diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index fb684a8e5..023c0db27 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -28,7 +28,6 @@ jobs: runs-on: ubuntu-latest outputs: validate-includes: ${{ steps.validate.outputs.matrix }} - artifact-includes: ${{ steps.artifact.outputs.matrix }} steps: - name: Checkout @@ -42,13 +41,6 @@ jobs: fields: platforms env: GOLANGCI_LINT_MULTIPLATFORM: 1 - - - name: Artifact matrix - id: artifact - uses: docker/bake-action/subaction/matrix@v7 - with: - target: artifact-all - fields: platforms validate: runs-on: ubuntu-latest 
@@ -128,62 +120,65 @@ jobs: with: sarif_file: ${{ env.DESTDIR }}/govulncheck.out - artifact: + artifacts: + uses: docker/github-builder/.github/workflows/bake.yml@git-query-fetch-depth + permissions: + contents: read # same as global permission + id-token: write # for signing attestation(s) with GitHub OIDC Token + with: + runner: amd64 + output: local + artifact-name: diun + push: ${{ github.event_name != 'pull_request' }} + sbom: true + target: artifact-all + + artifacts-finalize: runs-on: ubuntu-latest needs: - - prepare - - validate - strategy: - fail-fast: false - matrix: - include: ${{ fromJson(needs.prepare.outputs.artifact-includes) }} + - artifacts steps: - - name: Prepare - run: | - platform=${{ matrix.platforms }} - echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV - - - name: Checkout - uses: actions/checkout@v6 - with: - fetch-depth: 0 - - - name: Set up QEMU - uses: docker/setup-qemu-action@v4 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v4 - - - name: Build - uses: docker/bake-action@v7 + name: Download artifacts + uses: actions/download-artifact@v6 with: - source: . - targets: artifact - provenance: mode=max - sbom: true - pull: true - set: | - *.platform=${{ matrix.platforms }} + path: /tmp/buildx-output + pattern: ${{ needs.artifacts.outputs.artifact-name }}* + merge-multiple: true - name: Rename provenance and sbom - working-directory: ${{ env.DESTDIR }}/artifact run: | - binname=$(find . -name 'diun_*') - filename=$(basename "$binname" | sed -E 's/\.(tar\.gz|zip)$//') - mv "provenance.json" "$(unknown).provenance.json" - mv "sbom-binary.spdx.json" "$(unknown).sbom.json" - find . -name 'sbom*.json' -exec rm {} \; + for pdir in /tmp/buildx-output/*/; do + ( + cd "$pdir" + binname=$(find . -name 'diun_*') + filename=$(basename "$binname" | sed -E 's/\.(tar\.gz|zip)$//') + mv "provenance.json" "$(unknown).provenance.json" + mv "sbom-binary.spdx.json" "$(unknown).sbom.json" + find . 
-name 'sbom*.json' -exec rm {} \; + if [ -f "provenance.sigstore.json" ]; then + mv "provenance.sigstore.json" "$(unknown).provenance.sigstore.json" + fi + ) + done + mkdir -p "${{ env.DESTDIR }}" + mv /tmp/buildx-output/**/* "${{ env.DESTDIR }}/" - name: List artifacts + working-directory: ${{ env.DESTDIR }} run: | - tree -nh ${{ env.DESTDIR }} + tree -nh . - - name: Upload artifact - uses: actions/upload-artifact@v7 + name: Check artifacts + working-directory: ${{ env.DESTDIR }} + run: | + find . -type f -exec file -e ascii -- {} + + - + name: Upload release binaries + uses: actions/upload-artifact@v5 with: - name: diun-${{ env.PLATFORM_PAIR }} - path: ${{ env.DESTDIR }} + name: release + path: ${{ env.DESTDIR }}/* if-no-files-found: error release: @@ -192,23 +187,18 @@ jobs: # required to create GitHub release contents: write needs: - - artifact + - artifacts-finalize - test steps: - name: Checkout uses: actions/checkout@v6 - - name: Download artifacts + name: Download release binaries uses: actions/download-artifact@v8 with: - path: ${{ env.DESTDIR }} - pattern: diun-* - merge-multiple: true - - - name: List artifacts - run: | - tree -nh ${{ env.DESTDIR }} + path: ${{ env.DESTDIR }}/artifact + name: release - name: Set up Docker Buildx uses: docker/setup-buildx-action@v4 @@ -219,6 +209,11 @@ jobs: source: . targets: release provenance: false + - + name: List artifacts + working-directory: ${{ env.DESTDIR }}/release + run: | + tree -nh . - name: GitHub Release uses: softprops/action-gh-release@v2 
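Review bot: The reusable workflow at `uses: docker/github-builder/.github/workflows/bake.yml@git-query-fetch-depth` is pinned to a branch name, so whatever that branch points to at run time executes with this job's `id-token: write` and, in the image hunk (`@@ -230,88`), with the DockerHub and GHCR credentials passed through `registry-auths`; once the referenced change has landed, pin it to an immutable ref, e.g. `uses: docker/github-builder/.github/workflows/bake.yml@<full-commit-sha> # <release-tag>`. The same hunk moves `Upload release binaries` from `actions/upload-artifact@v7` to `@v5` while the release job (`@@ -192,23`) downloads with `actions/download-artifact@v8`; if the older major is not deliberate, keep `@v7`. Separately, `pattern: ${{ needs.artifacts.outputs.artifact-name }}*` degrades to a bare `*` if that output is ever empty, which would pull every artifact of the run into `/tmp/buildx-output`; a guard such as `run: test -n "${{ needs.artifacts.outputs.artifact-name }}"` before the download makes that failure explicit.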
@@ -230,88 +225,52 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - image: + image-prepare: runs-on: ubuntu-latest + outputs: + repo-slugs: | + ${{ env.DOCKERHUB_SLUG }} + ${{ env.GHCR_SLUG }} + steps: + # FIXME: can't use env object in reusable workflow inputs: https://github.com/orgs/community/discussions/26671 + - run: echo "Exposing env vars for reusable workflow" + + image: + uses: docker/github-builder/.github/workflows/bake.yml@git-query-fetch-depth permissions: - # same as global permissions - contents: read - # required to push to GHCR - packages: write + contents: read # same as global permission + id-token: write # for signing attestation(s) with GitHub OIDC Token needs: - - artifact + - image-prepare + - artifacts-finalize - test - steps: - - - name: Checkout - uses: actions/checkout@v6 - with: - fetch-depth: 0 - - - name: Docker meta - id: meta - uses: docker/metadata-action@v6 - with: - images: | - ${{ env.DOCKERHUB_SLUG }} - ${{ env.GHCR_SLUG }} - tags: | - type=semver,pattern={{version}} - type=semver,pattern={{major}}.{{minor}} - type=semver,pattern={{major}} - type=ref,event=pr - type=edge - labels: | - org.opencontainers.image.title=Diun - org.opencontainers.image.description=Docker image update notifier - org.opencontainers.image.vendor=CrazyMax - - - name: Set up QEMU - uses: docker/setup-qemu-action@v4 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v4 - - - name: Login to DockerHub - if: github.event_name != 'pull_request' - uses: docker/login-action@v4 - with: + with: + runner: amd64 + output: image + target: image-all + push: ${{ github.event_name != 'pull_request' }} + sbom: true + set-meta-labels: true + meta-images: | + ${{ needs.image-prepare.outputs.repo-slugs }} + meta-tags: | + type=semver,pattern={{version}} + type=semver,pattern={{major}}.{{minor}} + type=semver,pattern={{major}} + type=ref,event=pr + type=edge + meta-labels: | + org.opencontainers.image.title=Diun + 
org.opencontainers.image.description=Docker image update notifier + org.opencontainers.image.vendor=CrazyMax + secrets: + registry-auths: | + - registry: docker.io username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} - - - name: Login to GHCR - if: github.event_name != 'pull_request' - uses: docker/login-action@v4 - with: - registry: ghcr.io + - registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - - - name: Build - uses: docker/bake-action@v7 - with: - source: . - files: | - ./docker-bake.hcl - ${{ steps.meta.outputs.bake-file }} - targets: image-all - provenance: mode=max - sbom: true - pull: true - push: ${{ github.event_name != 'pull_request' }} - - - name: Check manifest - if: github.event_name != 'pull_request' - run: | - docker buildx imagetools inspect ${{ env.DOCKERHUB_SLUG }}:${{ steps.meta.outputs.version }} - docker buildx imagetools inspect ${{ env.GHCR_SLUG }}:${{ steps.meta.outputs.version }} - - - name: Inspect image - if: github.event_name != 'pull_request' - run: | - docker pull ${{ env.DOCKERHUB_SLUG }}:${{ steps.meta.outputs.version }} - docker image inspect ${{ env.DOCKERHUB_SLUG }}:${{ steps.meta.outputs.version }} - docker pull ${{ env.GHCR_SLUG }}:${{ steps.meta.outputs.version }} - docker image inspect ${{ env.GHCR_SLUG }}:${{ steps.meta.outputs.version }} scout: runs-on: ubuntu-latest diff --git a/Dockerfile b/Dockerfile index 8dbbf847f..d651bc272 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,3 @@ -# syntax=docker/dockerfile:1 - ARG GO_VERSION="1.25" ARG ALPINE_VERSION="3.23" ARG XX_VERSION="1.9.0" @@ -14,14 +12,9 @@ RUN apk add --no-cache file git WORKDIR /src FROM base AS version -ARG GIT_REF RUN --mount=target=. <
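Review bot: The `image` job's new `permissions` block drops `packages: write` (the removed comment said it was `required to push to GHCR`), yet `registry-auths` still authenticates `ghcr.io` with `password: ${{ secrets.GITHUB_TOKEN }}` and `push: ${{ github.event_name != 'pull_request' }}` is kept; a called reusable workflow cannot exceed the caller's token permissions, so the GHCR push on non-PR events will presumably be rejected unless the global workflow permissions were raised outside this diff. Restore `packages: write  # required to push to GHCR` next to `id-token: write`. The hunk also removes the `Check manifest` and `Inspect image` post-push steps without a replacement here; if `bake.yml` does not inspect the pushed manifests itself, the run no longer verifies that `${{ env.DOCKERHUB_SLUG }}` and `${{ env.GHCR_SLUG }}` actually received the tags. Since `image-prepare` exists only to relay `env` into reusable-workflow inputs (per the FIXME), extend that comment with `# keep repo-slugs in sync with DOCKERHUB_SLUG/GHCR_SLUG` so a later edit of one does not silently diverge from the other.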