From 4f008129997a4495512f30c3192faadea1134554 Mon Sep 17 00:00:00 2001
From: estebanthi <esteban.thilliez@gmail.com>
Date: Mon, 5 Jan 2026 13:02:11 +0100
Subject: [PATCH] Allow ssh entitlement for bake

---
 .github/workflows/docker-build-publish.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/docker-build-publish.yml b/.github/workflows/docker-build-publish.yml
index 196c87c..5764b3a 100644
--- a/.github/workflows/docker-build-publish.yml
+++ b/.github/workflows/docker-build-publish.yml
@@ -111,6 +111,10 @@ jobs:
           if [ -n "${SSH_AUTH_SOCK:-}" ]; then
             SSH_BAKE_JSON='["default"]'
           fi
+          BAKE_ALLOW_FLAGS=()
+          if [ -n "${SSH_AUTH_SOCK:-}" ]; then
+            BAKE_ALLOW_FLAGS+=(--allow=ssh)
+          fi
 
           RAW_REF="${{ github.ref }}"
           SHA_FULL="${{ github.sha }}"
@@ -211,7 +215,7 @@ jobs:
               BAKE_FILE=$(mktemp)
               echo "$BAKE_JSON" > "$BAKE_FILE"
 
-              docker buildx bake --file "$BAKE_FILE" --push
+              docker buildx bake --file "$BAKE_FILE" --push "${BAKE_ALLOW_FLAGS[@]}"
               rm -f "$BAKE_FILE"
 
               while read -r img; do