authentication token scopes support

Signed-off-by: CrazyMax <[email protected]>

Author: crazy-max

.github/workflows/.test-bake.yml

@@ -179,6 +179,55 @@ jobs:
             const builderOutputs = JSON.parse(core.getInput('builder-outputs'));
             core.info(JSON.stringify(builderOutputs, null, 2));
 
+  bake-dockerhub-stage:
+    uses: ./.github/workflows/bake.yml
+    permissions:
+      contents: read
+      id-token: write
+    with:
+      context: test
+      output: image
+      push: ${{ github.event_name != 'pull_request' }}
+      sbom: true
+      target: hello-cross
+      meta-images: |
+        registry-1-stage.docker.io/docker/github-builder-test
+      meta-tags: |
+        type=raw,value=bake-ghbuilder-${{ github.run_id }}
+    secrets:
+      registry-auths: |
+        - registry: registry-1-stage.docker.io
+          username: ${{ vars.DOCKERHUB_STAGE_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_STAGE_TOKEN }}
+
+  bake-dockerhub-stage-verify:
+    uses: ./.github/workflows/verify.yml
+    if: ${{ github.event_name != 'pull_request' }}
+    needs:
+      - bake-dockerhub-stage
+    with:
+      builder-outputs: ${{ toJSON(needs.bake-dockerhub-stage.outputs) }}
+    secrets:
+      registry-auths: |
+        - registry: registry-1-stage.docker.io
+          username: ${{ vars.DOCKERHUB_STAGE_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_STAGE_TOKEN }}
+
+  bake-dockerhub-stage-outputs:
+    runs-on: ubuntu-24.04
+    needs:
+      - bake-dockerhub-stage
+    steps:
+      -
+        name: Builder outputs
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        env:
+          INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.bake-dockerhub-stage.outputs) }}
+        with:
+          script: |
+            const builderOutputs = JSON.parse(core.getInput('builder-outputs'));
+            core.info(JSON.stringify(builderOutputs, null, 2));
+
   bake-ghcr-and-aws:
     uses: ./.github/workflows/bake.yml
     permissions:
@@ -447,3 +496,38 @@ jobs:
       sbom: true
       sign: ${{ github.event_name != 'pull_request' }}
       target: hello-cross
+
+  bake-auth-scope:
+    uses: ./.github/workflows/bake.yml
+    permissions:
+      contents: read
+      id-token: write
+    with:
+      context: test
+      output: image
+      push: ${{ github.event_name != 'pull_request' }}
+      sbom: true
+      target: hello-cross
+      meta-images: |
+        registry-1-stage.docker.io/docker/github-builder-test
+      meta-tags: |
+        type=raw,value=bake-ghbuilder-scope-${{ github.run_id }}
+    secrets:
+      registry-auths: |
+        - registry: registry-1-stage.docker.io
+          username: ${{ vars.DOCKERHUB_STAGE_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_STAGE_TOKEN }}
+          scope: '@push'
+
+  bake-auth-scope-verify:
+    uses: ./.github/workflows/verify.yml
+    if: ${{ github.event_name != 'pull_request' }}
+    needs:
+      - bake-auth-scope
+    with:
+      builder-outputs: ${{ toJSON(needs.bake-auth-scope.outputs) }}
+    secrets:
+      registry-auths: |
+        - registry: registry-1-stage.docker.io
+          username: ${{ vars.DOCKERHUB_STAGE_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_STAGE_TOKEN }}

.github/workflows/.test-build.yml

@@ -542,3 +542,37 @@ jobs:
       platforms: linux/amd64,linux/arm64
       sbom: true
       sign: ${{ github.event_name != 'pull_request' }}
+
+  build-auth-scope:
+    uses: ./.github/workflows/build.yml
+    permissions:
+      contents: read
+      id-token: write
+    with:
+      file: test/hello.Dockerfile
+      output: image
+      platforms: linux/amd64,linux/arm64
+      push: ${{ github.event_name != 'pull_request' }}
+      sbom: true
+      meta-images: registry-1-stage.docker.io/docker/github-builder-test
+      meta-tags: |
+        type=raw,value=build-scope-${{ github.run_id }}
+    secrets:
+      registry-auths: |
+        - registry: registry-1-stage.docker.io
+          username: ${{ vars.DOCKERHUB_STAGE_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_STAGE_TOKEN }}
+          scope: '@push'
+
+  build-auth-scope-verify:
+    uses: ./.github/workflows/verify.yml
+    if: ${{ github.event_name != 'pull_request' }}
+    needs:
+      - build-auth-scope
+    with:
+      builder-outputs: ${{ toJSON(needs.build-auth-scope.outputs) }}
+    secrets:
+      registry-auths: |
+        - registry: registry-1-stage.docker.io
+          username: ${{ vars.DOCKERHUB_STAGE_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_STAGE_TOKEN }}

