diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index c3af7f413e8f..3b6705bed73b 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -346,129 +346,111 @@ jobs: with: sarif_file: ${{ env.DESTDIR }}/govulncheck.out - prepare-binaries: + binaries: + uses: docker/github-builder-experimental/.github/workflows/bake.yml@af87571fd3347a8a760e6053efba57325c00b74b + permissions: + contents: read # same as global permission + id-token: write # for signing attestation(s) with GitHub OIDC Token + with: + runner: amd64 + artifact-name: buildx + artifact-upload: true + target: release + output: local + sbom: true + sign: ${{ github.event_name != 'pull_request' }} + + binaries-finalize: runs-on: ubuntu-24.04 - outputs: - matrix: ${{ steps.platforms.outputs.matrix }} + needs: + - binaries steps: - - name: Checkout - uses: actions/checkout@v6 + name: Download artifacts + uses: actions/download-artifact@v6 + with: + path: /tmp/buildx-output + name: ${{ needs.binaries.outputs.artifact-name }} - - name: Create matrix - id: platforms + name: Rename provenance and sbom run: | - echo "matrix=$(docker buildx bake binaries-cross --print | jq -cr '.target."binaries-cross".platforms')" >>${GITHUB_OUTPUT} + for pdir in /tmp/buildx-output/*/; do + ( + cd "$pdir" + binname=$(find . -name 'buildx-*') + filename=$(basename "${binname%.exe}") + mv "provenance.json" "$(unknown).provenance.json" + mv "sbom-binaries.spdx.json" "$(unknown).sbom.json" + find . 
-name 'sbom*.json' -exec rm {} \; + if [ -f "provenance.sigstore.json" ]; then + mv "provenance.sigstore.json" "$(unknown).sigstore.json" + fi + ) + done + mkdir -p "${{ env.DESTDIR }}" + mv /tmp/buildx-output/**/* "${{ env.DESTDIR }}/" - - name: Show matrix + name: Create checksums + working-directory: ${{ env.DESTDIR }} run: | - echo ${{ steps.platforms.outputs.matrix }} - - binaries: - runs-on: ubuntu-24.04 - needs: - - prepare-binaries - strategy: - fail-fast: false - matrix: - platform: ${{ fromJson(needs.prepare-binaries.outputs.matrix) }} - steps: + sha256sum -b buildx-* > ./checksums.txt + sed -i '/darwin/d' ./checksums.txt + sha256sum -c --strict checksums.txt - - name: Prepare + name: List artifacts + working-directory: ${{ env.DESTDIR }} run: | - platform=${{ matrix.platform }} - echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV + tree -nh . - - name: Checkout - uses: actions/checkout@v6 - - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - with: - version: ${{ env.SETUP_BUILDX_VERSION }} - driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }} - buildkitd-flags: --debug - - - name: Build + name: Check artifacts + working-directory: ${{ env.DESTDIR }} run: | - make release - env: - PLATFORMS: ${{ matrix.platform }} - CACHE_FROM: type=gha,scope=binaries-${{ env.PLATFORM_PAIR }} - CACHE_TO: type=gha,scope=binaries-${{ env.PLATFORM_PAIR }},mode=max + find . 
-type f -exec file -e ascii -- {} + - - name: Upload artifacts + name: Upload release binaries uses: actions/upload-artifact@v6 with: - name: buildx-${{ env.PLATFORM_PAIR }} + name: release path: ${{ env.DESTDIR }}/* if-no-files-found: error - bin-image: + bin-image-prepare: runs-on: ubuntu-24.04 + outputs: + repo-slug: ${{ env.REPO_SLUG }} + steps: + # FIXME: can't use env object in reusable workflow inputs: https://github.com/orgs/community/discussions/26671 + - run: echo "Exposing env vars for reusable workflow" + + bin-image: + if: ${{ github.repository == 'docker/buildx' }} + uses: docker/github-builder-experimental/.github/workflows/bake.yml@af87571fd3347a8a760e6053efba57325c00b74b needs: + - bin-image-prepare - test-integration - test-unit - if: ${{ github.event_name != 'pull_request' && github.repository == 'docker/buildx' }} - steps: - - - name: Free disk space - uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1 - with: - android: true - dotnet: true - haskell: true - large-packages: true - swap-storage: true - - - name: Checkout - uses: actions/checkout@v6 - - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - with: - version: ${{ env.SETUP_BUILDX_VERSION }} - driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }} - buildkitd-flags: --debug - - - name: Docker meta - id: meta - uses: docker/metadata-action@v5 - with: - images: | - ${{ env.REPO_SLUG }} - tags: | - type=ref,event=branch - type=ref,event=pr - type=semver,pattern={{version}} - bake-target: meta-helper - - - name: Login to DockerHub - if: github.event_name != 'pull_request' - uses: docker/login-action@v3 - with: + permissions: + contents: read # same as global permission + id-token: write # for signing attestation(s) with GitHub OIDC Token + with: + runner: amd64 + target: image-cross + output: image + push: ${{ github.event_name != 'pull_request' }} + sbom: true + set-meta-labels: true + 
meta-images: | + ${{ needs.bin-image-prepare.outputs.repo-slug }} + meta-tags: | + type=ref,event=branch + type=ref,event=pr + type=semver,pattern={{version}} + meta-bake-target: meta-helper + secrets: + registry-auths: | + - registry: docker.io username: ${{ vars.DOCKERPUBLICBOT_USERNAME }} password: ${{ secrets.DOCKERPUBLICBOT_WRITE_PAT }} - - - name: Build and push image - uses: docker/bake-action@v6 - with: - source: . - files: | - ./docker-bake.hcl - ${{ steps.meta.outputs.bake-file }} - targets: image-cross - push: ${{ github.event_name != 'pull_request' }} - sbom: true - set: | - *.cache-from=type=gha,scope=bin-image - *.cache-to=type=gha,scope=bin-image,mode=max scout: runs-on: ubuntu-24.04 @@ -509,29 +491,14 @@ jobs: needs: - test-integration - test-unit - - binaries + - binaries-finalize steps: - - name: Checkout - uses: actions/checkout@v6 - - - name: Download binaries + name: Download release binaries uses: actions/download-artifact@v7 with: path: ${{ env.DESTDIR }} - pattern: buildx-* - merge-multiple: true - - - name: Create checksums - run: ./hack/hash-files - - - name: List artifacts - run: | - tree -nh ${{ env.DESTDIR }} - - - name: Check artifacts - run: | - find ${{ env.DESTDIR }} -type f -exec file -e ascii -- {} + + name: release - name: GitHub Release if: startsWith(github.ref, 'refs/tags/v') diff --git a/Makefile b/Makefile index bfd36db5ed20..8a1aeed262c8 100644 --- a/Makefile +++ b/Makefile @@ -30,10 +30,6 @@ install: binaries mkdir -p ~/.docker/cli-plugins install bin/build/buildx ~/.docker/cli-plugins/docker-buildx -.PHONY: release -release: - ./hack/release - .PHONY: validate-all validate-all: lint test validate-vendor validate-docs diff --git a/hack/hash-files b/hack/hash-files deleted file mode 100755 index 09832e97ff6f..000000000000 --- a/hack/hash-files +++ /dev/null 
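Review bot: The `bin-image` job now runs on pull_request events (its new `if:` keeps only the `github.repository == 'docker/buildx'` check) while `registry-auths` still hands `secrets.DOCKERPUBLICBOT_WRITE_PAT` to the reusable workflow unconditionally; before this change the job was skipped on PRs and the `Login to DockerHub` step carried its own `if: github.event_name != 'pull_request'`. Whether bake.yml skips registry login when `push` is false is not visible here, so the write PAT should be withheld on the caller's side for runs that never push, e.g. `password: ${{ github.event_name != 'pull_request' && secrets.DOCKERPUBLICBOT_WRITE_PAT || '' }}`, or the whole `registry-auths` value gated the same way. Separately, the file's own convention for SHA pins annotates the commit with a version comment (`jlumbroso/free-disk-space@54081f… # v1.3.1`, removed in this hunk), and both new `uses: docker/github-builder-experimental/.github/workflows/bake.yml@af87571f…` lines omit it, which makes it impossible to tell at a glance what is being pulled in. The `jobs:` mapping this hunk edits continues past the hunk on both sides.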
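Review bot: After `Download release binaries` the release job no longer inspects what it received: the `Create checksums` and `Check artifacts` steps are removed here and now run in `binaries-finalize` before the artifact is uploaded, so the files attached by `GitHub Release` are whatever came back from the artifact store, unverified. A cheap re-check after the download, `sha256sum -c --strict checksums.txt` with `working-directory: ${{ env.DESTDIR }}`, would reject a corrupted or altered artifact before publication (darwin binaries, which the finalize step strips from checksums.txt, would still be uncovered). The step also stays on `actions/download-artifact@v7` while the new `binaries-finalize` job in the first hunk uses `actions/download-artifact@v6`; the two should agree. The job this hunk edits begins before the hunk.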
@@ -1,17 +0,0 @@
-#!/usr/bin/env bash
-
-set -eu -o pipefail
-
-: "${DESTDIR=./bin/release}"
-
-if [ ! -d "$DESTDIR" ]; then
- exit 0
-fi
-
-# checksums
-(
- cd ${DESTDIR}
- sha256sum -b buildx-* > ./checksums.txt
- sed -i '/darwin/d' ./checksums.txt
- sha256sum -c --strict checksums.txt
-)
diff --git a/hack/release b/hack/release
deleted file mode 100755
index eb257edb700d..000000000000
--- a/hack/release
+++ /dev/null
@@ -1,57 +0,0 @@
-#!/usr/bin/env bash
-
-set -eu -o pipefail
-
-: "${GITHUB_ACTIONS=}"
-: "${GITHUB_REPOSITORY=}"
-: "${GITHUB_RUN_ID=}"
-
-: "${BUILDX_CMD=docker buildx}"
-: "${DESTDIR=./bin/release}"
-: "${CACHE_FROM=}"
-: "${CACHE_TO=}"
-: "${PLATFORMS=}"
-
-if [ -n "$CACHE_FROM" ]; then
- for cfrom in $CACHE_FROM; do
- setFlags+=(--set "*.cache-from=$cfrom")
- done
-fi
-if [ -n "$CACHE_TO" ]; then
- for cto in $CACHE_TO; do
- setFlags+=(--set "*.cache-to=$cto")
- done
-fi
-if [ -n "$PLATFORMS" ]; then
- setFlags+=(--set "*.platform=$PLATFORMS")
-fi
-if ${BUILDX_CMD} build --help 2>&1 | grep -- '--attest' >/dev/null; then
- prvattrs="mode=max"
- if [ "$GITHUB_ACTIONS" = "true" ]; then
- prvattrs="$prvattrs,builder-id=https://github.com/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}"
- fi
- setFlags+=(--set "*.attest=type=sbom")
- setFlags+=(--set "*.attest=type=provenance,$prvattrs")
-fi
-
-output=$(mktemp -d -t buildx-output.XXXXXXXXXX)
-
-(
- set -x
- ${BUILDX_CMD} bake "${setFlags[@]}" --set "*.args.BUILDKIT_MULTI_PLATFORM=true" --set "*.output=$output" release
-)
-
-for pdir in "${output}"/*/; do
- (
- cd "$pdir"
- binname=$(find . -name 'buildx-*')
- filename=$(basename "${binname%.exe}")
- mv "provenance.json" "$(unknown).provenance.json"
- mv "sbom-binaries.spdx.json" "$(unknown).sbom.json"
- find . -name 'sbom*.json' -exec rm {} \;
- )
-done
-
-mkdir -p "$DESTDIR"
-mv "$output"/**/* "$DESTDIR/"
-rm -rf "$output"