Merge pull request #440 from drone-plugins/CI-12566

Fixed 'error getting ECR auth: WebIdentityErr: unable to read file at…' issue

.drone.yml

@@ -12,7 +12,7 @@ platform:
 
 steps:
   - name: vet
-    image: golang:1.21
+    image: golang:1.22
     commands:
       - go vet ./...
     environment:
@@ -22,7 +22,7 @@ steps:
         path: /go
 
   - name: test
-    image: golang:1.21
+    image: golang:1.22
     commands:
       - go test -cover ./...
     environment:
@@ -55,7 +55,7 @@ platform:
 
 steps:
   - name: go build
-    image: golang:1.21
+    image: golang:1.22
     environment:
       CGO_ENABLED: 0
     commands:
@@ -63,6 +63,8 @@ steps:
       - go build -o release/windows/amd64/drone-ecr.exe ./cmd/drone-ecr
       - go build -o release/windows/amd64/drone-gcr.exe ./cmd/drone-gcr
       - go build -o release/windows/amd64/drone-acr.exe ./cmd/drone-acr
+      - go build -o release/windows/amd64/drone-gar.exe ./cmd/drone-gar
+
   - name: build docker plugin
     image: plugins/docker@sha256:f0233d950ae87ee6cb5500b2d5497fe02aa338201c0bdce2619f443fd174cfa4
     settings:
@@ -123,7 +125,21 @@ steps:
       purge: false
     when:
       event: [push, tag]
-
+  - name: build gar plugin
+    image: plugins/docker@sha256:f0233d950ae87ee6cb5500b2d5497fe02aa338201c0bdce2619f443fd174cfa4
+    pull: never
+    settings:
+      dockerfile: docker/gar/Dockerfile.windows.amd64.1809
+      repo: plugins/gar
+      username:
+        from_secret: docker_username
+      password:
+        from_secret: docker_password
+      auto_tag: true
+      auto_tag_suffix: windows-1809-amd64
+      purge: false
+    when:
+      event: [push, tag]
 depends_on:
   - testing
 
@@ -146,7 +162,7 @@ platform:
 
 steps:
   - name: go build
-    image: golang:1.21
+    image: golang:1.22
     environment:
       CGO_ENABLED: 0
     commands:
@@ -154,8 +170,9 @@ steps:
       - go build -o release/windows/amd64/drone-ecr.exe ./cmd/drone-ecr
       - go build -o release/windows/amd64/drone-gcr.exe ./cmd/drone-gcr
       - go build -o release/windows/amd64/drone-acr.exe ./cmd/drone-acr
+      - go build -o release/windows/amd64/drone-gar.exe ./cmd/drone-gar
   - name: build docker plugin
-    image: plugins/docker
+    image: plugins/docker@sha256:f0233d950ae87ee6cb5500b2d5497fe02aa338201c0bdce2619f443fd174cfa4
     settings:
       dockerfile: docker/docker/Dockerfile.windows.amd64.ltsc2022
       repo: plugins/docker
@@ -169,7 +186,7 @@ steps:
     when:
       event: [push, tag]
   - name: build ecr plugin
-    image: plugins/docker
+    image: plugins/docker@sha256:f0233d950ae87ee6cb5500b2d5497fe02aa338201c0bdce2619f443fd174cfa4
     settings:
       dockerfile: docker/ecr/Dockerfile.windows.amd64.ltsc2022
       repo: plugins/ecr
@@ -183,7 +200,7 @@ steps:
     when:
       event: [push, tag]
   - name: build gcr plugin
-    image: plugins/docker
+    image: plugins/docker@sha256:f0233d950ae87ee6cb5500b2d5497fe02aa338201c0bdce2619f443fd174cfa4
     settings:
       dockerfile: docker/gcr/Dockerfile.windows.amd64.ltsc2022
       repo: plugins/gcr
@@ -197,7 +214,7 @@ steps:
     when:
       event: [push, tag]
   - name: build acr plugin
-    image: plugins/docker
+    image: plugins/docker@sha256:f0233d950ae87ee6cb5500b2d5497fe02aa338201c0bdce2619f443fd174cfa4
     settings:
       dockerfile: docker/acr/Dockerfile.windows.amd64.ltsc2022
       repo: plugins/acr
@@ -210,7 +227,20 @@ steps:
       purge: false
     when:
       event: [push, tag]
-
+  - name: build gar plugin
+    image: plugins/docker@sha256:f0233d950ae87ee6cb5500b2d5497fe02aa338201c0bdce2619f443fd174cfa4
+    settings:
+      dockerfile: docker/gar/Dockerfile.windows.amd64.ltsc2022
+      repo: plugins/gar
+      username:
+        from_secret: docker_username
+      password:
+        from_secret: docker_password
+      auto_tag: true
+      auto_tag_suffix: windows-ltsc2022-amd64
+      purge: false
+    when:
+      event: [push, tag]
 depends_on:
   - testing
 
@@ -234,7 +264,7 @@ platform:
 
 steps:
   - name: build-push
-    image: golang:1.21
+    image: golang:1.22
     commands:
       - 'go build -v -ldflags "-X main.version=${DRONE_COMMIT_SHA:0:8}" -a -tags netgo -o release/linux/amd64/drone-docker ./cmd/drone-docker'
     environment:
@@ -245,7 +275,7 @@ steps:
           - tag
 
   - name: build-tag
-    image: golang:1.21
+    image: golang:1.22
     commands:
       - 'go build -v -ldflags "-X main.version=${DRONE_TAG##v}" -a -tags netgo -o release/linux/amd64/drone-docker ./cmd/drone-docker'
     environment:
@@ -255,7 +285,7 @@ steps:
         - tag
 
