feat: [CI-18552]: add Docker Buildx Bake support with multi-registry capabilities (#74)

* feat: add support for Docker Buildx Bake mode with multi-registry push

* Update BUILDX_URL for ARM64 architecture

* Update docker.go

* fix: improve PLUGIN_CONFIG handling with JSON-first validation

- Use JSON validation to distinguish between config content and file paths
- Prevents sensitive data exposure in error logs
- Provides clearer, user-friendly error messages
- Maintains full backward compatibility

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

---------

Co-authored-by: Claude <[email protected]>

Author: Ompragash

README.md

@@ -145,6 +145,50 @@ envVariables:
   PLUGIN_BUILDX_OPTIONS_SEMICOLON: "--platform=linux/amd64,linux/arm64;--provenance=false;--output=type=tar,dest=image.tar"
 ```
 
+### Buildx Bake mode (opt-in)
+
+Use Docker Buildx Bake when you have a bake file (HCL/JSON/Compose) and want build orchestration across multiple targets and registries.
+
+Inputs:
+- PLUGIN_BAKE_FILE: Path to your bake file. When set, the plugin runs `docker buildx bake` instead of classic `buildx build`.
+- PLUGIN_BAKE_OPTIONS: Semicolon-delimited extra bake CLI args and/or target names. Example: `--progress=plain;web;api` or `--set=*.platform=linux/amd64`.
+
+Behavior:
+- Do not include `--push` or `--load` in PLUGIN_BAKE_OPTIONS. The plugin adds these implicitly:
+  - `--push` when PLUGIN_DRY_RUN=false (default).
+  - `--load` when PLUGIN_DRY_RUN=true.
+- The existing `builder-name` is passed as `--builder` to bake if set.
+- The plugin does not auto-switch the builder driver in Bake mode. If your bake file uses `cache-to` (registry exports), set `PLUGIN_BUILDER_DRIVER=docker-container` explicitly.
+- If PLUGIN_METADATA_FILE is set, it is forwarded to bake as `--metadata-file`.
+- Bake mode ignores classic cache envs (PLUGIN_CACHE_FROM / PLUGIN_CACHE_TO / PLUGIN_NO_CACHE). Define cache in the bake file instead.
+- Bake mode and Push-only mode (PLUGIN_PUSH_ONLY) are mutually exclusive.
+- Classic tar export (PLUGIN_TAR_PATH) is not applied in Bake; define outputs in the bake file.
+
+Examples:
+
+Basic Bake with multi-registry push
+```yaml
+envVariables:
+  PLUGIN_BAKE_FILE: docker-bake.hcl
+  # Either pass a config file path or JSON content for multi-registry auth
+  PLUGIN_CONFIG: /path/to/docker-config.json
+  # PLUGIN_CONFIG: '{"auths":{"docker.io":{"auth":"..."},"ghcr.io":{"auth":"..."}}}'
+```
+
+Bake with specific targets and progress
+```yaml
+envVariables:
+  PLUGIN_BAKE_FILE: docker-bake.hcl
+  PLUGIN_BAKE_OPTIONS: "--progress=plain;web;api"
+```
+
+Bake with platform override
+```yaml
+envVariables:
+  PLUGIN_BAKE_FILE: docker-bake.hcl
+  PLUGIN_BAKE_OPTIONS: "--set=*.platform=linux/amd64"
+```
+
 ## Developer Notes
 
 - When updating the base image, you will need to update for each architecture and OS.

app.go

@@ -430,6 +430,16 @@ func Run() {
 			Usage:  "additional options to pass directly to the buildx command, separated by semicolons",
 			EnvVar: "PLUGIN_BUILDX_OPTIONS_SEMICOLON",
 		},
+		cli.StringFlag{
+			Name:   "bake-file",
+			Usage:  "Buildx Bake definition file (HCL/JSON/Compose). When set, plugin runs docker buildx bake",
+			EnvVar: "PLUGIN_BAKE_FILE",
+		},
+		cli.StringFlag{
+			Name:   "bake-options",
+			Usage:  "Semicolon-delimited extra bake CLI args and/or target names",
+			EnvVar: "PLUGIN_BAKE_OPTIONS",
+		},
 		cli.BoolFlag{
 			Name:   "push-only",
 			Usage:  "skip build and only push images",
@@ -515,6 +525,8 @@ func run(c *cli.Context) error {
 			HarnessSelfHostedGcpJsonKey:  c.String("harness-self-hosted-gcp-json-key"),
 			BuildxOptions:                c.StringSlice("buildx-options"),
 			BuildxOptionsSemicolon:       c.String("buildx-options-semicolon"),
+			BakeFile:                     c.String("bake-file"),
+			BakeOptions:                  c.String("bake-options"),
 		},
 		Daemon: Daemon{
 			Registry:         c.String("docker.registry"),

docker.go

@@ -98,6 +98,9 @@ type (
 		HarnessSelfHostedGcpJsonKey  string   // Harness self hosted gcp json region
