add ssh and secrets inputs to build workflow

pexcn · pexcn · commit 3058b622a9bf · 2026-04-22T15:13:13.000+08:00
Expose ssh and secrets inputs in workflow_call and pass them through
to docker/build-push-action.

Set up ssh-agent when ssh is configured so SSH_AUTH_SOCK is available
for BuildKit SSH mounts.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -76,6 +76,10 @@ on:
         type: string
         description: "List of target platforms to build"
         required: false
+      secrets:
+        type: string
+        description: "List of secrets to expose to the build"
+        required: false
       push:
         type: boolean
         description: "Push image to the registry (for image output)"
@@ -90,6 +94,10 @@ on:
         type: string
         description: "Size of /dev/shm (e.g., 2g)"
         required: false
+      ssh:
+        type: string
+        description: "List of SSH agent socket or keys to expose to the build"
+        required: false
       sign:
         type: string
         description: "Sign attestation manifest for image output or artifacts for local output, can be one of auto, true or false. The auto mode will enable signing if push is enabled for pushing the image or if artifact-upload is enabled for uploading the local build output as GitHub Artifact"
@@ -133,6 +141,9 @@ on:
       github-token:
         description: "GitHub Token used to authenticate against the repository for Git context"
         required: false
+      ssh-private-key:
+        description: "SSH private key used to populate SSH_AUTH_SOCK for buildx SSH mounts"
+        required: false
     outputs:
       meta-json:
         description: "Metadata JSON output (for image output)"
@@ -653,6 +664,14 @@ jobs:
         uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
         with:
           registry-auth: ${{ secrets.registry-auths }}
+      -
+        name: Set up ssh-agent
+        if: ${{ inputs.ssh }}
+        shell: bash
+        run: |
+          eval "$(ssh-agent -s)"
+          echo "${{ secrets.ssh-private-key }}" | tr -d '\r' | ssh-add -
+          echo "SSH_AUTH_SOCK=$SSH_AUTH_SOCK" >> "$GITHUB_ENV"
       -
         name: Build
         id: build
@@ -669,8 +688,10 @@ jobs:
           platforms: ${{ steps.prepare.outputs.platform }}
           provenance: ${{ steps.prepare.outputs.provenance }}
           sbom: ${{ steps.prepare.outputs.sbom }}
+          secrets: ${{ inputs.secrets }}
           secret-envs: GIT_AUTH_TOKEN=GIT_AUTH_TOKEN
           shm-size: ${{ inputs.shm-size }}
+          ssh: ${{ inputs.ssh }}
           target: ${{ inputs.target }}
           ulimit: ${{ inputs.ulimit }}
         env:
