Set version and revision at linked time

.dockerignore

@@ -1,2 +1 @@
 /bin
-/release

.github/workflows/build.yml

@@ -128,6 +128,8 @@ jobs:
       -
         name: Checkout
         uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
       -
         name: Set up QEMU
         uses: docker/setup-qemu-action@v2
@@ -153,3 +155,16 @@ jobs:
           name: docker-credential-helpers
           path: ${{ env.DESTDIR }}/*
           if-no-files-found: error
+
+  build-deb:
+    runs-on: ubuntu-20.04
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      -
+        name: Build
+        run: |
+          make deb

.gitignore

@@ -1,2 +1 @@
 /bin
-/release

Dockerfile

@@ -5,7 +5,7 @@ ARG XX_VERSION=1.1.2
 ARG OSXCROSS_VERSION=11.3-r7-alpine
 ARG GOLANGCI_LINT_VERSION=v1.47.3
 
-ARG PKG=github.com/docker/docker-credential-helpers
+ARG PACKAGE=github.com/docker/docker-credential-helpers
 
 # xx is a helper for cross-compilation
 FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
@@ -15,7 +15,7 @@ FROM crazymax/osxcross:${OSXCROSS_VERSION} AS osxcross
 
 FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine AS gobase
 COPY --from=xx / /
-RUN apk add --no-cache clang file git lld llvm pkgconf rsync
+RUN apk add --no-cache clang file git lld llvm make pkgconf rsync
 ENV GOFLAGS="-mod=vendor"
 ENV CGO_ENABLED="1"
 WORKDIR /src
@@ -57,13 +57,6 @@ RUN --mount=type=bind,target=. \
     --mount=from=golangci-lint,source=/usr/bin/golangci-lint,target=/usr/bin/golangci-lint \
     golangci-lint run ./...
 
-FROM gobase AS version
-ARG PKG
-RUN --mount=target=. \
-    VERSION=$(git describe --match 'v[0-9]*' --dirty='.m' --always --tags); \
-    echo "-s -w -X ${PKG}/credentials.Version=${VERSION}" | tee /tmp/.ldflags; \
-    echo -n "${VERSION}" | tee /tmp/.version;
-
 FROM gobase AS base
 ARG TARGETPLATFORM
 RUN xx-apk add musl-dev gcc libsecret-dev pass
@@ -93,50 +86,49 @@ FROM scratch AS test-coverage
 COPY --from=test /out /
 
 FROM base AS build-linux
+ARG PACKAGE
 ARG TARGETOS
 ARG TARGETARCH
 ARG TARGETVARIANT
 RUN --mount=type=bind,target=. \
     --mount=type=cache,target=/root/.cache \
-    --mount=type=cache,target=/go/pkg/mod \
-    --mount=type=bind,from=version,source=/tmp/.ldflags,target=/tmp/.ldflags <<EOT
+    --mount=type=cache,target=/go/pkg/mod <<EOT
   set -ex
-  mkdir /out
-  xx-go build -ldflags "$(cat /tmp/.ldflags)" -o /out/docker-credential-pass-${TARGETOS}-${TARGETARCH}${TARGETVARIANT} ./pass/cmd/
+  xx-go --wrap
+  make build-pass PACKAGE=$PACKAGE DESTDIR=/out BINNAME=docker-credential-pass-${TARGETOS}-${TARGETARCH}${TARGETVARIANT}
   xx-verify /out/docker-credential-pass-${TARGETOS}-${TARGETARCH}${TARGETVARIANT}
-  xx-go build -ldflags "$(cat /tmp/.ldflags)" -o /out/docker-credential-secretservice-${TARGETOS}-${TARGETARCH}${TARGETVARIANT} ./secretservice/cmd/
+  make build-secretservice PACKAGE=$PACKAGE DESTDIR=/out BINNAME=docker-credential-secretservice-${TARGETOS}-${TARGETARCH}${TARGETVARIANT}
   xx-verify /out/docker-credential-secretservice-${TARGETOS}-${TARGETARCH}${TARGETVARIANT}
 EOT
 
