{"id":43123390,"url":"https://github.com/docker/github-builder","last_synced_at":"2026-04-15T09:03:59.275Z","repository":{"id":323864511,"uuid":"1040055409","full_name":"docker/github-builder","owner":"docker","description":"Official Docker-maintained reusable GitHub Actions workflows to securely build container images","archived":false,"fork":false,"pushed_at":"2026-02-13T19:10:11.000Z","size":388,"stargazers_count":26,"open_issues_count":15,"forks_count":4,"subscribers_count":3,"default_branch":"main","last_synced_at":"2026-02-14T00:05:17.967Z","etag":null,"topics":["buildkit","buildx","docker","github-actions","github-actions-docker","reusable-workflows","sbom","security","security-hardening","slsa","slsa-provenance"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/docker.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":".github/CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":".github/CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":".github/SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-08-18T11:44:56.000Z","updated_at":"2026-02-13T15:34:22.000Z","dependencies_parsed_at":"2026-01-06T09:02:49.751Z","dependency_job_id":null,"html_url":"https://github.com/docker/github-builder","commit_stats":null,"previous_names":["docker/github-builder-experimental","docker/github-builder"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/docker/github-builder","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/docker%2Fgithub-builder",
"tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/docker%2Fgithub-builder/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/docker%2Fgithub-builder/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/docker%2Fgithub-builder/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/docker","download_url":"https://codeload.github.com/docker/github-builder/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/docker%2Fgithub-builder/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29901741,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-27T14:46:13.553Z","status":"ssl_error","status_checked_at":"2026-02-27T14:46:10.522Z","response_time":57,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["buildkit","buildx","docker","github-actions","github-actions-docker","reusable-workflows","sbom","security","security-hardening","slsa","slsa-provenance"],"created_at":"2026-01-31T20:04:18.781Z","updated_at":"2026-04-15T09:03:59.243Z","avatar_url":"https://github.com/docker.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"[![Test build 
workflow](https://img.shields.io/github/actions/workflow/status/docker/github-builder/.test-build.yml?label=test%20build\u0026logo=github\u0026style=flat-square)](https://github.com/docker/github-builder/actions?workflow=.test-build)\n[![Test bake workflow](https://img.shields.io/github/actions/workflow/status/docker/github-builder/.test-bake.yml?label=test%20bake\u0026logo=github\u0026style=flat-square)](https://github.com/docker/github-builder/actions?workflow=.test-bake)\n\n___\n\n* [Overview](#overview)\n* [Key Advantages](#key-advantages)\n  * [Performance](#performance)\n  * [Security](#security)\n  * [Isolation \u0026 Reliability](#isolation--reliability)\n* [Usage](#usage)\n  * [Build reusable workflow](#build-reusable-workflow)\n    * [Inputs](#inputs)\n    * [Secrets](#secrets)\n    * [Outputs](#outputs)\n  * [Bake reusable workflow](#bake-reusable-workflow)\n    * [Inputs](#inputs-1)\n    * [Secrets](#secrets-1)\n    * [Outputs](#outputs-1)\n\n## Overview\n\nThis repository provides official Docker-maintained [reusable GitHub Actions workflows](https://docs.github.com/en/actions/how-tos/reuse-automations/reuse-workflows)\nto securely build container images and artifacts using Docker best practices.\nThe reusable workflows incorporate functionality from our GitHub Actions like\n[`docker/build-push-action`](https://github.com/docker/build-push-action/),\n[`docker/metadata-action`](https://github.com/docker/metadata-action/), etc.,\ninto a single workflow:\n\n```yaml\nname: ci\n\npermissions:\n  contents: read\n\non:\n  push:\n    branches:\n      - 'main'\n    tags:\n      - 'v*'\n  pull_request:\n\njobs:\n  build:\n    uses: docker/github-builder/.github/workflows/build.yml@v1\n    permissions:\n      contents: read # to fetch the repository content\n      id-token: write # for signing attestation(s) with GitHub OIDC Token\n    with:\n      output: image\n      push: ${{ github.event_name != 'pull_request' }}\n      meta-images: name/app\n    secrets:\n   
