From 45fc5ed3b37e99ce6c0a4d502fee33cbc19c3910 Mon Sep 17 00:00:00 2001
From: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Date: Fri, 10 Jan 2025 10:09:02 +0100
Subject: [PATCH] bake: infer git auth token from remote files to build request

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
---
 bake/bake.go | 28 +++++++++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)

diff --git a/bake/bake.go b/bake/bake.go
index d98cd7be..b8885531 100644
--- a/bake/bake.go
+++ b/bake/bake.go
@@ -1179,6 +1179,16 @@ func updateContext(t *build.Inputs, inp *Input) {
 	t.ContextState = &st
 }
 
+func isRemoteContext(t build.Inputs, inp *Input) bool {
+	if build.IsRemoteURL(t.ContextPath) {
+		return true
+	}
+	if inp != nil && build.IsRemoteURL(inp.URL) && !strings.HasPrefix(t.ContextPath, "cwd://") {
+		return true
+	}
+	return false
+}
+
 func collectLocalPaths(t build.Inputs) []string {
 	var out []string
 	if t.ContextState == nil {
@@ -1338,7 +1348,23 @@ func toBuildOpt(t *Target, inp *Input) (*build.Options, error) {
 	}
 	bo.Platforms = platforms
 
-	bo.SecretSpecs = t.Secrets.ToPB()
+	secrets := t.Secrets
+	if isRemoteContext(bi, inp) {
+		if _, ok := os.LookupEnv("BUILDX_BAKE_GIT_AUTH_TOKEN"); ok {
+			secrets = append(secrets, &buildflags.Secret{
+				ID:  llb.GitAuthTokenKey,
+				Env: "BUILDX_BAKE_GIT_AUTH_TOKEN",
+			})
+		}
+		if _, ok := os.LookupEnv("BUILDX_BAKE_GIT_AUTH_HEADER"); ok {
+			secrets = append(secrets, &buildflags.Secret{
+				ID:  llb.GitAuthHeaderKey,
+				Env: "BUILDX_BAKE_GIT_AUTH_HEADER",
+			})
+		}
+	}
+	secrets = secrets.Normalize()
+	bo.SecretSpecs = secrets.ToPB()
 	secretAttachment, err := controllerapi.CreateSecrets(bo.SecretSpecs)
 	if err != nil {
 		return nil, err