build: add gha ssh example

Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com>

.github/vale/config/vocabularies/Docker/accept.txt

@@ -92,6 +92,7 @@ SLES
 SLSA
 SPDX
 SQLite
+SSH
 SSO
 Slack
 Snyk

content/build/ci/github-actions/secrets.md

@@ -4,6 +4,18 @@ description: Example using secret mounts with GitHub Actions
 keywords: ci, github actions, gha, buildkit, buildx, secret
 ---
 
+A build secret is sensitive information, such as a password or API token, consumed as part of the build process.
+Docker Build supports two forms of secrets:
+
+- [Secret mounts](#secret-mounts) add secrets as files in the build container
+  (under `/run/secrets` by default).
+- [SSH mounts](#ssh-mounts) add SSH agent sockets or keys into the build container.
+
+This page shows how to use secrets with GitHub Actions.
+For an introduction to secrets in general, see [Build secrets](../../building/secrets.md).
+
+## Secret mounts
+
 In the following example uses and exposes the [`GITHUB_TOKEN` secret](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#about-the-github_token-secret)
 as provided by GitHub in your workflow.
 
@@ -87,3 +99,137 @@ secrets: |
 > **Note**
 >
 > Double escapes are needed for quote signs.
+
+## SSH mounts
+
+SSH mounts let you authenticate with SSH servers.
+For example to perform a `git clone`,
+or to fetch application packages from a private repository.
+
+The following Dockerfile example uses an SSH mount
+to fetch Go modules from a private GitHub repository.
+
+{{< accordion title="Dockerfile" >}}
+
+```dockerfile
+# syntax=docker/dockerfile:1
+
+ARG GO_VERSION="{{% param example_go_version %}}"
+
+FROM golang:${GO_VERSION}-alpine AS base
+ENV CGO_ENABLED=0
+ENV GOPRIVATE="github.com/foo/*"
+RUN apk add --no-cache file git rsync openssh-client
+RUN mkdir -p -m 0700 ~/.ssh && ssh-keyscan github.com >> ~/.ssh/known_hosts
+WORKDIR /src
+
+FROM base AS vendor
+# this step configure git and checks the ssh key is loaded
+RUN --mount=type=ssh <<EOT
+  set -e
+  echo "Setting Git SSH protocol"
+  git config --global url."git@github.com:".insteadOf "https://github.com/"
+  (
+    set +e
+    ssh -T git@github.com
+    if [ ! "$?" = "1" ]; then
+      echo "No GitHub SSH key loaded exiting..."
+      exit 1
+    fi
+  )
+EOT
+# this one download go modules
+RUN --mount=type=bind,target=. \
+    --mount=type=cache,target=/go/pkg/mod \
+    --mount=type=ssh \
+    go mod download -x
+
+FROM vendor AS build
+RUN --mount=type=bind,target=. \
+    --mount=type=cache,target=/go/pkg/mod \
+    --mount=type=cache,target=/root/.cache \
+    go build ...
+```
+
+{{< /accordion >}}
+
+To build this Dockerfile, you must specify an SSH mount that the builder can
+use in the steps with `--mount=type=ssh`.
+
+The following GitHub Action workflow uses the `MrSquaare/ssh-setup-action`
+third-party action to bootstrap SSH setup on the GitHub runner. The action
+creates a private key defined by the GitHub Action secret `SSH_GITHUB_PPK` and
+adds it to the SSH agent socket file at `SSH_AUTH_SOCK`. The SSH mount in the
+build step assume `SSH_AUTH_SOCK` by default, so there's no need to specify the
+ID or path for the SSH agent socket explicitly.
+
+{{< tabs >}}
+{{< tab name="`docker/build-push-action`" >}}
+
+```yaml
+name: ci
+
+on:
+  push:
+    branches:
+      - "main"
+
+jobs:
+  docker:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Set up SSH
+        uses: MrSquaare/ssh-setup-action@7bfdda6ef6839504e3a5b2625ad971b17461a0db # v3.0.0
+        with:
+          host: github.com
+          private-key: ${{ secrets.SSH_GITHUB_PPK }}
+          private-key-name: github-ppk
+      -
+        name: Build and push
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          ssh: default
+          push: true
+          tags: user/app:latest
+```
+
+{{< /tab >}}
+{{< tab name="`docker/bake-action`" >}}
+
+```yaml
+name: ci
+
+on:
+  push:
+    branches:
+      - "main"
+
+jobs:
+  docker:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Set up SSH
+        uses: MrSquaare/ssh-setup-action@7bfdda6ef6839504e3a5b2625ad971b17461a0db # v3.0.0
+        with:
+          host: github.com
+          private-key: ${{ secrets.SSH_GITHUB_PPK }}
+          private-key-name: github-ppk
+      -
+        name: Build
+        uses: docker/bake-action@v4
+        with:
+          set: |
+            *.ssh=default
+```
+
+{{< /tab >}}
+{{< /tabs >}}

hugo_stats.json

@@ -20,12 +20,12 @@
       "Before",
       "Buildkite",
       "CLI",
-      "CLI-Mac-/-Linux",
-      "CLI-Windows",
       "CentOS-7-and-RHEL-7",
       "CentOS-8-RHEL-8-and-Fedora",
       "Circle-CI",
       "Clone-with-git",
+      "Command-Prompt",
+      "Command-Prompt-CLI",
       "Compliant",
       "Debian",
       "Debian-GNU/Linux",
@@ -40,6 +40,8 @@
       "For-Mac-with-Apple-silicon",
       "For-Mac-with-Intel-chip",
       "For-all-platforms",
+      "Git-Bash",
+      "Git-Bash-CLI",
       "GitHub-Actions",
       "GitLab",
       "Go",
@@ -58,13 +60,17 @@
       "Linux",
       "Mac",
       "Mac-/-Linux",
+      "Mac-/-Linux-/-Git-Bash",
+      "Mac-/-Linux-/-PowerShell",
       "Mac-/-Linux-/-Windows-Git-Bash",
+      "Mac-/-Linux-CLI",
       "Mac-and-Linux",
       "Mac-with-Apple-silicon",
       "Mac-with-Intel-chip",
       "Node",
       "Non-compliant",
       "PowerShell",
+      "PowerShell-CLI",
       "Python",
       "Raw",
       "React",
@@ -175,6 +181,8 @@
       "dark:to-magenta-dark-400",
       "decoration-2",
       "decoration-blue-light",
+      "docker/bake-action",
+      "docker/build-push-action",
       "drop-shadow",
       "drop-shadow-sm",
       "duration-300",