   registry-auths: |\n        - registry: docker.io\n          username: ${{ vars.DOCKERHUB_USERNAME }}\n          password: ${{ secrets.DOCKERHUB_TOKEN }}\n```\n\nThis workflow provides a trusted BuildKit instance and generates signed\nSLSA-compliant provenance attestations, guaranteeing the build happened from\nthe source commit and all build steps ran in isolated sandboxed environments\nfrom immutable sources. This enables GitHub projects to follow a seamless path\ntoward higher levels of security and trust.\n\n## Key Advantages\n\n### Performance\n\n* **Native parallelization for multi-platform builds.**  \n  Workflows can automatically distribute builds across runners based on target\n  platform to be built, improving throughput for other architectures without\n  requiring emulation or [custom CI logic](https://docs.docker.com/build/ci/github-actions/multi-platform/#distribute-build-across-multiple-runners)\n  or self-managed runners.\n\n* **Optimized cache warming \u0026 reuse.**  \n  The builder can use the GitHub Actions cache backend to persist layers across\n  branches, PRs, and rebuilds. This significantly reduces cold-start times and\n  avoids repeating expensive dependency installations, even for external\n  contributors' pull requests.\n\n* **Centralized build configuration.**  \n  Repositories no longer need to configure buildx drivers, tune storage, or\n  adjust resource limits. The reusable workflows encapsulate the recommended\n  configuration, providing fast, consistent builds across any project that\n  opts in.\n\n### Security\n\n* **Trusted workflows in the Docker organization.**  \n  Builds are executed by reusable workflows defined in the [**@docker**](https://github.com/docker)\n  organization, not by arbitrary user-defined workflow steps. Consumers can\n  rely on GitHub's trust model and repository protections on the Docker side\n  (branch protection, code review, signing, etc.) 
to reason about who controls\n  the build logic.\n\n* **Verifiable, immutable sources.**  \n  The workflows use the GitHub OIDC token and the exact commit SHA to obtain\n  source and to bind it into SLSA provenance. This ensures that the build is\n  tied to the repository contents as checked in—no additional CI step can\n  silently swap out what is being built.\n\n* **Signed SLSA provenance for every build.**  \n  BuildKit generates [SLSA-compliant provenance attestation](https://docs.docker.com/build/metadata/attestations/slsa-provenance/)\n  artifacts that are signed with an identity bound to the GitHub workflow.\n  Downstream consumers can verify:\n  - which builder commit produced the image  \n  - which source code commit produced the image  \n  - which workflow and job executed the build  \n  - what inputs and build parameters were used  \n\n* **Protection from user workflow tampering.**  \n  The build steps are pre-defined and optimized in the reusable workflow, and\n  cannot be altered by user configuration. This protects against tampering:\n  preventing untrusted workflow steps from modifying build logic, injecting\n  unexpected flags, or producing misleading provenance.\n\n### Isolation \u0026 Reliability\n\n* **Separation between user CI logic and build logic.**  \n  The user's workflow orchestrates *when* to build but not *how* to build.\n  The actual build steps live in the Docker-maintained reusable workflows,\n  which cannot be modified from the consuming repository.\n\n* **Immutable, reproducible build pipeline.**  \n  Builds are driven by declarative inputs (repository commit, build\n  configuration, workflow version). 
