bake: distributed builds

.github/workflows/.test.yml

@@ -223,6 +223,18 @@ jobs:
               await exec.exec(cmd);
             }
 
+  build-local-single:
+    uses: ./.github/workflows/build.yml
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+    with:
+      output: ${{ github.event_name != 'pull_request' && 'local' || 'cacheonly' }}
+      artifact-name: build-output-single
+      build-file: test/hello.Dockerfile
+      build-sbom: true
+
   bake-aws:
     uses: ./.github/workflows/bake.yml
     permissions:
@@ -279,6 +291,66 @@ jobs:
               await exec.exec(cmd);
             }
 
+  bake-ghcr-and-aws:
+    uses: ./.github/workflows/bake.yml
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+    with:
+      context: test
+      target: hello-cross
+      output: ${{ github.event_name != 'pull_request' && 'registry' || 'cacheonly' }}
+      cache: true
+      cache-scope: bake-aws
+      meta-images: |
+        ghcr.io/docker/github-builder-test
+        public.ecr.aws/q3b5f1u4/test-docker-action
+      meta-tags: |
+        type=raw,value=${{ github.run_id }},prefix=bake-ghcr-and-aws-
+      bake-sbom: true
+    secrets:
+      registry-auths: |
+        - registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+        - registry: public.ecr.aws
+          username: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+
+  bake-ghcr-and-aws-verify:
+    runs-on: ubuntu-latest
+    if: ${{ github.event_name != 'pull_request' }}
+    needs:
+      - bake-ghcr-and-aws
+    steps:
+      -
+        name: Install Cosign
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+        with:
+          cosign-release: ${{ needs.bake-ghcr-and-aws.outputs.cosign-version }}
+      -
+        name: Login to registry
+        uses: docker/login-action@v3
+        with:
+          registry: public.ecr.aws
+          username: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      -
+        name: Verify signatures
+        uses: actions/github-script@v8
+        env:
+          INPUT_COSIGN-VERSION: ${{ needs.bake-ghcr-and-aws.outputs.cosign-version }}
+          INPUT_COSIGN-VERIFY-COMMANDS: ${{ needs.bake-ghcr-and-aws.outputs.cosign-verify-commands }}
+        with:
+          script: |
+            const cosignVersion = core.getInput('cosign-version');
+            core.info(`Cosign version used by Docker GitHub Builder: ${cosignVersion}`);
+            const cosignVerifyCommands = core.getMultilineInput('cosign-verify-commands');
+            for (const cmd of cosignVerifyCommands) {
+              await exec.exec(cmd);
+            }
+
   bake-local:
     uses: ./.github/workflows/bake.yml
     permissions:
@@ -305,10 +377,11 @@ jobs:
         with:
           cosign-release: ${{ needs.bake-local.outputs.cosign-version }}
       -
-        name: Download artifact
+        name: Download artifacts
         uses: actions/download-artifact@v5
         with:
-          name: ${{ needs.bake-local.outputs.artifact-name }}
+          pattern: ${{ needs.bake-local.outputs.artifact-name }}*
+          merge-multiple: true
       -
         name: Verify signatures
         uses: actions/github-script@v8
@@ -323,3 +396,17 @@ jobs:
             for (const cmd of cosignVerifyCommands) {
               await exec.exec(cmd);
             }
+
+  bake-local-single:
+    uses: ./.github/workflows/bake.yml
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+    with:
+      context: test
+      target: hello
+      output: ${{ github.event_name != 'pull_request' && 'local' || 'cacheonly' }}
+      cache: true
+      artifact-name: bake-output-single
+      bake-sbom: true