chore(deps): Bump github/codeql-action from 4.35.1 to 4.35.3

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.35.1 to 4.35.3.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/c10b8064de6f491fea524254123dbe5e09572f13...e46ed2cbd01164d986452f91f178727624ae40d7)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

.github/dependabot.yml

@@ -19,6 +19,8 @@ updates:
       interval: "daily"
     cooldown:
       default-days: 2
+      exclude:
+        - "@docker/actions-toolkit"
     versioning-strategy: "increase"
     allow:
       - dependency-type: "production"

.github/workflows/.e2e-run.yml

@@ -114,7 +114,7 @@ jobs:
       -
         name: Login to Registry
         if: github.event_name != 'pull_request' && (inputs.type == 'remote' || env.REGISTRY_USER != '')
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
         with:
           registry: ${{ env.REGISTRY_FQDN || inputs.registry }}
           username: ${{ env.REGISTRY_USER || secrets.registry_username }}

.github/workflows/ci.yml

@@ -101,6 +101,57 @@ jobs:
             exit 1
           fi
 
+  git-context-query:
+    runs-on: ubuntu-latest
+    env:
+      BUILDX_SEND_GIT_QUERY_AS_INPUT: true
+    services:
+      registry:
+        image: registry:2.8.3@sha256:a3d8aaa63ed8681a604f1dea0aa03f100d5895b6a58ace528858a7b332415373
+        ports:
+          - 5000:5000
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          path: action
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
+      -
+        name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+        with:
+          version: v0.29.0
+          driver-opts: |
+            network=host
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build and push
+        id: docker_build
+        uses: ./action
+        with:
+          file: ./test/Dockerfile
+          builder: ${{ steps.buildx.outputs.name }}
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: |
+            localhost:5000/name/app:latest
+            localhost:5000/name/app:1.0.0
+      -
+        name: Inspect
+        run: |
+          docker buildx imagetools inspect localhost:5000/name/app:1.0.0 --format '{{json .}}'
+      -
+        name: Check digest
+        run: |
+          if [ -z "${{ steps.docker_build.outputs.digest }}" ]; then
+            echo "::error::Digest should not be empty"
+            exit 1
+          fi
+
   git-context-secret:
     runs-on: ubuntu-latest
     services:
@@ -394,6 +445,29 @@ jobs:
             MYSECRET=foo
             INVALID_SECRET=
 
+  secret-files:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          context: .
+          file: ./test/secret.Dockerfile
+          secret-files: |
+            MYSECRET=./test/secret.txt
+            INVALID_SECRET=
+
   secret-envs:
     runs-on: ubuntu-latest
     steps:
@@ -970,7 +1044,7 @@ jobs:
           buildkitd-flags: --debug
       -
         name: Cache Build
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         with:
           path: /tmp/.buildx-cache
           key: ${{ runner.os }}-local-test-${{ github.sha }}

.github/workflows/codeql.yml

@@ -30,17 +30,17 @@ jobs:
           yarn --version
       -
         name: Set up Node
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: ${{ env.NODE_VERSION }}
       -
         name: Initialize CodeQL
-        uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
+        uses: github/codeql-action/init@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
         with:
           languages: javascript-typescript
           build-mode: none
       -
         name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
+        uses: github/codeql-action/analyze@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
         with:
           category: "/language:javascript-typescript"

.github/workflows/pr-assign-author.yml

@@ -11,7 +11,7 @@ on:
 
 jobs:
   run:
-    uses: crazy-max/.github/.github/workflows/pr-assign-author.yml@bb328ea508cd6a89d0865555ddbeb148e5724aed # v1.3.0
+    uses: crazy-max/.github/.github/workflows/pr-assign-author.yml@64a0bfaf6e6bb1c448d6e4c42b11034ee7094f16 # v1.7.1
     permissions:
       contents: read
       pull-requests: write

.github/workflows/test.yml

@@ -23,7 +23,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Test
-        uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
+        uses: docker/bake-action@a66e1c87e2eca0503c343edf1d208c716d54b8a8 # v7.1.0
         with:
           source: .
           targets: test