This leads to:\n  - reproducibility (same workflow + same inputs → same outputs)  \n  - auditability (inputs and workflow identity recorded in provenance)  \n  - reliability (less dependence on ad-hoc per-repo CI scripting)  \n\n* **Reduced CI variability and config drift.**  \n  By reusing the same workflows, projects avoid maintaining custom build logic\n  per repository. Caching, provenance, SBOM generation, and build settings\n  behave uniformly across all adopters.\n\n* **Higher assurance for downstream consumers.**  \n  Because artifacts are produced by a workflow in the [**@docker**](https://github.com/docker)\n  organization, with SLSA provenance attached, consumers can verify both the\n  *source commit* and the *builder identity* before trusting or promoting an\n  image, an essential part of supply-chain hardening.\n\n## Usage\n\n### Build reusable workflow\n\nThe [`build.yml` reusable workflow](.github/workflows/build.yml) lets you build\ncontainer images and artifacts from a Dockerfile with a user experience similar\nto [`docker/build-push-action`](https://github.com/docker/build-push-action/).\nIt provides a Docker-maintained, opinionated build pipeline that applies best\npractices for security, performance, and reliability by default, including\nisolated execution and signed SLSA provenance while keeping per-repository\nconfiguration minimal.\n\n```yaml\nname: ci\n\npermissions:\n  contents: read\n\non:\n  push:\n    branches:\n      - 'main'\n    tags:\n      - 'v*'\n  pull_request:\n\njobs:\n  build:\n    uses: docker/github-builder/.github/workflows/build.yml@v1\n    permissions:\n      contents: read # to fetch the repository content\n      id-token: write # for signing attestation(s) with GitHub OIDC Token\n    with:\n      output: image\n      push: ${{ github.event_name != 'pull_request' }}\n      platforms: linux/amd64,linux/arm64\n      meta-images: name/app\n      meta-tags: |\n        type=ref,event=branch\n        type=ref,event=pr\n        
type=semver,pattern={{version}}\n    secrets:\n      registry-auths: |\n        - registry: docker.io\n          username: ${{ vars.DOCKERHUB_USERNAME }}\n          password: ${{ secrets.DOCKERHUB_TOKEN }}\n\n  # Optional job to verify the pushed images' signatures. This is already done\n  # in the `build` job and can be omitted. It's provided here as an example of\n  # how to use the `verify.yml` reusable workflow.\n  build-verify:\n    uses: docker/github-builder/.github/workflows/verify.yml@v1\n    if: ${{ github.event_name != 'pull_request' }}\n    needs:\n      - build\n    with:\n      builder-outputs: ${{ toJSON(needs.build.outputs) }}\n    secrets:\n      registry-auths: |\n        - registry: docker.io\n          username: ${{ vars.DOCKERHUB_USERNAME }}\n          password: ${{ secrets.DOCKERHUB_TOKEN }}\n```\n\n#### Inputs\n\n\u003e [!NOTE]\n\u003e `List` type is a newline-delimited string\n\u003e ```yaml\n\u003e cache-from: |\n\u003e   user/app:cache\n\u003e   type=local,src=path/to/dir\n\u003e ```\n\u003e \n\u003e `CSV` type is a comma-delimited string\n\u003e ```yaml\n\u003e tags: name/app:latest,name/app:1.0.0\n\u003e ```\n\n| Name                   | Type     | Default                        | Description                                                                                                                                                                                                                                                                                                                           |\n|------------------------|----------|--------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| `runner`               | String   | 
`auto`                         | [Ubuntu GitHub Hosted Runner](https://github.com/actions/runner-images?tab=readme-ov-file#available-images) to build on (one of `auto`, `amd64`, `arm64`). The `auto` runner selects the best-matching runner based on target `platforms`. You can set it to `amd64` if your build doesn't require emulation (e.g. cross-compilation) |\n| `distribute`           | Bool     | `true`                         | Whether to distribute the build across multiple runners (one platform per runner)                                                                                                                                                                                                                                                     |\n| `fail-fast`            | Bool     | `false`                        | Whether to cancel all in-progress and queued jobs in the matrix if any job fails                                                                                                                                                                                                                                                      |\n| `setup-qemu`           | Bool     | `false`                        | Runs the `setup-qemu-action` step to install QEMU static binaries                                                                                                                                                                                                                                                                     |\n| `artifact-name`        | String   | `docker-github-builder-assets` | Name of the uploaded GitHub artifact (for `local` output)                                                                                                                                                                                                                                                                             |\n| `artifact-upload`      | Bool     | 
`false`                        | Upload build output GitHub artifact (for `local` output)                                                                                                                                                                                                                                                                              |\n| `annotations`          | List     |                                | List of annotations to set to the image (for `image` output)                                                                                                                                                                                                                                                                          |\n| `build-args`           | List     | `auto`                         | List of [build-time variables](https://docs.docker.com/engine/reference/commandline/buildx_build/#build-arg). If you want to set a build-arg through an environment variable, use the `envs` input                                                                                                                                    |\n| `cache`                | Bool     | `false`                        | Enable [GitHub Actions cache](https://docs.docker.com/build/cache/backends/gha/) exporter                                                                                                                                                                                                                                             |\n| `cache-scope`          | String   | target name or `buildkit`      | Which [scope cache object belongs to](https://docs.docker.com/build/cache/backends/gha/#scope) if `cache` is enabled. 
