docker · tonistiigi · Dec 16, 2022 · Dec 15, 2022 · Dec 15, 2022 · Dec 16, 2022
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -21,6 +21,8 @@ on:
       - 'docs/**'
 
 env:
+  BUILDX_VERSION: "v0.10.0-rc1"
+  BUILDKIT_IMAGE: "moby/buildkit:v0.11.0-rc3"
   REPO_SLUG: "docker/buildx-bin"
   DESTDIR: "./bin"
 
@@ -35,7 +37,9 @@ jobs:
         name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v2
         with:
-          version: latest
+          version: ${{ env.BUILDX_VERSION }}
+          driver-opts: image=${{ env.BUILDKIT_IMAGE }}
+          buildkitd-flags: --debug
       -
         name: Test
         uses: docker/bake-action@v2
@@ -92,22 +96,23 @@ jobs:
         name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v2
         with:
-          version: latest
+          version: ${{ env.BUILDX_VERSION }}
+          driver-opts: image=${{ env.BUILDKIT_IMAGE }}
+          buildkitd-flags: --debug
       -
         name: Build
-        uses: docker/bake-action@v2
-        with:
-          targets: release
-          set: |
-            *.platform=${{ matrix.platform }}
-            *.cache-from=type=gha,scope=binaries-${{ env.PLATFORM_PAIR }}
-            *.cache-to=type=gha,scope=binaries-${{ env.PLATFORM_PAIR }},mode=max
+        run: |
+          make release
+        env:
+          PLATFORMS: ${{ matrix.platform }}
+          CACHE_FROM: type=gha,scope=binaries-${{ env.PLATFORM_PAIR }}
+          CACHE_TO: type=gha,scope=binaries-${{ env.PLATFORM_PAIR }},mode=max
       -
         name: Upload artifacts
         uses: actions/upload-artifact@v3
         with:
           name: buildx
-          path: ${{ env.DESTDIR }}/release/*
+          path: ${{ env.DESTDIR }}/*
           if-no-files-found: error
 
   bin-image:
@@ -124,7 +129,9 @@ jobs:
         name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v2
         with:
-          version: latest
+          version: ${{ env.BUILDX_VERSION }}
+          driver-opts: image=${{ env.BUILDKIT_IMAGE }}
+          buildkitd-flags: --debug
       -
         name: Docker meta
         id: meta
@@ -156,6 +163,8 @@ jobs:
           set: |
             *.cache-from=type=gha,scope=bin-image
             *.cache-to=type=gha,scope=bin-image,mode=max
+            *.attest=type=sbom
+            *.attest=type=provenance,mode=max,builder-id=https://github.com/${{ env.GITHUB_REPOSITORY }}/actions/runs/${{ env.GITHUB_RUN_ID }}
 
   release:
     runs-on: ubuntu-latest
@@ -206,7 +215,7 @@ jobs:
         name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v2
         with:
-          version: latest
+          version: ${{ env.BUILDX_VERSION }}
           driver-opts: image=moby/buildkit:master
           buildkitd-flags: --debug
       -

diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-# syntax=docker/dockerfile:1.4
+# syntax=docker/dockerfile-upstream:master
 
 ARG GO_VERSION=1.19
 ARG XX_VERSION=1.1.2
@@ -58,6 +58,8 @@ FROM scratch AS binaries-windows
 COPY --link --from=buildx-build /usr/bin/docker-buildx /buildx.exe
 
 FROM binaries-$TARGETOS AS binaries
+# enable scanning for this stage
+ARG BUILDKIT_SBOM_SCAN_STAGE=true
 
 # Release
 FROM --platform=$BUILDPLATFORM alpine AS releaser

diff --git a/hack/release b/hack/release
@@ -2,27 +2,56 @@
 
 set -eu -o pipefail
 
+: "${GITHUB_ACTIONS=}"
+: "${GITHUB_REPOSITORY=}"
+: "${GITHUB_RUN_ID=}"
+
 : "${BUILDX_CMD=docker buildx}"
 : "${DESTDIR=./bin/release}"
 : "${CACHE_FROM=}"
 : "${CACHE_TO=}"
+: "${PLATFORMS=}"
 
 if [ -n "$CACHE_FROM" ]; then
   for cfrom in $CACHE_FROM; do
-    cacheFlags+=(--set "*.cache-from=$cfrom")
+    setFlags+=(--set "*.cache-from=$cfrom")
   done
 fi
 if [ -n "$CACHE_TO" ]; then
   for cto in $CACHE_TO; do
-    cacheFlags+=(--set "*.cache-to=$cto")
+    setFlags+=(--set "*.cache-to=$cto")
   done
 fi
+if [ -n "$PLATFORMS" ]; then
+  setFlags+=(--set "*.platform=$PLATFORMS")
+fi
+if ${BUILDX_CMD} build --help 2>&1 | grep -- '--attest' >/dev/null; then
+  prvattrs="mode=max"
+  if [ "$GITHUB_ACTIONS" = "true" ]; then
+    prvattrs="$prvattrs,builder-id=https://github.com/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}"
+  fi
+  setFlags+=(--set "*.attest=type=sbom")
+  setFlags+=(--set "*.attest=type=provenance,$prvattrs")
+fi
+
+output=$(mktemp -d -t buildx-output.XXXXXXXXXX)
 
-# release
-(set -x ; ${BUILDX_CMD} bake "${cacheFlags[@]}" --set "*.output=$DESTDIR" release)
+(
+  set -x
+  ${BUILDX_CMD} bake "${setFlags[@]}" --set "*.args.BUILDKIT_MULTI_PLATFORM=true" --set "*.output=$output" release
+)
 
-# wrap binaries
-mv -f ./${DESTDIR}/**/* ./${DESTDIR}/
-find ./${DESTDIR} -type d -empty -delete
+for pdir in "${output}"/*/; do
+  (
+    cd "$pdir"
+    binname=$(find . -name 'buildx-*')
+    filename=$(basename "${binname%.exe}")
+    mv "provenance.json" "${filename}.provenance.json"
+    mv "sbom-binaries.spdx.json" "${filename}.sbom.json"
+    find . -name 'sbom*.json' -exec rm {} \;
+  )
+done
 
-source ./hack/hash-files
+mkdir -p "$DESTDIR"
+mv "$output"/**/* "$DESTDIR/"
+rm -rf "$output"