 		BuildxOptions                []string // Generic buildx options passed directly to the buildx command
 		BuildxOptionsSemicolon       string   // Buildx options separated by semicolons instead of commas
+		// Buildx Bake (opt-in)
+		BakeFile                     string // Buildx Bake definition file (HCL/JSON/Compose). If set, Bake mode is active
+		BakeOptions                  string // Semicolon-delimited Bake options and/or target names
 	}
 
 	// Plugin defines the Docker plugin parameters.
@@ -199,8 +202,24 @@ func (p Plugin) Exec() error {
 		os.MkdirAll(dockerHome, 0600)
 
 		path := filepath.Join(dockerHome, "config.json")
-		err := os.WriteFile(path, []byte(p.Login.Config), 0600)
-		if err != nil {
+		var content []byte
+		// Try to parse as JSON first to determine if it's content or file path
+		var jsonTest interface{}
+		if json.Unmarshal([]byte(p.Login.Config), &jsonTest) == nil {
+			// Valid JSON, treat as content
+			content = []byte(p.Login.Config)
+		} else if _, err := os.Stat(p.Login.Config); err == nil {
+			// Not JSON but file exists, read it
+			data, err := os.ReadFile(p.Login.Config)
+			if err != nil {
+				return fmt.Errorf("Error reading docker config file '%s': %s", p.Login.Config, err)
+			}
+			content = data
+		} else {
+			// Neither valid JSON nor existing file
+			return fmt.Errorf("Docker config must be either valid JSON content or a path to an existing config file")
+		}
+		if err := os.WriteFile(path, content, 0600); err != nil {
 			return fmt.Errorf("Error writing config.json: %s", err)
 		}
 	}
@@ -257,7 +276,8 @@ func (p Plugin) Exec() error {
 	}
 
 	// cache export feature is currently not supported for docker driver hence we have to create docker-container driver
-	if len(p.Build.CacheTo) > 0 && (p.Builder.Driver == "" || p.Builder.Driver == defaultDriver) {
+	// NOTE: skip this auto-switch when Bake mode is active
+	if p.Build.BakeFile == "" && len(p.Build.CacheTo) > 0 && (p.Builder.Driver == "" || p.Builder.Driver == defaultDriver) {
 		p.Builder.Driver = dockerContainerDriver
 	}
 
@@ -359,21 +379,38 @@ func (p Plugin) Exec() error {
 		}()
 	}
 
+	// Enforce mutual exclusivity: Bake mode and Push-only mode cannot be used together
+	if p.Build.BakeFile != "" && p.PushOnly {
+		return fmt.Errorf("conflict: Bake mode (PLUGIN_BAKE_FILE) and Push-only mode (PLUGIN_PUSH_ONLY) cannot be used together")
+	}
+
 	// Handle push-only mode if requested
 	if p.PushOnly {
 		return p.pushOnly()
 	}
 
-	// add proxy build args
-	addProxyBuildArgs(&p.Build)
-
 	var cmds []*exec.Cmd
 
 	cmds = append(cmds, commandVersion()) // docker version
 	cmds = append(cmds, commandInfo())    // docker info
 
-	// Command to build, tag and push
-	cmds = append(cmds, commandBuildx(p.Build, p.Builder, p.Dryrun, p.MetadataFile, p.TarPath)) // docker build
+	// Determine execution path: Bake mode vs Classic buildx build
+	if p.Build.BakeFile != "" {
+		// Inform about ignored classic cache settings
+		if len(p.Build.CacheFrom) > 0 || len(p.Build.CacheTo) > 0 || p.Build.NoCache {
+			fmt.Println("Bake mode: ignoring PLUGIN_CACHE_*; define cache in the bake file.")
+		}
+		// Tar export is not applied in Bake mode
+		if p.TarPath != "" {
+			fmt.Println("Bake mode: ignoring PLUGIN_TAR_PATH; define outputs in the bake file.")
+		}
+		// Command to run buildx bake
+		cmds = append(cmds, commandBuildxBake(p.Build, p.Builder, p.Dryrun, p.MetadataFile))
+	} else {
+		// Classic path: add proxy build args and run buildx build
+		addProxyBuildArgs(&p.Build)
+		cmds = append(cmds, commandBuildx(p.Build, p.Builder, p.Dryrun, p.MetadataFile, p.TarPath)) // docker build
+	}
 
 	// execute all commands in batch mode.
 	for _, cmd := range cmds {
@@ -425,7 +462,7 @@ func (p Plugin) Exec() error {
 		}
 	}
 
-	if p.TarPath != "" && p.Dryrun {
+	if p.Build.BakeFile == "" && p.TarPath != "" && p.Dryrun {
 		if len(p.Build.Tags) > 0 {
 			tag := p.Build.Tags[0]
 			fullImageName := fmt.Sprintf("%s:%s", p.Build.Repo, tag)
@@ -457,11 +494,13 @@ func (p Plugin) Exec() error {
 		}
 	}
 
-	// output the adaptive card
-	if p.Builder.Driver == defaultDriver {
+	// output the adaptive card (skipped in Bake mode)
