diff --git a/__tests__/context.test.ts b/__tests__/context.test.ts
index cb3f31c..f5f8cd5 100644
--- a/__tests__/context.test.ts
+++ b/__tests__/context.test.ts
@@ -95,6 +95,25 @@ describe('getInputs', () => {
     expect(gitContextSpy).toHaveBeenCalledTimes(1);
     gitContextSpy.mockRestore();
   });
+
+  test('requests untrimmed secrets input explicitly', async () => {
+    const gitContext = 'https://github.com/docker/build-push-action.git#refs/heads/master';
+    const gitContextSpy = vi.spyOn(Build.prototype, 'gitContext').mockResolvedValue(gitContext);
+    const getInputList = vi.fn().mockReturnValue([]);
+    vi.resetModules();
+    vi.doMock('@docker/actions-toolkit/lib/util.js', () => ({
+      Util: {
+        getInputList
+      }
+    }));
+    setRequiredBooleanInputs();
+    setInput('secrets', `"PRIVATE_SSH_KEY=test\n\n"`);
+    const context = await import('../src/context.js');
+    await context.getInputs();
+    expect(getInputList).toHaveBeenCalledWith('secrets', {ignoreComma: true, trimWhitespace: false});
+    vi.doUnmock('@docker/actions-toolkit/lib/util.js');
+    gitContextSpy.mockRestore();
+  });
 });
 
 describe('getArgs', () => {
diff --git a/dist/index.cjs b/dist/index.cjs
index 0c059f4..675f021 100644
--- a/dist/index.cjs
+++ b/dist/index.cjs
@@ -304,7 +304,7 @@ EOT
 
 FROM scratch
 COPY --from=builder /out /
-`;var k8=class t{githubToken;buildx;sigstore;constructor(e){this.githubToken=e?.githubToken||process.env.GITHUB_TOKEN,this.buildx=e?.buildx||new gr,this.sigstore=e?.sigstore||new lg}async download(e){let r=await t.getDownloadVersion(e.version);le(`Install.download version: ${r.version}`);let i=await t.getRelease(r,this.githubToken);le(`Install.download release tag name: ${i.tag_name}`);let n=await this.vspec(i.tag_name);le(`Install.download vspec: ${n}`);let s=wB.clean(n)||"";if(!wB.valid(s))throw new Error(`Invalid Cosign version "${n}".`);let o=new Kn({htcName:"cosign-dl-bin",htcVersion:n,baseCacheDir:bB.default.join(zu.default.homedir(),".bin"),cacheFile:zu.default.platform()=="win32"?"cosign.exe":"cosign",ghaNoCache:e.ghaNoCache}),a=await o.find();if(a)return ae(`Cosign binary found in ${a}`),a;let c=ope.format(r.downloadURL,n,this.filename());ae(`Downloading ${c}`);let l=await Kc(c,void 0,this.githubToken);le(`Install.download htcDownloadPath: ${l}`),e.verifySignature&&wB.satisfies(n,">=3.0.1")&&await this.verifySignature(l,c);let u=await o.save(l,e.skipState);return ae(`Cached to ${u}`),u}async build(e,r,i){let n=await this.vspec(e);le(`Install.build vspec: ${n}`);let s=new Kn({htcName:"cosign-build-bin",htcVersion:n,baseCacheDir:bB.default.join(zu.default.homedir(),".bin"),cacheFile:zu.default.platform()=="win32"?"cosign.exe":"cosign",ghaNoCache:r}),o=await s.find();if(o)return ae(`Cosign binary found in ${o}`),o;let a=bB.default.join(Zt.tmpDir(),"cosign-build-cache"),c=await this.buildCommand(e,a),l=await nt.getExecOutput(c.command,c.args,{ignoreReturnCode:!0,input:Buffer.from(Yit)}).then(f=>{if(f.stderr.length>0&&f.exitCode!=0)throw new Error(`build failed with: ${f.stderr.match(/(.*)\s*$/)?.[0]?.trim()??"unknown error"}`);return`${a}/cosign`}),u=await s.save(l,i);return ae(`Cached to ${u}`),u}async install(e,r){r=r||Zt.tmpDir();let i=bB.default.join(r,"cosign-bin");X1.default.existsSync(i)||X1.default.mkdirSync(i,{recursive:!0});let n=zu.default.platform()=="win32"?"cosign.exe":"cosign",s=bB.default.join(i,n);return X1.default.copyFileSync(e,s),ae("Fixing perms"),X1.default.chmodSync(s,"0755"),af(i),ae("Added Cosign to PATH"),ae(`Binary path: ${s}`),s}async buildCommand(e,r){let i=await new gr({standalone:!0}).isAvailable(),n=await new gr({standalone:!1}).isAvailable(),s=!1;if(await this.buildx.isStandalone()&&i)le("Install.buildCommand: Buildx standalone found, build with it"),s=!0;else if(!await this.buildx.isStandalone()&&n)le("Install.buildCommand: Buildx plugin found, build with it"),s=!1;else if(i)le("Install.buildCommand: Buildx plugin not found, but standalone found so trying to build with it"),s=!0;else if(n)le("Install.buildCommand: Buildx standalone not found, but plugin found so trying to build with it"),s=!1;else throw new Error(`Neither buildx standalone or plugin have been found to build from ref ${e}`);let o=["build","--platform","local","--build-arg","BUILDKIT_CONTEXT_KEEP_GIT_DIR=1","--output",`type=local,dest=${r}`];return process.env.GIT_AUTH_TOKEN&&o.push("--secret","id=GIT_AUTH_TOKEN"),o.push("-f-",e),await new gr({standalone:s}).getCommand(o)}async verifySignature(e,r){let i=`${r}.sigstore.json`;ae(`Downloading keyless verification bundle at ${i}`);let n=await Kc(i,void 0,this.githubToken);le(`Install.verifySignature bundlePath: ${n}`);let s=await this.sigstore.verifyArtifact(e,n,{subjectAlternativeName:"keyless@projectsigstore.iam.gserviceaccount.com",issuer:"https://accounts.google.com"});ae(`Cosign binary signature verified! ${s.tlogID?