{"id":13440601,"url":"https://github.com/concourse/oci-build-task","last_synced_at":"2026-04-02T20:27:24.541Z","repository":{"id":37031954,"uuid":"204168458","full_name":"concourse/oci-build-task","owner":"concourse","description":"a Concourse task for building OCI images","archived":false,"fork":false,"pushed_at":"2026-03-31T22:43:03.000Z","size":312,"stargazers_count":78,"open_issues_count":3,"forks_count":56,"subscribers_count":8,"default_branch":"master","last_synced_at":"2026-04-01T01:27:52.678Z","etag":null,"topics":["buildkit","concourse","concourse-task","docker","golang","oci","oci-image"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/concourse.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":"NOTICE.md","maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"github":["taylorsilva"]}},"created_at":"2019-08-24T14:29:23.000Z","updated_at":"2026-03-19T18:51:58.000Z","dependencies_parsed_at":"2024-02-26T19:47:30.452Z","dependency_job_id":"78ec333b-274e-4fbc-8ef7-d054336d4117","html_url":"https://github.com/concourse/oci-build-task","commit_stats":null,"previous_names":["vito/oci-build-task"],"tags_count":31,"template":false,"template_full_name":null,"purl":"pkg:github/concourse/oci-build-task","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/concourse%2Foci-build-task","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/concourse%2Foci-build-task/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/concourse%2Foci-build-task/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/concourse%2Foci-build-task/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/concourse","download_url":"https://codeload.github.com/concourse/oci-build-task/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/concourse%2Foci-build-task/sbom","scorecard":{"id":302199,"data":{"date":"2025-08-11","repo":{"name":"github.com/concourse/oci-build-task","commit":"333f11f98c66df5de8b70867d15993fe421b6814"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":5,"checks":[{"name":"Dangerous-Workflow","score":-1,"reason":"no workflows found","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Code-Review","score":0,"reason":"Found 0/14 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Token-Permissions","score":-1,"reason":"No tokens found","details":null,"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Maintained","score":10,"reason":"30 commit(s) and 18 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE.md:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE.md:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact v0.14.0 not signed: https://api.github.com/repos/concourse/oci-build-task/releases/229916203","Warn: release artifact v0.13.1 not signed: https://api.github.com/repos/concourse/oci-build-task/releases/223713677","Warn: release artifact v0.13.0 not signed: https://api.github.com/repos/concourse/oci-build-task/releases/223485773","Warn: release artifact v0.12.0 not signed: https://api.github.com/repos/concourse/oci-build-task/releases/220428390","Warn: release artifact v0.14.0 does not have provenance: https://api.github.com/repos/concourse/oci-build-task/releases/229916203","Warn: release artifact v0.13.1 does not have provenance: https://api.github.com/repos/concourse/oci-build-task/releases/223713677","Warn: release artifact v0.13.0 does not have provenance: https://api.github.com/repos/concourse/oci-build-task/releases/223485773","Warn: release artifact v0.12.0 does not have provenance: https://api.github.com/repos/concourse/oci-build-task/releases/220428390"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":3,"reason":"branch protection is not maximal on development and all release branches","details":["Info: 'allow deletion' disabled on branch 'master'","Info: 'force pushes' disabled on branch 'master'","Info: 'branch protection settings apply to administrators' is required to merge on branch 'master'","Warn: