Add new "bashbrew-buildkit-env-setup.sh" script for setting up bashbrew+buildkit environment variables

[tianon]

This script is intended to be invoked in order to generate values for BASHBREW_BUILDKIT_SYNTAX, BUILDX_BUILDER, and BASHBREW_BUILDKIT_SBOM_GENERATOR appropriately (including creating/updating the appropriate "builder" if necessary from the pinned buildkit image). For now, this only sets up BUILDX_BUILDER and BASHBREW_BUILDKIT_SBOM_GENERATOR for amd64 and arm64v8 as we test things out and ensure better ways to detect which architectures are supported by the relevant infrastructure-related images those features rely on (and gauge user interest in expanding that list).

This adds a new .bin directory for these scripts that I'd like to eventually move most of our scripts into so they're not polluting the top-level directory listing.

This also includes an update of docker/dockerfile from 1.4.3 to 1.5.2 (now using our same .external-pins scaffolding so we can more easily keep that up-to-date). See https://github.com/moby/buildkit/releases/tag/dockerfile%2F1.5.0, https://github.com/moby/buildkit/releases/tag/dockerfile%2F1.5.1, and https://github.com/moby/buildkit/releases/tag/dockerfile%2F1.5.2 for relevant release notes/changes between 1.4.3 and 1.5.2.

For now, I have left (and updated) the .bashbrew-buildkit-syntax so we can move things using it over before removing it, which will likely also include a new release of bashbrew (since the GHA scripts use it, I think).

[tianon]

Example output:

$ .bin/bashbrew-buildkit-envs.sh
export BASHBREW_BUILDKIT_SYNTAX=docker/dockerfile:1@sha256:39b85bbfa7536a5feceb7372a0817649ecb2724562a38360f4d6a7782a409b14

$ BASHBREW_ARCH=amd64 .bin/bashbrew-buildkit-envs.sh
bashbrew-amd64 removed
#1 [internal] booting buildkit
#1 pulling image moby/buildkit:buildx-stable-1@sha256:1480724af5b483e841319c6ed9417c4d6ca6f8154f236f8081c18b9f5a420dfb 0.1s done
#1 creating container buildx_buildkit_bashbrew-amd64
#1 creating container buildx_buildkit_bashbrew-amd64 0.4s done
#1 DONE 0.5s
bashbrew-amd64
buildx_buildkit_bashbrew-amd64
export BASHBREW_BUILDKIT_SYNTAX=docker/dockerfile:1@sha256:966d40f9ba8366e74c2fa353fc0bc7bbc167d2a0f3ad2420db8b9e633049462d
export BUILDX_BUILDER=bashbrew-amd64
export BASHBREW_BUILDKIT_SBOM_GENERATOR=docker/buildkit-syft-scanner:stable-1@sha256:72014b8aeb9983fd1d686600a7a12ac282a5637cf5166504a11bb34d7b6acb8f

$ BASHBREW_ARCH=amd64 .bin/bashbrew-buildkit-envs.sh

note: 'buildx_buildkit_bashbrew-amd64' container already exists and is running the correct image ('moby/buildkit:buildx-stable-1@sha256:1480724af5b483e841319c6ed9417c4d6ca6f8154f236f8081c18b9f5a420dfb'); bailing instead of recreating the 'bashbrew-amd64' builder (to avoid unnecessary churn)

export BASHBREW_BUILDKIT_SYNTAX=docker/dockerfile:1@sha256:966d40f9ba8366e74c2fa353fc0bc7bbc167d2a0f3ad2420db8b9e633049462d
export BUILDX_BUILDER=bashbrew-amd64
export BASHBREW_BUILDKIT_SBOM_GENERATOR=docker/buildkit-syft-scanner:stable-1@sha256:72014b8aeb9983fd1d686600a7a12ac282a5637cf5166504a11bb34d7b6acb8f

(the explicit export lines are multi-purpose - useful for debugging this script, useful for debugging consumers of this script, and useful for being able to capture the variables and pass them to something else like $GITHUB_ENV in a GHA)

[tianon]

More esoteric examples:

$ BASHBREW_ARCH=arm32v7 .bin/bashbrew-buildkit-envs.sh
export BASHBREW_BUILDKIT_SYNTAX=docker/dockerfile:1@sha256:758e352e41cda32ecee17d820d88a228f748e57f3a37e8a3bca924993c04df60

$ BASHBREW_ARCH=arm64v8 .bin/bashbrew-buildkit-envs.sh
bashbrew-arm64v8 removed
#1 [internal] booting buildkit
#1 pulling image moby/buildkit:buildx-stable-1@sha256:8e1ece3c63a79c9399c4f992d4d977c4617340394d83700e836035de9ebeeeb1
#1 pulling image moby/buildkit:buildx-stable-1@sha256:8e1ece3c63a79c9399c4f992d4d977c4617340394d83700e836035de9ebeeeb1 2.6s done
#1 creating container buildx_buildkit_bashbrew-arm64v8
#1 creating container buildx_buildkit_bashbrew-arm64v8 1.5s done
#1 DONE 4.1s
bashbrew-arm64v8
buildx_buildkit_bashbrew-arm64v8
export BASHBREW_BUILDKIT_SYNTAX=docker/dockerfile:1@sha256:7f44e51970d0422c2cbff3b20b6b5ef861f6244c396a06e1a96f7aa4fa83a4e6
export BUILDX_BUILDER=bashbrew-arm64v8
export BASHBREW_BUILDKIT_SBOM_GENERATOR=docker/buildkit-syft-scanner:stable-1@sha256:71c6aab70e25388abf054da2eaaf121727e3a4f464ddfb1987052b83c9419949

[yosifkit]

Not certain if bashbrew-buildkit-envs.sh should have the side effect of creating the builder or if the user should have to call both scripts. Or maybe just a slight misunderstanding of the envs script in that it seems named to be for "just" generating some env variables (some "envs").

If envs.sh keeps the side effect, in what instance would docker-buildx-ensure.sh be run separately?