 FROM base AS build-darwin
+ARG PACKAGE
 ARG TARGETOS
 ARG TARGETARCH
 ARG TARGETVARIANT
 RUN --mount=type=bind,target=. \
     --mount=type=cache,target=/root/.cache \
     --mount=type=cache,target=/go/pkg/mod \
-    --mount=type=bind,from=osxcross,src=/osxsdk,target=/xx-sdk \
-    --mount=type=bind,from=version,source=/tmp/.ldflags,target=/tmp/.ldflags <<EOT
+    --mount=type=bind,from=osxcross,src=/osxsdk,target=/xx-sdk <<EOT
   set -ex
-  mkdir /out
-  xx-go install std
-  xx-go build -ldflags "$(cat /tmp/.ldflags)" -o /out/docker-credential-osxkeychain-${TARGETARCH}${TARGETVARIANT} ./osxkeychain/cmd/
+  xx-go --wrap
+  go install std
+  make build-osxkeychain PACKAGE=$PACKAGE DESTDIR=/out BINNAME=docker-credential-osxkeychain-${TARGETARCH}${TARGETVARIANT}
   xx-verify /out/docker-credential-osxkeychain-${TARGETARCH}${TARGETVARIANT}
-
-  xx-go build -ldflags "$(cat /tmp/.ldflags)" -o /out/docker-credential-pass-${TARGETOS}-${TARGETARCH}${TARGETVARIANT} ./pass/cmd/
+  make build-pass PACKAGE=$PACKAGE DESTDIR=/out BINNAME=docker-credential-pass-${TARGETOS}-${TARGETARCH}${TARGETVARIANT}
   xx-verify /out/docker-credential-pass-${TARGETOS}-${TARGETARCH}${TARGETVARIANT}
 EOT
 
 FROM base AS build-windows
+ARG PACKAGE
 ARG TARGETARCH
 ARG TARGETVARIANT
 RUN --mount=type=bind,target=. \
     --mount=type=cache,target=/root/.cache \
-    --mount=type=cache,target=/go/pkg/mod \
-    --mount=type=bind,from=version,source=/tmp/.ldflags,target=/tmp/.ldflags <<EOT
+    --mount=type=cache,target=/go/pkg/mod <<EOT
   set -ex
-  mkdir /out
-  xx-go build -ldflags "$(cat /tmp/.ldflags)" -o /out/docker-credential-wincred-${TARGETARCH}${TARGETVARIANT}.exe ./wincred/cmd/
+  xx-go --wrap
+  make build-wincred PACKAGE=$PACKAGE DESTDIR=/out BINNAME=docker-credential-wincred-${TARGETARCH}${TARGETVARIANT}.exe
   xx-verify /out/docker-credential-wincred-${TARGETARCH}${TARGETVARIANT}.exe
 EOT
 

Makefile

@@ -1,77 +1,95 @@
-.PHONY: all osxkeychain secretservice test lint validate-vendor fmt validate wincred pass deb vendor
+PACKAGE ?= github.com/docker/docker-credential-helpers
+VERSION ?= $(shell git describe --match 'v[0-9]*' --dirty='.m' --always --tags)
+REVISION ?= $(shell git rev-parse HEAD)$(shell if ! git diff --no-ext-diff --quiet --exit-code; then echo .m; fi)
 
-VERSION := $(shell grep 'const Version' credentials/version.go | awk -F'"' '{ print $$2 }')
+GO_PKG = github.com/docker/docker-credential-helpers
+GO_LDFLAGS = -s -w -X ${GO_PKG}/credentials.Version=${VERSION} -X ${GO_PKG}/credentials.Revision=${REVISION} -X ${GO_PKG}/credentials.Package=${PACKAGE}
 
-all: test
+BUILDX_CMD ?= docker buildx
+DESTDIR ?= ./bin/build
 
+.PHONY: all
+all: cross
+
+.PHONY: clean
 clean:
 	rm -rf bin
-	rm -rf release
-
-osxkeychain:
-	mkdir -p bin
-	go build -ldflags -s -o bin/docker-credential-osxkeychain ./osxkeychain/cmd/
-
-osxcodesign: osxkeychain
-	$(eval SIGNINGHASH = $(shell security find-identity -v -p codesigning | grep "Developer ID Application: Docker Inc" | cut -d ' ' -f 4))
-	xcrun -log codesign -s $(SIGNINGHASH) --force --verbose bin/docker-credential-osxkeychain
-	xcrun codesign --verify --deep --strict --verbose=2 --display bin/docker-credential-osxkeychain
 
