Add ssh to build

build.md

@@ -155,6 +155,31 @@ args:
   - GIT_COMMIT
 ```
 
+### ssh
+
+`ssh` defines an SSH authentication that the image builder SHOULD use during image build (e.g., cloning private repository)
+
+`ssh` property syntax can be either:
+* `default` - let the builder connect to the ssh-agent.
+* `ID=path` - a key/value definition of an ID and the associated path. Can be either a [PEM](https://en.wikipedia.org/wiki/Privacy-Enhanced_Mail) file, or path to ssh-agent socket
+
+Simple`default` sample
+```yaml
+build:
+  context: .
+  ssh: default   # mount the default ssh agent
+```
+Using a custom id `myproject` with path to a local SSH key:
+```yaml
+build:
+  context: .
+  ssh: myproject=~/.ssh/myproject.pem
+```
+Image builder can then rely on this to mount SSH key during build.
+For illustration, [Buildkit extended syntax](https://github.com/compose-spec/compose-spec/pull/234/%5Bmoby/buildkit@master/frontend/dockerfile/docs/syntax.md#run---mounttypessh%5D(https://github.com/moby/buildkit/blob/master/frontend/dockerfile/docs/syntax.md#run---mounttypessh)) can be used to mount ssh key set by ID and access a secured resource:
+
+`RUN --mount=type=ssh,id=myproject git clone ...`
+
 ### cache_from
 
 `cache_from` defines a list of sources the Image builder SHOULD use for cache resolution.

schema/compose-spec.json

@@ -91,6 +91,12 @@
                 "context": {"type": "string"},
                 "dockerfile": {"type": "string"},
                 "args": {"$ref": "#/definitions/list_or_dict"},
+                "ssh": {
+                  "oneOf": [
+                    {"type": "string"},
+                    {"$ref": "#/definitions/list_or_dict"}
+                  ]
+                },
                 "labels": {"$ref": "#/definitions/list_or_dict"},
                 "cache_from": {"type": "array", "items": {"type": "string"}},
                 "cache_to": {"type": "array", "items": {"type": "string"}},