This is the cache blob prefix name used when pushing cache to GitHub Actions cache backend                                                                                                                      |\n| `cache-mode`           | String   | `min`                          | [Cache layers to export](https://docs.docker.com/build/cache/backends/#cache-mode) if cache enabled (`min` or `max`). In `min` cache mode, only layers that are exported into the resulting image are cached, while in `max` cache mode, all layers are cached, even those of intermediate steps                                      |\n| `context`              | String   | `.`                            | Context to build from in the Git working tree                                                                                                                                                                                                                                                                                         |\n| `file`                 | String   | `{context}/Dockerfile`         | Path to the Dockerfile                                                                                                                                                                                                                                                                                                                |\n| `labels`               | List     |                                | List of labels for an image (for `image` output)                                                                                                                                                                                                                                                                                      |\n| `output`               | String   |                                | Build output destination (one of [`image`](https://docs.docker.com/build/exporters/image-registry/) or 
[`local`](https://docs.docker.com/build/exporters/local-tar/)). Unlike the `build-push-action`, it only accepts `image` or `local`. The reusable workflow takes care of setting the `outputs` attribute                        |\n| `platforms`            | List/CSV |                                | List of [target platforms](https://docs.docker.com/engine/reference/commandline/buildx_build/#platform) to build                                                                                                                                                                                                                      |\n| `push`                 | Bool     | `false`                        | [Push](https://docs.docker.com/engine/reference/commandline/buildx_build/#push) image to the registry (for `image` output)                                                                                                                                                                                                            |\n| `sbom`                 | Bool     | `false`                        | Generate [SBOM](https://docs.docker.com/build/attestations/sbom/) attestation for the build                                                                                                                                                                                                                                           |\n| `shm-size`             | String   |                                | Size of [`/dev/shm`](https://docs.docker.com/engine/reference/commandline/buildx_build/#shm-size) (e.g., `2g`)                                                                                                                                                                                                                        |\n| `sign`                 | String   | `auto`                         | Sign attestation manifest for `image` output or artifacts for `local` output, can be one of `auto`, 
`true` or `false`. The `auto` mode will enable signing if `push` is enabled for pushing the `image` or if `artifact-upload` is enabled for uploading the `local` build output as GitHub Artifact                                  |\n| `target`               | String   |                                | Sets the target stage to build                                                                                                                                                                                                                                                                                                        |\n| `ulimit`               | List     |                                | [Ulimit](https://docs.docker.com/engine/reference/commandline/buildx_build/#ulimit) options (e.g., `nofile=1024:1024`)                                                                                                                                                                                                                |\n| `set-meta-annotations` | Bool     | `false`                        | Append OCI Image Format Specification annotations generated by `docker/metadata-action`                                                                                                                                                                                                                                               |\n| `set-meta-labels`      | Bool     | `false`                        | Append OCI Image Format Specification labels generated by `docker/metadata-action`                                                                                                                                                                                                                                                    |\n| `meta-images`          | List     |                                | [List of images](https://github.com/docker/metadata-action?tab=readme-ov-file#images-input) to use 