.github/workflows/update-dist.yml

@@ -15,13 +15,13 @@ on:
 
 jobs:
   update-dist:
-    if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == github.event.pull_request.head.repo.full_name
+    if: github.actor == 'dependabot[bot]' && github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == github.event.pull_request.head.repo.full_name
     runs-on: ubuntu-latest
     steps:
       -
         name: GitHub auth token from GitHub App
         id: docker-read-app
-        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
         with:
           app-id: ${{ secrets.GHACTIONS_REPO_WRITE_APP_ID }}
           private-key: ${{ secrets.GHACTIONS_REPO_WRITE_APP_PRIVATE_KEY }}
@@ -35,7 +35,7 @@ jobs:
           token: ${{ steps.docker-read-app.outputs.token }}
       -
         name: Build
-        uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
+        uses: docker/bake-action@a66e1c87e2eca0503c343edf1d208c716d54b8a8 # v7.1.0
         with:
           source: .
           targets: build

.github/workflows/validate.yml

@@ -26,7 +26,7 @@ jobs:
       -
         name: Generate matrix
         id: generate
-        uses: docker/bake-action/subaction/matrix@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
+        uses: docker/bake-action/subaction/matrix@a66e1c87e2eca0503c343edf1d208c716d54b8a8 # v7.1.0
         with:
           target: validate
 
@@ -41,6 +41,6 @@ jobs:
     steps:
       -
         name: Validate
-        uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
+        uses: docker/bake-action@a66e1c87e2eca0503c343edf1d208c716d54b8a8 # v7.1.0
         with:
           targets: ${{ matrix.target }}

.github/workflows/zizmor.yml

@@ -19,7 +19,7 @@ on:
 
 jobs:
   zizmor:
-    uses: crazy-max/.github/.github/workflows/zizmor.yml@bb328ea508cd6a89d0865555ddbeb148e5724aed # v1.3.0
+    uses: crazy-max/.github/.github/workflows/zizmor.yml@64a0bfaf6e6bb1c448d6e4c42b11034ee7094f16 # v1.7.1
     permissions:
       contents: read
       security-events: write

.github/zizmor.yml

@@ -1,3 +0,0 @@
-rules:
-  secrets-outside-env: # FIXME: remove this rule when zizmor 1.24.0 is released, fixing the right persona attached to this rule: https://github.com/zizmorcore/zizmor/pull/1783
-    disable: true

__tests__/context.test.ts

@@ -12,8 +12,6 @@ import {Toolkit} from '@docker/actions-toolkit/lib/toolkit.js';
 
 import {BuilderInfo} from '@docker/actions-toolkit/lib/types/buildx/builder.js';
 
-import * as context from '../src/context.js';
-
 const tmpDir = fs.mkdtempSync(path.join(process.env.TEMP || os.tmpdir(), 'context-'));
 const tmpName = path.join(tmpDir, '.tmpname-vi');
 const fixturesDir = path.join(__dirname, 'fixtures');
@@ -52,6 +50,53 @@ vi.spyOn(Builder.prototype, 'inspect').mockImplementation(async (): Promise<Buil
   };
 });
 