[tianon]

Not certain if bashbrew-buildkit-envs.sh should have the side effect of creating the builder or if the user should have to call both scripts. Or maybe just a slight misunderstanding of the envs script in that it seems named to be for "just" generating some env variables (some "envs").

Yeah, I guess you're picking up on the disparity of my choosing the script name based on the information it provides, not on what it does (mostly because I chose the name before I wrote the script, in this case 😂).

If it were bashbrew-buildkit-env.sh or bashbrew-buildkit-env-setup.sh instead, would that help?

I don't want to have either of these scripts "accidentally" see a generic BUILDX_BUILDER variable and just clobber that builder. Maybe we should introduce a BASHBREW_BUILDX_BUILDER variable? (possibly even plumbed all the way down into bashbrew?)

It's not a "lightweight" script either way because it does a remote lookup and resolves the digest to a specific image manifest, so it seemed OK to me that it would also ensure the builder is running and configured appropriately, but that's probably because I'm looking at the output as the side effect of ensuring the environment is set up correctly (and the output / variables set if I source it are what I as the user of it have to more actively do in order to use/access that now set up environment correctly).

If envs.sh keeps the side effect, in what instance would docker-buildx-ensure.sh be run separately?

It's separate mostly to keep its behavior (especially the automatic recreation behavior) separate and isolated -- while developing it, I found it helpful to have separate so that I could more easily run it repeatedly (BASHBREW_ARCH=amd64 BASHBREW_BUILDKIT_IMAGE=moby/buildkit:buildx-stable-1 .bin/docker-buildx-ensure.sh), and I think that makes it easier to debug or even use locally, but I don't feel super strongly about it being separate if you'd rather it be a function in the other script.

[tianon]

I do think I need to reevaluate the "sourcing the script" behavior because both of the places I need to integrate it right off won't actually be sourcing it because GHA wants us to use $GITHUB_ENV and Jenkins would work with it better if we could pass it to something like withEnv([ ... ]) as a Groovy list and set it for all builds instead of sourcing it in every sh 'bashbrew build ...' shell block... 😞

Current thought is either to output JSON (so we can do whatever we need with the data via jq) or do some very basic flag parsing? Alternatively we could just rely on none of them needing any special characters and go entirely line-based, but that makes me queasy because it doesn't seem unimaginable that someday we'll need a variable that would require shell escaping (space, ', newline, etc). 😅

[yosifkit]

If it were bashbrew-buildkit-env.sh or bashbrew-buildkit-env-setup.sh instead, would that help?

👍 bashbrew-buildkit-env-setup.sh makes it a clear.

I don't want to have either of these scripts "accidentally" see a generic BUILDX_BUILDER variable and just clobber that builder. Maybe we should introduce a BASHBREW_BUILDX_BUILDER variable? (possibly even plumbed all the way down into bashbrew?)

That's fair. 🤔 Let's stick with BUILDX_BUILDER for now.

---

"sourcing the script" [...] output JSON

🙈 I'd always vote for JSON output. JSON is machine readable with versatility. jq everywhere! 🎉

[tianon]

$ BASHBREW_ARCH=amd64 .bin/bashbrew-buildkit-env-setup.sh
bashbrew-amd64 removed
#1 [internal] booting buildkit
#1 pulling image moby/buildkit:buildx-stable-1@sha256:1480724af5b483e841319c6ed9417c4d6ca6f8154f236f8081c18b9f5a420dfb 0.1s done
#1 creating container buildx_buildkit_bashbrew-amd64
#1 creating container buildx_buildkit_bashbrew-amd64 0.5s done
#1 DONE 0.6s
bashbrew-amd64
buildx_buildkit_bashbrew-amd64
{
  "BASHBREW_BUILDKIT_SYNTAX": "docker/dockerfile:1@sha256:966d40f9ba8366e74c2fa353fc0bc7bbc167d2a0f3ad2420db8b9e633049462d",
  "BUILDX_BUILDER": "bashbrew-amd64",
  "BASHBREW_BUILDKIT_SBOM_GENERATOR": "docker/buildkit-syft-scanner:stable-1@sha256:72014b8aeb9983fd1d686600a7a12ac282a5637cf5166504a11bb34d7b6acb8f"
}

👀

[github-actions]

Diff for e28a1ee:

diff --git a/.external-pins/docker/buildkit-syft-scanner___stable-1/bashbrew.json b/.external-pins/docker/buildkit-syft-scanner___stable-1/bashbrew.json
new file mode 100644
index 0000000..a683a1b
--- /dev/null
+++ b/.external-pins/docker/buildkit-syft-scanner___stable-1/bashbrew.json
@@ -0,0 +1,78 @@
+{
+	"arches": {
+		"amd64": [
+			{
+				"digest": "sha256:72014b8aeb9983fd1d686600a7a12ac282a5637cf5166504a11bb34d7b6acb8f",
+				"mediaType": "application/vnd.oci.image.manifest.v1+json",
+				"platform": {
+					"architecture": "amd64",
+					"os": "linux"
+				},
+				"size": 482
+			}
+		],
+		"arm32v7": [
+			{
+				"digest": "sha256:3ca48d4a5c34b691ac84f9f6cf92d8900a959b489d81762c9e77d72c2870edc7",
+				"mediaType": "application/vnd.oci.image.manifest.v1+json",
+				"platform": {
+					"architecture": "arm",
+					"os": "linux",
+					"variant": "v7"
+				},
+				"size": 482
+			}
+		],
+		"arm64v8": [
+			{
+				"digest": "sha256:71c6aab70e25388abf054da2eaaf121727e3a4f464ddfb1987052b83c9419949",
+				"mediaType": "application/vnd.oci.image.manifest.v1+json",
+				"platform": {
+					"architecture": "arm64",
+					"os": "linux",
+					"variant": "v8"
+				},
+				"size": 482
+			}
+		],
+		"ppc64le": [
+			{
+				"digest": "sha256:daa88e485c0243929744fa73fadcb92d8257bfbbedca334ee6be6b7b405ccb56",
+				"mediaType": "application/vnd.oci.image.manifest.v1+json",
+				"platform": {
+					"architecture": "ppc64le",
+					"os": "linux"
+				},
+				"size": 482
+			}
+		],
+		"riscv64": [
+			{
+				"digest": "sha256:7494557a1509ee72c9cb88a221e3d37c068ffe8c0146fad9d0d634770322e811",
+				"mediaType": "application/vnd.oci.image.manifest.v1+json",
+				"platform": {
+					"architecture": "riscv64",
+					"os": "linux"
+				},
+				"size": 482
+			}
+		],
+		"s390x": [
+			{
+				"digest": "sha256:fcb446c04cd6ec6e345c751b94dfc6d3d3ebbf31e5c4c17ced915621e5b5e250",
+				"mediaType": "application/vnd.oci.image.manifest.v1+json",
+				"platform": {
+					"architecture": "s390x",
+					"os": "linux"
+				},
+				"size": 482
+			}
+		]
+	},
+	"desc": {
+		"digest": "sha256:3397098bd8d3f22d626ccea8c55bd153dc6939c14087d03681f46ef10960241d",
+		"mediaType": "application/vnd.oci.image.index.v1+json",
+		"size": 4642
+	},
+	"ref": "docker.io/docker/buildkit-syft-scanner:stable-1@sha256:3397098bd8d3f22d626ccea8c55bd153dc6939c14087d03681f46ef10960241d"
+}
diff --git a/.external-pins/docker/buildkit-syft-scanner___stable-1/manifest-sha256_72014b8aeb9983fd1d686600a7a12ac282a5637cf5166504a11bb34d7b6acb8f-config.json b/.external-pins/docker/buildkit-syft-scanner___stable-1/manifest-sha256_72014b8aeb9983fd1d686600a7a12ac282a5637cf5166504a11bb34d7b6acb8f-config.json
new file mode 100644
index 0000000..b5ab602
--- /dev/null
+++ b/.external-pins/docker/buildkit-syft-scanner___stable-1/manifest-sha256_72014b8aeb9983fd1d686600a7a12ac282a5637cf5166504a11bb34d7b6acb8f-config.json
@@ -0,0 +1,53 @@
+{
+	"architecture": "amd64",
+	"config": {
+		"Entrypoint": [
+			"/bin/syft-scanner"
+		],
+		"Env": [
+			"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+			"LOG_LEVEL=warn"
+		],
+		"Labels": {
+			"org.opencontainers.image.created": "2023-02-07T10:34:29.424Z",
+			"org.opencontainers.image.description": "SBOM generation for BuildKit images",
+			"org.opencontainers.image.licenses": "Apache-2.0",
+			"org.opencontainers.image.revision": "bb38c67787ae65b48c7292954ee19839a105f384",
+			"org.opencontainers.image.source": "https://github.com/docker/buildkit-syft-scanner",
+			"org.opencontainers.image.title": "BuildKit Syft scanner",
+			"org.opencontainers.image.url": "https://github.com/docker/buildkit-syft-scanner",
+			"org.opencontainers.image.vendor": "Docker Inc.",
+			"org.opencontainers.image.version": "1.1.0"
+		},
+		"OnBuild": null,
+		"WorkingDir": "/"
+	},
+	"created": "2023-02-07T10:40:22.679140539Z",
+	"history": [
+		{
+			"comment": "buildkit.dockerfile.v0",
+			"created": "2023-02-07T10:40:22.679140539Z",
+			"created_by": "COPY /usr/local/bin/syft-scanner /bin/syft-scanner # buildkit"
+		},
+		{
+			"comment": "buildkit.dockerfile.v0",
+			"created": "2023-02-07T10:40:22.679140539Z",
+			"created_by": "ENV LOG_LEVEL=warn",
+			"empty_layer": true
+		},
+		{
+			"comment": "buildkit.dockerfile.v0",
+			"created": "2023-02-07T10:40:22.679140539Z",
+			"created_by": "ENTRYPOINT [\"/bin/syft-scanner\"]",
+			"empty_layer": true
+		}
+	],
