From 6a667ab93edb347489ac41c5191412a2e75ff06e Mon Sep 17 00:00:00 2001
From: CrazyMax
Date: Fri, 16 Sep 2022 15:05:08 +0200
Subject: [PATCH 1/3] ci: set up remote arm64 and s390x builders
Signed-off-by: CrazyMax
---
.../actions/setup-remote-builder/action.yml | 55 +++++++++++++++++++
.github/workflows/build.yml | 44 +++++++++++++++
2 files changed, 99 insertions(+)
create mode 100644 .github/actions/setup-remote-builder/action.yml
diff --git a/.github/actions/setup-remote-builder/action.yml b/.github/actions/setup-remote-builder/action.yml
new file mode 100644
index 00000000..2310bd31
--- /dev/null
+++ b/.github/actions/setup-remote-builder/action.yml
@@ -0,0 +1,55 @@
+name: 'Setup remote builder'
+description: 'Composite action to set up BuildKit remote builder'
+
+inputs:
+ name:
+ description: 'Node name'
+ required: true
+ builder_name:
+ description: 'Builder name to append to'
+ required: true
+ endpoint:
+ description: 'Host'
+ required: true
+ cacert:
+ description: 'CA Cert'
+ required: true
+ ca:
+ description: 'Cert'
+ required: true
+ key:
+ description: 'Key'
+ required: true
+ platforms:
+ description: 'Preferred platforms'
+ required: false
+
+runs:
+ using: composite
+ steps:
+ -
+ name: Set up certs
+ uses: actions/github-script@v6
+ with:
+ script: |
+ const fs = require('fs');
+ const homedir = require('os').homedir();
+ fs.mkdirSync(`${homedir}/.certs/${{ inputs.name }}`, { recursive: true });
+ fs.writeFileSync(`${homedir}/.certs/${{ inputs.name }}/ca.pem`, process.env.BUILDKIT_CACERT);
+ fs.writeFileSync(`${homedir}/.certs/${{ inputs.name }}/cert.pem`, process.env.BUILDKIT_CERT);
+ fs.writeFileSync(`${homedir}/.certs/${{ inputs.name }}/key.pem`, process.env.BUILDKIT_KEY);
+ env:
+ BUILDKIT_CACERT: ${{ inputs.cacert }}
+ BUILDKIT_CERT: ${{ inputs.ca }}
+ BUILDKIT_KEY: ${{ inputs.key }}
+ -
+ name: Set up remote builder
+ shell: bash
+ run: |
+ docker buildx create --bootstrap --append \
+ --name ${{ inputs.builder_name }} \
+ --node ${{ inputs.name }} \
+ --driver remote \
+ --driver-opt cacert=$HOME/.certs/${{ inputs.name }}/ca.pem,cert=$HOME/.certs/${{ inputs.name }}/cert.pem,key=$HOME/.certs/${{ inputs.name }}/key.pem \
+ --platform "${{ inputs.platforms }}" \
+ ${{ inputs.endpoint }}
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 6b660a3e..5df2b7ee 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -10,6 +10,9 @@ on:
 - 'main'
 pull_request:
+env:
+ BUILDER_NAME: remote-builder
+
 jobs:
 validate:
 runs-on: ubuntu-20.04
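Review bot: The client key is written by `fs.writeFileSync(`${homedir}/.certs/${{ inputs.name }}/key.pem`, process.env.BUILDKIT_KEY)` with Node's default file mode (0o666 before umask, so typically world-readable), which leaves the remote builder's private key readable by any other process or user on the runner for the rest of the job; pass `{ mode: 0o600 }` on the three writes and `mode: 0o700` on the mkdirSync, as in the excerpt below. The same step splices `${{ inputs.name }}` directly into a JS template literal, and the shell step splices `${{ inputs.builder_name }}`, `${{ inputs.name }}` and `${{ inputs.endpoint }}` unquoted into `run:`; today the caller passes literals and secrets, but routing them through `env:` and quoting them (`"$NODE_NAME"`) is the pattern GitHub documents for composite actions and costs nothing. Minor: the input named `ca` is described as 'Cert' and feeds `BUILDKIT_CERT`, which is easy to misread next to `cacert`; `description: 'Client certificate (PEM)'`, or renaming it `cert`, would make the contract clearer.
```yaml
      with:
        script: |
          const fs = require('fs');
          const dir = `${require('os').homedir()}/.certs/${process.env.NODE_NAME}`;
          fs.mkdirSync(dir, { recursive: true, mode: 0o700 });
          fs.writeFileSync(`${dir}/ca.pem`, process.env.BUILDKIT_CACERT, { mode: 0o600 });
          fs.writeFileSync(`${dir}/cert.pem`, process.env.BUILDKIT_CERT, { mode: 0o600 });
          fs.writeFileSync(`${dir}/key.pem`, process.env.BUILDKIT_KEY, { mode: 0o600 });
      env:
        NODE_NAME: ${{ inputs.name }}
        # … unchanged: BUILDKIT_CACERT / BUILDKIT_CERT / BUILDKIT_KEY …
```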
@@ -49,7 +52,42 @@ jobs:
 uses: docker/setup-qemu-action@v2
 -
 name: Set up Docker Buildx
+ id: builder
 uses: docker/setup-buildx-action@v2
+ -
+ # necessary to be able to append remote builders
+ name: Set up container builder as remote
+ run: |
+ docker buildx create --use \
+ --name ${{ env.BUILDER_NAME }} \
+ --driver remote \
+ docker-container://buildx_buildkit_${{ steps.builder.outputs.name }}0
+ -
+ name: Set up AWS Graviton2 remote builder
+ uses: ./.github/actions/setup-remote-builder
+ with:
+ name: aws_graviton2
+ builder_name: ${{ env.BUILDER_NAME }}
+ endpoint: tcp://${{ secrets.AWS_ARM64_HOST }}:1234
+ cacert: ${{ secrets.AWS_ARM64_CACERT }}
+ ca: ${{ secrets.AWS_ARM64_CERT }}
+ key: ${{ secrets.AWS_ARM64_KEY }}
+ platforms: darwin/arm64,linux/arm64,linux/arm/v5,linux/arm/v6,linux/arm/v7,windows/arm64
+ -
+ name: Set up LinuxONE s390x remote builder
+ uses: ./.github/actions/setup-remote-builder
+ with:
+ name: linuxone_s390x
+ builder_name: ${{ env.BUILDER_NAME }}
+ endpoint: tcp://${{ secrets.LINUXONE_S390X_HOST }}:1234
+ cacert: ${{ secrets.LINUXONE_S390X_CACERT }}
+ ca: ${{ secrets.LINUXONE_S390X_CERT }}
+ key: ${{ secrets.LINUXONE_S390X_KEY }}
+ platforms: linux/s390x
+ -
+ name: List builders
+ run: |
+ docker buildx ls
 -
 # necessary to use gha cache export
 name: Expose GitHub Runtime
@@ -64,6 +102,12 @@ jobs:
 name: List artifacts
 run: |
 tree -nh ./pkg/${{ matrix.name }}/bin
+ -
+ name: Cleanup
+ if: always()
+ run: |
+ docker buildx rm ${{ env.BUILDER_NAME }}
+ rm -rf ~/.certs
 # FIXME: Uncomment when repo made public
 # -
 # name: Upload artifacts
From 439b42111fb6a9ae9fb9428eead434a99de0fc3b Mon Sep 17 00:00:00 2001
From: CrazyMax
Date: Fri, 16 Sep 2022 15:25:35 +0200
Subject: [PATCH 2/3] pkgs(buildx,compose): fix nfpm support for s390x arch
Signed-off-by: CrazyMax
---
pkg/buildx/Dockerfile | 12 ++++++++----
pkg/compose/Dockerfile | 12 ++++++++----
2 files changed, 16 insertions(+), 8 deletions(-)
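Review bot: The endpoint `docker-container://buildx_buildkit_${{ steps.builder.outputs.name }}0` in the `Set up container builder as remote` step depends on the container name the docker-container driver happens to give its first node (builder name plus index `0`); that name is not an output of setup-buildx-action as far as this hunk shows, so a change in the driver's naming would surface only as a connection failure on `docker buildx create`. A comment recording the assumption, e.g. `# the docker-container driver names its node container buildx_buildkit_<builder><index>; <index> is 0 for the builder created above`, would make that failure diagnosable. Presumably the container must already be running for the remote driver to connect; if setup-buildx-action does not bootstrap it, `docker buildx inspect --bootstrap ${{ steps.builder.outputs.name }}` before the create would make the ordering explicit.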
diff --git a/pkg/buildx/Dockerfile b/pkg/buildx/Dockerfile index 22b66337..fc374425 100644 --- a/pkg/buildx/Dockerfile +++ b/pkg/buildx/Dockerfile @@ -15,7 +15,7 @@ # limitations under the License. ARG ALPINE_VERSION="3.16" -ARG NFPM_VERSION="2.15.1" +ARG NFPM_VERSION="v2.15.1" ARG XX_VERSION="1.1.2" ARG MODE="download" @@ -28,8 +28,12 @@ ARG PKG_SUITE="bullseye" # cross compilation helper FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx -# nFPM is Not FPM - a simple deb, rpm and apk packager -FROM --platform=$BUILDPLATFORM goreleaser/nfpm:v${NFPM_VERSION} AS nfpm +# nFPM +FROM --platform=$BUILDPLATFORM golang:1.18-alpine AS nfpm +RUN apk add --no-cache git +ARG GO111MODULE="on" +ARG NFPM_VERSION +RUN go install github.com/goreleaser/nfpm/v2/cmd/nfpm@${NFPM_VERSION} FROM --platform=$BUILDPLATFORM alpine:${ALPINE_VERSION} AS base COPY --from=xx / / @@ -83,7 +87,7 @@ ARG TARGETPLATFORM RUN --mount=type=bind,source=internal/pkg-build.sh,target=/usr/local/bin/pkg-build \ --mount=type=bind,source=internal/nfpm.yml,target=nfpm.yml \ --mount=type=bind,from=src,source=/src,target=/src \ - --mount=type=bind,from=nfpm,source=/usr/bin/nfpm,target=/usr/bin/nfpm < Date: Mon, 19 Sep 2022 11:42:10 +0200 Subject: [PATCH 3/3] ci: use append input (edge) Signed-off-by: CrazyMax --- .../actions/setup-remote-builder/action.yml | 55 ---------------- .github/workflows/build.yml | 63 +++++++------------ 2 files changed, 24 insertions(+), 94 deletions(-) delete mode 100644 .github/actions/setup-remote-builder/action.yml diff --git a/.github/actions/setup-remote-builder/action.yml b/.github/actions/setup-remote-builder/action.yml deleted file mode 100644 index 2310bd31..00000000 --- a/.github/actions/setup-remote-builder/action.yml +++ /dev/null 
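Review bot: `FROM --platform=$BUILDPLATFORM golang:1.18-alpine AS nfpm` brings a floating image tag into a file that pins every other tool through an ARG (`ALPINE_VERSION`, `XX_VERSION`, `NFPM_VERSION`), so the toolchain that builds nfpm can change underneath the package build without any diff; an `ARG GO_VERSION="1.18"` beside the others and `golang:${GO_VERSION}-alpine` keeps the pin discipline. The new comment `# nFPM` drops the one-line description the removed line had and says nothing about why the prebuilt `goreleaser/nfpm` image was replaced by `go install`; from the commit subject that is presumably s390x support, and `# nFPM is built from source because the goreleaser/nfpm image has no s390x variant` would preserve the reason for the next reader. `go install module@version` resolves through the module proxy and is checked against the checksum database by default, which is a sound posture for a tag pin; the added `apk add --no-cache git` looks unnecessary for a proxy fetch, though it may be needed if the build environment sets GOPROXY=direct. The third hunk of this file is cut off in this view and is not reviewed.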
@@ -1,55 +0,0 @@
-name: 'Setup remote builder'
-description: 'Composite action to set up BuildKit remote builder'
-
-inputs:
- name:
- description: 'Node name'
- required: true
- builder_name:
- description: 'Builder name to append to'
- required: true
- endpoint:
- description: 'Host'
- required: true
- cacert:
- description: 'CA Cert'
- required: true
- ca:
- description: 'Cert'
- required: true
- key:
- description: 'Key'
- required: true
- platforms:
- description: 'Preferred platforms'
- required: false
-
-runs:
- using: composite
- steps:
- -
- name: Set up certs
- uses: actions/github-script@v6
- with:
- script: |
- const fs = require('fs');
- const homedir = require('os').homedir();
- fs.mkdirSync(`${homedir}/.certs/${{ inputs.name }}`, { recursive: true });
- fs.writeFileSync(`${homedir}/.certs/${{ inputs.name }}/ca.pem`, process.env.BUILDKIT_CACERT);
- fs.writeFileSync(`${homedir}/.certs/${{ inputs.name }}/cert.pem`, process.env.BUILDKIT_CERT);
- fs.writeFileSync(`${homedir}/.certs/${{ inputs.name }}/key.pem`, process.env.BUILDKIT_KEY);
- env:
- BUILDKIT_CACERT: ${{ inputs.cacert }}
- BUILDKIT_CERT: ${{ inputs.ca }}
- BUILDKIT_KEY: ${{ inputs.key }}
- -
- name: Set up remote builder
- shell: bash
- run: |
- docker buildx create --bootstrap --append \
- --name ${{ inputs.builder_name }} \
- --node ${{ inputs.name }} \
- --driver remote \
- --driver-opt cacert=$HOME/.certs/${{ inputs.name }}/ca.pem,cert=$HOME/.certs/${{ inputs.name }}/cert.pem,key=$HOME/.certs/${{ inputs.name }}/key.pem \
- --platform "${{ inputs.platforms }}" \
- ${{ inputs.endpoint }}
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 5df2b7ee..b4704622 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -51,43 +51,30 @@ jobs:
 name: Set up QEMU
 uses: docker/setup-qemu-action@v2
 -
- name: Set up Docker Buildx
+ name: Set up BuildKit container
 id: builder
 uses: docker/setup-buildx-action@v2
 -
- # necessary to be able to append remote builders
- name: Set up container builder as remote
- run: |
- docker buildx create --use \
- --name ${{ env.BUILDER_NAME }} \
- --driver remote \
- docker-container://buildx_buildkit_${{ steps.builder.outputs.name }}0
- -
- name: Set up AWS Graviton2 remote builder
- uses: ./.github/actions/setup-remote-builder
- with:
- name: aws_graviton2
- builder_name: ${{ env.BUILDER_NAME }}
- endpoint: tcp://${{ secrets.AWS_ARM64_HOST }}:1234
- cacert: ${{ secrets.AWS_ARM64_CACERT }}
- ca: ${{ secrets.AWS_ARM64_CERT }}
- key: ${{ secrets.AWS_ARM64_KEY }}
- platforms: darwin/arm64,linux/arm64,linux/arm/v5,linux/arm/v6,linux/arm/v7,windows/arm64
- -
- name: Set up LinuxONE s390x remote builder
- uses: ./.github/actions/setup-remote-builder
+ name: Set up Docker Buildx
+ # FIXME: use docker/setup-buildx-action@v2 when https://github.com/docker/setup-buildx-action/pull/165 merged
+ uses: crazy-max/docker-setup-buildx-action@append
 with:
- name: linuxone_s390x
- builder_name: ${{ env.BUILDER_NAME }}
- endpoint: tcp://${{ secrets.LINUXONE_S390X_HOST }}:1234
- cacert: ${{ secrets.LINUXONE_S390X_CACERT }}
- ca: ${{ secrets.LINUXONE_S390X_CERT }}
- key: ${{ secrets.LINUXONE_S390X_KEY }}
- platforms: linux/s390x
- -
- name: List builders
- run: |
- docker buildx ls
+ driver: remote
+ endpoint: docker-container://buildx_buildkit_${{ steps.builder.outputs.name }}0
+ append: |
+ - name: aws_graviton2
+ endpoint: tcp://${{ secrets.AWS_ARM64_HOST }}:1234
+ platforms: darwin/arm64,linux/arm64,linux/arm/v5,linux/arm/v6,linux/arm/v7,windows/arm64
+ - name: linuxone_s390x
+ endpoint: tcp://${{ secrets.LINUXONE_S390X_HOST }}:1234
+ platforms: linux/s390x
+ env:
+ BUILDER_NODE_1_AUTH_TLS_CACERT: ${{ secrets.AWS_ARM64_CACERT }}
+ BUILDER_NODE_1_AUTH_TLS_CERT: ${{ secrets.AWS_ARM64_CERT }}
+ BUILDER_NODE_1_AUTH_TLS_KEY: ${{ secrets.AWS_ARM64_KEY }}
+ BUILDER_NODE_2_AUTH_TLS_CACERT: ${{ secrets.LINUXONE_S390X_CACERT }}
+ BUILDER_NODE_2_AUTH_TLS_CERT: ${{ secrets.LINUXONE_S390X_CERT }}
+ BUILDER_NODE_2_AUTH_TLS_KEY: ${{ secrets.LINUXONE_S390X_KEY }}
 -
 # necessary to use gha cache export
 name: Expose GitHub Runtime
@@ -102,12 +89,10 @@ jobs:
 name: List artifacts
 run: |
 tree -nh ./pkg/${{ matrix.name }}/bin
- -
- name: Cleanup
- if: always()
- run: |
- docker buildx rm ${{ env.BUILDER_NAME }}
- rm -rf ~/.certs
+
+
+
+
 # FIXME: Uncomment when repo made public
 # -
 # name: Upload artifacts
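Review bot: `uses: crazy-max/docker-setup-buildx-action@append` references a fork by a mutable branch name, and the step receives the remote builders' client private keys through `BUILDER_NODE_1_AUTH_TLS_KEY` and `BUILDER_NODE_2_AUTH_TLS_KEY`, so whatever is pushed to that branch later runs in this job with those secrets. Even as a stopgap while docker/setup-buildx-action#165 is pending, pinning to the fork's full commit SHA (`uses: crazy-max/docker-setup-buildx-action@<commit-sha>  # append`) bounds what the job executes, and the FIXME should then name the pinned SHA to be replaced. The `append:` block scalar embeds `${{ secrets.AWS_ARM64_HOST }}` and `${{ secrets.LINUXONE_S390X_HOST }}` in YAML that the action parses later; a host value containing `: ` or ` #` would change the structure of that inner document rather than fail cleanly, though how the action parses it is not visible here.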
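Review bot: The removed `Cleanup` step is replaced by four empty added lines between `tree -nh ./pkg/${{ matrix.name }}/bin` and the `# FIXME: Uncomment when repo made public` comment, which yamllint's `empty-lines` rule rejects and which read as an editing leftover; delete them. With that step gone the job no longer has an explicit `if: always()` teardown of the builder or of the on-disk TLS material; if the replacement action's post step removes the builder it created, as docker/setup-buildx-action does for its own, that is fine, but a one-line comment on the `Set up Docker Buildx` step saying so (`# builder and node TLS files are removed by the action's post step`) would record where cleanup now happens, since nothing in the workflow shows it.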