From 2ba0b6daba9e5f974d4630297ef8373d2dfa05f7 Mon Sep 17 00:00:00 2001
From: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Date: Fri, 9 Jan 2026 15:32:36 +0100
Subject: [PATCH 1/2] cache: ignore error on cache export

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
---
 .github/workflows/bake.yml | 2 +-
 .github/workflows/build.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/bake.yml b/.github/workflows/bake.yml
index 781d638..807ee0f 100644
--- a/.github/workflows/bake.yml
+++ b/.github/workflows/bake.yml
@@ -608,7 +608,7 @@ jobs:
 }
 if (inpCache) {
 bakeOverrides.push(`*.cache-from=type=gha,scope=${inpCacheScope || target}${platformPairSuffix}`);
-bakeOverrides.push(`*.cache-to=type=gha,scope=${inpCacheScope || target}${platformPairSuffix},mode=${inpCacheMode}`);
+bakeOverrides.push(`*.cache-to=type=gha,ignore-error=true,scope=${inpCacheScope || target}${platformPairSuffix},mode=${inpCacheMode}`);
 }
 core.info(JSON.stringify(bakeOverrides, null, 2));
 core.setOutput('overrides', bakeOverrides.join(os.EOL));
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 6fdfe5b..e2e3a93 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -498,7 +498,7 @@ jobs:
 if (inpCache) {
 core.setOutput('cache-from', `type=gha,scope=${inpCacheScope || inpTarget || 'buildkit'}${platformPairSuffix}`);
-core.setOutput('cache-to', `type=gha,scope=${inpCacheScope || inpTarget || 'buildkit'}${platformPairSuffix},mode=${inpCacheMode}`);
+core.setOutput('cache-to', `type=gha,ignore-error=true,scope=${inpCacheScope || inpTarget || 'buildkit'}${platformPairSuffix},mode=${inpCacheMode}`);
 }
 if (inpSetMetaAnnotations && inpMetaAnnotations.length > 0) {

From bc5fa9f5b55147c50daf47b0ebca4a667ffb0986 Mon Sep 17 00:00:00 2001
From: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Date: Fri, 9 Jan 2026 16:42:58 +0100
Subject: [PATCH 2/2] cache: sign only if oidc token available
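Review bot: Adding `ignore-error=true` to the cache-to export means a failed GHA cache export no longer fails the build, but nothing in this hunk records that it happened, so a persistently broken export (including a failure inside the `[cache.gha.sign]` hook configured further down in this file) would only surface as slower builds and an empty cache scope. The build.yml hunk at -498 has the same property. I believe buildx still prints the ignored export error as a warning in its own log, but that is easy to miss; worth stating the intent next to the override with a comment such as `// ignore-error=true: a cache export failure must not fail the build itself (see commit message); check the buildx log when cache hits disappear`. The github-script body this line belongs to starts and ends outside the hunk.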
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
---
 .github/workflows/bake.yml | 16 +++++++++++++---
 .github/workflows/build.yml | 15 +++++++++++++--
 2 files changed, 26 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/bake.yml b/.github/workflows/bake.yml
index 807ee0f..cde22e9 100644
--- a/.github/workflows/bake.yml
+++ b/.github/workflows/bake.yml
@@ -152,7 +152,7 @@ jobs:
 outputs:
 includes: ${{ steps.set.outputs.includes }}
 sign: ${{ steps.set.outputs.sign }}
-privateRepo: ${{ steps.set.outputs.privateRepo }}
+ghaCacheSign: ${{ steps.set.outputs.ghaCacheSign }}
 steps:
 -
 name: Install @docker/actions-toolkit
@@ -162,6 +162,9 @@ jobs:
 with:
 script: |
 await exec.exec('npm', ['install', '--prefer-offline', '--ignore-scripts', core.getInput('dat-module')]);
+-
+name: Expose GitHub Runtime
+uses: crazy-max/ghaction-github-runtime@3cb05d89e1f492524af3d41a1c98c83bc3025124 # v3.1.0
 -
 name: Set outputs
 id: set
@@ -169,6 +172,7 @@ jobs:
 env:
 INPUT_SBOM-IMAGE: ${{ env.SBOM_IMAGE }}
 INPUT_MATRIX-SIZE-LIMIT: ${{ env.MATRIX_SIZE_LIMIT }}
+INPUT_ACTIONS-ID-TOKEN-SET: ${{ env.ACTIONS_ID_TOKEN_REQUEST_TOKEN != '' && env.ACTIONS_ID_TOKEN_REQUEST_URL != '' }}
 INPUT_RUNNER: ${{ inputs.runner }}
 INPUT_ARTIFACT-UPLOAD: ${{ inputs.artifact-upload }}
 INPUT_CONTEXT: ${{ inputs.context }}
@@ -189,6 +193,7 @@ jobs:
 const inpSbomImage = core.getInput('sbom-image');
 const inpMatrixSizeLimit = parseInt(core.getInput('matrix-size-limit'), 10);
+const inpActionsIdTokenSet = core.getBooleanInput('actions-id-token-set');
 const inpRunner = core.getInput('runner');
 const inpArtifactUpload = core.getBooleanInput('artifact-upload');
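Review bot: Replacing the `privateRepo` job output with `ghaCacheSign` in the -152 hunk drops an output this file still consumes: the -373 hunk keeps `tlogThreshold = ${{ needs.prepare.outputs.privateRepo == 'true' && '0' || '1' }}` as context. With the mapping removed, `needs.prepare.outputs.privateRepo` evaluates to the empty string, so that expression is always `1` — unless the output is re-exposed somewhere this patch does not show. build.yml keeps `privateRepo` and adds `ghaCacheSign` next to it, which looks like the intended shape here too: keep `privateRepo: ${{ steps.set.outputs.privateRepo }}` and add `ghaCacheSign: ${{ steps.set.outputs.ghaCacheSign }}` below it.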
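Review bot: The Expose GitHub Runtime step added in the -162 hunk exports the runner's runtime credentials (the OIDC request token and URL among them, going by what that action does) as environment variables for every later step of the prepare job, while the only consumer visible in this patch is the presence check in the -169 hunk. That widens what any subsequent step in this job can read; acceptable if Set outputs stays the last step, but the reason is not recorded anywhere. A one-line comment on the step would carry it: `# needed only so the next step can tell whether id-token: write was granted (ACTIONS_ID_TOKEN_REQUEST_* are unset otherwise)`. The same step is added in build.yml at -169.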
@@ -294,6 +299,11 @@ jobs:
 core.info(`sign: ${sign}`);
 core.setOutput('sign', sign);
 });
+await core.group(`Set ghaCacheSign output`, async () => {
+const ghaCacheSign = inpActionsIdTokenSet ? 'true' : 'false';
+core.info(`ghaCacheSign: ${ghaCacheSign}`);
+core.setOutput('ghaCacheSign', ghaCacheSign);
+});
 build:
 runs-on: ${{ matrix.runner }}
@@ -373,9 +383,9 @@ jobs:
 [cache]
 [cache.gha]
 [cache.gha.sign]
-command = ["ghacache-sign-script.sh"]
+command = [${{ needs.prepare.outputs.ghaCacheSign == 'true' && '"ghacache-sign-script.sh"' || '' }}]
 [cache.gha.verify]
-required = true
+required = ${{ needs.prepare.outputs.ghaCacheSign }}
 [cache.gha.verify.policy]
 timestampThreshold = 1
 tlogThreshold = ${{ needs.prepare.outputs.privateRepo == 'true' && '0' || '1' }}
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index e2e3a93..8f9780e 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -160,6 +160,7 @@ jobs:
 includes: ${{ steps.set.outputs.includes }}
 sign: ${{ steps.set.outputs.sign }}
 privateRepo: ${{ steps.set.outputs.privateRepo }}
+ghaCacheSign: ${{ steps.set.outputs.ghaCacheSign }}
 steps:
 -
 name: Install @docker/actions-toolkit
@@ -169,12 +170,16 @@ jobs:
 with:
 script: |
 await exec.exec('npm', ['install', '--prefer-offline', '--ignore-scripts', core.getInput('dat-module')]);
+-
+name: Expose GitHub Runtime
+uses: crazy-max/ghaction-github-runtime@3cb05d89e1f492524af3d41a1c98c83bc3025124 # v3.1.0
 -
 name: Set outputs
 id: set
 uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
 env:
 INPUT_MATRIX-SIZE-LIMIT: ${{ env.MATRIX_SIZE_LIMIT }}
+INPUT_ACTIONS-ID-TOKEN-SET: ${{ env.ACTIONS_ID_TOKEN_REQUEST_TOKEN != '' && env.ACTIONS_ID_TOKEN_REQUEST_URL != '' }}
 INPUT_RUNNER: ${{ inputs.runner }}
 INPUT_ARTIFACT-UPLOAD: ${{ inputs.artifact-upload }}
 INPUT_OUTPUT: ${{ inputs.output }}
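Review bot: `required = ${{ needs.prepare.outputs.ghaCacheSign }}` in the -373 hunk switches signature verification of imported cache off entirely whenever no OIDC token is available (runs where `id-token: write` is not granted), while `cache-from` stays configured, so those runs consume cache entries without any check on who produced them. If `[cache.gha.verify]` exists to keep untrusted cache out of the build, the safer fallback is to keep `required = true` and skip the cache import when signing is unavailable, or at least emit a warning from the prepare step that verification is disabled, rather than silently accept unsigned entries. Separately, should the prepare output ever be empty, `required = ` is not valid TOML; `required = ${{ needs.prepare.outputs.ghaCacheSign == 'true' }}` always yields a boolean. The build.yml hunk at -332 has the same shape.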
@@ -187,6 +192,7 @@ jobs:
 const { Util } = require('@docker/actions-toolkit/lib/util');
 const inpMatrixSizeLimit = parseInt(core.getInput('matrix-size-limit'), 10);
+const inpActionsIdTokenSet = core.getBooleanInput('actions-id-token-set');
 const inpRunner = core.getInput('runner');
 const inpArtifactUpload = core.getBooleanInput('artifact-upload');
@@ -254,6 +260,11 @@ jobs:
 core.info(`sign: ${sign}`);
 core.setOutput('sign', sign);
 });
+await core.group(`Set ghaCacheSign output`, async () => {
+const ghaCacheSign = inpActionsIdTokenSet ? 'true' : 'false';
+core.info(`ghaCacheSign: ${ghaCacheSign}`);
+core.setOutput('ghaCacheSign', ghaCacheSign);
+});
 build:
 runs-on: ${{ matrix.runner }}
@@ -332,9 +343,9 @@ jobs:
 [cache]
 [cache.gha]
 [cache.gha.sign]
-command = ["ghacache-sign-script.sh"]
+command = [${{ needs.prepare.outputs.ghaCacheSign == 'true' && '"ghacache-sign-script.sh"' || '' }}]
 [cache.gha.verify]
-required = true
+required = ${{ needs.prepare.outputs.ghaCacheSign }}
 [cache.gha.verify.policy]
 timestampThreshold = 1
 tlogThreshold = ${{ needs.prepare.outputs.privateRepo == 'true' && '0' || '1' }}