+	"moby.buildkit.buildinfo.v1": "eyJmcm9udGVuZCI6ImdhdGV3YXkudjAiLCJzb3VyY2VzIjpbeyJ0eXBlIjoiZG9ja2VyLWltYWdlIiwicmVmIjoiZG9ja2VyLmlvL2RvY2tlci9idWlsZGtpdC1zeWZ0LXNjYW5uZXI6c3RhYmxlLTEiLCJwaW4iOiJzaGEyNTY6NWQ0NWJmOWY5ODhhN2VlZWQ2YmUwNTk5ZTFkMmMyN2JiYjcwMDlhNDMyM2IyMzZkNjhhZGQ4ZDg5OTZjOWQ3OSJ9LHsidHlwZSI6ImRvY2tlci1pbWFnZSIsInJlZiI6ImRvY2tlci5pby9kb2NrZXIvZG9ja2VyZmlsZS11cHN0cmVhbToxIiwicGluIjoic2hhMjU2OmQyZDc0ZmYyMmEwZTQ3YjIxZjRiYmRlMzM3ZTJhYzRjZDBhMDJhMjIyNmVmNzkyNjQ4NzhkYjNkYzdlODdkZjgifSx7InR5cGUiOiJkb2NrZXItaW1hZ2UiLCJyZWYiOiJkb2NrZXIuaW8vbGlicmFyeS9nb2xhbmc6MS4xOS1hbHBpbmUzLjE3IiwicGluIjoic2hhMjU2OjIzODFjMWU1ZjgzNTBhOTAxNTk3ZDYzM2IyZTUxNzc3NWVlYWM3YTY2ODJiZTM5MjI1YTkzYjIyY2ZkMGY4YmIifSx7InR5cGUiOiJkb2NrZXItaW1hZ2UiLCJyZWYiOiJkb2NrZXIuaW8vdG9uaXN0aWlnaS94eDoxLjEuMiIsInBpbiI6InNoYTI1Njo5ZGRlN2VkZWI5ZTRhOTU3Y2U3OGJlOWY4YzBmYmFiZTAxMjliZjUxMjY5MzNjZDM1NzQ4ODhmNDQzNzMxY2RhIn1dfQ==",
+	"os": "linux",
+	"rootfs": {
+		"diff_ids": [
+			"sha256:6aec7e14a00809dcde1c6b3fb6e9e805c0e6d6f2a88af005ff377ce2b1c2242b"
+		],
+		"type": "layers"
+	}
+}
diff --git a/.external-pins/docker/buildkit-syft-scanner___stable-1/manifest-sha256_72014b8aeb9983fd1d686600a7a12ac282a5637cf5166504a11bb34d7b6acb8f.json b/.external-pins/docker/buildkit-syft-scanner___stable-1/manifest-sha256_72014b8aeb9983fd1d686600a7a12ac282a5637cf5166504a11bb34d7b6acb8f.json
new file mode 100644
index 0000000..1d2f004
--- /dev/null
+++ b/.external-pins/docker/buildkit-syft-scanner___stable-1/manifest-sha256_72014b8aeb9983fd1d686600a7a12ac282a5637cf5166504a11bb34d7b6acb8f.json
@@ -0,0 +1,16 @@
+{
+	"config": {
+		"digest": "sha256:8586ab919e300a8bd868c7cc85555fe3c49be2908520995bfef85e23c8bf4944",
+		"mediaType": "application/vnd.oci.image.config.v1+json",
+		"size": 2299
+	},
+	"layers": [
+		{
+			"digest": "sha256:a150ac513caf9702a01130f750bf1bc3fab298e95f22fa5081d23db9ed233ec1",
+			"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
+			"size": 16454939
+		}
+	],
+	"mediaType": "application/vnd.oci.image.manifest.v1+json",
+	"schemaVersion": 2
+}
diff --git a/.external-pins/docker/dockerfile___1/bashbrew.json b/.external-pins/docker/dockerfile___1/bashbrew.json
new file mode 100644
index 0000000..ec6fbc0
--- /dev/null
+++ b/.external-pins/docker/dockerfile___1/bashbrew.json
@@ -0,0 +1,100 @@
+{
+	"arches": {
+		"amd64": [
+			{
+				"digest": "sha256:966d40f9ba8366e74c2fa353fc0bc7bbc167d2a0f3ad2420db8b9e633049462d",
+				"mediaType": "application/vnd.oci.image.manifest.v1+json",
+				"platform": {
+					"architecture": "amd64",
+					"os": "linux"
+				},
+				"size": 482
+			}
+		],
+		"arm32v7": [
+			{
+				"digest": "sha256:758e352e41cda32ecee17d820d88a228f748e57f3a37e8a3bca924993c04df60",
+				"mediaType": "application/vnd.oci.image.manifest.v1+json",
+				"platform": {
+					"architecture": "arm",
+					"os": "linux",
+					"variant": "v7"
+				},
+				"size": 482
+			}
+		],
+		"arm64v8": [
+			{
+				"digest": "sha256:7f44e51970d0422c2cbff3b20b6b5ef861f6244c396a06e1a96f7aa4fa83a4e6",
+				"mediaType": "application/vnd.oci.image.manifest.v1+json",
+				"platform": {
+					"architecture": "arm64",
+					"os": "linux",
+					"variant": "v8"
+				},
+				"size": 482
+			}
+		],
+		"i386": [
+			{
+				"digest": "sha256:48c88209c932700e607b259a646875ec592c74f3ce29597feb835621a049213a",
+				"mediaType": "application/vnd.oci.image.manifest.v1+json",
+				"platform": {
+					"architecture": "386",
+					"os": "linux"
+				},
+				"size": 482
+			}
+		],
+		"mips64le": [
+			{
+				"digest": "sha256:3a148c6e792399f9c7ccd4c0d32ab3763ee88e99b3c26eca904e7cbb731aced8",
+				"mediaType": "application/vnd.oci.image.manifest.v1+json",
+				"platform": {
+					"architecture": "mips64le",
+					"os": "linux"
+				},
+				"size": 482
+			}
+		],
+		"ppc64le": [
+			{
+				"digest": "sha256:870eb36dd5b7b2431fc43b38738abd48eb3fcb30cd3fe584a71ce16af67bf91c",
+				"mediaType": "application/vnd.oci.image.manifest.v1+json",
+				"platform": {
+					"architecture": "ppc64le",
+					"os": "linux"
+				},
+				"size": 482
+			}
+		],
+		"riscv64": [
+			{
+				"digest": "sha256:e49e25e5ecc0caadc4ac33dac443d9e1a5a96f13f3aee169164b53f887e9b6da",
+				"mediaType": "application/vnd.oci.image.manifest.v1+json",
+				"platform": {
+					"architecture": "riscv64",
+					"os": "linux"
+				},
+				"size": 482
+			}
+		],
+		"s390x": [
+			{
+				"digest": "sha256:bf1aec47a3bff6ce132cca9ac0e2b139d54d8287a49ee0008b5b4662edd5c7b9",
+				"mediaType": "application/vnd.oci.image.manifest.v1+json",
+				"platform": {
+					"architecture": "s390x",
+					"os": "linux"
+				},
+				"size": 482
+			}
+		]
+	},
+	"desc": {
+		"digest": "sha256:39b85bbfa7536a5feceb7372a0817649ecb2724562a38360f4d6a7782a409b14",