-secretservice:
-	mkdir -p bin
-	go build -o bin/docker-credential-secretservice ./secretservice/cmd/
+.PHONY: build-%
+build-%: # build, can be one of build-osxkeychain build-pass build-secretservice build-wincred
+	$(eval BINNAME := docker-credential-$*)
+	go build -trimpath -ldflags="$(GO_LDFLAGS) -X ${GO_PKG}/credentials.Name=docker-credential-$*" -o $(DESTDIR)/$(BINNAME) ./$*/cmd/
 
-pass:
-	mkdir -p bin
-	go build -o bin/docker-credential-pass ./pass/cmd/
+# aliases for build-* targets
+.PHONY: osxkeychain secretservice pass wincred
+osxkeychain: build-osxkeychain
+secretservice: build-secretservice
+pass: build-pass
+wincred: build-wincred
 
-wincred:
-	mkdir -p bin
-	go build -o bin/docker-credential-wincred.exe ./wincred/cmd/
+.PHONY: osxcodesign
+osxcodesign: build-osxkeychain
+	$(eval SIGNINGHASH = $(shell security find-identity -v -p codesigning | grep "Developer ID Application: Docker Inc" | cut -d ' ' -f 4))
+	xcrun -log codesign -s $(SIGNINGHASH) --force --verbose bin/build/docker-credential-osxkeychain
+	xcrun codesign --verify --deep --strict --verbose=2 --display bin/build/docker-credential-osxkeychain
 
+.PHONY: linuxrelease
 linuxrelease:
 	mkdir -p release
-	cd bin && tar cvfz ../release/docker-credential-pass-v$(VERSION)-amd64.tar.gz docker-credential-pass
-	cd bin && tar cvfz ../release/docker-credential-secretservice-v$(VERSION)-amd64.tar.gz docker-credential-secretservice
+	cd bin && tar cvfz ../release/docker-credential-pass-$(VERSION)-amd64.tar.gz docker-credential-pass
+	cd bin && tar cvfz ../release/docker-credential-secretservice-$(VERSION)-amd64.tar.gz docker-credential-secretservice
 
+.PHONY: osxrelease
 osxrelease:
 	mkdir -p release
-	cd bin && tar cvfz ../release/docker-credential-osxkeychain-v$(VERSION)-amd64.tar.gz docker-credential-osxkeychain
-	cd bin && tar cvfz ../release/docker-credential-pass-v$(VERSION)-darwin-amd64.tar.gz docker-credential-pass
+	cd bin && tar cvfz ../release/docker-credential-osxkeychain-$(VERSION)-amd64.tar.gz docker-credential-osxkeychain
+	cd bin && tar cvfz ../release/docker-credential-pass-$(VERSION)-darwin-amd64.tar.gz docker-credential-pass
 
+.PHONY: winrelease
 winrelease:
 	mkdir -p release
-	cd bin && zip ../release/docker-credential-wincred-v$(VERSION)-amd64.zip docker-credential-wincred.exe
+	cd bin && zip ../release/docker-credential-wincred-$(VERSION)-amd64.zip docker-credential-wincred.exe
+
+.PHONY: cross
+cross: # cross build all supported credential helpers
+	$(BUILDX_CMD) bake cross
 
+.PHONY: test
 test:
 	# tests all packages except vendor
 	go test -v `go list ./... | grep -v /vendor/`
 
+.PHONY: lint
 lint:
-	docker buildx bake lint
+	$(BUILDX_CMD) bake lint
 
+.PHONY: validate-vendor
 validate-vendor:
-	docker buildx bake vendor-validate
+	$(BUILDX_CMD) bake vendor-validate
 
+.PHONY: fmt
 fmt:
 	gofmt -s -l `ls **/*.go | grep -v vendor`
 
+.PHONY: validate
 validate: lint validate-vendor fmt
 
 BUILDIMG:=docker-credential-secretservice-$(VERSION)
+.PHONY: deb
 deb:
 	mkdir -p release
 	docker build -f deb/Dockerfile \
-		--build-arg VERSION=$(VERSION) \
-		--build-arg DISTRO=xenial \
+		--build-arg VERSION=$(patsubst v%,%,$(VERSION)) \
+		--build-arg REVISION=$(REVISION) \
 		--tag $(BUILDIMG) \
 		.
 	docker run --rm --net=none $(BUILDIMG) tar cf - /release | tar xf -
 	docker rmi $(BUILDIMG)
 
