ci: fall back to local buildx builder for fork PRs

.github/workflows/gomodguard.yml

@@ -12,10 +12,16 @@ jobs:
       id-token: write
       pull-requests: write
       contents: write
+    env:
+      # Docker Hub credentials and the Docker Build Cloud builder are only
+      # available to same-repo events. Fork PRs run without secrets, so they
+      # fall back to a local buildx builder (slower, no shared cache).
+      IS_TRUSTED: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
     steps:
       - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 
       - name: Hub login
+        if: env.IS_TRUSTED == 'true'
         uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
         with:
           username: dockerpublicbot
@@ -25,8 +31,8 @@ jobs:
         id: buildx
         uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
         with:
-          driver: cloud
-          endpoint: "docker/secrets-engine"
+          driver: ${{ env.IS_TRUSTED == 'true' && 'cloud' || 'docker-container' }}
+          endpoint: ${{ env.IS_TRUSTED == 'true' && 'docker/secrets-engine' || '' }}
           install: true
 
       - name: Lint

.github/workflows/govulncheck.yml

@@ -12,10 +12,16 @@ jobs:
       id-token: write
       pull-requests: write
       contents: write
+    env:
+      # Docker Hub credentials and the Docker Build Cloud builder are only
+      # available to same-repo events. Fork PRs run without secrets, so they
+      # fall back to a local buildx builder (slower, no shared cache).
+      IS_TRUSTED: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
     steps:
       - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 
       - name: Hub login
+        if: env.IS_TRUSTED == 'true'
         uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
         with:
           username: dockerpublicbot
@@ -25,8 +31,8 @@ jobs:
         id: buildx
         uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
         with:
-          driver: cloud
-          endpoint: "docker/secrets-engine"
+          driver: ${{ env.IS_TRUSTED == 'true' && 'cloud' || 'docker-container' }}
+          endpoint: ${{ env.IS_TRUSTED == 'true' && 'docker/secrets-engine' || '' }}
           install: true
 
       - name: govulncheck

.github/workflows/keychain.yml

@@ -25,10 +25,16 @@ jobs:
           # headless environment... need to still fix this
           # - fedora-43-kdewallet
           # - ubuntu-24-kdewallet
+    env:
+      # Docker Hub credentials and the Docker Build Cloud builder are only
+      # available to same-repo events. Fork PRs run without secrets, so they
+      # fall back to a local buildx builder (slower, no shared cache).
+      IS_TRUSTED: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
     steps:
       - name: Checkout
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
       - name: Hub login
+        if: env.IS_TRUSTED == 'true'
         uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
         with:
           username: dockerpublicbot
@@ -37,8 +43,8 @@ jobs:
         id: buildx
         uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
         with:
-          driver: cloud
-          endpoint: "docker/secrets-engine"
+          driver: ${{ env.IS_TRUSTED == 'true' && 'cloud' || 'docker-container' }}
+          endpoint: ${{ env.IS_TRUSTED == 'true' && 'docker/secrets-engine' || '' }}
           install: true
       - name: Test
         run: DOCKER_TARGET=${{ matrix.subtest }} make keychain-linux-ci-unit-tests

.github/workflows/lint.yml

@@ -20,6 +20,11 @@ jobs:
       id-token: write
       pull-requests: write
       contents: write
+    env:
+      # Docker Hub credentials and the Docker Build Cloud builder are only
+      # available to same-repo events. Fork PRs run without secrets, so they
+      # fall back to a local buildx builder (slower, no shared cache).
+      IS_TRUSTED: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
     steps:
       - name: Checkout
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
@@ -28,6 +33,7 @@ jobs:
         with:
           go-version-file: go.work
       - name: Hub login
+        if: env.IS_TRUSTED == 'true'
         uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
         with:
           username: dockerpublicbot
@@ -36,8 +42,8 @@ jobs:
         id: buildx
         uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
         with:
-          driver: cloud
-          endpoint: "docker/secrets-engine"
+          driver: ${{ env.IS_TRUSTED == 'true' && 'cloud' || 'docker-container' }}
+          endpoint: ${{ env.IS_TRUSTED == 'true' && 'docker/secrets-engine' || '' }}
           install: true
       - name: Lint
         run: make BUILDER=${{ steps.buildx.outputs.name }} ${{ matrix.target }}