   - name: executable
-    image: golang:1.21
+    image: golang:1.22
     commands:
       - ./release/linux/amd64/drone-docker --help
 
@@ -299,7 +329,7 @@ platform:
 
 steps:
   - name: build-push
-    image: golang:1.21
+    image: golang:1.22
     commands:
       - 'go build -v -ldflags "-X main.version=${DRONE_COMMIT_SHA:0:8}" -a -tags netgo -o release/linux/arm64/drone-docker ./cmd/drone-docker'
     environment:
@@ -310,7 +340,7 @@ steps:
           - tag
 
   - name: build-tag
-    image: golang:1.21
+    image: golang:1.22
     commands:
       - 'go build -v -ldflags "-X main.version=${DRONE_TAG##v}" -a -tags netgo -o release/linux/arm64/drone-docker ./cmd/drone-docker'
     environment:
@@ -320,7 +350,7 @@ steps:
         - tag
 
   - name: executable
-    image: golang:1.21
+    image: golang:1.22
     commands:
       - ./release/linux/arm64/drone-docker --help
 
@@ -399,7 +429,7 @@ platform:
 
 steps:
   - name: build-push
-    image: golang:1.21
+    image: golang:1.22
     commands:
       - 'go build -v -ldflags "-X main.version=${DRONE_COMMIT_SHA:0:8}" -a -tags netgo -o release/linux/amd64/drone-gcr ./cmd/drone-gcr'
     environment:
@@ -410,7 +440,7 @@ steps:
           - tag
 
   - name: build-tag
-    image: golang:1.21
+    image: golang:1.22
     commands:
       - 'go build -v -ldflags "-X main.version=${DRONE_TAG##v}" -a -tags netgo -o release/linux/amd64/drone-gcr ./cmd/drone-gcr'
     environment:
@@ -444,7 +474,6 @@ trigger:
 
 depends_on:
   - linux-amd64-docker
-
 ---
 kind: pipeline
 name: linux-arm64-gcr
@@ -459,7 +488,7 @@ platform:
 
 steps:
   - name: build-push
-    image: golang:1.21
+    image: golang:1.22
     commands:
       - 'go build -v -ldflags "-X main.version=${DRONE_COMMIT_SHA:0:8}" -a -tags netgo -o release/linux/arm64/drone-gcr ./cmd/drone-gcr'
     environment:
@@ -470,7 +499,7 @@ steps:
           - tag
 
   - name: build-tag
-    image: golang:1.21
+    image: golang:1.22
     commands:
       - 'go build -v -ldflags "-X main.version=${DRONE_TAG##v}" -a -tags netgo -o release/linux/arm64/drone-gcr ./cmd/drone-gcr'
     environment:
@@ -539,7 +568,158 @@ depends_on:
   - windows-ltsc2022
   - linux-amd64-gcr
   - linux-arm64-gcr
+---
+kind: pipeline
+name: linux-amd64-gar
+type: vm
 
+pool:
+  use: ubuntu
+
+platform:
+  os: linux
+  arch: amd64
+
+steps:
+  - name: build-push
+    image: golang:1.22
+    commands:
+      - 'go build -v -ldflags "-X main.version=${DRONE_COMMIT_SHA:0:8}" -a -tags netgo -o release/linux/amd64/drone-gar ./cmd/drone-gar'
+    environment:
+      CGO_ENABLED: 0
+    when:
+      event:
+        exclude:
+          - tag
+
+  - name: build-tag
+    image: golang:1.22
+    commands:
+      - 'go build -v -ldflags "-X main.version=${DRONE_TAG##v}" -a -tags netgo -o release/linux/amd64/drone-gar ./cmd/drone-gar'
+    environment:
+      CGO_ENABLED: 0
+    when:
+      event:
+        - tag
+
+  - name: publish
+    image: plugins/docker:18
+    settings:
+      auto_tag: true
+      auto_tag_suffix: linux-amd64
+      daemon_off: false
+      dockerfile: docker/gar/Dockerfile.linux.amd64
+      password:
+        from_secret: docker_password
+      repo: plugins/gar
+      username:
+        from_secret: docker_username
+    when:
+      event:
+        exclude:
+          - pull_request
+
+trigger:
+  ref:
+    - refs/heads/master
+    - "refs/tags/**"
+    - "refs/pull/**"
+
+depends_on:
+  - linux-amd64-docker
+---
+kind: pipeline
+name: linux-arm64-gar
+type: vm
+
+pool:
+  use: ubuntu_arm64
+
+platform:
+  os: linux
+  arch: arm64
+
+steps:
+  - name: build-push
+    image: golang:1.22
+    commands:
+      - 'go build -v -ldflags "-X main.version=${DRONE_COMMIT_SHA:0:8}" -a -tags netgo -o release/linux/arm64/drone-gar ./cmd/drone-gar'
+    environment:
+      CGO_ENABLED: 0
+    when:
+      event:
+        exclude:
+          - tag
+
+  - name: build-tag
+    image: golang:1.22
+    commands:
+      - 'go build -v -ldflags "-X main.version=${DRONE_TAG##v}" -a -tags netgo -o release/linux/arm64/drone-gar ./cmd/drone-gar'
+    environment:
+      CGO_ENABLED: 0
+    when:
+      event:
+        - tag
+
+  - name: publish
+    image: plugins/docker:18
+    settings:
+      auto_tag: true
+      auto_tag_suffix: linux-arm64
+      daemon_off: false
+      dockerfile: docker/gar/Dockerfile.linux.arm64
+      password:
+        from_secret: docker_password
+      repo: plugins/gar
+      username:
+        from_secret: docker_username
+    when:
+      event:
+        exclude:
+          - pull_request
+
+trigger:
+  ref:
+    - refs/heads/master
+    - "refs/tags/**"
+    - "refs/pull/**"
+
+depends_on:
+  - linux-arm64-docker
+---
+kind: pipeline
+name: notifications-gar
+type: vm
+
+pool:
+  use: ubuntu
+
+platform:
+  os: linux
+  arch: amd64
+
+steps:
+  - name: manifest
+    image: plugins/manifest
+    settings:
+      auto_tag: true
+      ignore_missing: true
+      password:
+        from_secret: docker_password
+      spec: docker/gar/manifest.tmpl
+      username:
+        from_secret: docker_username
+
+trigger:
+  ref:
+    - refs/heads/master
+    - "refs/tags/**"
+
+depends_on:
+  - windows-1809
+  - windows-ltsc2022
+  - linux-amd64-gar
+  - linux-arm64-gar
 ---
 kind: pipeline
 name: linux-amd64-ecr
@@ -554,7 +734,7 @@ platform:
 
