Get artifact from security.insecure docker

[manio]

Hi,
I have a ready-to-go Dockerfile to run with docker buildx. It uses --allow security.insecure. It is working fine locally creating some output files with docker's "COPY directive".
Now I want create a workflow for this.
My plan is to use checkout then:
docker/setup-buildx-action@v3 - I probably need this for "security.insecure" builder, right?
Then I am wondering what next?
I only want to build it and upload-artifact, so my plan was to use:
build-push-action@v6
and actions/[email protected].
Is this a correct way?

[crazy-max]

docker/setup-buildx-action@v3 - I probably need this for "security.insecure" builder, right?

Builder created with docker/setup-buildx-action sets --allow-insecure-entitlement security.insecure --allow-insecure-entitlement network.host by default, see callout in https://github.com/docker/setup-buildx-action?tab=readme-ov-file#inputs:

If you set the buildkitd-flags input, the default flags (--allow-insecure-entitlement security.insecure --allow-insecure-entitlement network.host)
will be reset. If you want to retain the default behavior, make sure to
include these flags in your custom buildkitd-flags value.

[manio]

I need to do a loop-mount on image.

[manio]

Builder created with docker/setup-buildx-action sets --allow-insecure-entitlement security.insecure --allow-insecure-entitlement network.host by default, see callout in https://github.com/docker/setup-buildx-action?tab=readme-ov-file#inputs:

Great!
So after the setup-buildx-action I need to build-push-action?
I don't need to push it elsewhere in internet - I only want to obtain the output files as assets.

[crazy-max]

I need to do a loop-mount on image.

There is no such thing, what you define as output in https://github.com/manio/aa-proxy-rs/blob/da32f6a95f7263c3b92d1b944c476a4911cfb3dc/.github/workflows/docker-image.yml#L21

    - name: Build and push
      uses: docker/build-push-action@v6
      with:
        tags: manio/aa-proxy-rs:latest
        allow: security.insecure
        outputs: build

Is just the path where build result will be output and in this case will be ./build. So no need security.insecure. This entitlement is just needed if you need to run privileged containers in your Dockerfile (RUN) and doesn't seem you need that looking at your Dockerfile: https://github.com/manio/aa-proxy-rs/blob/da32f6a95f7263c3b92d1b944c476a4911cfb3dc/Dockerfile

[manio]

There is no such thing, what you define as output in

From what I understand this line with output is the equivalent to docker buildx build --output build (https://docs.docker.com/reference/cli/docker/buildx/build/#output), so this means that my output files will end up in the build dir.

Is just the path where build result will be output and in this case will be ./build.

Exactly

So no need security.insecure. This entitlement is just needed if you need to run privileged containers in your Dockerfile (RUN) and doesn't seem you need that looking at your Dockerfile

nope - Look in my Dockerfile - I am running a script. Exactly this one. Without privileged (unsecure) container I've always got:
Permission denied. Are you root? even when I was root.

[crazy-max]

• I am running a script. Exactly this one.

Ah sorry I got confused, thought you were talking about the output as mount. All good then looking at your script

[manio]

Works at first try :)
For interested: https://github.com/manio/aa-proxy-rs/blob/main/.github/workflows/docker-image.yml