+describe('getInputs', () => {
+  const originalEnv = process.env;
+
+  beforeEach(() => {
+    process.env = Object.keys(process.env).reduce((object, key) => {
+      if (!key.startsWith('INPUT_')) {
+        object[key] = process.env[key];
+      }
+      return object;
+    }, {});
+  });
+
+  afterEach(() => {
+    process.env = originalEnv;
+  });
+
+  function setRequiredBooleanInputs(): void {
+    setInput('load', 'false');
+    setInput('no-cache', 'false');
+    setInput('push', 'false');
+    setInput('pull', 'false');
+  }
+
+  test('uses Build git context when context input is empty', async () => {
+    const gitContext = 'https://github.com/docker/build-push-action.git?ref=refs/heads/master';
+    const gitContextSpy = vi.spyOn(Build.prototype, 'gitContext').mockResolvedValue(gitContext);
+    setRequiredBooleanInputs();
+    const context = await loadContextModule();
+    const inputs = await context.getInputs();
+    expect(inputs.context).toBe(gitContext);
+    expect(gitContextSpy).toHaveBeenCalledTimes(1);
+    gitContextSpy.mockRestore();
+  });
+
+  test('renders defaultContext templates from Build git context', async () => {
+    const gitContext = 'https://github.com/docker/build-push-action.git#refs/heads/master';
+    const gitContextSpy = vi.spyOn(Build.prototype, 'gitContext').mockResolvedValue(gitContext);
+    setRequiredBooleanInputs();
+    setInput('context', '{{defaultContext}}:subdir');
+    const context = await loadContextModule();
+    const inputs = await context.getInputs();
+    expect(inputs.context).toBe(`${gitContext}:subdir`);
+    expect(gitContextSpy).toHaveBeenCalledTimes(1);
+    gitContextSpy.mockRestore();
+  });
+});
+
 describe('getArgs', () => {
   const originalEnv = process.env;
   beforeEach(() => {
@@ -344,7 +389,7 @@ ccc`],
         'build',
         '--file', './test/Dockerfile',
         '--iidfile', imageIDFilePath,
-        '--secret', `id=MY_SECRET,src=${tmpName}`,
+        '--secret', `id=MY_SECRET,src=${path.join(fixturesDir, 'secret.txt')}`,
         '--builder', 'builder-git-context-2',
         '--network', 'host',
         '--push',
@@ -888,6 +933,46 @@ ANOTHER_SECRET=ANOTHER_SECRET_ENV`]
         ['GITHUB_SERVER_URL', 'https://github.cds.internal.unity3d.com'],
       ])
     ],
+    [
+      37,
+      '0.29.0',
+      new Map<string, string>([
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+      ]),
+      [
+        'build',
+        '--iidfile', imageIDFilePath,
+        '--attest', `type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
+        '--metadata-file', metadataJson,
+        'https://github.com/docker/build-push-action.git?ref=refs/heads/master'
+      ],
+      new Map<string, string>([
+        ['BUILDX_SEND_GIT_QUERY_AS_INPUT', 'true']
+      ])
+    ],
+    [
+      38,
+      '0.28.0',
+      new Map<string, string>([
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+      ]),
+      [
+        'build',
+        '--iidfile', imageIDFilePath,
+        '--attest', `type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
+        '--metadata-file', metadataJson,
+        'https://github.com/docker/build-push-action.git#refs/heads/master'
+      ],
+      new Map<string, string>([
+        ['BUILDX_SEND_GIT_QUERY_AS_INPUT', 'true']
+      ])
+    ],
   ])(
     '[%d] given %o with %o as inputs, returns %o',
     async (num: number, buildxVersion: string, inputs: Map<string, string>, expected: Array<string>, envs: Map<string, string> | undefined) => {
@@ -903,6 +988,7 @@ ANOTHER_SECRET=ANOTHER_SECRET_ENV`]
       vi.spyOn(Buildx.prototype, 'version').mockImplementation(async (): Promise<string> => {
         return buildxVersion;
       });
+      const context = await loadContextModule();
       const inp = await context.getInputs();
       const res = await context.getArgs(inp, toolkit);
       expect(res).toEqual(expected);
@@ -918,3 +1004,8 @@ function getInputName(name: string): string {
 function setInput(name: string, value: string): void {
   process.env[getInputName(name)] = value;
 }
+
+async function loadContextModule(): Promise<typeof import('../src/context.js')> {
+  vi.resetModules();
+  return await import('../src/context.js');
+}

action.yml

@@ -122,5 +122,5 @@ outputs:
 
 runs:
   using: 'node24'
-  main: 'dist/index.js'
+  main: 'dist/index.cjs'
-  post: 'dist/index.js'
+  post: 'dist/index.cjs'

