diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index c588a502..1b9081e0 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -21,6 +21,8 @@ on: - 'docs/**' env: + BUILDX_VERSION: "v0.10.0-rc1" + BUILDKIT_IMAGE: "moby/buildkit:v0.11.0-rc3" REPO_SLUG: "docker/buildx-bin" DESTDIR: "./bin"
@@ -35,7 +37,9 @@ jobs: name: Set up Docker Buildx uses: docker/setup-buildx-action@v2 with: - version: latest + version: ${{ env.BUILDX_VERSION }} + driver-opts: image=${{ env.BUILDKIT_IMAGE }} + buildkitd-flags: --debug - name: Test uses: docker/bake-action@v2
@@ -92,22 +96,23 @@ jobs: name: Set up Docker Buildx uses: docker/setup-buildx-action@v2 with: - version: latest + version: ${{ env.BUILDX_VERSION }} + driver-opts: image=${{ env.BUILDKIT_IMAGE }} + buildkitd-flags: --debug - name: Build - uses: docker/bake-action@v2 - with: - targets: release - set: | - *.platform=${{ matrix.platform }} - *.cache-from=type=gha,scope=binaries-${{ env.PLATFORM_PAIR }} - *.cache-to=type=gha,scope=binaries-${{ env.PLATFORM_PAIR }},mode=max + run: | + make release + env: + PLATFORMS: ${{ matrix.platform }} + CACHE_FROM: type=gha,scope=binaries-${{ env.PLATFORM_PAIR }} + CACHE_TO: type=gha,scope=binaries-${{ env.PLATFORM_PAIR }},mode=max - name: Upload artifacts uses: actions/upload-artifact@v3 with: name: buildx - path: ${{ env.DESTDIR }}/release/* + path: ${{ env.DESTDIR }}/* if-no-files-found: error bin-image:
@@ -124,7 +129,9 @@ jobs: name: Set up Docker Buildx uses: docker/setup-buildx-action@v2 with: - version: latest + version: ${{ env.BUILDX_VERSION }} + driver-opts: image=${{ env.BUILDKIT_IMAGE }} + buildkitd-flags: --debug - name: Docker meta id: meta
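Review bot: BUILDKIT_IMAGE in the first hunk pins the BuildKit daemon by tag only, and a tag is mutable, so the builder that now produces the SBOM and provenance attestations can change under the workflow without any diff in this file; pin it by digest as well, e.g. `BUILDKIT_IMAGE: "moby/buildkit:v0.11.0-rc3@sha256:<digest-placeholder>"`. The release job hunk (@@ -206,7 +215,7) still uses `driver-opts: image=moby/buildkit:master` rather than `driver-opts: image=${{ env.BUILDKIT_IMAGE }}`, so release binaries are built on a floating daemon while the test, binaries and bin-image jobs are pinned; presumably an oversight. The Dockerfile hunk (@@ -1,4 +1,4) moves the frontend from `docker/dockerfile:1.4` to `docker/dockerfile-upstream:master`, which has the same floating-tag problem for every build that parses this Dockerfile; if a master-only feature is needed, pin that reference to a digest too and leave a comment naming the feature so it can be moved back to a release tag later.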
@@ -156,6 +163,8 @@ jobs: set: | *.cache-from=type=gha,scope=bin-image *.cache-to=type=gha,scope=bin-image,mode=max + *.attest=type=sbom + *.attest=type=provenance,mode=max,builder-id=https://github.com/${{ env.GITHUB_REPOSITORY }}/actions/runs/${{ env.GITHUB_RUN_ID }} release: runs-on: ubuntu-22.04
@@ -206,7 +215,7 @@ jobs: name: Set up Docker Buildx uses: docker/setup-buildx-action@v2 with: - version: latest + version: ${{ env.BUILDX_VERSION }} driver-opts: image=moby/buildkit:master buildkitd-flags: --debug -
diff --git a/Dockerfile b/Dockerfile
index ebf05c31..07d9cc35 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@ -# syntax=docker/dockerfile:1.4 +# syntax=docker/dockerfile-upstream:master ARG GO_VERSION=1.19 ARG XX_VERSION=1.1.2
@@ -58,6 +58,8 @@ FROM scratch AS binaries-windows COPY --link --from=buildx-build /usr/bin/docker-buildx /buildx.exe FROM binaries-$TARGETOS AS binaries +# enable scanning for this stage +ARG BUILDKIT_SBOM_SCAN_STAGE=true # Release FROM --platform=$BUILDPLATFORM alpine AS releaser
diff --git a/hack/release b/hack/release
index de82e865..eb257edb 100755
--- a/hack/release
+++ b/hack/release
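Review bot: The builder-id on the new provenance line is assembled from `${{ env.GITHUB_REPOSITORY }}` and `${{ env.GITHUB_RUN_ID }}`; as far as I know the `env` context only exposes variables set through `env:` keys or GITHUB_ENV, not the runner's default GITHUB_* variables, so both expand to empty and the provenance would record `https://github.com//actions/runs/` as its builder. An attestation with that builder id cannot be matched back to the workflow run that produced it, which defeats the point of emitting it. Use the github context instead: `*.attest=type=provenance,mode=max,builder-id=https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}`. The hack/release hunk reads the same two values from the shell environment, where the default variables are present, so that path is not affected.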
@@ -2,27 +2,56 @@ set -eu -o pipefail +: "${GITHUB_ACTIONS=}" +: "${GITHUB_REPOSITORY=}" +: "${GITHUB_RUN_ID=}" + : "${BUILDX_CMD=docker buildx}" : "${DESTDIR=./bin/release}" : "${CACHE_FROM=}" : "${CACHE_TO=}" +: "${PLATFORMS=}" if [ -n "$CACHE_FROM" ]; then for cfrom in $CACHE_FROM; do - cacheFlags+=(--set "*.cache-from=$cfrom") + setFlags+=(--set "*.cache-from=$cfrom") done fi if [ -n "$CACHE_TO" ]; then for cto in $CACHE_TO; do - cacheFlags+=(--set "*.cache-to=$cto") + setFlags+=(--set "*.cache-to=$cto") done fi +if [ -n "$PLATFORMS" ]; then + setFlags+=(--set "*.platform=$PLATFORMS") +fi +if ${BUILDX_CMD} build --help 2>&1 | grep -- '--attest' >/dev/null; then + prvattrs="mode=max" + if [ "$GITHUB_ACTIONS" = "true" ]; then + prvattrs="$prvattrs,builder-id=https://github.com/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}" + fi + setFlags+=(--set "*.attest=type=sbom") + setFlags+=(--set "*.attest=type=provenance,$prvattrs") +fi + +output=$(mktemp -d -t buildx-output.XXXXXXXXXX) -# release -(set -x ; ${BUILDX_CMD} bake "${cacheFlags[@]}" --set "*.output=$DESTDIR" release) +( + set -x + ${BUILDX_CMD} bake "${setFlags[@]}" --set "*.args.BUILDKIT_MULTI_PLATFORM=true" --set "*.output=$output" release +) -# wrap binaries -mv -f ./${DESTDIR}/**/* ./${DESTDIR}/ -find ./${DESTDIR} -type d -empty -delete +for pdir in "${output}"/*/; do + ( + cd "$pdir" + binname=$(find . -name 'buildx-*') + filename=$(basename "${binname%.exe}") + mv "provenance.json" "$(unknown).provenance.json" + mv "sbom-binaries.spdx.json" "$(unknown).sbom.json" + find . -name 'sbom*.json' -exec rm {} \; + ) +done -source ./hack/hash-files +mkdir -p "$DESTDIR" +mv "$output"/**/* "$DESTDIR/" +rm -rf "$output"
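Review bot: The rename loop near the end runs `mv "provenance.json" …` and `mv "sbom-binaries.spdx.json" …` unconditionally, but the attestations are only requested when the `--attest` feature check above succeeds, so on a buildx without that flag the first `mv` fails and `set -e` aborts the release after the bake has already completed; guarding the renames on the files existing (sketched below) keeps the script working on both. Separately, `filename` is computed but never read: the `mv` targets use `$(unknown)`, which as written runs a command named `unknown` and yields an empty name, so the files would land as `.provenance.json` and `.sbom.json` — if that is an extraction artifact for `${filename}` ignore this, otherwise it needs fixing. The `mktemp -d` directory is only removed on the success path; adding `trap 'rm -rf "$output"' EXIT` right after it is created stops failed runs from leaving build output behind on the runner.
```shell
for pdir in "${output}"/*/; do
  (
    cd "$pdir"
    binname=$(find . -name 'buildx-*')
    filename=$(basename "${binname%.exe}")
    if [ -f provenance.json ]; then
      mv "provenance.json" "${filename}.provenance.json"
    fi
    if [ -f sbom-binaries.spdx.json ]; then
      mv "sbom-binaries.spdx.json" "${filename}.sbom.json"
    fi
    find . -name 'sbom*.json' -exec rm {} \;
  )
done
# … unchanged: mkdir/mv into $DESTDIR and cleanup of $output …
```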