ci: generate provenance and sbom for release binaries

Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
CrazyMax 2022-12-15 14:05:49 +01:00
parent a49d28e00e
commit 477200d1f9
GPG Key ID: 3248E46B6BB8C7F7
3 changed files with 59 additions and 21 deletions


@ -21,6 +21,8 @@ on:
- 'docs/**' - 'docs/**'
env: env:
BUILDX_VERSION: "v0.10.0-rc1"
BUILDKIT_IMAGE: "moby/buildkit:v0.11.0-rc2"
REPO_SLUG: "docker/buildx-bin" REPO_SLUG: "docker/buildx-bin"
DESTDIR: "./bin" DESTDIR: "./bin"
@ -35,7 +37,9 @@ jobs:
name: Set up Docker Buildx name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2 uses: docker/setup-buildx-action@v2
with: with:
version: latest version: ${{ env.BUILDX_VERSION }}
driver-opts: image=${{ env.BUILDKIT_IMAGE }}
buildkitd-flags: --debug
- -
name: Test name: Test
uses: docker/bake-action@v2 uses: docker/bake-action@v2
@ -92,22 +96,23 @@ jobs:
name: Set up Docker Buildx name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2 uses: docker/setup-buildx-action@v2
with: with:
version: latest version: ${{ env.BUILDX_VERSION }}
driver-opts: image=${{ env.BUILDKIT_IMAGE }}
buildkitd-flags: --debug
- -
name: Build name: Build
uses: docker/bake-action@v2 run: |
with: make release
targets: release env:
set: | PLATFORMS: ${{ matrix.platform }}
*.platform=${{ matrix.platform }} CACHE_FROM: type=gha,scope=binaries-${{ env.PLATFORM_PAIR }}
*.cache-from=type=gha,scope=binaries-${{ env.PLATFORM_PAIR }} CACHE_TO: type=gha,scope=binaries-${{ env.PLATFORM_PAIR }},mode=max
*.cache-to=type=gha,scope=binaries-${{ env.PLATFORM_PAIR }},mode=max
- -
name: Upload artifacts name: Upload artifacts
uses: actions/upload-artifact@v3 uses: actions/upload-artifact@v3
with: with:
name: buildx name: buildx
path: ${{ env.DESTDIR }}/release/* path: ${{ env.DESTDIR }}/*
if-no-files-found: error if-no-files-found: error
bin-image: bin-image:
@ -124,7 +129,9 @@ jobs:
name: Set up Docker Buildx name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2 uses: docker/setup-buildx-action@v2
with: with:
version: latest version: ${{ env.BUILDX_VERSION }}
driver-opts: image=${{ env.BUILDKIT_IMAGE }}
buildkitd-flags: --debug
- -
name: Docker meta name: Docker meta
id: meta id: meta
@ -206,7 +213,7 @@ jobs:
name: Set up Docker Buildx name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2 uses: docker/setup-buildx-action@v2
with: with:
version: latest version: ${{ env.BUILDX_VERSION }}
driver-opts: image=moby/buildkit:master driver-opts: image=moby/buildkit:master
buildkitd-flags: --debug buildkitd-flags: --debug
- -
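Review bot: `BUILDKIT_IMAGE: "moby/buildkit:v0.11.0-rc2"` in the first hunk pins the builder by a mutable tag, while the release job in this same commit starts emitting provenance and SBOM attestations that are only as trustworthy as the builder that produced them; a digest pin such as `BUILDKIT_IMAGE: "moby/buildkit:v0.11.0-rc2@sha256:<digest>"` would make the recorded build reproducible and would fail closed if the tag were ever re-pointed. The last hunk of this section still hardcodes `driver-opts: image=moby/buildkit:master` where the other three jobs switch to `${{ env.BUILDKIT_IMAGE }}`; if tracking master is intentional for that job, a comment such as `# intentionally tracks buildkit master; not a release builder` would stop the next reader from "fixing" it. `buildkitd-flags: --debug` is now on for three jobs with no explanation; a one-line comment on why debug logging is wanted in CI would help, since it noticeably increases log volume.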


@ -1,4 +1,4 @@
# syntax=docker/dockerfile:1.4 # syntax=docker/dockerfile-upstream:master
ARG GO_VERSION=1.19 ARG GO_VERSION=1.19
ARG XX_VERSION=1.1.2 ARG XX_VERSION=1.1.2
@ -58,6 +58,8 @@ FROM scratch AS binaries-windows
COPY --link --from=buildx-build /usr/bin/docker-buildx /buildx.exe COPY --link --from=buildx-build /usr/bin/docker-buildx /buildx.exe
FROM binaries-$TARGETOS AS binaries FROM binaries-$TARGETOS AS binaries
# enable scanning for this stage
ARG BUILDKIT_SBOM_SCAN_STAGE=true
# Release # Release
FROM --platform=$BUILDPLATFORM alpine AS releaser FROM --platform=$BUILDPLATFORM alpine AS releaser
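Review bot: The syntax directive moves from the released `docker/dockerfile:1.4` frontend to `docker/dockerfile-upstream:master`, a mutable tag that is re-resolved on every build, so the release binaries that this commit starts shipping with provenance and SBOM attestations are built by whatever frontend master happens to be at the time; that cannot be reproduced later and widens what a broken or compromised upstream push can affect. If the master frontend is required for `BUILDKIT_SBOM_SCAN_STAGE` support, pin it by digest, e.g. `# syntax=docker/dockerfile-upstream:master@sha256:<digest>`, with a comment explaining why, and return to a tagged release once one ships the feature. `ARG BUILDKIT_SBOM_SCAN_STAGE=true` is declared inside the `binaries` stage; the comment above it could be more specific, e.g. `# opt only the final binaries stage into BuildKit SBOM scanning`, so a reader does not expect the build stages to be scanned too.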


@ -2,27 +2,56 @@
set -eu -o pipefail set -eu -o pipefail
: "${GITHUB_ACTIONS=}"
: "${GITHUB_REPOSITORY=}"
: "${GITHUB_RUN_ID=}"
: "${BUILDX_CMD=docker buildx}" : "${BUILDX_CMD=docker buildx}"
: "${DESTDIR=./bin/release}" : "${DESTDIR=./bin/release}"
: "${CACHE_FROM=}" : "${CACHE_FROM=}"
: "${CACHE_TO=}" : "${CACHE_TO=}"
: "${PLATFORMS=}"
if [ -n "$CACHE_FROM" ]; then if [ -n "$CACHE_FROM" ]; then
for cfrom in $CACHE_FROM; do for cfrom in $CACHE_FROM; do
cacheFlags+=(--set "*.cache-from=$cfrom") setFlags+=(--set "*.cache-from=$cfrom")
done done
fi fi
if [ -n "$CACHE_TO" ]; then if [ -n "$CACHE_TO" ]; then
for cto in $CACHE_TO; do for cto in $CACHE_TO; do
cacheFlags+=(--set "*.cache-to=$cto") setFlags+=(--set "*.cache-to=$cto")
done done
fi fi
if [ -n "$PLATFORMS" ]; then
setFlags+=(--set "*.platform=$PLATFORMS")
fi
if ${BUILDX_CMD} build --help 2>&1 | grep -- '--attest' >/dev/null; then
prvattrs="mode=max"
if [ "$GITHUB_ACTIONS" = "true" ]; then
prvattrs="$prvattrs,builder-id=https://github.com/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}"
fi
setFlags+=(--set "*.attest=type=sbom")
setFlags+=(--set "*.attest=type=provenance,$prvattrs")
fi
# release output=$(mktemp -d -t buildx-output.XXXXXXXXXX)
(set -x ; ${BUILDX_CMD} bake "${cacheFlags[@]}" --set "*.output=$DESTDIR" release)
# wrap binaries (
mv -f ./${DESTDIR}/**/* ./${DESTDIR}/ set -x
find ./${DESTDIR} -type d -empty -delete ${BUILDX_CMD} bake "${setFlags[@]}" --set "*.args.BUILDKIT_MULTI_PLATFORM=true" --set "*.output=$output" release
)
source ./hack/hash-files for pdir in "${output}"/*/; do
(
cd "$pdir"
binname=$(find . -name 'buildx-*')
filename=$(basename "${binname%.exe}")
mv "provenance.json" "$(unknown).provenance.json"
mv "sbom-binaries.spdx.json" "$(unknown).sbom.json"
find . -name 'sbom*.json' -exec rm {} \;
)
done
mkdir -p "$DESTDIR"
mv "$output"/**/* "$DESTDIR/"
rm -rf "$output"
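Review bot: The rename loop near the end moves `provenance.json` and `sbom-binaries.spdx.json` unconditionally, but those files only exist when the earlier `--attest` branch added the `*.attest` sets; on a buildx without `--attest` support the first `mv` fails and `set -e` aborts the release after the bake has already succeeded, so guard each rename on the file, e.g. `[ ! -f provenance.json ] || mv provenance.json "${filename}.provenance.json"` and the same for the SBOM, or skip the loop body when attestations were not requested. The `$(unknown)` in both mv targets looks like a rendering artifact for `${filename}`; if it is really in the source, the command substitution expands to an empty string and the attestations are written as hidden `.provenance.json` / `.sbom.json` files, and the `filename` assignment just above is otherwise unused. Separately, `setFlags` is never initialised, so with `set -u` an invocation that sets none of CACHE_FROM/CACHE_TO/PLATFORMS on a buildx without `--attest` expands `"${setFlags[@]}"` as an unbound variable on bash older than 4.4; `setFlags=()` next to the defaults fixes that (the old `cacheFlags` had the same gap). The script's first line is outside the hunk.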