`${D0}?logIndex=${s.tlogID}`:""}`)}filename(){let e;switch(zu.default.arch()){case"x64":{e="amd64";break}case"ppc64":{e="ppc64le";break}default:{e=zu.default.arch();break}}let r=zu.default.platform()=="win32"?"windows":zu.default.platform(),i=zu.default.platform()=="win32"?".exe":"";return ope.format("cosign-%s-%s%s",r,e,i)}async vspec(e){if(!Be.isValidRef(e)){let l=e.replace(/^v+|v+$/g,"");return ae(`Use ${l} version spec cache key for ${e}`),l}let[r,i]=e.split("#");i.length==0&&(i="master");let n;i.match(/^[0-9a-fA-F]{40}$/)?n=i:n=await MI.remoteSha(r,i,process.env.GIT_AUTH_TOKEN);let[s,o]=r.substring(19).split("/"),a=`${s}/${Be.trimSuffix(o,".git")}/${n}`,c=Be.hash(a);return ae(`Use ${c} version spec cache key for ${a}`),c}static async getDownloadVersion(e){return{version:e,downloadURL:"https://github.com/sigstore/cosign/releases/download/v%s/%s",contentOpts:{owner:"docker",repo:"actions-toolkit",ref:"main",path:".github/cosign-releases.json"}}}static async getRelease(e,r){let n=await new Ot({token:r}).releases("Cosign",e.contentOpts);if(!n[e.version])throw new Error(`Cannot find Cosign release ${e.version} in releases JSON`);return n[e.version]}};var Kit=q(Iu(),1);var Q8=class{binPath;_version;_versionOnce;constructor(e){this.binPath=e?.binPath||"regctl",this._version="",this._versionOnce=!1}async blobGet(e){return await nt.getExecOutput(this.binPath,["blob","get",e.repository,e.digest],{ignoreReturnCode:!0,silent:!0}).then(r=>{if(r.stderr.length>0&&r.exitCode!=0)throw new Error(r.stderr.trim());return r.stdout})}async manifestGet(e){return await nt.getExecOutput(this.binPath,["manifest","get",e.image,`--platform=${e.platform??"local"}`,"--format={{json .}}"],{ignoreReturnCode:!0,silent:!0}).then(r=>{if(r.stderr.length>0&&r.exitCode!=0)throw new Error(r.stderr.trim());return JSON.parse(r.stdout.trim())})}async isAvailable(){let e=await nt.getExecOutput(this.binPath,[],{ignoreReturnCode:!0,silent:!0}).then(r=>r.stderr.length>0&&r.exitCode!=0?(le(`Regctl.isAvailable cmd err: ${r.stderr.trim()}`),!1):r.exitCode==0).catch(r=>(le(`Regctl.isAvailable error: ${r}`),!1));return le(`Regctl.isAvailable: ${e}`),e}async version(){return this._versionOnce?this._version:(this._versionOnce=!0,this._version=await nt.getExecOutput(this.binPath,["version","--format","{{.VCSTag}}"],{ignoreReturnCode:!0,silent:!0}).then(e=>{if(e.stderr.length>0&&e.exitCode!=0)throw new Error(e.stderr.trim());return e.stdout.trim()}),this._version)}async printVersion(){await nt.exec(this.binPath,["version"],{failOnStdErr:!1})}async versionSatisfies(e,r){let i=r??await this.version();if(!i)return le("Regctl.versionSatisfies false: undefined version"),!1;let n=Kit.satisfies(i,e)||/^[0-9a-f]{7}$/.exec(i)!==null;return le(`Regctl.versionSatisfies ${i} statisfies ${e}: ${n}`),n}};var Z1=q(require("fs"),1),em=q(require("os"),1),L8=q(require("path"),1);var M8=q(Iu(),1),ape=q(require("util"),1);var F8=class t{githubToken;constructor(e){this.githubToken=e?.githubToken||process.env.GITHUB_TOKEN}async download(e,r){let i=await t.getDownloadVersion(e);le(`Install.download version: ${i.version}`);let n=await t.getRelease(i,this.githubToken);le(`Install.download release tag name: ${n.tag_name}`);let s=await this.vspec(n.tag_name);le(`Install.download vspec: ${s}`);let o=M8.clean(s)||"";if(!M8.valid(o))throw new Error(`Invalid regclient version "${s}".`);let a=new Kn({htcName:"regctl-dl-bin",htcVersion:s,baseCacheDir:L8.default.join(em.default.homedir(),".bin"),cacheFile:em.default.platform()=="win32"?"regctl.exe":"regctl",ghaNoCache:r}),c=await a.find();if(c)return ae(`regctl binary found in ${c}`),c;let l=ape.format(i.downloadURL,s,this.filename());ae(`Downloading ${l}`);let u=await Kc(l,void 0,this.githubToken);le(`Install.download htcDownloadPath: ${u}`);let f=await a.save(u);return ae(`Cached to ${f}`),f}async install(e,r){r=r||Zt.tmpDir();let i=L8.default.join(r,"regctl-bin");Z1.default.existsSync(i)||Z1.default.mkdirSync(i,{recursive:!0});let n=em.default.platform()=="win32"?"regctl.exe":"regctl",s=L8.default.join(i,n);return Z1.default.copyFileSync(e,s),ae("Fixing perms"),Z1.default.chmodSync(s,"0755"),af(i),ae("Added regctl to PATH"),ae(`Binary path: ${s}`),s}filename(){let e;switch(em.default.arch()){case"x64":{e="amd64";break}case"ppc64":{e="ppc64le";break}case"arm":{let n=process.config.variables.arm_version;e=n?"armv"+n:"arm";break}default:{e=em.default.arch();break}}let r=em.default.platform()=="win32"?"windows":em.default.platform(),i=em.default.platform()=="win32"?".exe":"";return ape.format("regctl-%s-%s%s",r,e,i)}async vspec(e){let r=e.replace(/^v+|v+$/g,"");return ae(`Use ${r} version spec cache key for ${e}`),r}static async getDownloadVersion(e){return{version:e,downloadURL:"https://github.com/regclient/regclient/releases/download/v%s/%s",contentOpts:{owner:"docker",repo:"actions-toolkit",ref:"main",path:".github/regclient-releases.json"}}}static async getRelease(e,r){let n=await new Ot({token:r}).releases("regclient",e.contentOpts);if(!n[e.version])throw new Error(`Cannot find regclient release ${e.version} in releases JSON`);return n[e.version]}};var Xit=q(Iu(),1);var U8=class{binPath;_version;_versionOnce;constructor(e){this.binPath=e?.binPath||"undock",this._version="",this._versionOnce=!1}async run(e){if(!e.source)throw new Error("source is required");if(!e.dist)throw new Error("dist is required");let r=[];e.logLevel&&r.push(`--log-level=${e.logLevel}`),e.logCaller&&r.push("--log-caller"),e.cacheDir&&r.push(`--cachedir=${e.cacheDir}`),e.platform&&r.push(`--platform=${e.platform}`),e.all&&r.push("--all"),e.include&&e.include.forEach(i=>{r.push(`--include=${i}`)}),e.insecure&&r.push("--insecure"),e.rmDist&&r.push("--rm-dist"),e.wrap&&r.push("--wrap"),r.push(e.source,e.dist),await nt.exec(this.binPath,r,{failOnStdErr:!1})}async isAvailable(){let e=await nt.getExecOutput(this.binPath,[],{ignoreReturnCode:!0,silent:!0}).then(r=>r.stderr.length>0&&r.exitCode!=0?(le(`Undock.isAvailable cmd err: ${r.stderr.trim()}`),!1):r.exitCode==0).catch(r=>(le(`Undock.isAvailable error: ${r}`),!1));return le(`Undock.isAvailable: ${e}`),e}async version(){return this._versionOnce?this._version:(this._versionOnce=!0,this._version=await nt.getExecOutput(this.binPath,["--version"],{ignoreReturnCode:!0,silent:!0}).then(e=>{if(e.stderr.length>0&&e.exitCode!