 steps:
   - name: build-push
-    image: golang:1.21
+    image: golang:1.22
     commands:
       - 'go build -v -ldflags "-X main.version=${DRONE_COMMIT_SHA:0:8}" -a -tags netgo -o release/linux/amd64/drone-ecr ./cmd/drone-ecr'
     environment:
@@ -564,7 +744,7 @@ steps:
         exclude:
           - tag
   - name: build-tag
-    image: golang:1.21
+    image: golang:1.22
     commands:
       - 'go build -v -ldflags "-X main.version=${DRONE_TAG##v}" -a -tags netgo -o release/linux/amd64/drone-ecr ./cmd/drone-ecr'
     environment:
@@ -612,7 +792,7 @@ platform:
 
 steps:
   - name: build-push
-    image: golang:1.21
+    image: golang:1.22
     commands:
       - 'go build -v -ldflags "-X main.version=${DRONE_COMMIT_SHA:0:8}" -a -tags netgo -o release/linux/arm64/drone-ecr ./cmd/drone-ecr'
     environment:
@@ -622,7 +802,7 @@ steps:
         exclude:
           - tag
   - name: build-tag
-    image: golang:1.21
+    image: golang:1.22
     commands:
       - 'go build -v -ldflags "-X main.version=${DRONE_TAG##v}" -a -tags netgo -o release/linux/arm64/drone-ecr ./cmd/drone-ecr'
     environment:
@@ -705,7 +885,7 @@ platform:
 
 steps:
   - name: build-push
-    image: golang:1.21
+    image: golang:1.22
     commands:
       - 'go build -v -ldflags "-X main.version=${DRONE_COMMIT_SHA:0:8}" -a -tags netgo -o release/linux/amd64/drone-heroku ./cmd/drone-heroku'
     environment:
@@ -715,7 +895,7 @@ steps:
         exclude:
           - tag
   - name: build-tag
-    image: golang:1.21
+    image: golang:1.22
     commands:
       - 'go build -v -ldflags "-X main.version=${DRONE_TAG##v}" -a -tags netgo -o release/linux/amd64/drone-heroku ./cmd/drone-heroku'
     environment:
@@ -764,7 +944,7 @@ platform:
 
 steps:
   - name: build-push
-    image: golang:1.21
+    image: golang:1.22
     commands:
       - 'go build -v -ldflags "-X main.version=${DRONE_COMMIT_SHA:0:8}" -a -tags netgo -o release/linux/arm64/drone-heroku ./cmd/drone-heroku'
     environment:
@@ -774,7 +954,7 @@ steps:
         exclude:
           - tag
   - name: build-tag
-    image: golang:1.21
+    image: golang:1.22
     commands:
       - 'go build -v -ldflags "-X main.version=${DRONE_TAG##v}" -a -tags netgo -o release/linux/arm64/drone-heroku ./cmd/drone-heroku'
     environment:
@@ -855,7 +1035,7 @@ platform:
 
 steps:
   - name: build-push
-    image: golang:1.21
+    image: golang:1.22
     commands:
       - 'go build -v -ldflags "-X main.build=${DRONE_BUILD_NUMBER}" -a -tags netgo -o release/linux/amd64/drone-acr ./cmd/drone-acr'
     environment:
@@ -865,7 +1045,7 @@ steps:
         exclude:
           - tag
   - name: build-tag
-    image: golang:1.21
+    image: golang:1.22
     commands:
       - 'go build -v -ldflags "-X main.version=${DRONE_TAG##v} -X main.build=${DRONE_BUILD_NUMBER}" -a -tags netgo -o release/linux/amd64/drone-acr ./cmd/drone-acr'
     environment:
@@ -913,7 +1093,7 @@ platform:
 
 steps:
   - name: build-push
-    image: golang:1.21
+    image: golang:1.22
     commands:
       - 'go build -v -ldflags "-X main.build=${DRONE_BUILD_NUMBER}" -a -tags netgo -o release/linux/arm64/drone-acr ./cmd/drone-acr'
     environment:
@@ -924,7 +1104,7 @@ steps:
           - tag
 
   - name: build-tag
-    image: golang:1.21
+    image: golang:1.22
     commands:
       - 'go build -v -ldflags "-X main.version=${DRONE_TAG##v} -X main.build=${DRONE_BUILD_NUMBER}" -a -tags netgo -o release/linux/arm64/drone-acr ./cmd/drone-acr'
     environment:

README.md

@@ -10,6 +10,14 @@
 
 Drone plugin uses Docker-in-Docker to build and publish Docker images to a container registry. For the usage information and a listing of the available options please take a look at [the docs](http://plugins.drone.io/drone-plugins/drone-docker/).
 
