From 07b757e0a645024ae127180898e264a4a1479c9d Mon Sep 17 00:00:00 2001 From: CrazyMax <1951866+crazy-max@users.noreply.github.com> Date: Wed, 5 Nov 2025 18:11:27 +0100 Subject: [PATCH 1/3] ci: fix test workflow Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com> --- .github/workflows/.test.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/.test.yml b/.github/workflows/.test.yml index a29dcda0..1d28eee7 100644 --- a/.github/workflows/.test.yml +++ b/.github/workflows/.test.yml @@ -18,7 +18,7 @@ on: jobs: build-aws-single: - uses: .github/workflows/build.yml + uses: ./.github/workflows/build.yml permissions: contents: read packages: write @@ -38,7 +38,7 @@ jobs: password: ${{ secrets.AWS_SECRET_ACCESS_KEY }} build-aws: - uses: .github/workflows/build.yml + uses: ./.github/workflows/build.yml permissions: contents: read packages: write @@ -59,7 +59,7 @@ jobs: password: ${{ secrets.AWS_SECRET_ACCESS_KEY }} build-ghcr: - uses: .github/workflows/build.yml + uses: ./.github/workflows/build.yml permissions: contents: read packages: write @@ -79,7 +79,7 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} build-dockerhub-stage: - uses: .github/workflows/build.yml + uses: ./.github/workflows/build.yml permissions: contents: read packages: write @@ -99,7 +99,7 @@ jobs: password: ${{ secrets.DOCKERHUB_STAGE_TOKEN }} build-ghcr-and-aws: - uses: .github/workflows/build.yml + uses: ./.github/workflows/build.yml permissions: contents: read packages: write @@ -124,7 +124,7 @@ jobs: password: ${{ secrets.AWS_SECRET_ACCESS_KEY }} build-local: - uses: .github/workflows/build.yml + uses: ./.github/workflows/build.yml permissions: contents: read packages: write From 20341faca676fbbd5b65f76e0c938ced1d307ff6 Mon Sep 17 00:00:00 2001 From: CrazyMax <1951866+crazy-max@users.noreply.github.com> Date: Wed, 5 Nov 2025 18:13:49 +0100 Subject: [PATCH 2/3] build: todo comment for buildx release 
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com> --- .github/workflows/build.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 8ff36415..5180779b 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -206,6 +206,7 @@ jobs: name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 with: + # TODO: switch to latest once Buildx v0.30.0 is released version: https://github.com/docker/buildx.git#62857022a08552bee5cad0c3044a9a3b185f0b32 buildkitd-flags: --debug - From 454cc67ff111b8c1a9e1f5a4648a3e919f764bf3 Mon Sep 17 00:00:00 2001 From: CrazyMax <1951866+crazy-max@users.noreply.github.com> Date: Wed, 5 Nov 2025 18:16:34 +0100 Subject: [PATCH 3/3] ci: add job for testing oidc auth on docker hub Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com> --- .github/workflows/.test.yml | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/.github/workflows/.test.yml b/.github/workflows/.test.yml index 1d28eee7..0e2e549d 100644 --- a/.github/workflows/.test.yml +++ b/.github/workflows/.test.yml @@ -27,7 +27,7 @@ jobs: meta-images: | public.ecr.aws/q3b5f1u4/test-docker-action meta-tags: | - type=raw,value=ghbuilder-${{ github.run_id }} + type=raw,value=ghbuilder-single-${{ github.run_id }} build-file: test/hello.Dockerfile build-output: ${{ github.event_name != 'pull_request' && 'registry' || 'cacheonly' }} build-sbom: true 
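Review bot: The TODO added above `version:` in the `Set up Docker Buildx` step of `.github/workflows/build.yml` plans a move to `latest`, which would swap the current commit-pinned Buildx source for a floating release in a reusable workflow that is handed `registry-auths` secrets. Pinning the released version keeps the build toolchain reproducible and reviewable, so the comment would read better as `# TODO: pin to v0.30.0 once that Buildx release is published`. The `uses: docker/setup-buildx-action@v3` context line is also a mutable tag, and pinning it to a full commit SHA would be consistent with the pinned `version:`. The step starts and ends outside the hunk.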
@@ -98,6 +98,25 @@ jobs: username: ${{ vars.DOCKERHUB_STAGE_USERNAME }} password: ${{ secrets.DOCKERHUB_STAGE_TOKEN }} + build-dockerhub-stage-oidc: + uses: ./.github/workflows/build.yml + permissions: + contents: read + packages: write + id-token: write + with: + meta-images: registry-1-stage.docker.io/docker/github-builder-test + meta-tags: | + type=raw,value=${{ github.run_id }},prefix=oidc- + build-file: test/hello.Dockerfile + build-output: ${{ github.event_name != 'pull_request' && 'registry' || 'cacheonly' }} + build-sbom: true + build-platforms: linux/amd64,linux/arm64 + secrets: + registry-auths: | + - registry: registry-1-stage.docker.io + username: docker:cdeb5882-30b7-4076-be92-bfdceb258e9c + build-ghcr-and-aws: uses: ./.github/workflows/build.yml permissions: @@ -109,7 +128,7 @@ jobs: ghcr.io/docker/github-builder-test public.ecr.aws/q3b5f1u4/test-docker-action meta-tags: | - type=raw,value=${{ github.run_id }} + type=raw,value=${{ github.run_id }},prefix=ghcr-and-aws- build-file: test/hello.Dockerfile build-output: ${{ github.event_name != 'pull_request' && 'registry' || 'cacheonly' }} build-sbom: true
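Review bot: The new `build-dockerhub-stage-oidc` job grants `packages: write` next to `id-token: write` although it pushes only to `registry-1-stage.docker.io`; unless `build.yml` itself requires it, lowering it to `packages: read` would keep the OIDC job to least privilege. The `username: docker:cdeb5882-30b7-4076-be92-bfdceb258e9c` entry with no `password` is presumably the OIDC connection identity, and a comment above it would say so, e.g. `# OIDC identity on Docker Hub stage; no password, token is exchanged via id-token: write`. The registry-side trust for that identity should be restricted to this repository and workflow ref, which is not visible in the diff. On pull requests from forks `id-token: write` is not granted, so it is worth confirming that `build.yml` skips the registry login when `build-output` is `cacheonly`.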