=0)throw new Error(e.stderr.trim());return e.stdout.trim()}),this._version)}async printVersion(){await nt.exec(this.binPath,["--version"],{failOnStdErr:!1})}async versionSatisfies(e,r){let i=r??await this.version();if(!i)return le("Undock.versionSatisfies false: undefined version"),!1;let n=Xit.satisfies(i,e)||/^[0-9a-f]{7}$/.exec(i)!==null;return le(`Undock.versionSatisfies ${i} statisfies ${e}: ${n}`),n}};var e2=q(require("fs"),1),Vu=q(require("os"),1),t2=q(require("path"),1);var G8=q(Iu(),1),cpe=q(require("util"),1);var q8=class t{githubToken;constructor(e){this.githubToken=e?.githubToken||process.env.GITHUB_TOKEN}async download(e,r){let i=await t.getDownloadVersion(e);le(`Install.download version: ${i.version}`);let n=await t.getRelease(i,this.githubToken);le(`Install.download release tag name: ${n.tag_name}`);let s=await this.vspec(n.tag_name);le(`Install.download vspec: ${s}`);let o=G8.clean(s)||"";if(!G8.valid(o))throw new Error(`Invalid Undock version "${s}".`);let a=new Kn({htcName:"undock-dl-bin",htcVersion:s,baseCacheDir:t2.default.join(Vu.default.homedir(),".bin"),cacheFile:Vu.default.platform()=="win32"?"undock.exe":"undock",ghaNoCache:r}),c=await a.find();if(c)return ae(`Undock binary found in ${c}`),c;let l=cpe.format(i.downloadURL,s,this.filename(s));ae(`Downloading ${l}`);let u=await Kc(l,void 0,this.githubToken);le(`Install.download htcDownloadPath: ${u}`);let f;Vu.default.platform()=="win32"?f=await bSe(u):f=await ESe(u),ae(`Extracted to ${f}`);let h=t2.default.join(f,Vu.default.platform()=="win32"?"undock.exe":"undock");le(`Install.download exePath: ${h}`);let d=await a.save(h);return ae(`Cached to ${d}`),d}async install(e,r){r=r||Zt.tmpDir();let i=t2.default.join(r,"undock-bin");e2.default.existsSync(i)||e2.default.mkdirSync(i,{recursive:!0});let n=Vu.default.platform()=="win32"?"undock.exe":"undock",s=t2.default.join(i,n);return e2.default.copyFileSync(e,s),ae("Fixing perms"),e2.default.chmodSync(s,"0755"),af(i),ae("Added Undock to PATH"),ae(`Binary path: ${s}`),s}filename(e){let r;switch(Vu.default.arch()){case"x64":{r="amd64";break}case"ppc64":{r="ppc64le";break}case"arm":{let s=process.config.variables.arm_version;r=s?"armv"+s:"arm";break}default:{r=Vu.default.arch();break}}let i=Vu.default.platform()=="win32"?"windows":Vu.default.platform(),n=Vu.default.platform()=="win32"?".zip":".tar.gz";return cpe.format("undock_%s_%s_%s%s",e,i,r,n)}async vspec(e){let r=e.replace(/^v+|v+$/g,"");return ae(`Use ${r} version spec cache key for ${e}`),r}static async getDownloadVersion(e){return{version:e,downloadURL:"https://github.com/crazy-max/undock/releases/download/v%s/%s",contentOpts:{owner:"docker",repo:"actions-toolkit",ref:"main",path:".github/undock-releases.json"}}}static async getRelease(e,r){let n=await new Ot({token:r}).releases("Undock",e.contentOpts);if(!n[e.version])throw new Error(`Cannot find Undock release ${e.version} in releases JSON`);return n[e.version]}};var H8=class{github;buildx;buildxBuild;buildxBake;buildxInstall;builder;buildkit;compose;composeInstall;cosign;cosignInstall;regctl;regctlInstall;sigstore;undock;undockInstall;constructor(e={}){this.github=new Ot({token:e.githubToken}),this.buildx=new gr,this.buildxBuild=new kr({buildx:this.buildx}),this.buildxBake=new s3({buildx:this.buildx}),this.buildxInstall=new _8,this.builder=new yB({buildx:this.buildx}),this.buildkit=new N8({buildx:this.buildx}),this.compose=new D8,this.composeInstall=new O8,this.cosign=new Kp,this.cosignInstall=new k8({buildx:this.buildx}),this.regctl=new Q8,this.regctlInstall=new F8,this.sigstore=new lg,this.undock=new U8,this.undockInstall=new q8}};var lpe=q(SZ(),1);var Zit;async function ent(){return Zit??=new kr().gitContext(),await Zit}async function tnt(){let t=await ent();return{"add-hosts":Be.getInputList("add-hosts"),allow:Be.getInputList("allow"),annotations:Be.getInputList("annotations",{ignoreComma:!0}),attests:Be.getInputList("attests",{ignoreComma:!0}),"build-args":Be.getInputList("build-args",{ignoreComma:!0}),"build-contexts":Be.getInputList("build-contexts",{ignoreComma:!0}),builder:Is("builder"),"cache-from":Be.getInputList("cache-from",{ignoreComma:!0}),"cache-to":Be.getInputList("cache-to",{ignoreComma:!0}),call:Is("call"),"cgroup-parent":Is("cgroup-parent"),context:lpe.compile(Is("context"))({defaultContext:t})||t,file:Is("file"),labels:Be.getInputList("labels",{ignoreComma:!0}),load:Jg("load"),network:Is("network"),"no-cache":Jg("no-cache"),"no-cache-filters":Be.getInputList("no-cache-filters"),outputs:Be.getInputList("outputs",{ignoreComma:!0,quote:!1}),platforms:Be.getInputList("platforms"),provenance:kr.getProvenanceInput("provenance"),pull:Jg("pull"),push:Jg("push"),sbom:Is("sbom"),secrets:Be.getInputList("secrets",{ignoreComma:!0}),"secret-envs":Be.getInputList("secret-envs"),"secret-files":Be.getInputList("secret-files",{ignoreComma:!0}),"shm-size":Is("shm-size"),ssh:Be.getInputList("ssh"),tags:Be.getInputList("tags"),target:Is("target"),ulimit:Be.getInputList("ulimit",{ignoreComma:!0}),"github-token":Is("github-token")}}async function rnt(t,e){return[...await FSr(t,t.context,e),...await MSr(t,e),t.context]}async function FSr(t,e,r){let i=await ent(),n=["build"];if(await Be.asyncForEach(t["add-hosts"],async s=>{n.push("--add-host",s)}),await Be.asyncForEach(t.allow,async s=>{n.push("--allow",s)}),await r.buildx.versionSatisfies(">=0.12.0")?await