+### Git Leaks
+
+Run the following script to install git-leaks support to this repo.
+```
+chmod +x ./git-hooks/install.sh
+./git-hooks/install.sh
+```
+
 ## Build
 
 Build the binaries with the following commands:
@@ -25,6 +33,7 @@ go build -v -a -tags netgo -o release/linux/amd64/drone-gcr ./cmd/drone-gcr
 go build -v -a -tags netgo -o release/linux/amd64/drone-ecr ./cmd/drone-ecr
 go build -v -a -tags netgo -o release/linux/amd64/drone-acr ./cmd/drone-acr
 go build -v -a -tags netgo -o release/linux/amd64/drone-heroku ./cmd/drone-heroku
+go build -v -a -tags netgo -o release/linux/amd64/drone-gar ./cmd/drone-gar
 ```
 
 ## Docker
@@ -56,6 +65,11 @@ docker build \
   --label org.label-schema.build-date=$(date -u +"%Y-%m-%dT%H:%M:%SZ") \
   --label org.label-schema.vcs-ref=$(git rev-parse --short HEAD) \
   --file docker/heroku/Dockerfile.linux.amd64 --tag plugins/heroku .
+  
+docker build \
+  --label org.label-schema.build-date=$(date -u +"%Y-%m-%dT%H:%M:%SZ") \
+  --label org.label-schema.vcs-ref=$(git rev-parse --short HEAD) \
+  --file docker/gar/Dockerfile.linux.amd64 --tag plugins/gar .
 ```
 