+		"mediaType": "application/vnd.oci.image.index.v1+json",
+		"size": 8404
+	},
+	"ref": "docker.io/docker/dockerfile:1@sha256:39b85bbfa7536a5feceb7372a0817649ecb2724562a38360f4d6a7782a409b14"
+}
diff --git a/.external-pins/docker/dockerfile___1/manifest-sha256_966d40f9ba8366e74c2fa353fc0bc7bbc167d2a0f3ad2420db8b9e633049462d-config.json b/.external-pins/docker/dockerfile___1/manifest-sha256_966d40f9ba8366e74c2fa353fc0bc7bbc167d2a0f3ad2420db8b9e633049462d-config.json
new file mode 100644
index 0000000..68909b5
--- /dev/null
+++ b/.external-pins/docker/dockerfile___1/manifest-sha256_966d40f9ba8366e74c2fa353fc0bc7bbc167d2a0f3ad2420db8b9e633049462d-config.json
@@ -0,0 +1,51 @@
+{
+	"architecture": "amd64",
+	"config": {
+		"Entrypoint": [
+			"/bin/dockerfile-frontend"
+		],
+		"Env": [
+			"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+		],
+		"Labels": {
+			"moby.buildkit.frontend.caps": "moby.buildkit.frontend.inputs,moby.buildkit.frontend.subrequests,moby.buildkit.frontend.contexts",
+			"moby.buildkit.frontend.network.none": "true"
+		},
+		"OnBuild": null,
+		"WorkingDir": "/"
+	},
+	"created": "2023-02-13T19:29:24.14214783Z",
+	"history": [
+		{
+			"comment": "buildkit.dockerfile.v0",
+			"created": "2023-02-13T19:29:24.14214783Z",
+			"created_by": "LABEL moby.buildkit.frontend.network.none=true",
+			"empty_layer": true
+		},
+		{
+			"comment": "buildkit.dockerfile.v0",
+			"created": "2023-02-13T19:29:24.14214783Z",
+			"created_by": "LABEL moby.buildkit.frontend.caps=moby.buildkit.frontend.inputs,moby.buildkit.frontend.subrequests,moby.buildkit.frontend.contexts",
+			"empty_layer": true
+		},
+		{
+			"comment": "buildkit.dockerfile.v0",
+			"created": "2023-02-13T19:29:24.14214783Z",
+			"created_by": "COPY /dockerfile-frontend /bin/dockerfile-frontend # buildkit"
+		},
+		{
+			"comment": "buildkit.dockerfile.v0",
+			"created": "2023-02-13T19:29:24.14214783Z",
+			"created_by": "ENTRYPOINT [\"/bin/dockerfile-frontend\"]",
+			"empty_layer": true
+		}
+	],
+	"moby.buildkit.buildinfo.v1": "eyJmcm9udGVuZCI6ImdhdGV3YXkudjAiLCJhdHRycyI6eyJidWlsZC1hcmc6QlVJTERLSVRfQ09OVEVYVF9LRUVQX0dJVF9ESVIiOiIxIiwiYnVpbGQtYXJnOkJVSUxEVEFHUyI6IiIsImJ1aWxkLWFyZzpDSEFOTkVMIjoibWFpbmxpbmUiLCJjbWRsaW5lIjoiZG9ja2VyL2RvY2tlcmZpbGUtdXBzdHJlYW06bWFzdGVyIiwiY29udGV4dCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9tb2J5L2J1aWxka2l0LmdpdCNyZWZzL3RhZ3MvZG9ja2VyZmlsZS8xLjUuMiIsImZpbGVuYW1lIjoiLi9mcm9udGVuZC9kb2NrZXJmaWxlL2NtZC9kb2NrZXJmaWxlLWZyb250ZW5kL0RvY2tlcmZpbGUiLCJzb3VyY2UiOiJkb2NrZXIvZG9ja2VyZmlsZS11cHN0cmVhbTptYXN0ZXIifSwic291cmNlcyI6W3sidHlwZSI6ImRvY2tlci1pbWFnZSIsInJlZiI6ImRvY2tlci5pby9kb2NrZXIvYnVpbGRraXQtc3lmdC1zY2FubmVyOnN0YWJsZS0xIiwicGluIjoic2hhMjU2OjMzOTcwOThiZDhkM2YyMmQ2MjZjY2VhOGM1NWJkMTUzZGM2OTM5YzE0MDg3ZDAzNjgxZjQ2ZWYxMDk2MDI0MWQifSx7InR5cGUiOiJkb2NrZXItaW1hZ2UiLCJyZWYiOiJkb2NrZXIuaW8vZG9ja2VyL2RvY2tlcmZpbGUtdXBzdHJlYW06bWFzdGVyIiwicGluIjoic2hhMjU2OjRiZDM2ZGExOTIwZTNjYzJjZjUzYjAzOWJhMTJjZDUxYjk1YTIyNmU3MDQ0Zjg5NGZkNzExMDE3M2RiM2U5YmUifSx7InR5cGUiOiJkb2NrZXItaW1hZ2UiLCJyZWYiOiJkb2NrZXIuaW8vbGlicmFyeS9nb2xhbmc6MS4xOS1hbHBpbmUiLCJwaW4iOiJzaGEyNTY6YTAwYTAzYzcyZWNjMWEwMWU0Y2E3YjdjZmI2MjQ1OTA2MzkxMmZmNDVjY2IxMzAxMWY5ZmIwNjFlMjU5MTZlYiJ9LHsidHlwZSI6ImRvY2tlci1pbWFnZSIsInJlZiI6ImRvY2tlci5pby90b25pc3RpaWdpL3h4Om1hc3RlckBzaGEyNTY6ZDQyNTRkOTczOWNlMmRlOWZiODhlMDliZGM3MTZhYTBjNjVmMDQ0NmEyYTIxNDMzOTlmOTkxZDcxMTM2YTNkNCIsInBpbiI6InNoYTI1NjpkNDI1NGQ5NzM5Y2UyZGU5ZmI4OGUwOWJkYzcxNmFhMGM2NWYwNDQ2YTJhMjE0MzM5OWY5OTFkNzExMzZhM2Q0In0seyJ0eXBlIjoiZ2l0IiwicmVmIjoiaHR0cHM6Ly9naXRodWIuY29tL21vYnkvYnVpbGRraXQuZ2l0I3JlZnMvdGFncy9kb2NrZXJmaWxlLzEuNS4yIiwicGluIjoiNGRkZWU0MmEzMmFhYzRjZDMzYmY5YzJiZTRjODdjMmZmZDM0NzQ3YiJ9XX0=",
+	"os": "linux",
+	"rootfs": {
+		"diff_ids": [
+			"sha256:27729a323daf9e105a1e847ef7244a058293bb53ecc0b7619b56fb37d6b30366"
+		],
+		"type": "layers"
+	}
+}
diff --git a/.external-pins/docker/dockerfile___1/manifest-sha256_966d40f9ba8366e74c2fa353fc0bc7bbc167d2a0f3ad2420db8b9e633049462d.json b/.external-pins/docker/dockerfile___1/manifest-sha256_966d40f9ba8366e74c2fa353fc0bc7bbc167d2a0f3ad2420db8b9e633049462d.json
new file mode 100644
index 0000000..092d9ab
--- /dev/null
+++ b/.external-pins/docker/dockerfile___1/manifest-sha256_966d40f9ba8366e74c2fa353fc0bc7bbc167d2a0f3ad2420db8b9e633049462d.json
@@ -0,0 +1,16 @@
+{
+	"config": {
+		"digest": "sha256:dbdd11720762ad504260c66161c964e59eba06b95a7aa64a68634b598a830a91",
+		"mediaType": "application/vnd.oci.image.config.v1+json",
+		"size": 2902
+	},
+	"layers": [
+		{
+			"digest": "sha256:a47ff7046597eea0123ea02817165350e3680f75000dc5d69c9a310258e1bedd",