Be.asyncForEach(t.annotations,async s=>{n.push("--annotation",s)}):t.annotations.length>0&&Kr("Annotations are only supported by buildx >= 0.12.0; the input 'annotations' is ignored."),await Be.asyncForEach(t["build-args"],async s=>{n.push("--build-arg",s)}),await r.buildx.versionSatisfies(">=0.8.0")?await Be.asyncForEach(t["build-contexts"],async s=>{n.push("--build-context",lpe.compile(s)({defaultContext:i}))}):t["build-contexts"].length>0&&Kr("Build contexts are only supported by buildx >= 0.8.0; the input 'build-contexts' is ignored."),await Be.asyncForEach(t["cache-from"],async s=>{n.push("--cache-from",s)}),await Be.asyncForEach(t["cache-to"],async s=>{n.push("--cache-to",s)}),t.call){if(!await r.buildx.versionSatisfies(">=0.15.0"))throw new Error("Buildx >= 0.15.0 is required to use the call flag.");n.push("--call",t.call)}return t["cgroup-parent"]&&n.push("--cgroup-parent",t["cgroup-parent"]),await Be.asyncForEach(t["secret-envs"],async s=>{try{n.push("--secret",kr.resolveSecretEnv(s))}catch(o){Kr(o.message)}}),t.file&&n.push("--file",t.file),!kr.hasLocalExporter(t.outputs)&&!kr.hasTarExporter(t.outputs)&&(t.platforms.length==0||await r.buildx.versionSatisfies(">=0.4.2"))&&n.push("--iidfile",r.buildxBuild.getImageIDFilePath()),await Be.asyncForEach(t.labels,async s=>{n.push("--label",s)}),await Be.asyncForEach(t["no-cache-filters"],async s=>{n.push("--no-cache-filter",s)}),await Be.asyncForEach(t.outputs,async s=>{n.push("--output",s)}),t.platforms.length>0&&n.push("--platform",t.platforms.join(",")),await r.buildx.versionSatisfies(">=0.10.0")?n.push(...await USr(t,r)):Kr("Attestations are only supported by buildx >= 0.10.0; the inputs 'attests', 'provenance' and 'sbom' are ignored."),await Be.asyncForEach(t.secrets,async s=>{try{n.push("--secret",kr.resolveSecretString(s))}catch(o){Kr(o.message)}}),await Be.asyncForEach(t["secret-files"],async s=>{try{n.push("--secret",kr.resolveSecretFile(s))}catch(o){Kr(o.message)}}),t["github-token"]&&!kr.hasGitAuthTokenSecret(t.secrets)&&e.startsWith(i)&&n.push("--secret",kr.resolveSecretString(`GIT_AUTH_TOKEN.${new URL(Ot.serverURL).host.trimEnd()}=${t["github-token"]}`)),t["shm-size"]&&n.push("--shm-size",t["shm-size"]),await Be.asyncForEach(t.ssh,async s=>{n.push("--ssh",s)}),await Be.asyncForEach(t.tags,async s=>{n.push("--tag",s)}),t.target&&n.push("--target",t.target),await Be.asyncForEach(t.ulimit,async s=>{n.push("--ulimit",s)}),n}async function MSr(t,e){let r=[];return t.builder&&r.push("--builder",t.builder),t.load&&r.push("--load"),await e.buildx.versionSatisfies(">=0.6.0")&&r.push("--metadata-file",e.buildxBuild.getMetadataFilePath()),t.network&&r.push("--network",t.network),t["no-cache"]&&r.push("--no-cache"),t.pull&&r.push("--pull"),t.push&&r.push("--push"),r}async function USr(t,e){let r=[],i=!1;await Be.asyncForEach(t.attests,async o=>{kr.hasAttestationType("provenance",o)&&(i=!0)});let n=!1,s=!1;return t.provenance?(r.push("--attest",kr.resolveAttestationAttrs(`type=provenance,${t.provenance}`)),n=!0):!i&&!qSr()&&await e.buildkit.versionSatisfies(t.builder,">=0.11.0")&&!kr.hasDockerExporter(t.outputs,t.load)&&(Ot.context.payload.repository?.private??!1?r.push("--attest",`type=provenance,${kr.resolveProvenanceAttrs("mode=min,inline-only=true")}`):r.push("--attest",`type=provenance,${kr.resolveProvenanceAttrs("mode=max")}`)),t.sbom&&(r.push("--attest",kr.resolveAttestationAttrs(`type=sbom,${t.sbom}`)),s=!0),await Be.asyncForEach(t.attests,async o=>{!kr.hasAttestationType("provenance",o)&&!kr.hasAttestationType("sbom",o)?r.push("--attest",kr.resolveAttestationAttrs(o)):!n&&kr.hasAttestationType("provenance",o)?r.push("--attest",kr.resolveProvenanceAttrs(o)):!s&&kr.hasAttestationType("sbom",o)&&r.push("--attest",o)}),r}function qSr(){return process.env.BUILDX_NO_DEFAULT_ATTESTATIONS?Be.parseBool(process.env.BUILDX_NO_DEFAULT_ATTESTATIONS):!1}var r2=process.env.STATE_tmpDir||"",int=process.env.STATE_builderDriver||"",nnt=process.env.STATE_builderEndpoint||"",snt=process.env.STATE_summaryInputs?JSON.parse(process.env.STATE_summaryInputs):void 0,upe=process.env.STATE_buildRef||"",ont=!!process.env.STATE_isSummarySupported;function ant(t){au("tmpDir",t)}function cnt(t){au("builderDriver",t)}function lnt(t){au("builderEndpoint",t)}function unt(t){au("buildRef",t)}function fnt(){au("isSummarySupported","true")}function hnt(t){let e={};for(let r of Object.keys(t)){if(r==="github-token")continue;let i=t[r];if(!(typeof i=="boolean"&&!i)){if(Array.isArray(i)){if(i.length===0)continue;if(r==="secrets"&&i.length>0){let n=[];for(let s of i)try{let[o,a]=kr.parseSecretKvp(s,!0);n.push(o)}catch{}n.length>0&&(e[r]=n);continue}}else if(!i)continue;e[r]=i}}au("summaryInputs",JSON.stringify(e))}D2e(async()=>{let t=new Date,e=await tnt();hnt(e),le(`inputs: ${JSON.stringify(e)}`);let r=new H8;if(await Ri("GitHub Actions runtime token ACs",async()=>{try{await Ot.printActionsRuntimeTokenACs()}catch(f){Kr(f.message)}}),await Ri("Docker info",async()=>{try{await tn.printVersion(),await tn.printInfo()}catch(f){ae(f.message)}}),await Ri("Proxy configuration",async()=>{let f,h=!1;try{f=await tn.configFile()}catch(d){h=!0,Kr(`Unable to parse config file ${pnt.join(tn.configDir,"config.json")}: ${d}`)}if(f&&f.proxies)for(let d in f.proxies){let p="";Object.keys(f.proxies).length>1&&(p="  ",ae(d));for(let m in f.proxies[d])ae(`${p}${m}: ${f.proxies[d][m]}`)}else h||ae("No proxy configuration found")}),!await r.buildx.isAvailable()){CO("Docker buildx is required. See https://github.com/docker/setup-buildx-action to set up buildx.");return}ant(Zt.tmpDir()),await Ri("Buildx version",async()=>{await r.buildx.printVersion()});let i;await Ri("Builder info",async()=>{i=await r.builder.inspect(e.builder),cnt(i.driver??""),lnt(i.nodes?.[0]?.endpoint??""),ae(JSON.stringify(i,null,2))});let n=await rnt(e,r);le(`context.getArgs: ${JSON.stringify(n)}`);let s=await r.buildx.getCommand(n);le(`buildCmd.command: ${s.command}`),le(`buildCmd.args: ${JSON.stringify(s.args)}`);let o;await nt.getExecOutput(s.command,s.args,{ignoreReturnCode:!0,env:Object.assign({},process.env,{BUILDX_METADATA_WARNINGS:"true"})}).then(f=>{f.exitCode!=0&&(e.call&&e.call==="check"&&f.stdout.length>0?o=new Error(f.stdout.split(`