.github/workflows/bake.yml

@@ -632,7 +632,7 @@ jobs:
       -
         name: Login to registry
         if: ${{ inputs.push && inputs.output == 'image' }}
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@scope # TODO: pin to a specific version when scope feature is supported
         with:
           registry-auth: ${{ secrets.registry-auths }}
       -
@@ -663,6 +663,14 @@ jobs:
             const imageDigest = inpMetadata[inpTarget]['containerimage.digest'];
             core.info(imageDigest);
             core.setOutput('digest', imageDigest);
+      -
+        name: Login to registry for signing
+        if: ${{ needs.prepare.outputs.sign == 'true' && inputs.output == 'image' }}
+        uses: docker/login-action@scope # TODO: pin to a specific version when scope feature is supported
+        with:
+          registry-auth: ${{ secrets.registry-auths }}
+        env:
+          DOCKER_LOGIN_SCOPE_DISABLED: true # make sure the scope feature is disabled to avoid interfering with cosign OIDC login
       -
         name: Signing attestation manifests
         id: signing-attestation-manifests
@@ -812,9 +820,11 @@ jobs:
       -
         name: Login to registry
         if: ${{ inputs.push && inputs.output == 'image' }}
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@scope # TODO: pin to a specific version when scope feature is supported
         with:
           registry-auth: ${{ secrets.registry-auths }}
+        env:
+          DOCKER_LOGIN_SCOPE_DISABLED: true # FIXME: scope feature is not yet supported by Buildx imagetools command
       -
         name: Set up Docker Buildx
         if: ${{ inputs.push && inputs.output == 'image' }}

.github/workflows/build.yml

@@ -545,7 +545,7 @@ jobs:
       -
         name: Login to registry
         if: ${{ inputs.push && inputs.output == 'image' }}
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@scope # TODO: pin to a specific version when scope feature is supported
         with:
           registry-auth: ${{ secrets.registry-auths }}
       -
@@ -571,6 +571,14 @@ jobs:
         env:
           BUILDKIT_MULTI_PLATFORM: 1
           GIT_AUTH_TOKEN: ${{ secrets.github-token || github.token }}
+      -
+        name: Login to registry for signing
+        if: ${{ needs.prepare.outputs.sign == 'true' && inputs.output == 'image' }}
+        uses: docker/login-action@scope # TODO: pin to a specific version when scope feature is supported
+        with:
+          registry-auth: ${{ secrets.registry-auths }}
+        env:
+          DOCKER_LOGIN_SCOPE_DISABLED: true # make sure the scope feature is disabled to avoid interfering with cosign OIDC login
       -
         name: Signing attestation manifests
         id: signing-attestation-manifests
@@ -719,9 +727,11 @@ jobs:
       -
         name: Login to registry
         if: ${{ inputs.push && inputs.output == 'image' }}
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@scope # TODO: pin to a specific version when scope feature is supported
         with:
           registry-auth: ${{ secrets.registry-auths }}
+        env:
+          DOCKER_LOGIN_SCOPE_DISABLED: true # FIXME: scope feature is not yet supported by Buildx imagetools command
       -
         name: Set up Docker Buildx
         if: ${{ inputs.push && inputs.output == 'image' }}

.github/workflows/verify.yml

@@ -84,6 +84,8 @@ jobs:
         uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
         with:
           registry-auth: ${{ secrets.registry-auths }}
+        env:
+          DOCKER_LOGIN_SCOPE_DISABLED: true # make sure the scope feature is disabled to avoid interfering with cosign OIDC login
       -
         name: Download artifacts
         if: ${{ steps.vars.outputs.signed == 'true' && steps.vars.outputs.output-type == 'local' }}