.github/workflows/proto-check.yml

@@ -15,11 +15,18 @@ jobs:
       pull-requests: write
       contents: write
 
+    env:
+      # Docker Hub credentials and the Docker Build Cloud builder are only
+      # available to same-repo events. Fork PRs run without secrets, so they
+      # fall back to a local buildx builder (slower, no shared cache).
+      IS_TRUSTED: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
+
     steps:
       - name: Checkout code
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - name: Hub login
+        if: env.IS_TRUSTED == 'true'
         uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
         with:
           username: dockerpublicbot
@@ -29,8 +36,8 @@ jobs:
         id: buildx
         uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
         with:
-          driver: cloud
-          endpoint: "docker/secrets-engine"
+          driver: ${{ env.IS_TRUSTED == 'true' && 'cloud' || 'docker-container' }}
+          endpoint: ${{ env.IS_TRUSTED == 'true' && 'docker/secrets-engine' || '' }}
           install: true
 
       - name: Check if protobuf generate is clean

.github/workflows/proto-lint.yml

@@ -15,11 +15,18 @@ jobs:
       pull-requests: write
       contents: write
 
+    env:
+      # Docker Hub credentials and the Docker Build Cloud builder are only
+      # available to same-repo events. Fork PRs run without secrets, so they
+      # fall back to a local buildx builder (slower, no shared cache).
+      IS_TRUSTED: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
+
     steps:
       - name: Checkout code
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - name: Hub login
+        if: env.IS_TRUSTED == 'true'
         uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
         with:
           username: dockerpublicbot
@@ -29,8 +36,8 @@ jobs:
         id: buildx
         uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
         with:
-          driver: cloud
-          endpoint: "docker/secrets-engine"
+          driver: ${{ env.IS_TRUSTED == 'true' && 'cloud' || 'docker-container' }}
+          endpoint: ${{ env.IS_TRUSTED == 'true' && 'docker/secrets-engine' || '' }}
           install: true
 
       - name: Lint

client/go.mod

@@ -1,6 +1,6 @@
 module github.com/docker/secrets-engine/client
 
-go 1.25.10
+go 1.25.11
 
 // This `replace` is only for CI to function.
 // The correct version will get resolved from below when this module is

go.work

@@ -1,4 +1,4 @@
-go 1.25.10
+go 1.25.11
 
 use (
 	./client

plugin/go.mod

@@ -1,6 +1,6 @@
 module github.com/docker/secrets-engine/plugin
 
-go 1.25.10
+go 1.25.11
 
 // This `replace` is only for CI to function.
 // The correct version will get resolved from below when this module is

plugins/credentialhelper/go.mod

@@ -1,6 +1,6 @@
 module github.com/docker/secrets-engine/plugins/credentialhelper
 
-go 1.25.10
+go 1.25.11
 
 // This `replace` is only for CI to function.
 // The correct version will get resolved from below when this module is

plugins/pass/go.mod

@@ -1,6 +1,6 @@
 module github.com/docker/secrets-engine/plugins/pass
 
-go 1.25.10
+go 1.25.11
 
 replace github.com/docker/secrets-engine/client => ./../../client
 

store/go.mod

@@ -1,6 +1,6 @@
 module github.com/docker/secrets-engine/store
 
-go 1.25.10
+go 1.25.11
 
 // This `replace` is only for CI to function.
 // The correct version will get resolved from below when this module is

vendor/modules.txt

@@ -40,13 +40,13 @@ github.com/davecgh/go-spew/spew
 github.com/docker/docker-credential-helpers/client
 github.com/docker/docker-credential-helpers/credentials
 # github.com/docker/secrets-engine/client v0.0.9 => ./client
-## explicit; go 1.25.10
+## explicit; go 1.25.11
 # github.com/docker/secrets-engine/plugin v0.0.22 => ./plugin
-## explicit; go 1.25.10
+## explicit; go 1.25.11
 # github.com/docker/secrets-engine/store v0.0.27 => ./store
-## explicit; go 1.25.10
+## explicit; go 1.25.11
 # github.com/docker/secrets-engine/x v0.0.32-do.not.use => ./x
-## explicit; go 1.25.10
+## explicit; go 1.25.11
 # github.com/go-logr/logr v1.4.3
 ## explicit; go 1.18
 github.com/go-logr/logr

x/go.mod

@@ -1,6 +1,6 @@
 module github.com/docker/secrets-engine/x
 
-go 1.25.10
+go 1.25.11
 
 require (
 	connectrpc.com/connect v1.19.1