+.PHONY: vendor
 vendor:
 	$(eval $@_TMP_OUT := $(shell mktemp -d -t docker-output.XXXXXXXXXX))
-	docker buildx bake --set "*.output=type=local,dest=$($@_TMP_OUT)" vendor
+	$(BUILDX_CMD) bake --set "*.output=type=local,dest=$($@_TMP_OUT)" vendor
 	rm -rf ./vendor
 	cp -R "$($@_TMP_OUT)"/* .
 	rm -rf "$($@_TMP_OUT)"

credentials/credentials.go

@@ -181,6 +181,6 @@ func List(helper Helper, writer io.Writer) error {
 
 // PrintVersion outputs the current version.
 func PrintVersion(writer io.Writer) error {
-	fmt.Fprintln(writer, Version)
+	fmt.Fprintf(writer, "%s (%s) %s\n", Name, Package, Version)
 	return nil
 }

credentials/version.go

@@ -1,4 +1,16 @@
 package credentials
 
-// Version holds a string describing the current version
-const Version = "0.6.4"
+var (
+	// Name is filled at linking time
+	Name = ""
+
+	// Package is filled at linking time
+	Package = "github.com/docker/docker-credential-helpers"
+
+	// Version holds the complete version number. Filled in at linking time.
+	Version = "v0.0.0+unknown"
+
+	// Revision is filled with the VCS (e.g. git) revision being used to build
+	// the program at linking time.
+	Revision = ""
+)

deb/Dockerfile

@@ -1,13 +1,21 @@
-FROM ubuntu:xenial
+ARG GO_VERSION=1.18.5
+ARG DISTRO=ubuntu
+ARG SUITE=focal
 
-ARG VERSION
-ARG DISTRO
+FROM golang:${GO_VERSION}-buster AS golang
+
+FROM ${DISTRO}:${SUITE}
 
-RUN apt-get update && apt-get install -yy debhelper dh-make golang-go libsecret-1-dev
+ARG DEBIAN_FRONTEND=noninteractive
+RUN apt-get update && apt-get install -yy debhelper dh-make libsecret-1-dev
 RUN mkdir -p /build
 
 WORKDIR /build
-ENV GOPATH /build
+ENV GOPROXY=https://proxy.golang.org|direct
+ENV GO111MODULE=off
+ENV GOPATH=/build
+ENV PATH=$PATH:/usr/local/go/bin:$GOPATH/bin
+COPY --from=golang /usr/local/go /usr/local/go
 
 COPY Makefile .
 COPY credentials credentials
@@ -16,4 +24,12 @@ COPY pass pass
 COPY deb/debian ./debian
 COPY deb/build-deb .
 
-RUN /build/build-deb ${VERSION} ${DISTRO}
+ARG VERSION
+ENV VERSION=${VERSION}
+ARG REVISION
+ENV REVISION=${REVISION}
+ARG DISTRO
+ENV DISTRO=${DISTRO}
+ARG SUITE
+ENV SUITE=${SUITE}
+RUN /build/build-deb

deb/build-deb

@@ -1,14 +1,10 @@
 #!/usr/bin/env bash
-set -x
-set -e
-
-version=$1
-distro=$2
+set -ex
 
 maintainer=$(awk -F ': ' '$1 == "Maintainer" { print $2; exit }' debian/control)
 
 cat > "debian/changelog" <<-EOF
-docker-credential-helpers ($version) $DISTRO; urgency=low
+docker-credential-helpers ($VERSION) $DISTRO-$SUITE; urgency=low
 
   * New upstream version
 

deb/debian/rules

@@ -3,7 +3,8 @@
 DESTDIR := $(CURDIR)/debian/tmp
 
 override_dh_auto_build:
-	make secretservice pass
+	make build-secretservice DESTDIR=bin
+	make build-pass DESTDIR=bin
 
 override_dh_auto_install:
 	install -D bin/docker-credential-secretservice $(DESTDIR)/usr/bin/docker-credential-secretservice