+			"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
+			"size": 11547728
+		}
+	],
+	"mediaType": "application/vnd.oci.image.manifest.v1+json",
+	"schemaVersion": 2
+}
diff --git a/.external-pins/moby/buildkit___buildx-stable-1/bashbrew.json b/.external-pins/moby/buildkit___buildx-stable-1/bashbrew.json
new file mode 100644
index 0000000..681ff6a
--- /dev/null
+++ b/.external-pins/moby/buildkit___buildx-stable-1/bashbrew.json
@@ -0,0 +1,78 @@
+{
+	"arches": {
+		"amd64": [
+			{
+				"digest": "sha256:1480724af5b483e841319c6ed9417c4d6ca6f8154f236f8081c18b9f5a420dfb",
+				"mediaType": "application/vnd.oci.image.manifest.v1+json",
+				"platform": {
+					"architecture": "amd64",
+					"os": "linux"
+				},
+				"size": 1054
+			}
+		],
+		"arm32v7": [
+			{
+				"digest": "sha256:02fe24fb5c9b7e23d627089ab246f4ceb36b8b18d716d73b078713be030ef7ca",
+				"mediaType": "application/vnd.oci.image.manifest.v1+json",
+				"platform": {
+					"architecture": "arm",
+					"os": "linux",
+					"variant": "v7"
+				},
+				"size": 1054
+			}
+		],
+		"arm64v8": [
+			{
+				"digest": "sha256:8e1ece3c63a79c9399c4f992d4d977c4617340394d83700e836035de9ebeeeb1",
+				"mediaType": "application/vnd.oci.image.manifest.v1+json",
+				"platform": {
+					"architecture": "arm64",
+					"os": "linux",
+					"variant": "v8"
+				},
+				"size": 1054
+			}
+		],
+		"ppc64le": [
+			{
+				"digest": "sha256:6262509a0d31260010b9e3bf0023f242956528869cf572f62af63f4fdb9cfcf4",
+				"mediaType": "application/vnd.oci.image.manifest.v1+json",
+				"platform": {
+					"architecture": "ppc64le",
+					"os": "linux"
+				},
+				"size": 1054
+			}
+		],
+		"riscv64": [
+			{
+				"digest": "sha256:b111ef8bb5ca6b33f3696a666908d3a513c9fadb8b7888a70075175ed5373c20",
+				"mediaType": "application/vnd.oci.image.manifest.v1+json",
+				"platform": {
+					"architecture": "riscv64",
+					"os": "linux"
+				},
+				"size": 1054
+			}
+		],
+		"s390x": [
+			{
+				"digest": "sha256:adeba94bbc2d14d18c61dc6c2de3da77c747617734cce4250e9d73412791cdf2",
+				"mediaType": "application/vnd.oci.image.manifest.v1+json",
+				"platform": {
+					"architecture": "s390x",
+					"os": "linux"
+				},
+				"size": 1054
+			}
+		]
+	},
+	"desc": {
+		"digest": "sha256:990e55e71c16281ed72f00b0308980865dae03d598b2cb8316da023d80336543",
+		"mediaType": "application/vnd.oci.image.index.v1+json",
+		"size": 4654
+	},
+	"ref": "docker.io/moby/buildkit:buildx-stable-1@sha256:990e55e71c16281ed72f00b0308980865dae03d598b2cb8316da023d80336543"
+}
diff --git a/.external-pins/moby/buildkit___buildx-stable-1/manifest-sha256_1480724af5b483e841319c6ed9417c4d6ca6f8154f236f8081c18b9f5a420dfb-config.json b/.external-pins/moby/buildkit___buildx-stable-1/manifest-sha256_1480724af5b483e841319c6ed9417c4d6ca6f8154f236f8081c18b9f5a420dfb-config.json
new file mode 100644
index 0000000..832f864
--- /dev/null
+++ b/.external-pins/moby/buildkit___buildx-stable-1/manifest-sha256_1480724af5b483e841319c6ed9417c4d6ca6f8154f236f8081c18b9f5a420dfb-config.json
@@ -0,0 +1,65 @@
+{
+	"architecture": "amd64",
+	"config": {
+		"Entrypoint": [
+			"buildkitd"
+		],
+		"Env": [
+			"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+		],
+		"OnBuild": null,
+		"Volumes": {
+			"/var/lib/buildkit": {}
+		}
+	},
+	"created": "2023-03-06T15:36:48.502561066Z",
+	"history": [
+		{
+			"created": "2023-02-11T04:46:42.449083344Z",
+			"created_by": "/bin/sh -c #(nop) ADD file:40887ab7c06977737e63c215c9bd297c0c74de8d12d16ebdf1c3d40ac392f62d in / "
+		},
+		{
+			"created": "2023-02-11T04:46:42.558343068Z",
+			"created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]",
+			"empty_layer": true
+		},
+		{
+			"comment": "buildkit.dockerfile.v0",
+			"created": "2023-03-06T15:25:48.370320585Z",
+			"created_by": "RUN /bin/sh -c apk add --no-cache fuse3 git openssh pigz xz   && ln -s fusermount3 /usr/bin/fusermount # buildkit"
+		},
+		{
+			"comment": "buildkit.dockerfile.v0",
+			"created": "2022-12-13T23:35:40.916355992Z",
+			"created_by": "COPY examples/buildctl-daemonless/buildctl-daemonless.sh /usr/bin/ # buildkit"
+		},
+		{
+			"comment": "buildkit.dockerfile.v0",
+			"created": "2023-03-06T15:36:48.502561066Z",
+			"created_by": "VOLUME [/var/lib/buildkit]",
+			"empty_layer": true
+		},
+		{
+			"comment": "buildkit.dockerfile.v0",
+			"created": "2023-03-06T15:36:48.502561066Z",
+			"created_by": "COPY / /usr/bin/ # buildkit"
+		},
+		{
+			"comment": "buildkit.dockerfile.v0",
+			"created": "2023-03-06T15:36:48.502561066Z",
