Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add attests, provenance and sbom inputs #746

Merged
merged 9 commits into from Jan 12, 2023
Merged

add attests, provenance and sbom inputs #746

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
472ccdd
test: go project sample
crazy-max Dec 19, 2022
ed2672f
add `attests`, `provenance` and `sbom` inputs
crazy-max Jan 11, 2023
26ce4f3
provenance: set mode max and builder-id for public repos by default
crazy-max Dec 20, 2022
0149503
ci: inspect with json output
crazy-max Jan 11, 2023
74f883a
check BuildKit compatibility before setting default provenance opts
crazy-max Jan 11, 2023
ee7989d
always set builder-id attribute for provenance
crazy-max Jan 11, 2023
0cb700f
do not set default provenance if user wants to load the image
crazy-max Jan 11, 2023
fdafae7
update generated content
crazy-max Jan 11, 2023
223ed1e
ci: fix registry-cache job
crazy-max Jan 11, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
148 changes: 100 additions & 48 deletions .github/workflows/ci.yml
View file
Open in desktop
Expand Up @@ -84,7 +84,7 @@ jobs:
-
name: Inspect
run: |
docker buildx imagetools inspect localhost:5000/name/app:1.0.0
docker buildx imagetools inspect localhost:5000/name/app:1.0.0 --format '{{json .}}'
-
name: Check digest
run: |
Expand Down Expand Up @@ -143,7 +143,7 @@ jobs:
-
name: Inspect
run: |
docker buildx imagetools inspect localhost:5000/name/app:1.0.0
docker buildx imagetools inspect localhost:5000/name/app:1.0.0 --format '{{json .}}'
-
name: Check digest
run: |
Expand Down Expand Up @@ -190,7 +190,7 @@ jobs:
-
name: Inspect
run: |
docker buildx imagetools inspect localhost:5000/name/app:1.0.0
docker buildx imagetools inspect localhost:5000/name/app:1.0.0 --format '{{json .}}'
-
name: Check digest
run: |
Expand Down Expand Up @@ -491,6 +491,97 @@ jobs:
cache-from: type=gha,scope=nocachefilter
cache-to: type=gha,scope=nocachefilter,mode=max

attests-compat:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
include:
- buildx: latest
buildkit: moby/buildkit:buildx-stable-1
- buildx: latest
buildkit: moby/buildkit:v0.10.6
- buildx: v0.9.1
buildkit: moby/buildkit:buildx-stable-1
steps:
-
name: Checkout
uses: actions/checkout@v3
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
with:
version: ${{ matrix.buildx }}
driver-opts: |
network=host
image=${{ matrix.buildkit }}
-
name: Build
uses: ./
with:
context: ./test/go
file: ./test/go/Dockerfile
outputs: type=cacheonly

sbom:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
include:
- target: image
output: type=image,name=localhost:5000/name/app:latest,push=true
- target: binary
output: /tmp/buildx-build
services:
registry:
image: registry:2
ports:
- 5000:5000
steps:
-
name: Checkout
uses: actions/checkout@v3
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
with:
version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
driver-opts: |
network=host
image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
-
name: Build
uses: ./
with:
context: ./test/go
file: ./test/go/Dockerfile
target: ${{ matrix.target }}
outputs: ${{ matrix.output }}
sbom: true
cache-from: type=gha,scope=attests-${{ matrix.target }}
cache-to: type=gha,scope=attests-${{ matrix.target }},mode=max
-
name: Inspect image
if: matrix.target == 'image'
run: |
docker buildx imagetools inspect localhost:5000/name/app:latest --format '{{json .}}'
-
name: Check output folder
if: matrix.target == 'binary'
run: |
tree /tmp/buildx-build
-
name: Print provenance
if: matrix.target == 'binary'
run: |
cat /tmp/buildx-build/provenance.json | jq
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we also do some basic content validation for a build parameter and sbom pkg for example.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You mean schema validation?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Think we can add this as a follow-up?

-
name: Print SBOM
if: matrix.target == 'binary'
run: |
cat /tmp/buildx-build/sbom.spdx.json | jq

multi:
runs-on: ubuntu-latest
strategy:
Expand Down Expand Up @@ -536,7 +627,7 @@ jobs:
-
name: Inspect
run: |
docker buildx imagetools inspect localhost:5000/name/app:1.0.0
docker buildx imagetools inspect localhost:5000/name/app:1.0.0 --format '{{json .}}'
-
name: Check digest
run: |
Expand Down Expand Up @@ -649,15 +740,14 @@ jobs:
uses: docker/setup-qemu-action@v2
-
name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@v2
with:
version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
driver-opts: |
network=host
image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
-
name: Build and push (1)
name: Build and push
id: docker_build
uses: ./
with:
Expand All @@ -672,54 +762,16 @@ jobs:
cache-from: type=registry,ref=localhost:5000/name/app
cache-to: type=inline
-
name: Inspect (1)
name: Inspect
run: |
docker buildx imagetools inspect localhost:5000/name/app:latest
docker buildx imagetools inspect localhost:5000/name/app:latest --format '{{json .}}'
-
name: Check digest (1)
name: Check digest
run: |
if [ -z "${{ steps.docker_build.outputs.digest }}" ]; then
echo "::error::Digest should not be empty"
exit 1
fi
-
name: Prune
run: |
docker buildx prune -a -f --verbose
-
name: Build and push (2)
id: docker_build2
uses: ./
with:
context: ./test
file: ./test/multi.Dockerfile
builder: ${{ steps.buildx.outputs.name }}
platforms: linux/amd64,linux/arm64
push: true
tags: |
localhost:5000/name/app:latest
localhost:5000/name/app:1.0.0
cache-from: type=registry,ref=localhost:5000/name/app
cache-to: type=inline
-
name: Inspect (2)
run: |
docker buildx imagetools inspect localhost:5000/name/app:latest
-
name: Check digest (2)
run: |
if [ -z "${{ steps.docker_build2.outputs.digest }}" ]; then
echo "::error::Digest should not be empty"
exit 1
fi
-
name: Compare digests
run: |
echo Compare "${{ steps.docker_build.outputs.digest }}" with "${{ steps.docker_build2.outputs.digest }}"
if [ "${{ steps.docker_build.outputs.digest }}" != "${{ steps.docker_build2.outputs.digest }}" ]; then
echo "::error::Digests should be identical"
exit 1
fi

github-cache:
runs-on: ubuntu-latest
Expand Down Expand Up @@ -760,7 +812,7 @@ jobs:
-
name: Inspect
run: |
docker buildx imagetools inspect localhost:5000/name/app:1.0.0
docker buildx imagetools inspect localhost:5000/name/app:1.0.0 --format '{{json .}}'

standalone:
runs-on: ubuntu-latest
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/e2e.yml
View file
Open in desktop
Expand Up @@ -120,4 +120,4 @@ jobs:
name: Check manifest
if: github.event_name != 'pull_request'
run: |
docker buildx imagetools inspect ${{ matrix.slug }}:${{ steps.meta.outputs.version }}
docker buildx imagetools inspect ${{ matrix.slug }}:${{ steps.meta.outputs.version }} --format '{{json .}}'
2 changes: 1 addition & 1 deletion .github/workflows/example.yml
View file
Open in desktop
Expand Up @@ -71,4 +71,4 @@ jobs:
name: Check manifest
if: github.event_name != 'pull_request'
run: |
docker buildx imagetools inspect ${{ env.DOCKER_IMAGE }}:${{ steps.meta.outputs.version }}
docker buildx imagetools inspect ${{ env.DOCKER_IMAGE }}:${{ steps.meta.outputs.version }} --format '{{json .}}'