+`;var k8=class t{githubToken;buildx;sigstore;constructor(e){this.githubToken=e?.githubToken||process.env.GITHUB_TOKEN,this.buildx=e?.buildx||new gr,this.sigstore=e?.sigstore||new lg}async download(e){let r=await t.getDownloadVersion(e.version);le(`Install.download version: ${r.version}`);let i=await t.getRelease(r,this.githubToken);le(`Install.download release tag name: ${i.tag_name}`);let n=await this.vspec(i.tag_name);le(`Install.download vspec: ${n}`);let s=wB.clean(n)||"";if(!wB.valid(s))throw new Error(`Invalid Cosign version "${n}".`);let o=new Kn({htcName:"cosign-dl-bin",htcVersion:n,baseCacheDir:bB.default.join(zu.default.homedir(),".bin"),cacheFile:zu.default.platform()=="win32"?"cosign.exe":"cosign",ghaNoCache:e.ghaNoCache}),a=await o.find();if(a)return ae(`Cosign binary found in ${a}`),a;let c=ope.format(r.downloadURL,n,this.filename());ae(`Downloading ${c}`);let l=await Kc(c,void 0,this.githubToken);le(`Install.download htcDownloadPath: ${l}`),e.verifySignature&&wB.satisfies(n,">=3.0.1")&&await this.verifySignature(l,c);let u=await o.save(l,e.skipState);return ae(`Cached to ${u}`),u}async build(e,r,i){let n=await this.vspec(e);le(`Install.build vspec: ${n}`);let s=new Kn({htcName:"cosign-build-bin",htcVersion:n,baseCacheDir:bB.default.join(zu.default.homedir(),".bin"),cacheFile:zu.default.platform()=="win32"?"cosign.exe":"cosign",ghaNoCache:r}),o=await s.find();if(o)return ae(`Cosign binary found in ${o}`),o;let a=bB.default.join(Zt.tmpDir(),"cosign-build-cache"),c=await this.buildCommand(e,a),l=await nt.getExecOutput(c.command,c.args,{ignoreReturnCode:!0,input:Buffer.from(Yit)}).then(f=>{if(f.stderr.length>0&&f.exitCode!=0)throw new Error(`build failed with: ${f.stderr.match(/(.*)\s*$/)?.[0]?.trim()??"unknown error"}`);return`${a}/cosign`}),u=await s.save(l,i);return ae(`Cached to ${u}`),u}async install(e,r){r=r||Zt.tmpDir();let i=bB.default.join(r,"cosign-bin");X1.default.existsSync(i)||X1.default.mkdirSync(i,{recursive:!0});let n=zu.default.platform()=="win32"?"cosign.exe":"cosign",s=bB.default.join(i,n);return X1.default.copyFileSync(e,s),ae("Fixing perms"),X1.default.chmodSync(s,"0755"),af(i),ae("Added Cosign to PATH"),ae(`Binary path: ${s}`),s}async buildCommand(e,r){let i=await new gr({standalone:!0}).isAvailable(),n=await new gr({standalone:!1}).isAvailable(),s=!1;if(await this.buildx.isStandalone()&&i)le("Install.buildCommand: Buildx standalone found, build with it"),s=!0;else if(!await this.buildx.isStandalone()&&n)le("Install.buildCommand: Buildx plugin found, build with it"),s=!1;else if(i)le("Install.buildCommand: Buildx plugin not found, but standalone found so trying to build with it"),s=!0;else if(n)le("Install.buildCommand: Buildx standalone not found, but plugin found so trying to build with it"),s=!1;else throw new Error(`Neither buildx standalone or plugin have been found to build from ref ${e}`);let o=["build","--platform","local","--build-arg","BUILDKIT_CONTEXT_KEEP_GIT_DIR=1","--output",`type=local,dest=${r}`];return process.env.GIT_AUTH_TOKEN&&o.push("--secret","id=GIT_AUTH_TOKEN"),o.push("-f-",e),await new gr({standalone:s}).getCommand(o)}async verifySignature(e,r){let i=`${r}.sigstore.json`;ae(`Downloading keyless verification bundle at ${i}`);let n=await Kc(i,void 0,this.githubToken);le(`Install.verifySignature bundlePath: ${n}`);let s=await this.sigstore.verifyArtifact(e,n,{subjectAlternativeName:"keyless@projectsigstore.iam.gserviceaccount.com",issuer:"https://accounts.google.com"});ae(`Cosign binary signature verified! ${s.tlogID?`${D0}?logIndex=${s.tlogID}`:""}`)}filename(){let e;switch(zu.default.arch()){case"x64":{e="amd64";break}case"ppc64":{e="ppc64le";break}default:{e=zu.default.arch();break}}let r=zu.default.platform()=="win32"?"windows":zu.default.platform(),i=zu.default.platform()=="win32"?".exe":"";return ope.format("cosign-%s-%s%s",r,e,i)}async vspec(e){if(!Be.isValidRef(e)){let l=e.replace(/^v+|v+$/g,"");return ae(`Use ${l} version spec cache key for ${e}`),l}let[r,i]=e.split("#");i.length==0&&(i="master");let n;i.match(/^[0-9a-fA-F]{40}$/)?n=i:n=await MI.remoteSha(r,i,process.env.GIT_AUTH_TOKEN);let[s,o]=r.substring(19).split("/"),a=`${s}/${Be.trimSuffix(o,".git")}/${n}`,c=Be.hash(a);return ae(`Use ${c} version spec cache key for ${a}`),c}static async getDownloadVersion(e){return{version:e,downloadURL:"https://github.com/sigstore/cosign/releases/download/v%s/%s",contentOpts:{owner:"docker",repo:"actions-toolkit",ref:"main",path:".github/cosign-releases.json"}}}static async getRelease(e,r){let n=await new Ot({token:r}).releases("Cosign",e.contentOpts);if(!n[e.version])throw new Error(`Cannot find Cosign release ${e.version} in releases JSON`);return n[e.version]}};var Kit=q(Iu(),1);var Q8=class{binPath;_version;_versionOnce;constructor(e){this.binPath=e?.binPath||"regctl",this._version="",this._versionOnce=!1}async blobGet(e){return await nt.getExecOutput(this.binPath,["blob","get",e.repository,e.digest],{ignoreReturnCode:!0,silent:!0}).then(r=>{if(r.stderr.length>0&&r.exitCode!