as base name for tags (required for image output)                                                                                                                                                                                  |\n| `meta-tags`            | List     |                                | [List of tags](https://github.com/docker/metadata-action?tab=readme-ov-file#tags-input) as key-value pair attributes                                                                                                                                                                                                                  |\n| `meta-flavor`          | List     |                                | [Flavor](https://github.com/docker/metadata-action?tab=readme-ov-file#flavor-input) defines a global behavior for `meta-tags`                                                                                                                                                                                                         |\n\n\u003e [!TIP]\n\u003e When `output=image`, the following inputs support Handlebars templates rendered\n\u003e from selected `docker/metadata-action` outputs:\n\u003e - `annotations`\n\u003e - `build-args`\n\u003e - `labels`\n\u003e \n\u003e The template context is exposed as `meta` with:\n\u003e - `meta.version`\n\u003e - `meta.tags`\n\u003e \n\u003e Example:\n\u003e ```yaml\n\u003e jobs:\n\u003e   build:\n\u003e     uses: docker/github-builder/.github/workflows/build.yml@v1\n\u003e     with:\n\u003e       output: image\n\u003e       build-args: |\n\u003e         VERSION={{meta.version}}\n\u003e       meta-images: name/app\n\u003e ```\n\n#### Secrets\n\n| Name             | Default               | Description                                                                    |\n|------------------|-----------------------|--------------------------------------------------------------------------------|\n| `registry-auths` |                       | Raw 
authentication to registries, defined as YAML objects (for `image` output) |\n| `github-token`   | `${{ github.token }}` | GitHub Token used to authenticate against the repository for Git context       |\n\n#### Outputs\n\nThese outputs are available as `needs.\u003cjob_id\u003e.outputs.*` and can be passed\ndirectly to the [`verify.yml` reusable workflow](.github/workflows/verify.yml)\nwith `builder-outputs: ${{ toJSON(needs.\u003cjob_id\u003e.outputs) }}`.\n\n| Name                     | Type   | Description                                                                  |\n|--------------------------|--------|------------------------------------------------------------------------------|\n| `meta-json`              | JSON   | Metadata JSON output from `docker/metadata-action` (for `image` output)      |\n| `cosign-version`         | String | Cosign version used for verification                                         |\n| `cosign-verify-commands` | List   | Newline-delimited `cosign verify` commands generated when signing is enabled |\n| `artifact-name`          | String | Name of the uploaded merged artifact (for `local` output)                    |\n| `digest`                 | String | Digest of the image pushed or artifact uploaded                              |\n| `output-type`            | String | Output type selected for the workflow (`image` or `local`)                   |\n| `signed`                 | Bool   | Whether attestation manifests or local artifacts were signed                 |\n\n### Bake reusable workflow\n\nThe [`bake.yml` reusable workflow](.github/workflows/bake.yml) lets you build\ncontainer images and artifacts from a [Bake definition](https://docs.docker.com/build/bake/)\nwith a user experience similar to [`docker/bake-action`](https://github.com/docker/bake-action/).\nIt provides a Docker-maintained, opinionated build pipeline that applies best\npractices for security, performance, and reliability by default, including\nisolated 
execution and signed SLSA provenance while keeping per-repository\nconfiguration minimal.\n\n```yaml\nname: ci\n\npermissions:\n  contents: read\n\non:\n  push:\n    branches:\n      - 'main'\n    tags:\n      - 'v*'\n  pull_request:\n\njobs:\n  bake:\n    uses: docker/github-builder/.github/workflows/bake.yml@v1\n    permissions:\n      contents: read # to fetch the repository content\n      id-token: write # for signing attestation(s) with GitHub OIDC Token\n    with:\n      output: image\n      push: ${{ github.event_name != 'pull_request' }}\n      meta-images: name/app\n      meta-tags: |\n        type=ref,event=branch\n        type=ref,event=pr\n        type=semver,pattern={{version}}\n    secrets:\n      registry-auths: |\n        - registry: docker.io\n          username: ${{ vars.DOCKERHUB_USERNAME }}\n          password: ${{ secrets.DOCKERHUB_TOKEN }}\n\n  # Optional job to verify the pushed images' signatures. This is already done\n  # in the `bake` job and can be omitted. It's provided here as an example of\n  # how to use the `verify.yml` reusable workflow.\n  bake-verify:\n    uses: docker/github-builder/.github/workflows/verify.yml@v1\n    if: ${{ github.event_name != 'pull_request' }}\n    needs:\n      - bake\n    with:\n      builder-outputs: ${{ toJSON(needs.bake.outputs) }}\n    secrets:\n      registry-auths: |\n        - registry: docker.io\n          username: ${{ vars.DOCKERHUB_USERNAME }}\n          password: ${{ secrets.DOCKERHUB_TOKEN }}\n```\n\n#### Inputs\n\n\u003e `List` type is a newline-delimited string\n\u003e ```yaml\n\u003e set: target.args.mybuildarg=value\n\u003e ```\n\u003e ```yaml\n\u003e set: |\n\u003e   target.args.mybuildarg=value\n\u003e   foo*.args.mybuildarg=value\n\u003e ```\n\n| Name                   | Type   | Default                        | Description                                                                                                                                                                       