dist/606.index.js

@@ -1,301 +0,0 @@
-export const id = 606;
-export const ids = [606];
-export const modules = {
-
-/***/ 606:
-/***/ ((__unused_webpack___webpack_module__, __webpack_exports__, __webpack_require__) => {
-
-/* harmony export */ __webpack_require__.d(__webpack_exports__, {
-/* harmony export */   "default": () => (/* binding */ pMap)
-/* harmony export */ });
-/* unused harmony exports pMapIterable, pMapSkip */
-async function pMap(
-	iterable,
-	mapper,
-	{
-		concurrency = Number.POSITIVE_INFINITY,
-		stopOnError = true,
-		signal,
-	} = {},
-) {
-	return new Promise((resolve_, reject_) => {
-		if (iterable[Symbol.iterator] === undefined && iterable[Symbol.asyncIterator] === undefined) {
-			throw new TypeError(`Expected \`input\` to be either an \`Iterable\` or \`AsyncIterable\`, got (${typeof iterable})`);
-		}
-
-		if (typeof mapper !== 'function') {
-			throw new TypeError('Mapper function is required');
-		}
-
-		if (!((Number.isSafeInteger(concurrency) && concurrency >= 1) || concurrency === Number.POSITIVE_INFINITY)) {
-			throw new TypeError(`Expected \`concurrency\` to be an integer from 1 and up or \`Infinity\`, got \`${concurrency}\` (${typeof concurrency})`);
-		}
-
-		const result = [];
-		const errors = [];
-		const skippedIndexesMap = new Map();
-		let isRejected = false;
-		let isResolved = false;
-		let isIterableDone = false;
-		let resolvingCount = 0;
-		let currentIndex = 0;
-		const iterator = iterable[Symbol.iterator] === undefined ? iterable[Symbol.asyncIterator]() : iterable[Symbol.iterator]();
-
-		const signalListener = () => {
-			reject(signal.reason);
-		};
-
-		const cleanup = () => {
-			signal?.removeEventListener('abort', signalListener);
-		};
-
-		const resolve = value => {
-			resolve_(value);
-			cleanup();
-		};
-
-		const reject = reason => {
-			isRejected = true;
-			isResolved = true;
-			reject_(reason);
-			cleanup();
-		};
-
-		if (signal) {
-			if (signal.aborted) {
-				reject(signal.reason);
-			}
-
-			signal.addEventListener('abort', signalListener, {once: true});
-		}
-
-		const next = async () => {
-			if (isResolved) {
-				return;
-			}
-
-			const nextItem = await iterator.next();
-
-			const index = currentIndex;
-			currentIndex++;
-
-			// Note: `iterator.next()` can be called many times in parallel.
-			// This can cause multiple calls to this `next()` function to
-			// receive a `nextItem` with `done === true`.
-			// The shutdown logic that rejects/resolves must be protected
-			// so it runs only one time as the `skippedIndex` logic is
-			// non-idempotent.
-			if (nextItem.done) {
-				isIterableDone = true;
-
-				if (resolvingCount === 0 && !isResolved) {
-					if (!stopOnError && errors.length > 0) {
-						reject(new AggregateError(errors)); // eslint-disable-line unicorn/error-message
-						return;
-					}
-
-					isResolved = true;
-
-					if (skippedIndexesMap.size === 0) {
-						resolve(result);
-						return;
-					}
-
-					const pureResult = [];
-
-					// Support multiple `pMapSkip`'s.
-					for (const [index, value] of result.entries()) {
-						if (skippedIndexesMap.get(index) === pMapSkip) {
-							continue;
-						}
-
-						pureResult.push(value);
-					}
-
-					resolve(pureResult);
-				}
-
-				return;
-			}
-
-			resolvingCount++;
-
-			// Intentionally detached
-			(async () => {
-				try {
-					const element = await nextItem.value;
-
-					if (isResolved) {
-						return;
-					}
-
-					const value = await mapper(element, index);
-
-					// Use Map to stage the index of the element.
-					if (value === pMapSkip) {
-						skippedIndexesMap.set(index, value);
-					}
-
-					result[index] = value;
-
-					resolvingCount--;
-					await next();
-				} catch (error) {
-					if (stopOnError) {
-						reject(error);
-					} else {
-						errors.push(error);
-						resolvingCount--;
-
-						// In that case we can't really continue regardless of `stopOnError` state
-						// since an iterable is likely to continue throwing after it throws once.
-						// If we continue calling `next()` indefinitely we will likely end up
-						// in an infinite loop of failed iteration.
-						try {
-							await next();
-						} catch (error) {
-							reject(error);
-						}
-					}
-				}
-			})();
-		};
-
-		// Create the concurrent runners in a detached (non-awaited)
-		// promise. We need this so we can await the `next()` calls
-		// to stop creating runners before hitting the concurrency limit
-		// if the iterable has already been marked as done.
-		// NOTE: We *must* do this for async iterators otherwise we'll spin up
-		// infinite `next()` calls by default and never start the event loop.
-		(async () => {
-			for (let index = 0; index < concurrency; index++) {
-				try {
-					// eslint-disable-next-line no-await-in-loop
-					await next();
-				} catch (error) {
-					reject(error);
-					break;
-				}
-
-				if (isIterableDone || isRejected) {
-					break;
-				}
-			}
-		})();
-	});
-}
-
-function pMapIterable(
-	iterable,
-	mapper,
-	{
-		concurrency = Number.POSITIVE_INFINITY,
-		backpressure = concurrency,
-	} = {},
-) {
-	if (iterable[Symbol.iterator] === undefined && iterable[Symbol.asyncIterator] === undefined) {
-		throw new TypeError(`Expected \`input\` to be either an \`Iterable\` or \`AsyncIterable\`, got (${typeof iterable})`);
-	}
-
-	if (typeof mapper !== 'function') {
-		throw new TypeError('Mapper function is required');
-	}
-
-	if (!((Number.isSafeInteger(concurrency) && concurrency >= 1) || concurrency === Number.POSITIVE_INFINITY)) {
-		throw new TypeError(`Expected \`concurrency\` to be an integer from 1 and up or \`Infinity\`, got \`${concurrency}\` (${typeof concurrency})`);
-	}
-
-	if (!((Number.isSafeInteger(backpressure) && backpressure >= concurrency) || backpressure === Number.POSITIVE_INFINITY)) {
-		throw new TypeError(`Expected \`backpressure\` to be an integer from \`concurrency\` (${concurrency}) and up or \`Infinity\`, got \`${backpressure}\` (${typeof backpressure})`);
-	}
-
-	return {
-		async * [Symbol.asyncIterator]() {
-			const iterator = iterable[Symbol.asyncIterator] === undefined ? iterable[Symbol.iterator]() : iterable[Symbol.asyncIterator]();
-
-			const promises = [];
-			let pendingPromisesCount = 0;
-			let isDone = false;
-			let index = 0;
-
-			function trySpawn() {
-				if (isDone || !(pendingPromisesCount < concurrency && promises.length < backpressure)) {
-					return;
-				}
-
-				pendingPromisesCount++;
-
-				const promise = (async () => {
-					const {done, value} = await iterator.next();
-
-					if (done) {
-						pendingPromisesCount--;
-						return {done: true};
-					}
-
-					// Spawn if still below concurrency and backpressure limit
-					trySpawn();
-
-					try {
-						const returnValue = await mapper(await value, index++);
-
-						pendingPromisesCount--;
-
-						if (returnValue === pMapSkip) {
-							const index = promises.indexOf(promise);
-
-							if (index > 0) {
-								promises.splice(index, 1);
-							}
-						}
-
-						// Spawn if still below backpressure limit and just dropped below concurrency limit
-						trySpawn();
-
-						return {done: false, value: returnValue};
-					} catch (error) {
-						pendingPromisesCount--;
-						isDone = true;
-						return {error};
-					}
-				})();
-
-				promises.push(promise);
-			}
-
-			trySpawn();
-
-			while (promises.length > 0) {
-				const {error, done, value} = await promises[0]; // eslint-disable-line no-await-in-loop
-
-				promises.shift();
-
-				if (error) {
-					throw error;
-				}
-
-				if (done) {
-					return;
-				}
-
-				// Spawn if just dropped below backpressure limit and below the concurrency limit
-				trySpawn();
-
-				if (value === pMapSkip) {
-					continue;
-				}
-
-				yield value;
-			}
-		},
-	};
-}
-
-const pMapSkip = Symbol('skip');
-
-
-/***/ })
-
-};
-
-//# sourceMappingURL=606.index.js.map