=0)throw new Error(r.stderr.trim());return r.stdout})}async manifestGet(e){return await nt.getExecOutput(this.binPath,["manifest","get",e.image,`--platform=${e.platform??"local"}`,"--format={{json .}}"],{ignoreReturnCode:!0,silent:!0}).then(r=>{if(r.stderr.length>0&&r.exitCode!=0)throw new Error(r.stderr.trim());return JSON.parse(r.stdout.trim())})}async isAvailable(){let e=await nt.getExecOutput(this.binPath,[],{ignoreReturnCode:!0,silent:!0}).then(r=>r.stderr.length>0&&r.exitCode!=0?(le(`Regctl.isAvailable cmd err: ${r.stderr.trim()}`),!1):r.exitCode==0).catch(r=>(le(`Regctl.isAvailable error: ${r}`),!1));return le(`Regctl.isAvailable: ${e}`),e}async version(){return this._versionOnce?this._version:(this._versionOnce=!0,this._version=await nt.getExecOutput(this.binPath,["version","--format","{{.VCSTag}}"],{ignoreReturnCode:!0,silent:!0}).then(e=>{if(e.stderr.length>0&&e.exitCode!=0)throw new Error(e.stderr.trim());return e.stdout.trim()}),this._version)}async printVersion(){await nt.exec(this.binPath,["version"],{failOnStdErr:!1})}async versionSatisfies(e,r){let i=r??await this.version();if(!i)return le("Regctl.versionSatisfies false: undefined version"),!1;let n=Kit.satisfies(i,e)||/^[0-9a-f]{7}$/.exec(i)!==null;return le(`Regctl.versionSatisfies ${i} statisfies ${e}: ${n}`),n}};var Z1=q(require("fs"),1),em=q(require("os"),1),L8=q(require("path"),1);var M8=q(Iu(),1),ape=q(require("util"),1);var F8=class t{githubToken;constructor(e){this.githubToken=e?.githubToken||process.env.GITHUB_TOKEN}async download(e,r){let i=await t.getDownloadVersion(e);le(`Install.download version: ${i.version}`);let n=await t.getRelease(i,this.githubToken);le(`Install.download release tag name: ${n.tag_name}`);let s=await this.vspec(n.tag_name);le(`Install.download vspec: ${s}`);let o=M8.clean(s)||"";if(!M8.valid(o))throw new Error(`Invalid regclient version "${s}".`);let a=new Kn({htcName:"regctl-dl-bin",htcVersion:s,baseCacheDir:L8.default.join(em.default.homedir(),".bin"),cacheFile:em.default.platform()=="win32"?"regctl.exe":"regctl",ghaNoCache:r}),c=await a.find();if(c)return ae(`regctl binary found in ${c}`),c;let l=ape.format(i.downloadURL,s,this.filename());ae(`Downloading ${l}`);let u=await Kc(l,void 0,this.githubToken);le(`Install.download htcDownloadPath: ${u}`);let f=await a.save(u);return ae(`Cached to ${f}`),f}async install(e,r){r=r||Zt.tmpDir();let i=L8.default.join(r,"regctl-bin");Z1.default.existsSync(i)||Z1.default.mkdirSync(i,{recursive:!0});let n=em.default.platform()=="win32"?"regctl.exe":"regctl",s=L8.default.join(i,n);return Z1.default.copyFileSync(e,s),ae("Fixing perms"),Z1.default.chmodSync(s,"0755"),af(i),ae("Added regctl to PATH"),ae(`Binary path: ${s}`),s}filename(){let e;switch(em.default.arch()){case"x64":{e="amd64";break}case"ppc64":{e="ppc64le";break}case"arm":{let n=process.config.variables.arm_version;e=n?"armv"+n:"arm";break}default:{e=em.default.arch();break}}let r=em.default.platform()=="win32"?"windows":em.default.platform(),i=em.default.platform()=="win32"?".exe":"";return ape.format("regctl-%s-%s%s",r,e,i)}async vspec(e){let r=e.replace(/^v+|v+$/g,"");return ae(`Use ${r} version spec cache key for ${e}`),r}static async getDownloadVersion(e){return{version:e,downloadURL:"https://github.com/regclient/regclient/releases/download/v%s/%s",contentOpts:{owner:"docker",repo:"actions-toolkit",ref:"main",path:".github/regclient-releases.json"}}}static async getRelease(e,r){let n=await new Ot({token:r}).releases("regclient",e.contentOpts);if(!n[e.version])throw new Error(`Cannot find regclient release ${e.version} in releases JSON`);return n[e.version]}};var Xit=q(Iu(),1);var U8=class{binPath;_version;_versionOnce;constructor(e){this.binPath=e?.binPath||"undock",this._version="",this._versionOnce=!1}async run(e){if(!e.source)throw new Error("source is required");if(!e.dist)throw new Error("dist is required");let r=[];e.logLevel&&r.push(`--log-level=${e.logLevel}`),e.logCaller&&r.push("--log-caller"),e.cacheDir&&r.push(`--cachedir=${e.cacheDir}`),e.platform&&r.push(`--platform=${e.platform}`),e.all&&r.push("--all"),e.include&&e.include.forEach(i=>{r.push(`--include=${i}`)}),e.insecure&&r.push("--insecure"),e.rmDist&&r.push("--rm-dist"),e.wrap&&r.push("--wrap"),r.push(e.source,e.dist),await nt.exec(this.binPath,r,{failOnStdErr:!1})}async isAvailable(){let e=await nt.getExecOutput(this.binPath,[],{ignoreReturnCode:!0,silent:!0}).then(r=>r.stderr.length>0&&r.exitCode!=0?(le(`Undock.isAvailable cmd err: ${r.stderr.trim()}`),!1):r.exitCode==0).catch(r=>(le(`Undock.isAvailable error: ${r}`),!1));return le(`Undock.isAvailable: ${e}`),e}async version(){return this._versionOnce?this._version:(this._versionOnce=!0,this._version=await nt.getExecOutput(this.binPath,["--version"],{ignoreReturnCode:!0,silent:!0}).then(e=>{if(e.stderr.length>0&&e.exitCode!=0)throw new Error(e.stderr.trim());return e.stdout.trim()}),this._version)}async printVersion(){await nt.exec(this.binPath,["--version"],{failOnStdErr:!1})}async versionSatisfies(e,r){let i=r??await this.version();if(!i)return le("Undock.versionSatisfies false: undefined version"),!1;let n=Xit.satisfies(i,e)||/^[0-9a-f]{7}$/.exec(i)!