ci: use docker github builder to build bin image and binaries

.github/workflows/build.yml

@@ -346,129 +346,111 @@ jobs:
         with:
           sarif_file: ${{ env.DESTDIR }}/govulncheck.out
 
-  prepare-binaries:
+  binaries:
+    uses: docker/github-builder-experimental/.github/workflows/bake.yml@af87571fd3347a8a760e6053efba57325c00b74b
+    permissions:
+      contents: read # same as global permission
+      id-token: write # for signing attestation(s) with GitHub OIDC Token
+    with:
+      runner: amd64
+      artifact-name: buildx
+      artifact-upload: true
+      target: release
+      output: local
+      sbom: true
+      sign: ${{ github.event_name != 'pull_request' }}
+
+  binaries-finalize:
     runs-on: ubuntu-24.04
-    outputs:
-      matrix: ${{ steps.platforms.outputs.matrix }}
+    needs:
+      - binaries
     steps:
       -
-        name: Checkout
-        uses: actions/checkout@v6
+        name: Download artifacts
+        uses: actions/download-artifact@v6
+        with:
+          path: /tmp/buildx-output
+          name: ${{ needs.binaries.outputs.artifact-name }}
       -
-        name: Create matrix
-        id: platforms
+        name: Rename provenance and sbom
         run: |
-          echo "matrix=$(docker buildx bake binaries-cross --print | jq -cr '.target."binaries-cross".platforms')" >>${GITHUB_OUTPUT}
+          for pdir in /tmp/buildx-output/*/; do
+            (
+              cd "$pdir"
+              binname=$(find . -name 'buildx-*')
+              filename=$(basename "${binname%.exe}")
+              mv "provenance.json" "${filename}.provenance.json"
+              mv "sbom-binaries.spdx.json" "${filename}.sbom.json"
+              find . -name 'sbom*.json' -exec rm {} \;
+              if [ -f "provenance.sigstore.json" ]; then
+                mv "provenance.sigstore.json" "${filename}.sigstore.json"
+              fi
+            )
+          done
+          mkdir -p "${{ env.DESTDIR }}"
+          mv /tmp/buildx-output/**/* "${{ env.DESTDIR }}/"
       -
-        name: Show matrix
+        name: Create checksums
+        working-directory: ${{ env.DESTDIR }}
         run: |
-          echo ${{ steps.platforms.outputs.matrix }}
-
-  binaries:
-    runs-on: ubuntu-24.04
-    needs:
-      - prepare-binaries
-    strategy:
-      fail-fast: false
-      matrix:
-        platform: ${{ fromJson(needs.prepare-binaries.outputs.matrix) }}
-    steps:
+          sha256sum -b buildx-* > ./checksums.txt
+          sed -i '/darwin/d' ./checksums.txt
+          sha256sum -c --strict checksums.txt
       -
-        name: Prepare
+        name: List artifacts
+        working-directory: ${{ env.DESTDIR }}
         run: |
-          platform=${{ matrix.platform }}
-          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
+          tree -nh .
       -
-        name: Checkout
-        uses: actions/checkout@v6
-      -
-        name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-        with:
-          version: ${{ env.SETUP_BUILDX_VERSION }}
-          driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
-          buildkitd-flags: --debug
-      -
-        name: Build
+        name: Check artifacts
+        working-directory: ${{ env.DESTDIR }}
         run: |
-          make release
-        env:
-          PLATFORMS: ${{ matrix.platform }}
-          CACHE_FROM: type=gha,scope=binaries-${{ env.PLATFORM_PAIR }}
-          CACHE_TO: type=gha,scope=binaries-${{ env.PLATFORM_PAIR }},mode=max
+          find . -type f -exec file -e ascii -- {} +
       -
-        name: Upload artifacts
+        name: Upload release binaries
         uses: actions/upload-artifact@v6
         with:
-          name: buildx-${{ env.PLATFORM_PAIR }}
+          name: release
           path: ${{ env.DESTDIR }}/*
           if-no-files-found: error
 