 ## Usage
@@ -122,12 +136,11 @@ type: docker
 
 steps:
   - name: push-to-gar
-    image: plugins/gcr
+    image: plugins/gar
     pull: never
     settings:
       tag: latest
       repo: project-id/repo/image-name
-      registry_type: GAR
       location: us
       json_key:
         from_secret: gcr_json_key
@@ -138,12 +151,11 @@ steps:
 ```yaml
 steps:
   - name: push-to-gar
-    image: plugins/gcr
+    image: plugins/gar
     pull: never
     settings:
       tag: latest
       repo: project-id/repo/image-name
-      registry_type: GAR
       location: europe
       project_number: project-number
       pool_id: workload identity pool id

cmd/drone-ecr/main.go

@@ -42,6 +42,7 @@ func main() {
 		assumeRole       = getenv("PLUGIN_ASSUME_ROLE")
 		externalId       = getenv("PLUGIN_EXTERNAL_ID")
 		scanOnPush       = parseBoolOrDefault(false, getenv("PLUGIN_SCAN_ON_PUSH"))
+		idToken          = os.Getenv("PLUGIN_OIDC_TOKEN_ID")
 	)
 
 	// set the region
@@ -61,7 +62,7 @@ func main() {
 		log.Fatal(fmt.Sprintf("error creating aws session: %v", err))
 	}
 
-	svc := getECRClient(sess, assumeRole, externalId)
+	svc := getECRClient(sess, assumeRole, externalId, idToken)
 	username, password, defaultRegistry, err := getAuthInfo(svc)
 
 	if registry == "" {
@@ -213,11 +214,30 @@ func getenv(key ...string) (s string) {
 	return
 }
 
-func getECRClient(sess *session.Session, role string, externalId string) *ecr.ECR {
+func getECRClient(sess *session.Session, role string, externalId string, idToken string) *ecr.ECR {
 	if role == "" {
 		return ecr.New(sess)
 	}
-	if externalId != "" {
+
+	if idToken != "" {
+		tempFile, err := os.CreateTemp("/tmp", "idToken-*.jwt")
+		if err != nil {
+			log.Fatalf("Failed to create temporary file: %v", err)
+		}
+		defer tempFile.Close()
+
+		if err := os.Chmod(tempFile.Name(), 0600); err != nil {
+			log.Fatalf("Failed to set file permissions: %v", err)
+		}
+
+		if _, err := tempFile.WriteString(idToken); err != nil {
+			log.Fatalf("Failed to write ID token to temporary file: %v", err)
+		}
+
+		// Create credentials using the path to the ID token file
+		creds := stscreds.NewWebIdentityCredentials(sess, role, "", tempFile.Name())
+		return ecr.New(sess, &aws.Config{Credentials: creds})
+	} else if externalId != "" {
 		return ecr.New(sess, &aws.Config{
 			Credentials: stscreds.NewCredentials(sess, role, func(p *stscreds.AssumeRoleProvider) {
 				p.ExternalID = &externalId

cmd/drone-gar/main.go

@@ -0,0 +1,165 @@
+package main
+
+import (
+	"context"
+	"encoding/base64"
+	"fmt"
+	"log"
+	"os"
+	"os/exec"
+	"path"
+	"strconv"
+	"strings"
+
+	docker "github.com/drone-plugins/drone-docker"
+	"github.com/drone-plugins/drone-docker/internal/gcp"
+
+	"github.com/joho/godotenv"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/oauth2"
+	"golang.org/x/oauth2/google"
+)
+
+type Config struct {
+	Repo             string
+	Registry         string
+	Password         string
+	WorkloadIdentity bool
+	Username         string
+	AccessToken      string
+}
+
+type staticTokenSource struct {
+	token *oauth2.Token
+}
+
+func (s *staticTokenSource) Token() (*oauth2.Token, error) {
+	return s.token, nil
+}
+
+func loadConfig() Config {
+	// Default username
+	username := "_json_key"
+	var config Config
+
+	// Load env-file if it exists
+	if env := os.Getenv("PLUGIN_ENV_FILE"); env != "" {
+		if err := godotenv.Load(env); err != nil {
+			log.Fatalf("Error loading .env file: %v", err)
+		}
+	}
+
+	idToken := getenv("PLUGIN_OIDC_TOKEN_ID")
+	projectId := getenv("PLUGIN_PROJECT_NUMBER")
+	poolId := getenv("PLUGIN_POOL_ID")
+	providerId := getenv("PLUGIN_PROVIDER_ID")
+	serviceAccountEmail := getenv("PLUGIN_SERVICE_ACCOUNT_EMAIL")
+
+	if idToken != "" && projectId != "" && poolId != "" && providerId != "" && serviceAccountEmail != "" {
+		federalToken, err := gcp.GetFederalToken(idToken, projectId, poolId, providerId)
+		if err != nil {
+			logrus.Fatalf("Error (getFederalToken): %s", err)
+		}
+		accessToken, err := gcp.GetGoogleCloudAccessToken(federalToken, serviceAccountEmail)
+		if err != nil {
+			logrus.Fatalf("Error (getGoogleCloudAccessToken): %s", err)
+		}
+		config.AccessToken = accessToken
+	} else {
+		password := getenv(
+			"PLUGIN_JSON_KEY",
+			"GCR_JSON_KEY",
+			"GOOGLE_CREDENTIALS",
+			"TOKEN",
+		)
+		config.WorkloadIdentity = parseBoolOrDefault(false, getenv("PLUGIN_WORKLOAD_IDENTITY"))
+		config.Username, config.Password = setUsernameAndPassword(username, password, config.WorkloadIdentity)
+	}
+
+	location := getenv("PLUGIN_LOCATION")
+	repo := getenv("PLUGIN_REPO")
+
+	registry := getenv("PLUGIN_REGISTRY")
+	if registry == "" {
+		registry = fmt.Sprintf("%s-docker.pkg.dev", location)
+	}
+
+	if !strings.HasPrefix(repo, registry) {
+		repo = path.Join(registry, repo)
+	}
+	config.Repo = repo
+	config.Registry = registry
+	return config
+}
+
+func main() {
+	config := loadConfig()
+	if config.AccessToken != "" {
+		os.Setenv("ACCESS_TOKEN", config.AccessToken)
+	} else if config.Username != "" && config.Password != "" {
+		os.Setenv("DOCKER_USERNAME", config.Username)
+		os.Setenv("DOCKER_PASSWORD", config.Password)
+	}
+
+	os.Setenv("PLUGIN_REPO", config.Repo)
+	os.Setenv("PLUGIN_REGISTRY", config.Registry)
+
+	// invoke the base docker plugin binary
+	cmd := exec.Command(docker.GetDroneDockerExecCmd())