dist/package.json

@@ -1,3 +0,0 @@
-{
-  "type": "module"
-}

package.json

@@ -4,10 +4,11 @@
   "type": "module",
   "main": "src/main.ts",
   "scripts": {
-    "build": "ncc build --source-map --minify --license licenses.txt",
+    "build": "esbuild src/main.ts --bundle --platform=node --target=node24 --format=cjs --outfile=dist/index.cjs --sourcemap --minify && yarn run license",
     "lint": "eslint --max-warnings=0 .",
     "format": "eslint --fix .",
-    "test": "vitest run"
+    "test": "vitest run",
+    "license": "generate-license-file --input package.json --output dist/licenses.txt --overwrite --ci --no-spinner --eol lf"
   },
   "repository": {
     "type": "git",
@@ -24,20 +25,21 @@
   "packageManager": "yarn@4.9.2",
   "dependencies": {
     "@actions/core": "^3.0.0",
-    "@docker/actions-toolkit": "0.79.0",
+    "@docker/actions-toolkit": "0.87.0",
-    "handlebars": "^4.7.7"
+    "handlebars": "^4.7.9"
   },
   "devDependencies": {
     "@eslint/js": "^9.39.3",
     "@types/node": "^24.11.0",
     "@typescript-eslint/eslint-plugin": "^8.56.1",
     "@typescript-eslint/parser": "^8.56.1",
-    "@vercel/ncc": "^0.38.4",
     "@vitest/coverage-v8": "^4.0.18",
     "@vitest/eslint-plugin": "^1.6.9",
+    "esbuild": "^0.28.0",
     "eslint": "^9.39.3",
     "eslint-config-prettier": "^10.1.8",
     "eslint-plugin-prettier": "^5.5.5",
+    "generate-license-file": "^4.1.1",
     "globals": "^17.3.0",
     "prettier": "^3.8.1",
     "typescript": "^5.9.3",