could not determine whether codeowners review is allowed","Warn: no status checks found to merge onto branch 'master'","Warn: PRs are not required to make changes on branch 'master'; or we don't have data to detect it.If you think it might be the latter, make sure to run Scorecard with a PAT or use Repo Rules (that are always public) instead of Branch Protection settings"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: containerImage not pinned by hash: Dockerfile:6","Warn: containerImage not pinned by hash: Dockerfile:26","Warn: containerImage not pinned by hash: Dockerfile:41","Info:   0 out of   3 containerImage dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: github.com/concourse/.github/SECURITY.md:1","Info: Found linked content: github.com/concourse/.github/SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: github.com/concourse/.github/SECURITY.md:1","Info: Found text in security policy: github.com/concourse/.github/SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"SAST","score":-1,"reason":"internal error: internal error: Client.Checks.ListCheckRunsForRef: error during graphqlHandler.setupCheckRuns: non-200 OK status code: 502 Bad Gateway body: \"\u003chtml\u003e\\r\\n\u003chead\u003e\u003ctitle\u003e502 Bad Gateway\u003c/title\u003e\u003c/head\u003e\\r\\n\u003cbody\u003e\\r\\n\u003ccenter\u003e\u003ch1\u003e502 Bad Gateway\u003c/h1\u003e\u003c/center\u003e\\r\\n\u003chr\u003e\u003ccenter\u003enginx\u003c/center\u003e\\r\\n\u003c/body\u003e\\r\\n\u003c/html\u003e\\r\\n\"","details":null,"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-17T20:58:01.794Z","repository_id":37031954,"created_at":"2025-08-17T20:58:01.794Z","updated_at":"2025-08-17T20:58:01.794Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31315951,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-02T12:59:32.332Z","status":"ssl_error","status_checked_at":"2026-04-02T12:54:48.875Z","response_time":89,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["buildkit","concourse","concourse-task","docker","golang","oci","oci-image"],"created_at":"2024-07-31T03:01:24.319Z","updated_at":"2026-04-02T20:27:24.528Z","avatar_url":"https://github.com/concourse.png","language":"Go","funding_links":["https://github.com/sponsors/taylorsilva"],"categories":["HarmonyOS"],"sub_categories":["Windows Manager"],"readme":"# `oci-build` task\n\nA Concourse task for building [OCI\nimages](https://github.com/opencontainers/image-spec). Currently uses\n[`buildkit`](http://github.com/moby/buildkit) for building.\n\n[![Build Job Status](https://ci.concourse-ci.org/api/v1/teams/main/pipelines/oci-build-task/jobs/build/badge)](https://ci.concourse-ci.org/teams/main/pipelines/oci-build-task/jobs/build)\n\nA stretch goal of this is to support running without `privileged: true`, though\nit currently still requires it.\n\n\u003c!-- toc --\u003e\n\n- [usage](#usage)\n  * [`image_resource`](#image_resource)\n  * [`params`](#params)\n  * [`inputs`](#inputs)\n  * [`outputs`](#outputs)\n  * [`caches`](#caches)\n  * [`run`](#run)\n- [migrating from the `docker-image` resource](#migrating-from-the-docker-image-resource)\n- [differences from `builder` task](#differences-from-builder-task)\n- [example](#example)\n\n\u003c!-- tocstop --\u003e\n\n## usage\n\nThe task implementation is available as an image on Docker Hub at\n[`concourse/oci-build-task`](http://hub.docker.com/r/concourse/oci-build-task).\n(This image is built from [`Dockerfile`](Dockerfile) using the `oci-build` task\nitself.)