+	if p.Build.BakeFile == "" && p.Builder.Driver == defaultDriver {
 		if err := p.writeCard(); err != nil {
 			fmt.Printf("Could not create adaptive card. %s\n", err)
 		}
+	} else if p.Build.BakeFile != "" {
+		fmt.Println("Bake mode: skipping adaptive card output.")
 	}
 
 	// write to artifact file
@@ -729,6 +768,44 @@ func commandBuildx(build Build, builder Builder, dryrun bool, metadataFile strin
 	return exec.Command(dockerExe, args...)
 }
 
+// helper function to create the docker buildx bake command.
+func commandBuildxBake(build Build, builder Builder, dryrun bool, metadataFile string) *exec.Cmd {
+    args := []string{"buildx", "bake"}
+
+    if build.BakeFile != "" {
+        args = append(args, "-f", build.BakeFile)
+    }
+    if builder.Name != "" {
+        args = append(args, "--builder", builder.Name)
+    }
+
+    if dryrun {
+        args = append(args, "--load")
+    } else {
+        args = append(args, "--push")
+    }
+
+    if metadataFile != "" {
+        args = append(args, "--metadata-file", metadataFile)
+    }
+
+    if build.BakeOptions != "" {
+        tokens := strings.Split(build.BakeOptions, ";")
+        for _, t := range tokens {
+            t = strings.TrimSpace(t)
+            if t == "" {
+                continue
+            }
+            if t == "--push" || t == "--load" {
+                continue
+            }
+            args = append(args, t)
+        }
+    }
+
+    return exec.Command(dockerExe, args...)
+}
+
 func sanitizeCacheCommand(build *Build) {
 	// Helper function to sanitize cache arguments
 	sanitizeCacheArgs := func(args []string) []string {

docker/docker/Dockerfile.linux.arm64

@@ -7,7 +7,7 @@ ENV BUILDKIT_PROGRESS=plain
 ENV DOCKER_CLI_EXPERIMENTAL=enabled
 ENV PLUGIN_BUILDKIT_ASSETS_DIR=/buildkit
 
-ARG BUILDX_URL=https://github.com/docker/buildx/releases/download/v0.23.0/buildx-v0.23.0.linux-amd64
+ARG BUILDX_URL=https://github.com/docker/buildx/releases/download/v0.23.0/buildx-v0.23.0.linux-arm64
 
 RUN mkdir -p $HOME/.docker/cli-plugins && \
     wget -O $HOME/.docker/cli-plugins/docker-buildx $BUILDX_URL && \

docker_test.go

@@ -247,6 +247,99 @@ func TestCommandBuildx(t *testing.T) {
 	}
 }
 
+func TestCommandBuildxBake(t *testing.T) {
+	tcs := []struct {
+		name     string
+		build    Build
+		builder  Builder
+		dryrun   bool
+		metadata string
+		want     *exec.Cmd
+	}{
+		{
+			name: "basic bake with file, push by default",
+			build: Build{
+				BakeFile:    "docker-bake.hcl",
+				BakeOptions: "",
+			},
+			want: exec.Command(
+				dockerExe,
+				"buildx",
+				"bake",
+				"-f",
+				"docker-bake.hcl",
+				"--push",
+			),
+		},
+		{
+			name: "with builder and dryrun -> load",
+			build: Build{
+				BakeFile: "docker-bake.hcl",
+			},
+			builder: Builder{
+				Name: "mybuilder",
+			},
+			dryrun: true,
+			want: exec.Command(
+				dockerExe,
+				"buildx",
+				"bake",
+				"-f",
+				"docker-bake.hcl",
+				"--builder",
+				"mybuilder",
+				"--load",
+			),
+		},
+		{
+			name: "options and targets parsed; ignore push/load in options",
+			build: Build{
+				BakeFile:    "docker-bake.hcl",
+				BakeOptions: "--progress=plain;web;--push;api;--load",
+			},
+			// dryrun false -> plugin adds --push
+			want: exec.Command(
+				dockerExe,
+				"buildx",
+				"bake",
+				"-f",
+				"docker-bake.hcl",
+				"--push",
+				"--progress=plain",
+				"web",
+				"api",
+			),
+		},
+		{
+			name: "with metadata file",
+			build: Build{
+				BakeFile: "docker-bake.hcl",
+			},
+			metadata: "/tmp/meta.json",
+			want: exec.Command(
+				dockerExe,
+				"buildx",
+				"bake",
+				"-f",
+				"docker-bake.hcl",
+				"--push",
+				"--metadata-file",
+				"/tmp/meta.json",
+			),
+		},
+	}
+
+	for _, tc := range tcs {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			cmd := commandBuildxBake(tc.build, tc.builder, tc.dryrun, tc.metadata)
+			if !reflect.DeepEqual(cmd.String(), tc.want.String()) {
+				t.Errorf("Got cmd %v, want %v", cmd, tc.want)
+			}
+		})
+	}
+}
+
 func TestSanitizeCacheCommand(t *testing.T) {
 	tests := []struct {
 		name              string