From 3058b622a9bffb71764b4d6e07ef6f6910b7d9fe Mon Sep 17 00:00:00 2001
From: pexcn
Date: Wed, 22 Apr 2026 15:09:26 +0800
Subject: [PATCH] add ssh and secrets inputs to build workflow

Expose ssh and secrets inputs in workflow_call and pass them through to docker/build-push-action. Set up ssh-agent when ssh is configured so SSH_AUTH_SOCK is available for BuildKit SSH mounts.
---
.github/workflows/build.yml | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 8179f9f..27d4d1e 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -76,6 +76,10 @@ on: type: string description: "List of target platforms to build" required: false + secrets: + type: string + description: "List of secrets to expose to the build" + required: false push: type: boolean description: "Push image to the registry (for image output)"
@@ -90,6 +94,10 @@ on: type: string description: "Size of /dev/shm (e.g., 2g)" required: false + ssh: + type: string + description: "List of SSH agent socket or keys to expose to the build" + required: false sign: type: string description: "Sign attestation manifest for image output or artifacts for local output, can be one of auto, true or false. The auto mode will enable signing if push is enabled for pushing the image or if artifact-upload is enabled for uploading the local build output as GitHub Artifact"
@@ -133,6 +141,9 @@ on: github-token: description: "GitHub Token used to authenticate against the repository for Git context" required: false + ssh-private-key: + description: "SSH private key used to populate SSH_AUTH_SOCK for buildx SSH mounts" + required: false outputs: meta-json: description: "Metadata JSON output (for image output)"
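Review bot: The new `secrets` input in the first hunk is a plain `workflow_call` string input, which is a poor channel for secret material: as far as I recall the `secrets` context is not available in a caller's `jobs.<job_id>.with` (only in `jobs.<job_id>.secrets`), so a caller cannot forward `${{ secrets.X }}` into it directly, and whatever does arrive through `inputs.secrets` is only masked by the runner if the caller derived it from a secret. The `ssh-private-key` entry in the third hunk and the existing `github-token`/`GIT_AUTH_TOKEN` path already use the right route, so build secrets should probably follow it too — e.g. add a `workflow_call.secrets` entry (say `build-secrets:` with `description: "One id=value pair per line, exposed to the build as BuildKit secrets"` and `required: false`) and pass `secrets: ${{ secrets.build-secrets }}` in the last hunk instead of `${{ inputs.secrets }}`. If the string input is kept on purpose, its description should say that it is for non-sensitive `id=value` pairs only. In either case the description `"List of secrets to expose to the build"` should state the expected format, e.g. `one id=value pair per line, as accepted by the secrets input of docker/build-push-action`.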
@@ -653,6 +664,14 @@ jobs: uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 with: registry-auth: ${{ secrets.registry-auths }} + - name: Set up ssh-agent + if: ${{ inputs.ssh }} + shell: bash + run: | + eval "$(ssh-agent -s)" + echo "${{ secrets.ssh-private-key }}" | tr -d '\r' | ssh-add - + echo "SSH_AUTH_SOCK=$SSH_AUTH_SOCK" >> "$GITHUB_ENV" - name: Build id: build
@@ -669,8 +688,10 @@ jobs: platforms: ${{ steps.prepare.outputs.platform }} provenance: ${{ steps.prepare.outputs.provenance }} sbom: ${{ steps.prepare.outputs.sbom }} + secrets: ${{ inputs.secrets }} secret-envs: GIT_AUTH_TOKEN=GIT_AUTH_TOKEN shm-size: ${{ inputs.shm-size }} + ssh: ${{ inputs.ssh }} target: ${{ inputs.target }} ulimit: ${{ inputs.ulimit }} env:
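Review bot: In the `Set up ssh-agent` step the private key is interpolated straight into the script text by `echo "${{ secrets.ssh-private-key }}"`; the hardened form is to hand it to the step through `env:` and read it from the shell variable, which keeps the key out of the expanded script and out of the GitHub expression-injection path. The step also exports only `SSH_AUTH_SOCK` and drops `SSH_AGENT_PID`, so nothing later in the job can run `ssh-agent -k`, and the loaded key stays resident in the agent until the job ends — mainly a concern on self-hosted runners; exporting the PID as well allows a final `if: always()` cleanup step. When a caller sets `ssh` but supplies no key, `ssh-add -` fails on empty input under bash's default `-eo pipefail`, which is the right outcome but an opaque error; a guard that names the missing secret is clearer. The `secrets: ${{ inputs.secrets }}` / `ssh: ${{ inputs.ssh }}` pass-through in the second hunk is fine as far as this step is concerned.

```yaml
      -
        name: Set up ssh-agent
        if: ${{ inputs.ssh }}
        shell: bash
        env:
          SSH_PRIVATE_KEY: ${{ secrets.ssh-private-key }}
        run: |
          if [ -z "$SSH_PRIVATE_KEY" ]; then
            echo "inputs.ssh is set but secrets.ssh-private-key was not provided" >&2
            exit 1
          fi
          eval "$(ssh-agent -s)"
          printf '%s\n' "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add -
          echo "SSH_AUTH_SOCK=$SSH_AUTH_SOCK" >> "$GITHUB_ENV"
          echo "SSH_AGENT_PID=$SSH_AGENT_PID" >> "$GITHUB_ENV"
      # … unchanged: Build step …
```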