.saveState('registries', JSON.stringify(registries));
} }
export function setLogout(logout: boolean) { export function setLogout(logout: boolean) {
core.saveState('logout', logout); core.saveState('logout', logout);
} }
if (!IsPost) {
core.saveState('isPost', 'true');
}

19
tsconfig.json
View File

@ -1,17 +1,18 @@
{ {
"compilerOptions": { "compilerOptions": {
"module": "nodenext", "target": "es6",
"moduleResolution": "nodenext", "module": "commonjs",
"esModuleInterop": true, "lib": [
"es6",
"dom"
],
"newLine": "lf", "newLine": "lf",
"outDir": "./lib", "outDir": "./lib",
"rootDir": "./src", "rootDir": "./src",
"forceConsistentCasingInFileNames": true, "strict": true,
"noImplicitAny": false, "noImplicitAny": false,
"resolveJsonModule": true, "esModuleInterop": true,
"useUnknownInCatchVariables": false, "sourceMap": true
}, },
"include": [ "exclude": ["node_modules", "**/*.test.ts"]
"src/**/*.ts"
]
} }

16
vitest.config.ts
View File

@ -1,16 +0,0 @@
import {defineConfig} from 'vitest/config';
export default defineConfig({
test: {
clearMocks: true,
environment: 'node',
setupFiles: ['./__tests__/setup.unit.ts'],
include: ['**/*.test.ts'],
coverage: {
provider: 'v8',
reporter: ['clover'],
include: ['src/**/*.ts'],
exclude: ['src/**/main.ts']
}
}
});

11554
yarn.lock
View File

File diff suppressed because it is too large Load Diff