@@ -50,60 +50,63 @@ jobs:
5050 fields : platforms
5151
5252 binaries :
53+ uses : docker/github-builder-experimental/.github/workflows/bake.yml@7643588149117bf0ca3a906caa3968c70484027a
54+ permissions :
55+ contents : read # same as global permission
56+ id-token : write # for signing attestation(s) with GitHub OIDC Token
57+ with :
58+ runner : amd64
59+ setup-qemu : true
60+ artifact-name : buildkit-binaries
61+ artifact-upload : true
62+ cache : true
63+ cache-scope : binaries
64+ target : release
65+ output : local
66+ sbom : true
67+ sign : ${{ github.event_name != 'pull_request' }}
68+
69+ binaries-finalize :
5370 runs-on : ubuntu-24.04
5471 needs :
55- - prepare
56- strategy :
57- fail-fast : false
58- matrix :
59- include : ${{ fromJson(needs.prepare.outputs.binaries-platforms) }}
72+ - binaries
6073 steps :
6174 -
62- name : Prepare
63- run : |
64- platform=${{ matrix.platforms }}
65- echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
66- -
67- name : Set up QEMU
68- uses : docker/setup-qemu-action@v3
69- -
70- name : Set up Docker Buildx
71- uses : docker/setup-buildx-action@v3
72- with :
73- version : ${{ env.SETUP_BUILDX_VERSION }}
74- driver-opts : image=${{ env.SETUP_BUILDKIT_IMAGE }}
75- buildkitd-flags : --debug
76- -
77- name : Build
78- uses : docker/bake-action@v6
75+ name : Download artifacts
76+ uses : actions/download-artifact@v6
7977 with :
80- # FIXME: remove context once git context with query string implemented in actions-toolkit
81- source : ${{ github.server_url }}/${{ github.repository }}.git#${{ github.ref }}
82- targets : release
83- provenance : mode=max
84- sbom : true
85- set : |
86- *.platform=${{ matrix.platforms }}
87- *.cache-from=type=gha,scope=binaries
88- *.cache-to=type=gha,scope=binaries
89- *.no-cache-filter=${{ startsWith(github.ref, 'refs/tags/v') && 'gobuild-base' || '' }}
78+ path : /tmp/buildx-output
79+ name : ${{ needs.binaries.outputs.artifact-name }}
9080 -
9181 name : Rename provenance and sbom
82+ run : |
83+ for pdir in /tmp/buildx-output/*/; do
84+ (
85+ cd "$pdir"
86+ binname=$(find . -name 'buildkit-*')
87+ filename=$(basename "$binname" | sed -E 's/\.(tar\.gz|zip)$//')
88+ mv "provenance.json" "$(unknown).provenance.json"
89+ mv "sbom-binaries.spdx.json" "$(unknown).sbom.json"
90+ find . -name 'sbom*.json' -exec rm {} \;
91+ if [ -f "provenance.sigstore.json" ]; then
92+ mv "provenance.sigstore.json" "$(unknown).sigstore.json"
93+ fi
94+ )
95+ done
96+ mkdir -p "${{ env.DESTDIR }}"
97+ mv /tmp/buildx-output/**/* "${{ env.DESTDIR }}/"
98+ -
99+ name : List artifacts
92100 working-directory : ${{ env.DESTDIR }}
93101 run : |
94- binname=$(find . -name 'buildkit-*')
95- filename=$(basename "$binname" | sed -E 's/\.(tar\.gz|zip)$//')
96- mv "provenance.json" "$(unknown).provenance.json"
97- mv "sbom-binaries.spdx.json" "$(unknown).sbom.json"
98- find . -name 'sbom*.json' -exec rm {} \;
102+ tree -nh .
99103 -
100- name : Upload artifacts
104+ name : Upload release binaries
101105 uses : actions/upload-artifact@v6
102106 with :
103- name : buildkit-${{ env.PLATFORM_PAIR }}
107+ name : buildkit-release
104108 path : ${{ env.DESTDIR }}/*
105109 if-no-files-found : error
106- retention-days : 1
107110
108111 test :
109112 uses : ./.github/workflows/.test.yml
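Review bot: The `*.no-cache-filter=gobuild-base` setting that the old Build step applied on tag refs has no counterpart in the new `binaries` job's `with:` block (cache: true, cache-scope: binaries), so unless `bake.yml` in docker/github-builder-experimental applies its own filter, tagged release builds may now reuse a cached `gobuild-base` stage that was previously rebuilt fresh; the `image` job in the second hunk drops its `buildkit-export-alpine,buildkit-export-ubuntu,gobuild-base,rootless` filter the same way, so if a no-cache input exists on the reusable workflow it should be set in both places. In the "Rename provenance and sbom" step, `mv /tmp/buildx-output/**/* "${{ env.DESTDIR }}/"` relies on `**`, which without `shopt -s globstar` is just `*`, so `mv /tmp/buildx-output/*/* "${{ env.DESTDIR }}/"` says what it actually does. The `mv "provenance.json" "$(unknown).provenance.json"` lines in that same step look like a rendering artifact of the `filename` variable computed just above them rather than real source; worth confirming against the actual file, since a literal `$(unknown)` would be a command substitution that fails. `actions/download-artifact@v6` here differs from the `@v7` used by the release job in the last hunk; pinning both to the same major avoids drift.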
@@ -164,128 +167,127 @@ jobs:
164167 with :
165168 sarif_file : ${{ env.DESTDIR }}/govulncheck.out
166169
167- image :
170+ image-prepare :
168171 runs-on : ubuntu-24.04
169- env :
170- DEFAULT_BASE : alpine
172+ outputs :
173+ includes : ${{ steps.set.outputs.includes }}
174+ steps :
175+ -
176+ name : Set outputs
177+ id : set
178+ uses : actions/github-script@v8
179+ env :
180+ INPUT_DEFAULT-BASE : alpine
181+ INPUT_REF : ${{ github.ref }}
182+ INPUT_IMAGE-NAME : ${{ env.IMAGE_NAME }}
183+ with :
184+ script : |
185+ const defaultBase = core.getInput('default-base');
186+ const ref = core.getInput('ref');
187+ const imageName = core.getInput('image-name');
188+
189+ function getTagSuffixAndLatest(base, target) {
190+ let tagSuffix = '';
191+ if (target) {
192+ tagSuffix += `-${target}`;
193+ }
194+ if (base && base !== defaultBase) {
195+ tagSuffix += `-${base}`;
196+ }
197+ let tagLatest = '';
198+ if (ref && ref.startsWith('refs/tags/v')) {
199+ const version = ref.replace('refs/tags/', '');
200+ if (/^v[0-9]+\.[0-9]+\.[0-9]+$/.test(version)) {
201+ tagLatest = target ? target : 'latest';
202+ if (base && base !== defaultBase) {
203+ tagLatest += `-${base}`;
204+ }
205+ }
206+ }
207+ return { tagSuffix, tagLatest };
208+ }
209+
210+ const matrix = [
211+ { base: 'alpine' },
212+ { base: 'alpine', target: 'rootless'},
213+ { base: 'ubuntu', buildTags: 'nvidia venus' }
214+ ]
215+
216+ for (const entry of matrix) {
217+ const { tagSuffix, tagLatest } = getTagSuffixAndLatest(entry.base, entry.target);
218+ entry.imageName = imageName;
219+ entry.tagSuffix = tagSuffix;
220+ entry.tagLatest = tagLatest;
221+ }
222+
223+ core.info(JSON.stringify(matrix, null, 2));
224+ core.setOutput('includes', JSON.stringify(matrix));
225+
226+ image :
227+ uses : docker/github-builder-experimental/.github/workflows/bake.yml@7643588149117bf0ca3a906caa3968c70484027a
171228 needs :
229+ - image-prepare
172230 - test
173231 strategy :
174232 fail-fast : false
175233 matrix :
176- include :
177- -
178- base : ' alpine'
179- -
180- base : ' alpine'
181- target : ' rootless'
182- -
183- base : ' ubuntu'
184- build-tags : ' nvidia venus'
185- steps :
186- -
187- name : Prepare
188- run : |
189- tagSuffix=""
190- if [ -n "${{ matrix.target }}" ]; then
191- tagSuffix="${tagSuffix}-${{ matrix.target }}"
192- fi
193- if [ "${{ matrix.base }}" != "$DEFAULT_BASE" ]; then
194- tagSuffix="${tagSuffix}-${{ matrix.base }}"
195- fi
196- echo "TAG_SUFFIX=${tagSuffix}" >> $GITHUB_ENV
197- if [[ $GITHUB_REF == refs/tags/v* ]]; then
198- if [[ "${GITHUB_REF#refs/tags/}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
199- tagLatest=""
200- if [ -n "${{ matrix.target }}" ]; then
201- tagLatest=${{ matrix.target }}
202- else
203- tagLatest=latest
204- fi
205- if [ "${{ matrix.base }}" != "$DEFAULT_BASE" ]; then
206- tagLatest="${tagLatest}-${{ matrix.base }}"
207- fi
208- echo "TAG_LATEST=${tagLatest}" >> $GITHUB_ENV
209- fi
210- fi
211- -
212- name : Set up QEMU
213- uses : docker/setup-qemu-action@v3
214- -
215- name : Set up Docker Buildx
216- uses : docker/setup-buildx-action@v3
217- with :
218- version : ${{ env.SETUP_BUILDX_VERSION }}
219- driver-opts : image=${{ env.SETUP_BUILDKIT_IMAGE }}
220- buildkitd-flags : --debug
221- -
222- name : Docker meta
223- id : meta
224- uses : docker/metadata-action@v5
225- with :
226- images : |
227- ${{ env.IMAGE_NAME }}
228- # versioning strategy
229- # # push semver tag v0.24.0
230- # ## moby/buildkit:v0.24.0
231- # ## moby/buildkit:latest
232- # ## moby/buildkit:v0.24.0-rootless
233- # ## moby/buildkit:rootless
234- # ## moby/buildkit:v0.24.0-ubuntu
235- # ## moby/buildkit:latest-ubuntu
236- # # push semver prerelease tag v0.24.0-rc1
237- # ## moby/buildkit:v0.24.0-rc1
238- # ## moby/buildkit:v0.24.0-rc1-rootless
239- # ## moby/buildkit:v0.24.0-rc1-ubuntu
240- # # push on master
241- # ## moby/buildkit:master
242- # ## moby/buildkit:master-rootless
243- # ## moby/buildkit:master-ubuntu
244- # # scheduled event on master
245- # ## moby/buildkit:nightly
246- # ## moby/buildkit:nightly-rootless
247- # ## moby/buildkit:nightly-ubuntu
248- tags : |
249- type=schedule,pattern=nightly,suffix=${{ env.TAG_SUFFIX }}
250- type=ref,event=branch,suffix=${{ env.TAG_SUFFIX }}
251- type=ref,event=pr,suffix=${{ env.TAG_SUFFIX }}
252- type=semver,pattern={{raw}},suffix=${{ env.TAG_SUFFIX }}
253- type=raw,value=${{ env.TAG_LATEST }}
254- flavor : |
255- latest=false
256- annotations : |
257- org.opencontainers.image.title=BuildKit
258- org.opencontainers.image.vendor=Moby
259- bake-target : meta-helper
260- -
261- name : Login to DockerHub
262- if : ${{ github.repository == 'moby/buildkit' && (github.event_name == 'schedule' || github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/v')) }}
263- uses : docker/login-action@v3
264- with :
234+ include : ${{ fromJson(needs.image-prepare.outputs.includes) }}
235+ permissions :
236+ contents : read # same as global permission
237+ id-token : write # for signing attestation(s) with GitHub OIDC Token
238+ with :
239+ runner : amd64
240+ setup-qemu : true
241+ target : image-cross
242+ cache : true
243+ cache-scope : image
244+ output : image
245+ push : ${{ github.repository == 'moby/buildkit' && (github.event_name == 'schedule' || github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/v')) }}
246+ sbom : true
247+ set : |
248+ *.args.IMAGE_TARGET=${{ matrix.target }}
249+ *.args.EXPORT_BASE=${{ matrix.base }}
250+ *.args.BUILDKITD_TAGS=${{ matrix.buildTags }}
251+ set-meta-annotations : true
252+ meta-images : |
253+ ${{ matrix.imageName }}
254+ # versioning strategy
255+ # # push semver tag v0.24.0
256+ # ## moby/buildkit:v0.24.0
257+ # ## moby/buildkit:latest
258+ # ## moby/buildkit:v0.24.0-rootless
259+ # ## moby/buildkit:rootless
260+ # ## moby/buildkit:v0.24.0-ubuntu
261+ # ## moby/buildkit:latest-ubuntu
262+ # # push semver prerelease tag v0.24.0-rc1
263+ # ## moby/buildkit:v0.24.0-rc1
264+ # ## moby/buildkit:v0.24.0-rc1-rootless
265+ # ## moby/buildkit:v0.24.0-rc1-ubuntu
266+ # # push on master
267+ # ## moby/buildkit:master
268+ # ## moby/buildkit:master-rootless
269+ # ## moby/buildkit:master-ubuntu
270+ # # scheduled event on master
271+ # ## moby/buildkit:nightly
272+ # ## moby/buildkit:nightly-rootless
273+ # ## moby/buildkit:nightly-ubuntu
274+ meta-tags : |
275+ type=schedule,pattern=nightly,suffix=${{ matrix.tagSuffix }}
276+ type=ref,event=branch,suffix=${{ matrix.tagSuffix }}
277+ type=ref,event=pr,suffix=${{ matrix.tagSuffix }}
278+ type=semver,pattern={{raw}},suffix=${{ matrix.tagSuffix }}
279+ type=raw,value=${{ matrix.tagLatest }}
280+ meta-flavor : |
281+ latest=false
282+ meta-annotations : |
283+ org.opencontainers.image.title=BuildKit
284+ org.opencontainers.image.vendor=Moby
285+ meta-bake-target : meta-helper
286+ secrets :
287+ registry-auths : |
288+ - registry: docker.io
265289 username: ${{ secrets.DOCKERHUB_USERNAME }}
266290 password: ${{ secrets.DOCKERHUB_TOKEN }}
267- -
268- name : Build
269- uses : docker/bake-action@v6
270- with :
271- # FIXME: remove context once git context with query string implemented in actions-toolkit
272- source : ${{ github.server_url }}/${{ github.repository }}.git#${{ github.ref }}
273- files : |
274- ./docker-bake.hcl
275- cwd://${{ steps.meta.outputs.bake-file-tags }}
276- cwd://${{ steps.meta.outputs.bake-file-annotations }}
277- targets : image-cross
278- push : ${{ github.repository == 'moby/buildkit' && (github.event_name == 'schedule' || github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/v')) }}
279- provenance : mode=max,version=v1
280- sbom : true
281- set : |
282- *.cache-from=type=gha,scope=image${{ matrix.target }}-${{ matrix.base }}
283- *.cache-to=type=gha,scope=image${{ matrix.target }}-${{ matrix.base }}
284- *.no-cache-filter=${{ (github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/v')) && 'buildkit-export-alpine,buildkit-export-ubuntu,gobuild-base,rootless' || '' }}
285- env :
286- IMAGE_TARGET : ${{ matrix.target }}
287- EXPORT_BASE : ${{ matrix.base }}
288- BUILDKITD_TAGS : ${{ matrix.build-tags }}
289291
290292 scout :
291293 runs-on : ubuntu-24.04
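Review bot: The DockerHub credentials are now handed to the reusable workflow unconditionally through `secrets.registry-auths` (lines 286-290), whereas the removed `Login to DockerHub` step ran only under the repository/event condition that still gates `push:` on line 245; unless `bake.yml` only performs registry login when `push` is true, every run of the `image` job — including pull_request builds from branches of the repository — receives the token. Either gate the secret in the caller with the same expression used for `push`, or confirm that the called workflow skips login when `push` is false and document that in a comment next to `secrets:`. Separately, `provenance: mode=max,version=v1` is no longer specified for the image build, so the attestation format of published images now depends on the called workflow's default; if `bake.yml` exposes a provenance input it should be pinned here. The `image-prepare` job declares no `permissions:` block and so inherits the workflow-level grant; a one-line `permissions: contents: read` would make that explicit alongside the other new jobs.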
@@ -338,20 +340,15 @@ jobs:
338340 contents : write
339341 needs :
340342 - test
341- - binaries
343+ - binaries-finalize
342344 - image
343345 steps :
344346 -
345- name : Download artifacts
347+ name : Download release binaries
346348 uses : actions/download-artifact@v7
347349 with :
348350 path : ${{ env.DESTDIR }}
349- pattern : buildkit-*
350- merge-multiple : true
351- -
352- name : List artifacts
353- run : |
354- tree -nh ${{ env.DESTDIR }}
351+ name : buildkit-release
355352 -
356353 name : GitHub Release
357354 if : startsWith(github.ref, 'refs/tags/v')