-  bin-image:
+  bin-image-prepare:
     runs-on: ubuntu-24.04
+    outputs:
+      repo-slug: ${{ env.REPO_SLUG }}
+    steps:
+      # FIXME: can't use env object in reusable workflow inputs: https://github.com/orgs/community/discussions/26671
+      - run: echo "Exposing env vars for reusable workflow"
+
+  bin-image:
+    if: ${{ github.repository == 'docker/buildx' }}
+    uses: docker/github-builder-experimental/.github/workflows/bake.yml@af87571fd3347a8a760e6053efba57325c00b74b
     needs:
+      - bin-image-prepare
       - test-integration
       - test-unit
-    if: ${{ github.event_name != 'pull_request' && github.repository == 'docker/buildx' }}
-    steps:
-      -
-        name: Free disk space
-        uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
-        with:
-          android: true
-          dotnet: true
-          haskell: true
-          large-packages: true
-          swap-storage: true
-      -
-        name: Checkout
-        uses: actions/checkout@v6
-      -
-        name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-        with:
-          version: ${{ env.SETUP_BUILDX_VERSION }}
-          driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
-          buildkitd-flags: --debug
-      -
-        name: Docker meta
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          images: |
-            ${{ env.REPO_SLUG }}
-          tags: |
-            type=ref,event=branch
-            type=ref,event=pr
-            type=semver,pattern={{version}}
-          bake-target: meta-helper
-      -
-        name: Login to DockerHub
-        if: github.event_name != 'pull_request'
-        uses: docker/login-action@v3
-        with:
+    permissions:
+      contents: read # same as global permission
+      id-token: write # for signing attestation(s) with GitHub OIDC Token
+    with:
+      runner: amd64
+      target: image-cross
+      output: image
+      push: ${{ github.event_name != 'pull_request' }}
+      sbom: true
+      set-meta-labels: true
+      meta-images: |
+        ${{ needs.bin-image-prepare.outputs.repo-slug }}
+      meta-tags: |
+        type=ref,event=branch
+        type=ref,event=pr
+        type=semver,pattern={{version}}
+      meta-bake-target: meta-helper
+    secrets:
+      registry-auths: |
+        - registry: docker.io
           username: ${{ vars.DOCKERPUBLICBOT_USERNAME }}
           password: ${{ secrets.DOCKERPUBLICBOT_WRITE_PAT }}
-      -
-        name: Build and push image
-        uses: docker/bake-action@v6
-        with:
-          source: .
-          files: |
-            ./docker-bake.hcl
-            ${{ steps.meta.outputs.bake-file }}
-          targets: image-cross
-          push: ${{ github.event_name != 'pull_request' }}
-          sbom: true
-          set: |
-            *.cache-from=type=gha,scope=bin-image
-            *.cache-to=type=gha,scope=bin-image,mode=max
 
   scout:
     runs-on: ubuntu-24.04
@@ -509,29 +491,14 @@ jobs:
     needs:
       - test-integration
       - test-unit
-      - binaries
+      - binaries-finalize
     steps:
       -
-        name: Checkout
-        uses: actions/checkout@v6
-      -
-        name: Download binaries
+        name: Download release binaries
         uses: actions/download-artifact@v7
         with:
           path: ${{ env.DESTDIR }}
-          pattern: buildx-*
-          merge-multiple: true
-      -
-        name: Create checksums
-        run: ./hack/hash-files
-      -
-        name: List artifacts
-        run: |
-          tree -nh ${{ env.DESTDIR }}
-      -
-        name: Check artifacts
-        run: |
-          find ${{ env.DESTDIR }} -type f -exec file -e ascii -- {} +
+          name: release
       -
         name: GitHub Release
         if: startsWith(github.ref, 'refs/tags/v')

Makefile

@@ -30,10 +30,6 @@ install: binaries
 	mkdir -p ~/.docker/cli-plugins
 	install bin/build/buildx ~/.docker/cli-plugins/docker-buildx
 
-.PHONY: release
-release:
-	./hack/release
-
 .PHONY: validate-all
 validate-all: lint test validate-vendor validate-docs