Docker Buildx: SSH, TLS, Standalone Mode, and Isolated Builders

To be able to connect to an SSH endpoint using the [`docker-container` driver](/manuals/build/builders/drivers/docker-container.md), you have to set up the SSH private key and configuration on the GitHub Runner: ```yaml name: ci on: push: jobs: buildx: runs-on: ubuntu-latest steps: - name: Set up SSH uses: MrSquaare/ssh-setup-action@2d028b70b5e397cf8314c6eaea229a6c3e34977a # v3.1.0 with: host: graviton2 private-key: ${{ secrets.SSH_PRIVATE_KEY }} private-key-name: aws_graviton2 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 with: endpoint: ssh://me@graviton2 ``` ### TLS authentication You can also [set up a remote BuildKit instance](/manuals/build/builders/drivers/remote.md#example-remote-buildkit-in-docker-container) using the remote driver. To ease the integration in your workflow, you can use an environment variables that sets up authentication using the BuildKit client certificates for the `tcp://`: - `BUILDER_NODE_<idx>_AUTH_TLS_CACERT` - `BUILDER_NODE_<idx>_AUTH_TLS_CERT` - `BUILDER_NODE_<idx>_AUTH_TLS_KEY` The `<idx>` placeholder is the position of the node in the list of nodes. ```yaml name: ci on: push: jobs: buildx: runs-on: ubuntu-latest steps: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 with: driver: remote endpoint: tcp://graviton2:1234 env: BUILDER_NODE_0_AUTH_TLS_CACERT: ${{ secrets.GRAVITON2_CA }} BUILDER_NODE_0_AUTH_TLS_CERT: ${{ secrets.GRAVITON2_CERT }} BUILDER_NODE_0_AUTH_TLS_KEY: ${{ secrets.GRAVITON2_KEY }} ``` ## Standalone mode If you don't have the Docker CLI installed on the GitHub Runner, the Buildx binary gets invoked directly, instead of calling it as a Docker CLI plugin. This can be useful if you want to use the `kubernetes` driver in your self-hosted runner: ```yaml name: ci on: push: jobs: buildx: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 with: driver: kubernetes - name: Build run: | buildx build . ``` ## Isolated builders The following example shows how you can select different builders for different jobs. An example scenario where this might be useful is when you are using a monorepo, and you want to pinpoint different packages to specific builders. For example, some packages may be particularly resource-intensive to build and require more compute. Or they require a builder equipped with a particular capability or hardware. For more information about remote builder, see [`remote` driver](/manuals/build/builders/drivers/remote.md) and the [append builder nodes example](#append-additional-nodes-to-the-builder). ```yaml name: ci on: push: jobs: docker: runs-on: ubuntu-latest steps: - name: Set up builder1 uses: docker/setup-buildx-action@v3 id: builder1 - name: Set up builder2 uses: docker/setup-buildx-action@v3 id: builder2 - name: Build against builder1 uses: docker/build-push-action@v6 with: builder: ${{ steps.builder1.outputs.name }} target: mytarget1 - name: Build against builder2 uses: docker/build-push-action@v6 with: builder: ${{ steps.builder2.outputs.name }} target: mytarget2 ```

This section covers several advanced usage scenarios for Docker Buildx in GitHub Actions. It demonstrates how to configure SSH and TLS authentication for remote builders, showing the necessary YAML configurations and environment variables. It also explains how to use Buildx in standalone mode when the Docker CLI is not installed, specifically highlighting the use of the `kubernetes` driver. Finally, it illustrates how to select different builders for different jobs, useful in monorepo setups where certain packages require specific build resources or hardware.