src/context.ts

@@ -2,11 +2,17 @@ import * as core from '@actions/core';
 import * as handlebars from 'handlebars';
 
 import {Build} from '@docker/actions-toolkit/lib/buildx/build.js';
-import {Context} from '@docker/actions-toolkit/lib/context.js';
 import {GitHub} from '@docker/actions-toolkit/lib/github/github.js';
 import {Toolkit} from '@docker/actions-toolkit/lib/toolkit.js';
 import {Util} from '@docker/actions-toolkit/lib/util.js';
 
+let defaultContextPromise: Promise<string> | undefined;
+
+async function getDefaultContext(): Promise<string> {
+  defaultContextPromise ??= new Build().gitContext();
+  return await defaultContextPromise;
+}
+
 export interface Inputs {
   'add-hosts': string[];
   allow: string[];
@@ -44,6 +50,7 @@ export interface Inputs {
 }
 
 export async function getInputs(): Promise<Inputs> {
+  const defaultContext = await getDefaultContext();
   return {
     'add-hosts': Util.getInputList('add-hosts'),
     allow: Util.getInputList('allow'),
@@ -56,7 +63,7 @@ export async function getInputs(): Promise<Inputs> {
     'cache-to': Util.getInputList('cache-to', {ignoreComma: true}),
     call: core.getInput('call'),
     'cgroup-parent': core.getInput('cgroup-parent'),
-    context: core.getInput('context') || Context.gitContext(),
+    context: handlebars.compile(core.getInput('context'))({defaultContext}) || defaultContext,
     file: core.getInput('file'),
     labels: Util.getInputList('labels', {ignoreComma: true}),
     load: core.getBooleanInput('load'),
@@ -82,18 +89,17 @@ export async function getInputs(): Promise<Inputs> {
 }
 
 export async function getArgs(inputs: Inputs, toolkit: Toolkit): Promise<Array<string>> {
-  const context = handlebars.compile(inputs.context)({
-    defaultContext: Context.gitContext()
-  });
   // prettier-ignore
   return [
-    ...await getBuildArgs(inputs, context, toolkit),
+    ...await getBuildArgs(inputs, inputs.context, toolkit),
     ...await getCommonArgs(inputs, toolkit),
-    context
+    inputs.context
   ];
 }
 
 async function getBuildArgs(inputs: Inputs, context: string, toolkit: Toolkit): Promise<Array<string>> {
+  const defaultContext = await getDefaultContext();
+
   const args: Array<string> = ['build'];
   await Util.asyncForEach(inputs['add-hosts'], async addHost => {
     args.push('--add-host', addHost);
@@ -116,7 +122,7 @@ async function getBuildArgs(inputs: Inputs, context: string, toolkit: Toolkit):
       args.push(
         '--build-context',
         handlebars.compile(buildContext)({
-          defaultContext: Context.gitContext()
+          defaultContext: defaultContext
         })
       );
     });
@@ -182,7 +188,7 @@ async function getBuildArgs(inputs: Inputs, context: string, toolkit: Toolkit):
       core.warning(err.message);
     }
   });
-  if (inputs['github-token'] && !Build.hasGitAuthTokenSecret(inputs.secrets) && context.startsWith(Context.gitContext())) {
+  if (inputs['github-token'] && !Build.hasGitAuthTokenSecret(inputs.secrets) && context.startsWith(defaultContext)) {
     args.push('--secret', Build.resolveSecretString(`GIT_AUTH_TOKEN.${new URL(GitHub.serverURL).host.trimEnd()}=${inputs['github-token']}`));
   }
   if (inputs['shm-size']) {

test/secret.txt

@@ -0,0 +1 @@
+foo