@@ -94,23 +94,72 @@ jobs:
9494 echo "GIT_REVISION=${GITHUB_SHA}" >> $GITHUB_ENV
9595
9696 - name : Install registry CA certificate
97+ id : ca-cert
9798 env :
9899 REGISTRY_CA_CERT : ${{ secrets.REGISTRY_CA_CERT }}
100+ REGISTRY_HOST : ${{ inputs.registry_host }}
99101 run : |
100102 if [[ -z "$REGISTRY_CA_CERT" ]]; then
101103 echo "No CA certificate provided, skipping"
104+ echo "has_ca_cert=false" >> $GITHUB_OUTPUT
102105 exit 0
103106 fi
104107
108+ echo "has_ca_cert=true" >> $GITHUB_OUTPUT
109+
105110 # Add CA to system trust store
106- echo "$REGISTRY_CA_CERT" | sudo tee /usr/local/share/ca-certificates/registry-ca.crt
111+ echo "$REGISTRY_CA_CERT" | sudo tee /usr/local/share/ca-certificates/registry-ca.crt > /dev/null
107112 sudo update-ca-certificates
108113
109- # Add CA to Docker daemon for registry access
110- sudo mkdir -p /etc/docker/certs.d/${{ inputs.registry_host }}
111- echo "$REGISTRY_CA_CERT" | sudo tee /etc/docker/certs.d/${{ inputs.registry_host }}/ca.crt
114+ # Add CA to Docker daemon cert store for registry access
115+ # This is used by docker login and docker pull/push
116+ sudo mkdir -p "/etc/docker/certs.d/${REGISTRY_HOST}"
117+ echo "$REGISTRY_CA_CERT" | sudo tee "/etc/docker/certs.d/${REGISTRY_HOST}/ca.crt" > /dev/null
118+
119+ echo "✓ CA certificate installed for ${REGISTRY_HOST}"
120+
121+ # BuildKit in docker-container driver runs in an isolated container.
122+ # We configure it to trust the registry by providing the buildkitd config
123+ # that references certs from the host mounted via buildkitd-flags.
124+ - name : Set up Docker Buildx (with CA)
125+ if : steps.ca-cert.outputs.has_ca_cert == 'true'
126+ uses : docker/setup-buildx-action@v3
127+ with :
128+ driver : docker-container
129+ buildkitd-config-inline : |
130+ [registry."${{ inputs.registry_host }}"]
131+ insecure = false
132+ ca = ["/etc/docker-certs/ca.crt"]
133+ driver-opts : |
134+ image=moby/buildkit:buildx-stable-1
135+
136+ - name : Configure BuildKit CA certificate
137+ if : steps.ca-cert.outputs.has_ca_cert == 'true'
138+ env :
139+ REGISTRY_HOST : ${{ inputs.registry_host }}
140+ run : |
141+ # Get the BuildKit container name
142+ BUILDKIT_CONTAINER=$(docker ps --filter "name=buildx_buildkit" --format "{{.Names}}" | head -1)
143+
144+ if [[ -z "$BUILDKIT_CONTAINER" ]]; then
145+ echo "ERROR: BuildKit container not found"
146+ exit 1
147+ fi
148+
149+ echo "Found BuildKit container: ${BUILDKIT_CONTAINER}"
150+
151+ # Create the certs directory inside the BuildKit container
152+ docker exec "$BUILDKIT_CONTAINER" mkdir -p /etc/docker-certs
153+
154+ # Copy the CA certificate into the BuildKit container
155+ docker cp "/etc/docker/certs.d/${REGISTRY_HOST}/ca.crt" "${BUILDKIT_CONTAINER}:/etc/docker-certs/ca.crt"
156+
157+ # Restart the BuildKit daemon to pick up the config
158+ # Note: buildkitd will re-read config on the next build
159+ echo "✓ CA certificate copied to BuildKit container"
112160
113- - name : Set up Docker Buildx
161+ - name : Set up Docker Buildx (without CA)
162+ if : steps.ca-cert.outputs.has_ca_cert != 'true'
114163 uses : docker/setup-buildx-action@v3
115164
116165 - name : Login to Artifactory
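Review bot: `${{ inputs.registry_host }}` is still interpolated directly into the TOML under `buildkitd-config-inline` (new line 130), so a host value containing `"]` or a newline would rewrite the `[registry.…]` stanza — including the `insecure = false` line — even though the shell steps were correctly moved to the `REGISTRY_HOST` env var. Because the host is a workflow input, validating it once in the `ca-cert` step before anything is written, e.g. `[[ "$REGISTRY_HOST" =~ ^[A-Za-z0-9.-]+(:[0-9]+)?$ ]] || { echo "invalid registry_host"; exit 1; }`, covers both the TOML and the `/etc/docker/certs.d/${REGISTRY_HOST}` path. Separately, in the "Configure BuildKit CA certificate" step the comment `# Restart the BuildKit daemon to pick up the config` describes an action the step never performs; as far as I can tell buildkitd opens the `ca` file when it first contacts that registry rather than at startup, but that should be confirmed, and the comment should state what actually happens, e.g. `# No restart: buildkitd reads the ca path from the config lazily on first contact with the registry (verify for the pinned buildkit image)`. The `docker ps --filter "name=buildx_buildkit" … | head -1` lookup is a substring match that silently picks an arbitrary builder when more than one exists on the runner; filtering on the exact builder name or failing when more than one line comes back would make the `docker cp` deterministic.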