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	err := cmd.Run()
+	if err != nil {
+		logrus.Fatal(err)
+	}
+}
+
+func getOauthToken(data []byte) (s string) {
+	scopes := []string{
+		"https://www.googleapis.com/auth/cloud-platform",
+	}
+	ctx := context.Background()
+	credentials, err := google.CredentialsFromJSON(ctx, data, scopes...)
+	if err == nil {
+		token, err := credentials.TokenSource.Token()
+		if err == nil {
+			return token.AccessToken
+		}
+	}
+	return
+}
+
+func setUsernameAndPassword(user string, pass string, workloadIdentity bool) (u string, p string) {
+	// decode the token if base64 encoded
+	decoded, err := base64.StdEncoding.DecodeString(pass)
+	if err == nil {
+		pass = string(decoded)
+	}
+	// get oauth token and set username if using workload identity
+	if workloadIdentity {
+		data := []byte(pass)
+		pass = getOauthToken(data)
+		user = "oauth2accesstoken"
+	}
+	return user, pass
+}
+
+func parseBoolOrDefault(defaultValue bool, s string) (result bool) {
+	var err error
+	result, err = strconv.ParseBool(s)
+	if err != nil {
+		result = defaultValue
+	}
+
+	return
+}
+
+func getenv(key ...string) (s string) {
+	for _, k := range key {
+		s = os.Getenv(k)
+		if s != "" {
+			return
+		}
+	}
+	return
+}

cmd/drone-gcr/main.go

@@ -3,7 +3,6 @@ package main
 import (
 	"context"
 	"encoding/base64"
-	"fmt"
 	"log"
 	"os"
 	"os/exec"
@@ -12,14 +11,11 @@ import (
 	"strings"
 
 	docker "github.com/drone-plugins/drone-docker"
+	"github.com/drone-plugins/drone-docker/internal/gcp"
 
 	"github.com/joho/godotenv"
 	"github.com/sirupsen/logrus"
-	"golang.org/x/oauth2"
 	"golang.org/x/oauth2/google"
-	"google.golang.org/api/iamcredentials/v1"
-	"google.golang.org/api/option"
-	"google.golang.org/api/sts/v1"
 )
 
 type Config struct {
@@ -28,18 +24,9 @@ type Config struct {
 	Password         string
 	WorkloadIdentity bool
 	Username         string
-	RegistryType     string
 	AccessToken      string
 }
 
-type staticTokenSource struct {
-	token *oauth2.Token
-}
-
-func (s *staticTokenSource) Token() (*oauth2.Token, error) {
-	return s.token, nil
-}
-
 func loadConfig() Config {
 	// Default username
 	username := "_json_key"
@@ -59,11 +46,11 @@ func loadConfig() Config {
 	serviceAccountEmail := getenv("PLUGIN_SERVICE_ACCOUNT_EMAIL")
 
 	if idToken != "" && projectId != "" && poolId != "" && providerId != "" && serviceAccountEmail != "" {
-		federalToken, err := getFederalToken(idToken, projectId, poolId, providerId)
+		federalToken, err := gcp.GetFederalToken(idToken, projectId, poolId, providerId)
 		if err != nil {
 			logrus.Fatalf("Error (getFederalToken): %s", err)
 		}
-		accessToken, err := getGoogleCloudAccessToken(federalToken, serviceAccountEmail)
+		accessToken, err := gcp.GetGoogleCloudAccessToken(federalToken, serviceAccountEmail)
 		if err != nil {
 			logrus.Fatalf("Error (getGoogleCloudAccessToken): %s", err)
 		}
@@ -79,9 +66,7 @@ func loadConfig() Config {
 		config.Username, config.Password = setUsernameAndPassword(username, password, config.WorkloadIdentity)
 	}
 
-	location := getenv("PLUGIN_LOCATION")
 	repo := getenv("PLUGIN_REPO")
-
 	registryType := getenv("PLUGIN_REGISTRY_TYPE")
 	if registryType == "" {
 		registryType = "GCR"
@@ -89,17 +74,7 @@ func loadConfig() Config {
 
 	registry := getenv("PLUGIN_REGISTRY")
 	if registry == "" {
-		switch registryType {
+		registry = "gcr.io"
-		case "GCR":
-			registry = "gcr.io"
-		case "GAR":
-			if location == "" {
-				logrus.Fatalf("Error: For REGISTRY_TYPE of GAR, LOCATION must be set")
-			}
-			registry = fmt.Sprintf("%s-docker.pkg.dev", location)
-		default:
-			logrus.Fatalf("Unsupported registry type: %s", registryType)
-		}
 	}
 
 	if !strings.HasPrefix(repo, registry) {
@@ -107,7 +82,6 @@ func loadConfig() Config {
 	}
 	config.Repo = repo
 	config.Registry = registry
-	config.RegistryType = registryType
 	return config
 }
 
@@ -118,12 +92,10 @@ func main() {
 	} else if config.Username != "" && config.Password != "" {
 		os.Setenv("DOCKER_USERNAME", config.Username)
 		os.Setenv("DOCKER_PASSWORD", config.Password)
-		os.Setenv("", strconv.FormatBool(config.WorkloadIdentity))
 	}
 
 	os.Setenv("PLUGIN_REPO", config.Repo)
 	os.Setenv("PLUGIN_REGISTRY", config.Registry)
-	os.Setenv("PLUGIN_REGISTRY_TYPE", config.RegistryType)
 
 	// invoke the base docker plugin binary
 	cmd := exec.Command(docker.GetDroneDockerExecCmd())
@@ -184,49 +156,3 @@ func getenv(key ...string) (s string) {
 	}
 	return
 }
-
-func getFederalToken(idToken, projectNumber, poolId, providerId string) (string, error) {
-	ctx := context.Background()
-	stsService, err := sts.NewService(ctx, option.WithoutAuthentication())
-	if err != nil {
-		return "", err
-	}
-	audience := fmt.Sprintf("//iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/providers/%s", projectNumber, poolId, providerId)
-	tokenRequest := &sts.GoogleIdentityStsV1ExchangeTokenRequest{
-		GrantType:          "urn:ietf:params:oauth:grant-type:token-exchange",
-		SubjectToken:       idToken,
-		Audience:           audience,
-		Scope:              "https://www.googleapis.com/auth/cloud-platform",
-		RequestedTokenType: "urn:ietf:params:oauth:token-type:access_token",
-		SubjectTokenType:   "urn:ietf:params:oauth:token-type:id_token",
-	}
-	tokenResponse, err := stsService.V1.Token(tokenRequest).Do()
-	if err != nil {
-		return "", err
-	}