==null;return le(`Undock.versionSatisfies ${i} statisfies ${e}: ${n}`),n}};var e2=q(require("fs"),1),Vu=q(require("os"),1),t2=q(require("path"),1);var G8=q(Iu(),1),cpe=q(require("util"),1);var q8=class t{githubToken;constructor(e){this.githubToken=e?.githubToken||process.env.GITHUB_TOKEN}async download(e,r){let i=await t.getDownloadVersion(e);le(`Install.download version: ${i.version}`);let n=await t.getRelease(i,this.githubToken);le(`Install.download release tag name: ${n.tag_name}`);let s=await this.vspec(n.tag_name);le(`Install.download vspec: ${s}`);let o=G8.clean(s)||"";if(!G8.valid(o))throw new Error(`Invalid Undock version "${s}".`);let a=new Kn({htcName:"undock-dl-bin",htcVersion:s,baseCacheDir:t2.default.join(Vu.default.homedir(),".bin"),cacheFile:Vu.default.platform()=="win32"?"undock.exe":"undock",ghaNoCache:r}),c=await a.find();if(c)return ae(`Undock binary found in ${c}`),c;let l=cpe.format(i.downloadURL,s,this.filename(s));ae(`Downloading ${l}`);let u=await Kc(l,void 0,this.githubToken);le(`Install.download htcDownloadPath: ${u}`);let f;Vu.default.platform()=="win32"?f=await bSe(u):f=await ESe(u),ae(`Extracted to ${f}`);let h=t2.default.join(f,Vu.default.platform()=="win32"?"undock.exe":"undock");le(`Install.download exePath: ${h}`);let d=await a.save(h);return ae(`Cached to ${d}`),d}async install(e,r){r=r||Zt.tmpDir();let i=t2.default.join(r,"undock-bin");e2.default.existsSync(i)||e2.default.mkdirSync(i,{recursive:!0});let n=Vu.default.platform()=="win32"?"undock.exe":"undock",s=t2.default.join(i,n);return e2.default.copyFileSync(e,s),ae("Fixing perms"),e2.default.chmodSync(s,"0755"),af(i),ae("Added Undock to PATH"),ae(`Binary path: ${s}`),s}filename(e){let r;switch(Vu.default.arch()){case"x64":{r="amd64";break}case"ppc64":{r="ppc64le";break}case"arm":{let s=process.config.variables.arm_version;r=s?"armv"+s:"arm";break}default:{r=Vu.default.arch();break}}let i=Vu.default.platform()=="win32"?"windows":Vu.default.platform(),n=Vu.default.platform()=="win32"?".zip":".tar.gz";return cpe.format("undock_%s_%s_%s%s",e,i,r,n)}async vspec(e){let r=e.replace(/^v+|v+$/g,"");return ae(`Use ${r} version spec cache key for ${e}`),r}static async getDownloadVersion(e){return{version:e,downloadURL:"https://github.com/crazy-max/undock/releases/download/v%s/%s",contentOpts:{owner:"docker",repo:"actions-toolkit",ref:"main",path:".github/undock-releases.json"}}}static async getRelease(e,r){let n=await new Ot({token:r}).releases("Undock",e.contentOpts);if(!n[e.version])throw new Error(`Cannot find Undock release ${e.version} in releases JSON`);return n[e.version]}};var H8=class{github;buildx;buildxBuild;buildxBake;buildxInstall;builder;buildkit;compose;composeInstall;cosign;cosignInstall;regctl;regctlInstall;sigstore;undock;undockInstall;constructor(e={}){this.github=new Ot({token:e.githubToken}),this.buildx=new gr,this.buildxBuild=new kr({buildx:this.buildx}),this.buildxBake=new s3({buildx:this.buildx}),this.buildxInstall=new _8,this.builder=new yB({buildx:this.buildx}),this.buildkit=new N8({buildx:this.buildx}),this.compose=new D8,this.composeInstall=new O8,this.cosign=new Kp,this.cosignInstall=new k8({buildx:this.buildx}),this.regctl=new Q8,this.regctlInstall=new F8,this.sigstore=new lg,this.undock=new U8,this.undockInstall=new q8}};var lpe=q(SZ(),1);var Zit;async function ent(){return Zit??=new kr().gitContext(),await Zit}async function tnt(){let t=await ent();return{"add-hosts":Be.getInputList("add-hosts"),allow:Be.getInputList("allow"),annotations:Be.getInputList("annotations",{ignoreComma:!0}),attests:Be.getInputList("attests",{ignoreComma:!0}),"build-args":Be.getInputList("build-args",{ignoreComma:!0}),"build-contexts":Be.getInputList("build-contexts",{ignoreComma:!0}),builder:Is("builder"),"cache-from":Be.getInputList("cache-from",{ignoreComma:!0}),"cache-to":Be.getInputList("cache-to",{ignoreComma:!0}),call:Is("call"),"cgroup-parent":Is("cgroup-parent"),context:lpe.compile(Is("context"))({defaultContext:t})||t,file:Is("file"),labels:Be.getInputList("labels",{ignoreComma:!0}),load:Jg("load"),network:Is("network"),"no-cache":Jg("no-cache"),"no-cache-filters":Be.getInputList("no-cache-filters"),outputs:Be.getInputList("outputs",{ignoreComma:!0,quote:!1}),platforms:Be.getInputList("platforms"),provenance:kr.getProvenanceInput("provenance"),pull:Jg("pull"),push:Jg("push"),sbom:Is("sbom"),secrets:Be.getInputList("secrets",{ignoreComma:!0,trimWhitespace:!1}),"secret-envs":Be.getInputList("secret-envs"),"secret-files":Be.getInputList("secret-files",{ignoreComma:!0}),"shm-size":Is("shm-size"),ssh:Be.getInputList("ssh"),tags:Be.getInputList("tags"),target:Is("target"),ulimit:Be.getInputList("ulimit",{ignoreComma:!0}),"github-token":Is("github-token")}}async function rnt(t,e){return[...await FSr(t,t.context,e),...await MSr(t,e),t.context]}async function FSr(t,e,r){let i=await ent(),n=["build"];if(await Be.asyncForEach(t["add-hosts"],async s=>{n.push("--add-host",s)}),await Be.asyncForEach(t.allow,async s=>{n.push("--allow",s)}),await r.buildx.versionSatisfies(">=0.12.0")?await Be.asyncForEach(t.annotations,async s=>{n.push("--annotation",s)}):t.annotations.length>0&&Kr("Annotations are only supported by buildx >= 0.12.0; the input 'annotations' is ignored."),await Be.asyncForEach(t["build-args"],async s=>{n.push("--build-arg",s)}),await r.buildx.versionSatisfies(">=0.8.0")?await Be.asyncForEach(t["build-contexts"],async s=>{n.push("--build-context",lpe.compile(s)({defaultContext:i}))}):t["build-contexts"].length>0&&Kr("Build contexts are only supported by buildx >= 0.8.0; the input 'build-contexts' is ignored."),await Be.asyncForEach(t["cache-from"],async s=>{n.push("--cache-from",s)}),await Be.asyncForEach(t["cache-to"],async s=>{n.push("--cache-to",s)}),t.call){if(!await