\n\nThis task implementation started as a spike to explore patterns around\n[reusable tasks](https://github.com/concourse/rfcs/issues/7) to hopefully lead\nto a proper RFC. Until that RFC is written and implemented, configuration is\nstill done by way of providing your own task config as follows:\n\n### `image_resource`\n\nFirst, your task needs to point to the `oci-build-task` image:\n\n```yaml\nimage_resource:\n  type: registry-image\n  source:\n    repository: concourse/oci-build-task\n```\n\n### `params`\n\nAny of the following optional parameters may be specified. These are all exposed\nas _environment variables_ to the task, therefore only string values are\nallowed. This is a pain point with re-usable tasks that will ideally be resolved\nby [prototypes](https://github.com/concourse/rfcs/blob/master/037-prototypes/proposal.md).\n\n* `CONTEXT` (default `.`): the path to the directory to provide as the context\n  for the build.\n\n* `DOCKERFILE` (default `$CONTEXT/Dockerfile`): the path to the `Dockerfile`\n  to build.\n\n* `BUILDKIT_SSH` your ssh key location that is mounted in your `Dockerfile`. This is\n  generally used for pulling dependencies from private repositories.\n\n  For Example. In your `Dockerfile`, you can mount a key as\n  ```\n  RUN --mount=type=ssh,id=github_ssh_key pip install -U -r ./hats/requirements-test.txt\n  ```\n\n  Then in your Concourse YAML configuration:\n  ```\n  params:\n    BUILDKIT_SSH: github_ssh_key=\u003cPATH-TO-YOUR-KEY\u003e\n  ```\n\n  Read more about ssh mount [here](https://docs.docker.com/develop/develop-images/build_enhancements/).\n\n* `BUILD_ARG_*`: params prefixed with `BUILD_ARG_` will be provided as build\n  args. For example `BUILD_ARG_foo=bar`, will set the `foo` build arg as `bar`.\n\n* `BUILD_ARGS_FILE` (default empty): path to a file containing build args. By\n    default the task will assume each line is in the form `foo=bar`, one per\n    line. Empty lines are skipped. If the file ends in `yml` or `yaml` it will\n    be parsed as a YAML file. The YAML file can only contain string keys and\n    values.\n\n  Example simple file contents:\n\n  ```\n  EMAIL=me@example.com\n  HOW_MANY_THINGS=1\n  DO_THING=false\n  ```\n  Example YAML file contents:\n\n  ```yaml\n  EMAIL: me@example.com\n  HOW_MANY_THINGS: \"1\"\n  DO_THING: \"false\"\n  MULTI_LINE_ARG: |\n    thing1\n    thing2\n  ```\n\n* `BUILDKIT_SECRET_*`: files with extra secrets which are made available via\n  `--mount=type=secret,id=...`. See [New Docker Build secret information](https://docs.docker.com/develop/develop-images/build_enhancements/#new-docker-build-secret-information) for more information on build secrets.\n\n  For example, running with `BUILDKIT_SECRET_config=my-repo/config` will allow\n  you to do the following...\n\n  ```\n  RUN --mount=type=secret,id=config cat /run/secrets/config\n  ```\n\n* `BUILDKIT_SECRETTEXT_*`: literal text of extra secrets to be made available\n  via the same mechanism described for `$BUILDKIT_SECRET_*` above. The\n  difference is that this is easier to use with credential managers:\n\n  `BUILDKIT_SECRETTEXT_mysecret=(( mysecret ))` puts the content that\n  `(( mysecret ))` expands to in `/run/secrets/mysecret`.\n\n* `IMAGE_ARG_*`: params prefixed with `IMAGE_ARG_*` point to image tarballs\n  (i.e. `docker save` format) or path to images in OCI layout format, to preload\n  so that they do not have to be fetched during the build. An image reference\n  will be provided as the given build arg name. For example,\n  `IMAGE_ARG_base_image=ubuntu/image.tar` will set `base_image` to a local image\n  reference for using `ubuntu/image.tar`.\n\n  This must be accepted as an argument for use; for example:\n\n  ```\n  ARG base_image\n  FROM ${base_image}\n  ```\n\n* `IMAGE_PLATFORM`: Specify the target platform(s) to build the image for. For\n  example `IMAGE_PLATFORM=linux/arm64,linux/amd64` will build the image for the\n  Linux OS and architectures `arm64` and `amd64`. By default, images will be\n  built for the current worker's platform that the task is running on. If\n  multiple platforms are specified, `OUTPUT_OCI` will be set to `true`\n  automatically, resulting in the output being a directory instead of a tarball.\n\n* `LABEL_*`: params prefixed with `LABEL_` will be set as image labels.