-
-	return tokenResponse.AccessToken, nil
-}
-
-func getGoogleCloudAccessToken(federatedToken string, serviceAccountEmail string) (string, error) {
-	ctx := context.Background()
-	tokenSource := &staticTokenSource{
-		token: &oauth2.Token{AccessToken: federatedToken},
-	}
-	service, err := iamcredentials.NewService(ctx, option.WithTokenSource(tokenSource))
-	if err != nil {
-		return "", err
-	}
-
-	name := "projects/-/serviceAccounts/" + serviceAccountEmail
-	rb := &iamcredentials.GenerateAccessTokenRequest{
-		Scope: []string{"https://www.googleapis.com/auth/cloud-platform"},
-	}
-
-	resp, err := service.Projects.ServiceAccounts.GenerateAccessToken(name, rb).Do()
-	if err != nil {
-		return "", err
-	}
-
-	return resp.AccessToken, nil
-}

docker/gar/Dockerfile.linux.amd64

@@ -0,0 +1,4 @@
+FROM plugins/docker:linux-amd64
+
+ADD release/linux/amd64/drone-gar /bin/
+ENTRYPOINT ["/usr/local/bin/dockerd-entrypoint.sh", "/bin/drone-gar"]

docker/gar/Dockerfile.linux.arm64

@@ -0,0 +1,4 @@
+FROM plugins/docker:linux-arm64
+
+ADD release/linux/arm64/drone-gar /bin/
+ENTRYPOINT ["/usr/local/bin/dockerd-entrypoint.sh", "/bin/drone-gar"]

docker/gar/Dockerfile.windows.amd64.1809

@@ -0,0 +1,10 @@
+# escape=`
+FROM plugins/docker:windows-1809-amd64
+
+LABEL maintainer="Drone.IO Community <drone-dev@googlegroups.com>" `
+  org.label-schema.name="Drone GAR" `
+  org.label-schema.vendor="Drone.IO Community" `
+  org.label-schema.schema-version="1.0"
+
+ADD release/windows/amd64/drone-gar.exe C:/bin/drone-gar.exe
+ENTRYPOINT [ "C:\\bin\\drone-gar.exe" ]

docker/gar/Dockerfile.windows.amd64.ltsc2022

@@ -0,0 +1,10 @@
+# escape=`
+FROM plugins/docker:windows-ltsc2022-amd64
+
+LABEL maintainer="Drone.IO Community <drone-dev@googlegroups.com>" `
+  org.label-schema.name="Drone GAR" `
+  org.label-schema.vendor="Drone.IO Community" `
+  org.label-schema.schema-version="1.0"
+
+ADD release/windows/amd64/drone-gar.exe C:/bin/drone-gar.exe
+ENTRYPOINT [ "C:\\bin\\drone-gar.exe" ]

docker/gar/manifest.tmpl

@@ -0,0 +1,31 @@
+image: plugins/gar:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}latest{{/if}}
+{{#if build.tags}}
+tags:
+{{#each build.tags}}
+  - {{this}}
+{{/each}}
+{{/if}}
+manifests:
+  -
+    image: plugins/gar:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-amd64
+    platform:
+      architecture: amd64
+      os: linux
+  -
+    image: plugins/gar:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm64
+    platform:
+      architecture: arm64
+      os: linux
+      variant: v8
+  -
+    image: plugins/gar:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}windows-1809-amd64
+    platform:
+      architecture: amd64
+      os: windows
+      version: 1809
+  -
+    image: plugins/gar:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}windows-ltsc2022-amd64
+    platform:
+      architecture: amd64
+      os: windows
+      version: ltsc2022

git-hooks/README.md

@@ -0,0 +1,8 @@
+This document explains on how to install certain git hooks globally for all repositories in your machine.
+
+Step 1: git clone https://github.com/drone-plugins/drone-docker.git
+Step 2: cd git-hooks
+Step 3: Run install.sh
+
+"install.sh" script will create .git_template in the user directory and will put the git hook and its dependent scripts in it. Along with the .git_template folder, it will add 2 sections "init" and "hooks boolean" in the .gitconfig file in the same user's root directory.
+After running "install.sh" if you create/clone a new git repository then all the hooks will get install automatically for the git repository. In case of existing git repository copy the contents of ~/.git_template/hooks into the .git/hooks directory of existing git repository.

git-hooks/hooks/git-leaks-pre-commit.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+#Helper script to be used as a pre-commit hook.
+
+echo "This hook checks for any secrets getting pushed as part of commit. If you feel that scan is false positive. \
+Then add the exclusion in .gitleaksignore file. For more info visit: https://github.com/zricethezav/gitleaks"
+
+GIT_LEAKS_PRE_COMMIT=s$(git config --bool hook.pre-commit.gitleak)
+
+echo "INFO: Scanning Commits information for any GIT LEAKS"
+gitleaks protect --staged -v --exit-code=100
+STATUS=$?
+if [ $STATUS = 100  ]; then
+    echo "WARNING: GIT LEAKS has detected sensitive information in your changes. Please remove them or add them (IF NON-SENSITIVE) in .gitleaksignore file."
+else
+    exit 0
+fi

git-hooks/hooks/git-leaks.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+
+#Helper script to be used as a pre-commit hook.
+
+echo "This hook checks for any secrets getting pushed as part of commit. If you feel that scan is false positive. \
+Then add the exclusion in .gitleaksignore file. For more info visit: https://github.com/zricethezav/gitleaks"
+
+GIT_LEAKS=$(git config --bool hook.pre-push.gitleaks)
+
+echo "INFO: Scanning Commits information for any GIT LEAKS"
+gitleaks detect -s ./ --log-level=debug --log-opts=-1 -v
+STATUS=$?
+if [ $STATUS != 0  ]; then
+    echo "WARNING: GIT LEAKS has detected sensitive information in your changes. Please remove them or add them (IF NON-SENSITIVE) in .gitleaksignore file."
+    exit $STATUS
+else
+    exit 0
+fi

git-hooks/hooks/pre-commit

