feat(docker): supports custom buildkit config

.github/workflows/__test-action-docker-build-image.yml

@@ -250,4 +250,98 @@ jobs:
             exit 1
           fi
 
+  tests-with-buildkitd-config-inline:
+    name: Test for "docker/build-image" action with BuildKit daemon config
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Arrange - Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Arrange - Ensure token is set
+        run: |
+          if [ -z "${{ github.token }}" ]; then
+            echo "GitHub token is not set"
+            exit 1
+          fi
+
+      - name: Act - Build image
+        id: build-image
+        uses: ./actions/docker/build-image
+        with:
+          oci-registry: ghcr.io
+          oci-registry-password: ${{ github.token }}
+          context: "."
+          dockerfile: "./tests/application/Dockerfile"
+          target: "prod"
+          platform: "linux/amd64"
+          image: application-test
+          buildkitd-config-inline: |
+            debug = true
+            [worker.oci]
+              max-parallelism = 2
+
+      - name: Assert - Check BuildKit daemon config
+        run: |
+          BUILDKIT_CONTAINER=$(docker ps --filter 'name=buildx_buildkit_' --format '{{.Names}}' | head -n 1)
+          if [ -z "$BUILDKIT_CONTAINER" ]; then
+            echo "Failed to find BuildKit container"
+            docker ps -a
+            exit 1
+          fi
+
+          BUILDKIT_CONFIG=$(docker exec "$BUILDKIT_CONTAINER" cat /etc/buildkit/buildkitd.toml)
+          printf '%s\n' "$BUILDKIT_CONFIG"
+
+          echo "$BUILDKIT_CONFIG" | grep -F 'debug = true'
+          echo "$BUILDKIT_CONFIG" | grep -F '[worker.oci]'
+          echo "$BUILDKIT_CONFIG" | grep -F 'max-parallelism = 2'
+
+      - name: Assert - Check built image output
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        with:
+          script: |
+            const assert = require("assert");
+
+            const builtImageOutput = ${{ toJSON(steps.build-image.outputs.built-image) }};
+            assert(builtImageOutput, `"built-image" output is empty`);
+
+            let builtImage;
+            try {
+              builtImage = JSON.parse(builtImageOutput);
+            } catch (error) {
+              assert.fail(`Failed to parse built image output: ${error}`);
+            }
+
+            assert(builtImage, `"built-image" output is empty`);
+            assert.equal(builtImage.name, "application-test", `"name" output is not valid`);
+            assert.match(
+              builtImage.digest,
+              /^sha256:[a-f0-9]{64}$/,
+              `"digest" output is not valid`
+            );
+
+      - uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ github.token }}
+
+      - name: Assert - Check docker image
+        run: |
+          IMAGE=$(echo '${{ steps.build-image.outputs.built-image }}' | jq -r '.image')
+          if ! docker pull "$IMAGE"; then
+            echo "Failed to pull $IMAGE"
+            exit 1
+          fi
+
+          if ! docker manifest inspect "$IMAGE"; then
+            echo "Failed to inspect $IMAGE"
+            exit 1
+          fi
+
 # jscpd:ignore-end

.github/workflows/docker-build-images.yml

@@ -104,6 +104,18 @@ on: # yamllint disable-line rule:truthy
         default: "gha"
         type: string
         required: false
+      buildkitd-config-inline:
+        description: |
+          Inline BuildKit daemon configuration.
+          See https://github.com/docker/setup-buildx-action#inputs.
+          Example for insecure registry:
+            ```ini
+            [registry."my-registry.local:5000"]
+              http = true
+              insecure = true
+            ```
+        type: string
+        required: false
       sign:
         description: |
           Sign built images.
@@ -427,6 +439,7 @@ jobs:
           secret-envs: ${{ steps.prepare-secret-envs.outputs.secret-envs }}
           secrets: ${{ secrets.build-secrets }}
           cache-type: ${{ inputs.cache-type }}
+          buildkitd-config-inline: ${{ inputs.buildkitd-config-inline }}
           multi-platform: ${{ matrix.image.multi-platform }}
 
       # FIXME: Set built images infos in file to be uploaded as artifacts, because github action does not handle job outputs for matrix

actions/docker/build-image/action.yml

@@ -101,6 +101,17 @@ inputs:
       See https://docs.docker.com/build/cache/backends.
     default: "gha"
     required: false
+  buildkitd-config-inline:
+    description: |
+      Inline BuildKit daemon configuration.
+      See https://github.com/docker/setup-buildx-action#inputs.
+      Example for insecure registry:
+        ```ini
+        [registry."my-registry.local:5000"]
+          http = true
+          insecure = true
+        ```
+    required: false
   multi-platform:
     description: |
       Whether this build participates in a multi-platform image publication.
@@ -153,6 +164,7 @@ runs:
         oci-registry: ${{ inputs.oci-registry }}
         oci-registry-username: ${{ inputs.oci-registry-username }}
         oci-registry-password: ${{ inputs.oci-registry-password }}
+        buildkitd-config-inline: ${{ inputs.buildkitd-config-inline }}
 
     - id: metadata
       uses: ./self-actions/docker/get-image-metadata

actions/docker/setup/action.yml

@@ -25,6 +25,16 @@ inputs:
       Password or personal access token configuration used to log against OCI registries.
       Accepts either a single password/token string (default format) or a JSON object using the same keys as `oci-registry`.
     required: false
+  buildkitd-config-inline:
+    description: |
+      Inline BuildKit daemon configuration.
+      See https://github.com/docker/setup-buildx-action#inputs.
+      Example for insecure registry:
+        ```ini
+        [registry."my-registry.local:5000"]
+          http = true
+          insecure = true
+        ```
   built-images:
     description: |
       Optional built images payload used to resolve manifest publication registries.
@@ -387,6 +397,7 @@ runs:
         # FIXME: upgrade version when available (https://hub.docker.com/r/moby/buildkit)
         driver-opts: |
           image=moby/buildkit:v0.27.0
+        buildkitd-config-inline: ${{ inputs.buildkitd-config-inline }}
 
     - if: steps.resolve-oci-registries.outputs.has-registry-auth == 'true'
       uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0