\n  For example `LABEL_foo=bar`, will set the `foo` label to `bar`.\n\n* `LABELS_FILE` (default empty): path to a file containing labels in\n  the form `foo=bar`, one per line. Empty lines are skipped.\n\n* `TARGET` (default empty): a target build stage to build, as named with the\n  `FROM … AS \u003cNAME\u003e` syntax in your `Dockerfile`.\n\n* `TARGET_FILE` (default empty): path to a file containing the name of the\n  target build stage to build.\n\n* `ADDITIONAL_TARGETS` (default empty): a comma-separated (`,`) list of\n  additional target build stages to build.\n\n* `REGISTRY_MIRRORS` (default empty): a comma-separated (`,`) list of registry\n  mirrors to use for `docker.io`. If you need to specify authentication details\n  then consider using `BUILDKIT_EXTRA_CONFIG` instead.\n\n* `UNPACK_ROOTFS` (default `false`): unpack the image as Concourse's image\n  format (`rootfs/`, `metadata.json`) for use with the [`image` task step\n  option](https://concourse-ci.org/jobs.html#schema.step.task-step.image).\n\n* `OUTPUT_OCI` (default `false`): outputs an OCI image, allowing for multi-arch\n  image builds when setting `IMAGE_PLATFORM` to [multiple\n  platforms](https://docs.docker.com/desktop/extensions-sdk/extensions/multi-arch/).\n  The image output will be a directory (`image/image`) in OCI Image\n  Layout format when this flag is set to true.\n\n* `BUILDKIT_ADD_HOSTS` (default empty): extra host definitions for `buildkit`\n  to properly resolve custom hostnames. The value is as comma-separated\n  (`,`) list of key-value pairs (using syntax `hostname=ip-address`), each\n  defining an IP address for resolving some custom hostname.\n\n* `BUILDKIT_EXTRA_CONFIG` (default empty): a string written verbatim to builkit's\n  TOML config file. See [buildkitd.toml](https://docs.docker.com/build/buildkit/toml-configuration/).\n\n### `inputs`\n\nThere are no required inputs - your task should just list each artifact it\nneeds as an input. Typically this is in close correlation with `$CONTEXT`:\n\n```yaml\nparams:\n  CONTEXT: my-image\n\ninputs:\n- name: my-image\n```\n\nShould your build be dependent on multiple inputs, you may want to leave\n`CONTEXT` as its default (`.`) and set an explicit path to the `DOCKERFILE`:\n\n```yaml\nparams:\n  DOCKERFILE: my-repo/Dockerfile\n\ninputs:\n- name: my-repo\n- name: some-dependency\n```\n\nIt might also make sense to place one input under another, like so:\n\n```yaml\nparams:\n  CONTEXT: my-repo\n\ninputs:\n- name: my-repo\n- name: some-dependency\n  path: my-repo/some-dependency\n```\n\nOr, to fully rely on the default behavior and use `path` to wire up the context\naccordingly, you could set your primary context as `path: .` and set up any\nadditional inputs underneath:\n\n```yaml\ninputs:\n- name: my-repo\n  path: .\n- name: some-dependency\n```\n\n### `outputs`\n\nA single output named `image` may be configured:\n\n```yaml\noutputs:\n- name: image\n```\n\nUse [`output_mapping`] to map this output to a different name in your build plan.\nThis approach should be used if you're building multiple images in parallel so that\nthey can have distinct names.\n\n[`output_mapping`]: https://concourse-ci.org/jobs.html#schema.step.task-step.output_mapping\n\nThe output will contain the following files:\n\n* `image.tar`: the OCI image tarball. This tarball can be uploaded to a registry\n  using the [Registry Image\n  resource](https://github.com/concourse/registry-image-resource#out-push-an-image-up-to-the-registry-under-the-given-tags).\n  Only present if `OUTPUT_OCI` is `false`, which is the default.\n\n* `image/`: a directory containing the OCI image(s) in OCI Image Layout format.\n  Only present if `OUTPUT_OCI` is `true`.