                                                                                                                                                    |\n|------------------------|--------|--------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| `runner`               | String | `auto`                         | [Ubuntu GitHub Hosted Runner](https://github.com/actions/runner-images?tab=readme-ov-file#available-images) to build on (one of `auto`, `amd64`, `arm64`). The `auto` runner selects the best-matching runner based on target `platforms`. You can set it to `amd64` if your build doesn't require emulation (e.g. cross-compilation) |\n| `distribute`           | Bool   | `true`                         | Whether to distribute the build across multiple runners (one platform per runner)                                                                                                                                                                                                                                                     |\n| `fail-fast`            | Bool   | `false`                        | Whether to cancel all in-progress and queued jobs in the matrix if any job fails                                                                                                                                                                                                                                                      |\n| `setup-qemu`           | Bool   | `false`                        | Runs the `setup-qemu-action` step to install QEMU static binaries                                                                                                                           
                                                                                                                                          |\n| `artifact-name`        | String | `docker-github-builder-assets` | Name of the uploaded GitHub artifact (for `local` output)                                                                                                                                                                                                                                                                             |\n| `artifact-upload`      | Bool   | `false`                        | Upload build output GitHub artifact (for `local` output)                                                                                                                                                                                                                                                                              |\n| `cache`                | Bool   | `false`                        | Enable [GitHub Actions cache](https://docs.docker.com/build/cache/backends/gha/) exporter                                                                                                                                                                                                                                             |\n| `cache-scope`          | String | target name or `buildkit`      | Which [scope cache object belongs to](https://docs.docker.com/build/cache/backends/gha/#scope) if `cache` is enabled. This is the cache blob prefix name used when pushing cache to GitHub Actions cache backend                                                                                                                      |\n| `cache-mode`           | String | `min`                          | [Cache layers to export](https://docs.docker.com/build/cache/backends/#cache-mode) if cache enabled (`min` or `max`). 
In `min` cache mode, only layers that are exported into the resulting image are cached, while in `max` cache mode, all layers are cached, even those of intermediate steps                                      |\n| `context`              | String | `.`                            | Context to build from in the Git working tree                                                                                                                                                                                                                                                                                         |\n| `files`                | List   | `{context}/docker-bake.hcl`    | List of bake definition files                                                                                                                                                                                                                                                                                                         |\n| `output`               | String |                                | Build output destination (one of [`image`](https://docs.docker.com/build/exporters/image-registry/) or [`local`](https://docs.docker.com/build/exporters/local-tar/)).                                                                                                                                                                
|\n| `push`                 | Bool   | `false`                        | Push image to the registry (for `image` output)                                                                                                                                                                                                                                                                                       |\n| `sbom`                 | Bool   | `false`                        | Generate [SBOM](https://docs.docker.com/build/attestations/sbom/) attestation for the build                                                                                                                                                                                                                                           |\n| `set`                  | List   |                                | List of [target values to override](https://docs.docker.com/engine/reference/commandline/buildx_bake/#set) (e.g., `targetpattern.key=value`)                                                                                                                                                                                          |\n| `sign`                 | String | `auto`                         | Sign attestation manifest for `image` output or artifacts for `local` output, can be one of `auto`, `true` or `false`. 