@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+GL_SCRIPT_PATH="$HOME/.git_template/hooks/git-leaks-pre-commit.sh"
+
+pushd `dirname $0` > /dev/null && cd ../.. && BASEDIR=$(pwd -L) && popd > /dev/null
+BASENAME=`basename $0`
+
+if git rev-parse --verify HEAD >/dev/null 2>&1
+then
+    against=HEAD
+else
+    #Initial commit : diff against an empty tree object
+    against=4b825dc642cb6eb9a060e54bf8d69288fbee4904
+fi
+
+GIT_LEAKS_PRE_COMMIT=hook.pre-commit.gitleaks
+if [ "`git config $GIT_LEAKS_PRE_COMMIT`" == "false" ]
+then
+    echo -e '\033[0;31m' checking git leaks is disabled - to enable: '\033[0;37m'git config --unset $GIT_LEAKS_PRE_COMMIT '\033[0m'
+    echo -e '\033[0;34m' checking git leaks  ... to enable: '\033[0;37m'git config --add $GIT_LEAKS_PRE_COMMIT true '\033[0m'
+else
+    echo -e '\033[0;34m' checking for git leaks...
+    [ -f "${GL_SCRIPT_PATH}" ] && . ${GL_SCRIPT_PATH} || echo "ERROR: Hook Script Not Found..." && exit 404
+fi

git-hooks/hooks/pre-push

@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+GL_SCRIPT_PATH="$HOME/.git_template/hooks/git-leaks.sh"
+
+pushd `dirname $0` > /dev/null && cd ../.. && BASEDIR=$(pwd -L) && popd > /dev/null
+BASENAME=`basename $0`
+
+if git rev-parse --verify HEAD >/dev/null 2>&1
+then
+    against=HEAD
+else
+    #Initial commit : diff against an empty tree object
+    against=4b825dc642cb6eb9a060e54bf8d69288fbee4904
+fi
+
+GIT_LEAKS=hook.pre-push.gitleaks
+if [ "`git config $GIT_LEAKS`" == "false" ]
+then
+    echo -e '\033[0;31m' checking git leaks is disabled - to enable: '\033[0;37m'git config --unset $GIT_LEAKS '\033[0m'
+    echo -e '\033[0;34m' checking git leaks  ... to enable: '\033[0;37m'git config --add $GIT_LEAKS true '\033[0m'
+else
+    echo -e '\033[0;34m' checking for git leaks...
+    [ -f "${GL_SCRIPT_PATH}" ] && . ${GL_SCRIPT_PATH} || echo "ERROR: Hook Script Not Found..." && exit 404
+fi

git-hooks/install.sh

@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+
+#Function to check if package is installed or not
+#args: $1: Name of the Package
+function check_package_installed() {
+  LOCAL_PACKAGE_NAME=$1
+  echo "Checking if $LOCAL_PACKAGE_NAME is installed or not..."
+  brew list $LOCAL_PACKAGE_NAME
+  if [ "$?" -eq 1 ];then
+    echo "Installing $LOCAL_PACKAGE_NAME package..."
+    brew install $LOCAL_PACKAGE_NAME
+  fi
+}
+
+function create_git_template() {
+    cd $BASEDIR
+    mkdir -p ~/.git_template/hooks
+    git config --global init.templatedir ${GIT_TEMPLATE}
+    git config --global --add $GIT_LEAKS true
+    git config --global --add $GIT_LEAKS_PRE_COMMIT true
+    find hooks/ -type f -exec cp "{}" ~/.git_template/hooks \;
+    #cp -f hooks/* ~/.git_template/hooks
+    cat ~/.gitconfig
+}
+
+GIT_TEMPLATE="~/.git_template"
+GIT_LEAKS=hook.pre-push.gitleaks
+GIT_LEAKS_PRE_COMMIT=hook.pre-commit.gitleaks
+
+pushd `dirname $0` && BASEDIR=$(pwd -L) && popd
+
+echo This script will install hooks that run scripts that could be updated without notice.
+
+while true; do
+    read -p "Do you wish to install these hooks?" yn
+    case $yn in
+        [Yy]* ) check_package_installed "gitleaks";
+                break;;
+        [Nn]* ) exit;;
+        * ) echo "Please answer yes or no.";;
+    esac
+done
+
+create_git_template

go.mod

@@ -39,4 +39,4 @@ require (
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
 
-go 1.21
+go 1.22

internal/gcp/tokenutil.go

@@ -0,0 +1,65 @@
+package gcp
+
+import (
+	"context"
+	"fmt"
+
+	"golang.org/x/oauth2"
+	"google.golang.org/api/iamcredentials/v1"
+	"google.golang.org/api/option"
+	"google.golang.org/api/sts/v1"
+)
+
+type staticTokenSource struct {
+	token *oauth2.Token
+}
+
+func (s *staticTokenSource) Token() (*oauth2.Token, error) {
+	return s.token, nil
+}
+
+func GetFederalToken(idToken, projectNumber, poolId, providerId string) (string, error) {
+	ctx := context.Background()
+	stsService, err := sts.NewService(ctx, option.WithoutAuthentication())
+	if err != nil {
+		return "", err
+	}
+	audience := fmt.Sprintf("//iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/providers/%s", projectNumber, poolId, providerId)
+	tokenRequest := &sts.GoogleIdentityStsV1ExchangeTokenRequest{
+		GrantType:          "urn:ietf:params:oauth:grant-type:token-exchange",
+		SubjectToken:       idToken,
+		Audience:           audience,
+		Scope:              "https://www.googleapis.com/auth/cloud-platform",
+		RequestedTokenType: "urn:ietf:params:oauth:token-type:access_token",
+		SubjectTokenType:   "urn:ietf:params:oauth:token-type:id_token",
+	}
+	tokenResponse, err := stsService.V1.Token(tokenRequest).Do()
+	if err != nil {
+		return "", err
+	}
+
+	return tokenResponse.AccessToken, nil
+}
+
+func GetGoogleCloudAccessToken(federatedToken string, serviceAccountEmail string) (string, error) {
+	ctx := context.Background()
+	tokenSource := &staticTokenSource{
+		token: &oauth2.Token{AccessToken: federatedToken},
+	}
+	service, err := iamcredentials.NewService(ctx, option.WithTokenSource(tokenSource))
+	if err != nil {
+		return "", err
+	}
+
+	name := "projects/-/serviceAccounts/" + serviceAccountEmail
+	rb := &iamcredentials.GenerateAccessTokenRequest{
+		Scope: []string{"https://www.googleapis.com/auth/cloud-platform"},
+	}
+
+	resp, err := service.Projects.ServiceAccounts.GenerateAccessToken(name, rb).Do()
+	if err != nil {
+		return "", err
+	}
+
+	return resp.AccessToken, nil
+}