\n\n* `digest`: the digest of the OCI config. This file can be used to tag the\n  image after it has been loaded with `docker load`, like so:\n\n  ```sh\n  docker load -i image/image.tar\n  docker tag $(cat image/digest) my-name\n  ```\n\nIf `$UNPACK_ROOTFS` is configured, the following additional entries will be\ncreated:\n\n* `rootfs/*`: the unpacked contents of the image's filesystem.\n\n* `metadata.json`: a JSON file containing the image's env and user\n  configuration.\n\nThis is a Concourse-specific format to support using the newly built image for\na subsequent task by pointing the task step's [`image`\noption](https://concourse-ci.org/task-step.html#task-step-image) to the output,\nlike so:\n\n```yaml\nplan:\n- task: build-image\n  params:\n    UNPACK_ROOTFS: true\n  output_mapping: {image: my-built-image}\n- task: use-image\n  image: my-built-image\n```\n\n(The `output_mapping` here is just for clarity; alternatively you could just\nset `image: image`.)\n\n\u003e Note: at some point Concourse will likely standardize on OCI instead.\n\n### `caches`\n\nCaching can be enabled by caching the `cache` path on the task:\n\n```yaml\ncaches:\n- path: cache\n```\n\nThis only caches the build layers that Buildkit makes and will only be hit if\nthe same worker is used between one build and the next.\n\nNOTE: the contents of `--mount=type=cache` directories are not cached, see https://github.com/concourse/oci-build-task/issues/87\n\n### `run`\n\nYour task should run the `build` executable:\n\n```yaml\nrun:\n  path: build\n```\n\n\n## migrating from the `docker-image` resource\n\nThe `docker-image` resource was previously used for building and pushing a\nDocker image to a registry in one fell swoop.\n\nThe `oci-build` task, in contrast, only supports building images - it does not\nsupport pushing or even tagging the image. It can be used to build an image and\nuse it for a subsequent task image without pushing it to a registry, by\nconfiguring `$UNPACK_ROOTFS`.\n\nIn order to push the newly built image, you can use a resource like the\n[`registry-image`\nresource](https://github.com/concourse/registry-image-resource) like so:\n\n```yaml\nresources:\n- name: my-image-src\n  type: git\n  source:\n    uri: https://github.com/...\n\n- name: my-image\n  type: registry-image\n  source:\n    repository: my-user/my-repo\n\njobs:\n- name: build-and-push\n  plan:\n  # fetch repository source (containing Dockerfile)\n  - get: my-image-src\n\n  # build using `oci-build` task\n  #\n  # note: this task config could be pushed into `my-image-src` and loaded using\n  # `file:` instead\n  - task: build\n    privileged: true\n    config:\n      platform: linux\n\n      image_resource:\n        type: registry-image\n        source:\n          repository: concourse/oci-build-task\n\n      inputs:\n      - name: my-image-src\n        path: .\n\n      outputs:\n      - name: image\n\n      run:\n        path: build\n\n  # push using `registry-image` resource\n  - put: my-image\n    params: {image: image/image.tar}\n```\n\n\n## example\n\nThis repo contains an `example.yml`, which builds the image for the task\nitself:\n\n```sh\nfly -t dev execute -c example.yml -i context=. -o image=. -p\ndocker load -i image.tar\n```\n\nThat `-p` at the end is not a typo; it runs the task with elevated privileges.\n\n## Providing Custom CA Certificates\n\nAssuming your custom CA cert is passed in as an input to the oci-build task,\nyou can use a task config like this to load your custom CA certificate:\n\n```yaml\nplatform: linux\n\ninputs:\n- name: certs\n  path: /var/certs #Absolute path only works on Concourse \u003e=7.5.0\n#..other inputs\n\noutputs:\n- name: image\n\nparams:\n  BUILDKIT_EXTRA_CONFIG: |\n    [registry.\"my-registry.com\"]\n      ca=[\"/var/certs/my-ca.pem\"]\n\nrun:\n  path: build\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fconcourse%2Foci-build-task","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fconcourse%2Foci-build-task","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fconcourse%2Foci-build-task/lists"}