From 477200d1f9bdd0d4de15e12204bf12e3aaa34065 Mon Sep 17 00:00:00 2001 From: CrazyMax Date: Thu, 15 Dec 2022 14:05:49 +0100 Subject: [PATCH 1/3] ci: generate provenance and sbom for release binaries Signed-off-by: CrazyMax --- .github/workflows/build.yml | 31 +++++++++++++++---------- Dockerfile | 4 +++- hack/release | 45 ++++++++++++++++++++++++++++++------- 3 files changed, 59 insertions(+), 21 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 8a97caca..d18ea5ac 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -21,6 +21,8 @@ on: - 'docs/**' env: + BUILDX_VERSION: "v0.10.0-rc1" + BUILDKIT_IMAGE: "moby/buildkit:v0.11.0-rc2" REPO_SLUG: "docker/buildx-bin" DESTDIR: "./bin" @@ -35,7 +37,9 @@ jobs: name: Set up Docker Buildx uses: docker/setup-buildx-action@v2 with: - version: latest + version: ${{ env.BUILDX_VERSION }} + driver-opts: image=${{ env.BUILDKIT_IMAGE }} + buildkitd-flags: --debug - name: Test uses: docker/bake-action@v2 @@ -92,22 +96,23 @@ jobs: name: Set up Docker Buildx uses: docker/setup-buildx-action@v2 with: - version: latest + version: ${{ env.BUILDX_VERSION }} + driver-opts: image=${{ env.BUILDKIT_IMAGE }} + buildkitd-flags: --debug - name: Build - uses: docker/bake-action@v2 - with: - targets: release - set: | - *.platform=${{ matrix.platform }} - *.cache-from=type=gha,scope=binaries-${{ env.PLATFORM_PAIR }} - *.cache-to=type=gha,scope=binaries-${{ env.PLATFORM_PAIR }},mode=max + run: | + make release + env: + PLATFORMS: ${{ matrix.platform }} + CACHE_FROM: type=gha,scope=binaries-${{ env.PLATFORM_PAIR }} + CACHE_TO: type=gha,scope=binaries-${{ env.PLATFORM_PAIR }},mode=max - name: Upload artifacts uses: actions/upload-artifact@v3 with: name: buildx - path: ${{ env.DESTDIR }}/release/* + path: ${{ env.DESTDIR }}/* if-no-files-found: error bin-image: 
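Review bot: `BUILDKIT_IMAGE: "moby/buildkit:v0.11.0-rc2"` pins the builder by a mutable tag, so the image that actually generates the provenance and SBOM can change underneath the same tag; since this series is specifically about attestations, pinning by digest (`BUILDKIT_IMAGE: "moby/buildkit:v0.11.0-rc2@sha256:<digest>"`) makes the builder identity reproducible rather than something the provenance only records after the fact. The same applies to `BUILDX_VERSION: "v0.10.0-rc1"`, which `setup-buildx-action` resolves to a release download at run time. A comment above the two keys, `# Builder pins: bump deliberately, both feed provenance/SBOM generation in the jobs below`, would also discourage a drive-by revert to `latest`.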
@@ -124,7 +129,9 @@ jobs: name: Set up Docker Buildx uses: docker/setup-buildx-action@v2 with: - version: latest + version: ${{ env.BUILDX_VERSION }} + driver-opts: image=${{ env.BUILDKIT_IMAGE }} + buildkitd-flags: --debug - name: Docker meta id: meta @@ -206,7 +213,7 @@ jobs: name: Set up Docker Buildx uses: docker/setup-buildx-action@v2 with: - version: latest + version: ${{ env.BUILDX_VERSION }} driver-opts: image=moby/buildkit:master buildkitd-flags: --debug - diff --git a/Dockerfile b/Dockerfile index ebf05c31..07d9cc35 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -# syntax=docker/dockerfile:1.4 +# syntax=docker/dockerfile-upstream:master ARG GO_VERSION=1.19 ARG XX_VERSION=1.1.2 @@ -58,6 +58,8 @@ FROM scratch AS binaries-windows COPY --link --from=buildx-build /usr/bin/docker-buildx /buildx.exe FROM binaries-$TARGETOS AS binaries +# enable scanning for this stage +ARG BUILDKIT_SBOM_SCAN_STAGE=true # Release FROM --platform=$BUILDPLATFORM alpine AS releaser diff --git a/hack/release b/hack/release index de82e865..eb257edb 100755 --- a/hack/release +++ b/hack/release 
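Review bot: The release job's builder is left on `driver-opts: image=moby/buildkit:master` while every other `setup-buildx-action` step in this patch moves to `${{ env.BUILDKIT_IMAGE }}`, so the one job that presumably finalises a release is the only one still tracking a floating tag. Changing that line to `driver-opts: image=${{ env.BUILDKIT_IMAGE }}` keeps the pin consistent; if `master` is intentional here, a comment such as `# release needs an unreleased buildkit feature: <which one>` would stop it reading as an oversight. The rest of the release job is outside the hunk, so I cannot tell whether it builds anything with this builder or only publishes artifacts from the other jobs.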
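Review bot: `# syntax=docker/dockerfile-upstream:master` replaces a versioned frontend (`docker/dockerfile:1.4`) with a floating branch tag, so every build, including the release builds whose provenance this series adds, executes whatever frontend image is on `master` at that moment; that is unreproducible and a supply-chain exposure, since the frontend is the code that interprets the Dockerfile. If an unreleased frontend feature is required (the `ARG BUILDKIT_SBOM_SCAN_STAGE=true` added in the next hunk may be what needs it, but the diff does not show that), pin by digest, `# syntax=docker/dockerfile-upstream:master@sha256:<digest>`, and add a comment naming the feature and the release that will allow a return to `docker/dockerfile:1.x`. Otherwise the versioned tag should stay.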
@@ -2,27 +2,56 @@ set -eu -o pipefail +: "${GITHUB_ACTIONS=}" +: "${GITHUB_REPOSITORY=}" +: "${GITHUB_RUN_ID=}" + : "${BUILDX_CMD=docker buildx}" : "${DESTDIR=./bin/release}" : "${CACHE_FROM=}" : "${CACHE_TO=}" +: "${PLATFORMS=}" if [ -n "$CACHE_FROM" ]; then for cfrom in $CACHE_FROM; do - cacheFlags+=(--set "*.cache-from=$cfrom") + setFlags+=(--set "*.cache-from=$cfrom") done fi if [ -n "$CACHE_TO" ]; then for cto in $CACHE_TO; do - cacheFlags+=(--set "*.cache-to=$cto") + setFlags+=(--set "*.cache-to=$cto") done fi +if [ -n "$PLATFORMS" ]; then + setFlags+=(--set "*.platform=$PLATFORMS") +fi +if ${BUILDX_CMD} build --help 2>&1 | grep -- '--attest' >/dev/null; then + prvattrs="mode=max" + if [ "$GITHUB_ACTIONS" = "true" ]; then + prvattrs="$prvattrs,builder-id=https://github.com/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}" + fi + setFlags+=(--set "*.attest=type=sbom") + setFlags+=(--set "*.attest=type=provenance,$prvattrs") +fi + +output=$(mktemp -d -t buildx-output.XXXXXXXXXX) -# release -(set -x ; ${BUILDX_CMD} bake "${cacheFlags[@]}" --set "*.output=$DESTDIR" release) +( + set -x + ${BUILDX_CMD} bake "${setFlags[@]}" --set "*.args.BUILDKIT_MULTI_PLATFORM=true" --set "*.output=$output" release +) -# wrap binaries -mv -f ./${DESTDIR}/**/* ./${DESTDIR}/ -find ./${DESTDIR} -type d -empty -delete +for pdir in "${output}"/*/; do + ( + cd "$pdir" + binname=$(find . -name 'buildx-*') + filename=$(basename "${binname%.exe}") + mv "provenance.json" "$(unknown).provenance.json" + mv "sbom-binaries.spdx.json" "$(unknown).sbom.json" + find . -name 'sbom*.json' -exec rm {} \; + ) +done -source ./hack/hash-files +mkdir -p "$DESTDIR" +mv "$output"/**/* "$DESTDIR/" +rm -rf "$output" From ba8e3f9bc5c7e98bcfeefa6f034b3de20f3c9b95 Mon Sep 17 00:00:00 2001 From: CrazyMax Date: Thu, 15 Dec 2022 14:08:35 +0100 Subject: [PATCH 2/3] ci: generate provenance and sbom for bin image Signed-off-by: CrazyMax --- .github/workflows/build.yml | 2 ++ 1 file changed, 2 insertions(+) 
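Review bot: The two `mv` targets in the per-platform loop read `"$(unknown).provenance.json"` and `"$(unknown).sbom.json"` as shown, and nothing named `unknown` exists in the script, while `filename` (the binary name with `.exe` stripped) is computed two lines earlier and never used; presumably the intent is `mv "provenance.json" "${filename}.provenance.json"` and `mv "sbom-binaries.spdx.json" "${filename}.sbom.json"`, because as written the failing substitution is not fatal under `set -e` and the files are renamed to a literal `.provenance.json`/`.sbom.json`, losing their association with the binary. `binname=$(find . -name 'buildx-*')` also assumes exactly one match per directory; `find . -maxdepth 1 -name 'buildx-*' -print -quit` makes that assumption explicit. `mv "$output"/**/* "$DESTDIR/"` behaves as `*/*` without `shopt -s globstar`, which happens to be what is wanted here, but a one-line comment saying so would save the next reader a detour. Finally, `source ./hack/hash-files` is removed with no replacement in this hunk; unless checksum generation now happens elsewhere (e.g. in the workflow's release job, which I cannot see), the release binaries ship without a hash file.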
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index d18ea5ac..0166bc02 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -163,6 +163,8 @@ jobs: set: | *.cache-from=type=gha,scope=bin-image *.cache-to=type=gha,scope=bin-image,mode=max + *.attest=type=sbom + *.attest=type=provenance,mode=max,builder-id=https://github.com/${{ env.GITHUB_REPOSITORY }}/actions/runs/${{ env.GITHUB_RUN_ID }} release: runs-on: ubuntu-latest From 1a85745bf1b9c85a015bd5e77e78f4f2d1912433 Mon Sep 17 00:00:00 2001 From: Tonis Tiigi Date: Thu, 15 Dec 2022 16:54:32 -0800 Subject: [PATCH 3/3] github: update buildkit image to v0.11-rc3 Signed-off-by: Tonis Tiigi --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 0166bc02..386700bf 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -22,7 +22,7 @@ on: env: BUILDX_VERSION: "v0.10.0-rc1" - BUILDKIT_IMAGE: "moby/buildkit:v0.11.0-rc2" + BUILDKIT_IMAGE: "moby/buildkit:v0.11.0-rc3" REPO_SLUG: "docker/buildx-bin" DESTDIR: "./bin"
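Review bot: The `builder-id` in `*.attest=type=provenance,mode=max,builder-id=...` is assembled from `${{ env.GITHUB_REPOSITORY }}` and `${{ env.GITHUB_RUN_ID }}`; the documented way to reference these in a workflow expression is the `github` context, `builder-id=https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}`, which does not depend on the runner's default environment variables being visible through `env` when `bake-action` evaluates its inputs. If either expansion came out empty it would go unnoticed and the provenance would carry a builder-id of `https://github.com//actions/runs/` that points at no build, defeating the purpose of `mode=max`. The same URL is built in `hack/release` from `GITHUB_REPOSITORY`/`GITHUB_RUN_ID`, so a comment here noting that verifiers key on this value and that the two constructions must stay in sync would help.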