The `auto` mode will enable signing if `push` is enabled for pushing the `image` or if `artifact-upload` is enabled for uploading the `local` build output as GitHub Artifact                                  |\n| `target`               | String | `default`                      | Bake target to build                                                                                                                                                                                                                                                                                                                  |\n| `vars`                 | List   |                                | [Variables](https://docs.docker.com/build/bake/variables/) to set in the Bake definition as list of key-value pair                                                                                                                                                                                                                    |\n| `set-meta-annotations` | Bool   | `false`                        | Append OCI Image Format Specification annotations generated by `docker/metadata-action`                                                                                                                                                                                                                                               |\n| `set-meta-labels`      | Bool   | `false`                        | Append OCI Image Format Specification labels generated by `docker/metadata-action`                                                                                                                                                                                                                                                    |\n| `meta-images`          | List   |                                | [List of images](https://github.com/docker/metadata-action?tab=readme-ov-file#images-input) to use as base name for tags 
(required for image output)                                                                                                                                                                                  |\n| `meta-tags`            | List   |                                | [List of tags](https://github.com/docker/metadata-action?tab=readme-ov-file#tags-input) as key-value pair attributes                                                                                                                                                                                                                  |\n| `meta-labels`          | List   |                                | [List of custom labels](https://github.com/docker/metadata-action?tab=readme-ov-file#overwrite-labels-and-annotations)                                                                                                                                                                                                                |\n| `meta-annotations`     | List   |                                | [List of custom annotations](https://github.com/docker/metadata-action?tab=readme-ov-file#overwrite-labels-and-annotations)                                                                                                                                                                                                           |\n| `meta-flavor`          | List   |                                | [Flavor](https://github.com/docker/metadata-action?tab=readme-ov-file#flavor-input) defines a global behavior for `meta-tags`                                                                                                                                                                                                         |\n\n\u003e [!TIP]\n\u003e When `output=image`, the `set` input supports Handlebars templates rendered\n\u003e from selected `docker/metadata-action` outputs.\n\u003e \n\u003e The template context is 
exposed as `meta` with:\n\u003e - `meta.version`\n\u003e - `meta.tags`\n\u003e \n\u003e Example:\n\u003e ```yaml\n\u003e jobs:\n\u003e   bake:\n\u003e     uses: docker/github-builder/.github/workflows/bake.yml@v1\n\u003e     with:\n\u003e       output: image\n\u003e       set: |\n\u003e         *.args.VERSION={{meta.version}}\n\u003e       meta-images: name/app\n\u003e ```\n\n#### Secrets\n\n| Name             | Default               | Description                                                                    |\n|------------------|-----------------------|--------------------------------------------------------------------------------|\n| `registry-auths` |                       | Raw authentication to registries, defined as YAML objects (for `image` output) |\n| `github-token`   | `${{ github.token }}` | GitHub Token used to authenticate against the repository for Git context       |\n\n#### Outputs\n\nThese outputs are available as `needs.\u003cjob_id\u003e.outputs.*` and can be passed\ndirectly to the [`verify.yml` reusable workflow](.github/workflows/verify.yml)\nwith `builder-outputs: ${{ toJSON(needs.\u003cjob_id\u003e.outputs) }}`.\n\n| Name                     | Type   | Description                                                                  |\n|--------------------------|--------|------------------------------------------------------------------------------|\n| `meta-json`              | JSON   | Metadata JSON output from `docker/metadata-action` (for `image` output)      |\n| `cosign-version`         | String | Cosign version used for verification                                         |\n| `cosign-verify-commands` | List   | Newline-delimited `cosign verify` commands generated when signing is enabled |\n| `artifact-name`          | String | Name of the uploaded merged artifact (for `local` output)                    |\n| `digest`                 | String | Digest of the image pushed or artifact uploaded                              |\n| 
`output-type`            | String | Output type selected for the workflow (`image` or `local`)                   |\n| `signed`                 | Bool   | Whether attestation manifests or local artifacts were signed                 |\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdocker%2Fgithub-builder","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdocker%2Fgithub-builder","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdocker%2Fgithub-builder/lists"}