+			"created_by": "ENTRYPOINT [\"buildkitd\"]",
+			"empty_layer": true
+		}
+	],
+	"moby.buildkit.buildinfo.v1": "eyJmcm9udGVuZCI6ImdhdGV3YXkudjAiLCJzb3VyY2VzIjpbeyJ0eXBlIjoiZG9ja2VyLWltYWdlIiwicmVmIjoiZG9ja2VyLmlvL2RvY2tlci9idWlsZGtpdC1zeWZ0LXNjYW5uZXI6c3RhYmxlLTEiLCJwaW4iOiJzaGEyNTY6MzM5NzA5OGJkOGQzZjIyZDYyNmNjZWE4YzU1YmQxNTNkYzY5MzljMTQwODdkMDM2ODFmNDZlZjEwOTYwMjQxZCJ9LHsidHlwZSI6ImRvY2tlci1pbWFnZSIsInJlZiI6ImRvY2tlci5pby9kb2NrZXIvZG9ja2VyZmlsZS11cHN0cmVhbTptYXN0ZXIiLCJwaW4iOiJzaGEyNTY6Y2VmNGI1ZWZmZWU5ODY2ODRhNzc3ZmI4YjAzODFhNWE1OTcxODc2NWNkNGZhMjliMWVhZjk0MjdlOWFjMDBkZiJ9LHsidHlwZSI6ImRvY2tlci1pbWFnZSIsInJlZiI6ImRvY2tlci5pby9saWJyYXJ5L2FscGluZTozLjE3IiwicGluIjoic2hhMjU2OjY5NjY1ZDAyY2IzMjE5MmU1MmUwNzY0NGQ3NmJjNmYyNWFiZWI1NDEwZWRjMWM3YTgxYTEwYmEzZjBlZmI5MGEifSx7InR5cGUiOiJkb2NrZXItaW1hZ2UiLCJyZWYiOiJkb2NrZXIuaW8vbGlicmFyeS9hbHBpbmU6My4xNyIsInBpbiI6InNoYTI1Njo2OTY2NWQwMmNiMzIxOTJlNTJlMDc2NDRkNzZiYzZmMjVhYmViNTQxMGVkYzFjN2E4MWExMGJhM2YwZWZiOTBhIn0seyJ0eXBlIjoiZG9ja2VyLWltYWdlIiwicmVmIjoiZG9ja2VyLmlvL2xpYnJhcnkvYWxwaW5lOjMuMTciLCJwaW4iOiJzaGEyNTY6Njk2NjVkMDJjYjMyMTkyZTUyZTA3NjQ0ZDc2YmM2ZjI1YWJlYjU0MTBlZGMxYzdhODFhMTBiYTNmMGVmYjkwYSJ9LHsidHlwZSI6ImRvY2tlci1pbWFnZSIsInJlZiI6ImRvY2tlci5pby9saWJyYXJ5L2FscGluZTozLjE3IiwicGluIjoic2hhMjU2OjY5NjY1ZDAyY2IzMjE5MmU1MmUwNzY0NGQ3NmJjNmYyNWFiZWI1NDEwZWRjMWM3YTgxYTEwYmEzZjBlZmI5MGEifSx7InR5cGUiOiJkb2NrZXItaW1hZ2UiLCJyZWYiOiJkb2NrZXIuaW8vbGlicmFyeS9hbHBpbmU6My4xNyIsInBpbiI6InNoYTI1Njo2OTY2NWQwMmNiMzIxOTJlNTJlMDc2NDRkNzZiYzZmMjVhYmViNTQxMGVkYzFjN2E4MWExMGJhM2YwZWZiOTBhIn0seyJ0eXBlIjoiZG9ja2VyLWltYWdlIiwicmVmIjoiZG9ja2VyLmlvL2xpYnJhcnkvYWxwaW5lOmVkZ2VAc2hhMjU2OmMyMjNmODRlMDVjMjNjMDU3MWNlOGRlY2VmZWY4MTg4NjQ4NjkxODdlMWEzZWE0NzcxOTQxMmUyMDVjOGM2NGUiLCJwaW4iOiJzaGEyNTY6YzIyM2Y4NGUwNWMyM2MwNTcxY2U4ZGVjZWZlZjgxODg2NDg2OTE4N2UxYTNlYTQ3NzE5NDEyZTIwNWM4YzY0ZSJ9LHsidHlwZSI6ImRvY2tlci1pbWFnZSIsInJlZiI6ImRvY2tlci5pby9saWJyYXJ5L2dvbGFuZzoxLjE5LWFscGluZTMuMTciLCJwaW4iOiJzaGEyNTY6NjJhMmM4NDJlOWU1OWQ5ODg4M2NiN2IxMzA3MjY1MTgzZWU1ZmRlZGE2ZjRkMDYyNjBmNmJjNDBlYTcxMjg5MCJ9LHsidHlwZSI6ImRvY2tlci1pbWFnZSIsInJlZiI6ImRvY2tlci5pby90b25pc3RpaWdpL2JpbmZtdDpidWlsZGtpdC12Ny4xLjAtMzBAc2hhMjU2OjQ1ZGQ1N2I0YmEyZjI0ZTIzNTRmNzFmMWU0ZTUxZjA3M2NiN2EyOGZkODQ4Y2U2ZjVmMmE3NzAxMTQyYTZiZjAiLCJwaW4iOiJzaGEyNTY6NDVkZDU3YjRiYTJmMjRlMjM1NGY3MWYxZTRlNTFmMDczY2I3YTI4ZmQ4NDhjZTZmNWYyYTc3MDExNDJhNmJmMCJ9LHsidHlwZSI6ImRvY2tlci1pbWFnZSIsInJlZiI6ImRvY2tlci5pby90b25pc3RpaWdpL3h4OjEuMi4xIiwicGluIjoic2hhMjU2Ojg4NzlhMzk4ZGVkZjBhYWRhYWNmYmQzMzJiMjlmZjJmODRiYzM5YWU2ZDRlOWMwYTExMDlkYjI3YWM1YmEwMTIifSx7InR5cGUiOiJnaXQiLCJyZWYiOiJodHRwczovL2dpdGh1Yi5jb20vbW9ieS9idWlsZGtpdC5naXQjcmVmcy90YWdzL3YwLjExLjQiLCJwaW4iOiIzYWJkMWVmMGMxOTVjZGMwNzhkMTY1N2NiNTBmNjJhMmNkYzI2ZjhmIn1dfQ==",
+	"os": "linux",
+	"rootfs": {
+		"diff_ids": [
+			"sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39",
+			"sha256:3935e1a224f8711e4d4094db7d470886e3df0c9a0fdfd15679b4c1424ee4bf9f",
+			"sha256:95bebdc893c557a349f01fe7b3352825f3e5cb20d41d55e06e48167d9be66018",
+			"sha256:8093a3b80cae68abf00bf8b6b6040bce3bbc7c63f771669ba73cdbdc88b9f7d4"
+		],
+		"type": "layers"
+	}
+}
diff --git a/.external-pins/moby/buildkit___buildx-stable-1/manifest-sha256_1480724af5b483e841319c6ed9417c4d6ca6f8154f236f8081c18b9f5a420dfb.json b/.external-pins/moby/buildkit___buildx-stable-1/manifest-sha256_1480724af5b483e841319c6ed9417c4d6ca6f8154f236f8081c18b9f5a420dfb.json
new file mode 100644
index 0000000..731a87a
--- /dev/null
+++ b/.external-pins/moby/buildkit___buildx-stable-1/manifest-sha256_1480724af5b483e841319c6ed9417c4d6ca6f8154f236f8081c18b9f5a420dfb.json
@@ -0,0 +1,31 @@
+{
+	"config": {
+		"digest": "sha256:477ce8a5e273935690ace0bac46c60e65beffc634b34643ada3fd0a11ea44316",
+		"mediaType": "application/vnd.oci.image.config.v1+json",
+		"size": 4271
+	},
+	"layers": [
+		{
+			"digest": "sha256:63b65145d645c1250c391b2d16ebe53b3747c295ca8ba2fcb6b0cf064a4dc21c",
+			"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
+			"size": 3374446
+		},
+		{
+			"digest": "sha256:2fc379c7cd9129479855ff5884d67d5d6a8baa6b2f97ba403ad373e9a3d01ef8",
+			"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
+			"size": 7158148
+		},
+		{
+			"digest": "sha256:69fca8b08af324af67c263771b9117b8cd4e0720d2bf11d67c688d9eb9bfd9c5",
+			"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
+			"size": 947
+		},
+		{
+			"digest": "sha256:8fabcbd00648359bc2db5a93dd0808b9731489434cadca9de0f6d9f8fccc59cf",
+			"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
+			"size": 65799312
+		}
+	],
+	"mediaType": "application/vnd.oci.image.manifest.v1+json",
+	"schemaVersion": 2
+}

