Merge pull request #28 from docker/build-distributed

build: distributed builds

Author: crazy-max

.github/workflows/bake.yml

@@ -173,7 +173,7 @@ jobs:
         uses: actions/github-script@v8
         env:
           INPUT_MATRIX-SIZE-LIMIT: ${{ env.MATRIX_SIZE_LIMIT }}
-          INPUT_RUNS-ON: ${{ inputs.runs-on || 'ubuntu-latest' }}
+          INPUT_RUNS-ON: ${{ inputs.runs-on }}
           INPUT_CONTEXT: ${{ inputs.context }}
           INPUT_TARGET: ${{ inputs.target }}
           INPUT_BAKE-ALLOW: ${{ inputs.bake-allow }}
@@ -236,7 +236,7 @@ jobs:
               } else if (platforms.length === 0) {
                 includes.push({
                   index: 0,
-                  'runs-on': inpRunsOn
+                  'runs-on': inpRunsOn || 'ubuntu-latest'
                 });
               } else {
                 platforms.forEach((platform, index) => {
@@ -261,8 +261,8 @@ jobs:
       - prepare
     permissions:
       contents: read
-      id-token: write # for signing attestation manifests with GitHub OIDC Token
-      packages: write # only used if pushing to GHCR but needs to be defined as caller must provide permissions ≥ to those used in the reusable workflow
+      id-token: write # for signing attestation manifests and/or registry authentication with GitHub OIDC Token
+      packages: write # for pushing manifests to GHCR if needed
     strategy:
       fail-fast: false
       matrix:
@@ -633,7 +633,8 @@ jobs:
     runs-on: ${{ inputs.runs-on || 'ubuntu-latest' }}
     permissions:
       contents: read
-      packages: write # only used if pushing to GHCR but needs to be defined as caller must provide permissions ≥ to those used in the reusable workflow
+      id-token: write # for registry authentication with OIDC if needed
+      packages: write # for pushing to GHCR when merging manifests if needed
     outputs:
       cosign-version: ${{ env.COSIGN_VERSION }}
       cosign-verify-commands: ${{ steps.set.outputs.cosign-verify-commands }}