r.buildx.versionSatisfies(">=0.15.0"))throw new Error("Buildx >= 0.15.0 is required to use the call flag.");n.push("--call",t.call)}return t["cgroup-parent"]&&n.push("--cgroup-parent",t["cgroup-parent"]),await Be.asyncForEach(t["secret-envs"],async s=>{try{n.push("--secret",kr.resolveSecretEnv(s))}catch(o){Kr(o.message)}}),t.file&&n.push("--file",t.file),!kr.hasLocalExporter(t.outputs)&&!kr.hasTarExporter(t.outputs)&&(t.platforms.length==0||await r.buildx.versionSatisfies(">=0.4.2"))&&n.push("--iidfile",r.buildxBuild.getImageIDFilePath()),await Be.asyncForEach(t.labels,async s=>{n.push("--label",s)}),await Be.asyncForEach(t["no-cache-filters"],async s=>{n.push("--no-cache-filter",s)}),await Be.asyncForEach(t.outputs,async s=>{n.push("--output",s)}),t.platforms.length>0&&n.push("--platform",t.platforms.join(",")),await r.buildx.versionSatisfies(">=0.10.0")?n.push(...await USr(t,r)):Kr("Attestations are only supported by buildx >= 0.10.0; the inputs 'attests', 'provenance' and 'sbom' are ignored."),await Be.asyncForEach(t.secrets,async s=>{try{n.push("--secret",kr.resolveSecretString(s))}catch(o){Kr(o.message)}}),await Be.asyncForEach(t["secret-files"],async s=>{try{n.push("--secret",kr.resolveSecretFile(s))}catch(o){Kr(o.message)}}),t["github-token"]&&!kr.hasGitAuthTokenSecret(t.secrets)&&e.startsWith(i)&&n.push("--secret",kr.resolveSecretString(`GIT_AUTH_TOKEN.${new URL(Ot.serverURL).host.trimEnd()}=${t["github-token"]}`)),t["shm-size"]&&n.push("--shm-size",t["shm-size"]),await Be.asyncForEach(t.ssh,async s=>{n.push("--ssh",s)}),await Be.asyncForEach(t.tags,async s=>{n.push("--tag",s)}),t.target&&n.push("--target",t.target),await Be.asyncForEach(t.ulimit,async s=>{n.push("--ulimit",s)}),n}async function MSr(t,e){let r=[];return t.builder&&r.push("--builder",t.builder),t.load&&r.push("--load"),await e.buildx.versionSatisfies(">=0.6.0")&&r.push("--metadata-file",e.buildxBuild.getMetadataFilePath()),t.network&&r.push("--network",t.network),t["no-cache"]&&r.push("--no-cache"),t.pull&&r.push("--pull"),t.push&&r.push("--push"),r}async function USr(t,e){let r=[],i=!1;await Be.asyncForEach(t.attests,async o=>{kr.hasAttestationType("provenance",o)&&(i=!0)});let n=!1,s=!1;return t.provenance?(r.push("--attest",kr.resolveAttestationAttrs(`type=provenance,${t.provenance}`)),n=!0):!i&&!qSr()&&await e.buildkit.versionSatisfies(t.builder,">=0.11.0")&&!kr.hasDockerExporter(t.outputs,t.load)&&(Ot.context.payload.repository?.private??!1?r.push("--attest",`type=provenance,${kr.resolveProvenanceAttrs("mode=min,inline-only=true")}`):r.push("--attest",`type=provenance,${kr.resolveProvenanceAttrs("mode=max")}`)),t.sbom&&(r.push("--attest",kr.resolveAttestationAttrs(`type=sbom,${t.sbom}`)),s=!0),await Be.asyncForEach(t.attests,async o=>{!kr.hasAttestationType("provenance",o)&&!kr.hasAttestationType("sbom",o)?r.push("--attest",kr.resolveAttestationAttrs(o)):!n&&kr.hasAttestationType("provenance",o)?r.push("--attest",kr.resolveProvenanceAttrs(o)):!s&&kr.hasAttestationType("sbom",o)&&r.push("--attest",o)}),r}function qSr(){return process.env.BUILDX_NO_DEFAULT_ATTESTATIONS?Be.parseBool(process.env.BUILDX_NO_DEFAULT_ATTESTATIONS):!1}var r2=process.env.STATE_tmpDir||"",int=process.env.STATE_builderDriver||"",nnt=process.env.STATE_builderEndpoint||"",snt=process.env.STATE_summaryInputs?JSON.parse(process.env.STATE_summaryInputs):void 0,upe=process.env.STATE_buildRef||"",ont=!!process.env.STATE_isSummarySupported;function ant(t){au("tmpDir",t)}function cnt(t){au("builderDriver",t)}function lnt(t){au("builderEndpoint",t)}function unt(t){au("buildRef",t)}function fnt(){au("isSummarySupported","true")}function hnt(t){let e={};for(let r of Object.keys(t)){if(r==="github-token")continue;let i=t[r];if(!(typeof i=="boolean"&&!i)){if(Array.isArray(i)){if(i.length===0)continue;if(r==="secrets"&&i.length>0){let n=[];for(let s of i)try{let[o,a]=kr.parseSecretKvp(s,!0);n.push(o)}catch{}n.length>0&&(e[r]=n);continue}}else if(!i)continue;e[r]=i}}au("summaryInputs",JSON.stringify(e))}D2e(async()=>{let t=new Date,e=await tnt();hnt(e),le(`inputs: ${JSON.stringify(e)}`);let r=new H8;if(await Ri("GitHub Actions runtime token ACs",async()=>{try{await Ot.printActionsRuntimeTokenACs()}catch(f){Kr(f.message)}}),await Ri("Docker info",async()=>{try{await tn.printVersion(),await tn.printInfo()}catch(f){ae(f.message)}}),await Ri("Proxy configuration",async()=>{let f,h=!1;try{f=await tn.configFile()}catch(d){h=!0,Kr(`Unable to parse config file ${pnt.join(tn.configDir,"config.json")}: ${d}`)}if(f&&f.proxies)for(let d in f.proxies){let p="";Object.keys(f.proxies).length>1&&(p="  ",ae(d));for(let m in f.proxies[d])ae(`${p}${m}: ${f.proxies[d][m]}`)}else h||ae("No proxy configuration found")}),!await r.buildx.isAvailable()){CO("Docker buildx is required. See https://github.com/docker/setup-buildx-action to set up buildx.");return}ant(Zt.tmpDir()),await Ri("Buildx version",async()=>{await r.buildx.printVersion()});let i;await Ri("Builder info",async()=>{i=await r.builder.inspect(e.builder),cnt(i.driver??""),lnt(i.nodes?.[0]?.endpoint??""),ae(JSON.stringify(i,null,2))});let n=await rnt(e,r);le(`context.getArgs: ${JSON.stringify(n)}`);let s=await r.buildx.getCommand(n);le(`buildCmd.command: ${s.command}`),le(`buildCmd.args: ${JSON.stringify(s.args)}`);let o;await nt.getExecOutput(s.command,s.args,{ignoreReturnCode:!0,env:Object.assign({},process.env,{BUILDX_METADATA_WARNINGS:"true"})}).then(f=>{f.exitCode!=0&&(e.call&&e.call==="check"&&f.stdout.length>0?o=new Error(f.stdout.split(`