[tianon]

$ BASHBREW_ARCH=amd64 .bin/bashbrew-buildkit-env-setup.sh | jq 'to_entries | map((.key | @sh) + "=" + (.value | @sh)) | join("\n")' -r

note: 'buildx_buildkit_bashbrew-amd64' container already exists and is running the correct image ('moby/buildkit:buildx-stable-1@sha256:1480724af5b483e841319c6ed9417c4d6ca6f8154f236f8081c18b9f5a420dfb'); bailing instead of recreating the 'bashbrew-amd64' builder (to avoid unnecessary churn)

'BASHBREW_BUILDKIT_SYNTAX'='docker/dockerfile:1@sha256:966d40f9ba8366e74c2fa353fc0bc7bbc167d2a0f3ad2420db8b9e633049462d'
'BUILDX_BUILDER'='bashbrew-amd64'
'BASHBREW_BUILDKIT_SBOM_GENERATOR'='docker/buildkit-syft-scanner:stable-1@sha256:72014b8aeb9983fd1d686600a7a12ac282a5637cf5166504a11bb34d7b6acb8f'

We probably need to do something more defensive than just @sh on the left-hand-side, and I don't know if GitHub's $GITHUB_ENV file even supports quoting (they only document heredoc-style; https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#example-of-writing-an-environment-variable-to-github_env), but this is promising. 😄