Merge pull request #2 from crazy-max/gha

Update bake def and workflow to release image
docker · Nov 21, 2022 · 460ae1a · 460ae1a
2 parents 2ce714e + 113d479
commit 460ae1a
Show file tree

Hide file tree

Showing 6 changed files with 119 additions and 35 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -1,9 +1,19 @@
 name: ci
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 on:
   push:
     branches:
       - 'master'
+    tags:
+      - 'v*'
+  pull_request:
+
+env:
+  DOCKERHUB_SLUG: docker/buildkit-syft-scanner
 
 jobs:
   build:
@@ -12,6 +22,25 @@ jobs:
       -
         name: Checkout
         uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      -
+        name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: |
+            ${{ env.DOCKERHUB_SLUG }}
+          tags: |
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=ref,event=pr
+            type=edge
+          labels: |
+            org.opencontainers.image.title=BuildKit Syft scanner
+            org.opencontainers.image.description=SBOM generation for BuildKit images
+            org.opencontainers.image.vendor=Docker Inc.
       -
         name: Set up QEMU
         uses: docker/setup-qemu-action@v2
@@ -20,16 +49,18 @@ jobs:
         uses: docker/setup-buildx-action@v2
       -
         name: Login to DockerHub
+        if: github.event_name != 'pull_request'
         uses: docker/login-action@v2
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
       -
-        name: Build and push
-        uses: docker/build-push-action@v3
+        name: Build
+        uses: docker/bake-action@v2
         with:
-          push: true
-          tags: jedevc/buildkit-syft-scanner:latest
-          cache-to: type=inline
-          cache-from: type=registry,ref=jedevc/buildkit-syft-scanner:latest
-          platforms: linux/amd64
+          files: |
+            ./docker-bake.hcl
+            ${{ steps.meta.outputs.bake-file }}
+          targets: image
+          # TODO: enable push when hup repo created
+          #push: ${{ github.event_name != 'pull_request' }}
diff --git a/Dockerfile b/Dockerfile
@@ -1,24 +1,43 @@
 #syntax=docker/dockerfile:1
 
-FROM --platform=$BUILDPLATFORM tonistiigi/xx:1.1.2 AS xx
+ARG GO_VERSION="1.19"
+ARG ALPINE_VERSION="3.16"
+ARG XX_VERSION="1.1.2"
 
-FROM --platform=$BUILDPLATFORM golang:alpine as build-base
+FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
+
+FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine AS base
 COPY --link --from=xx / /
 ENV CGO_ENABLED=0
-
-FROM build-base as build
-ARG TARGETPLATFORM
+RUN apk add --no-cache file git
 WORKDIR /src
-RUN \
-  --mount=type=bind,target=. \
-  --mount=type=cache,target=/root/.cache <<EOF
+
+FROM base AS version
+ARG GIT_REF
+RUN --mount=target=. <<EOT
   set -e
+  case "$GIT_REF" in
+    refs/tags/v*) version="${GIT_REF#refs/tags/}" ;;
+    *) version=$(git describe --match 'v[0-9]*' --dirty='.m' --always --tags) ;;
+  esac
+  pkg=github.com/docker/buildkit-syft-scanner
+  echo "${version}" | tee /tmp/.version
+  echo "-extldflags -static -X ${pkg}/version.Version=${version} -X ${pkg}/version.SyftVersion=$(go list -mod=mod -u -m -f '{{.Version}}' 'github.com/anchore/syft')" | tee /tmp/.ldflags
+EOT
 
-  PKG=github.com/docker/buildkit-syft-scanner
-  echo "-X ${PKG}/internal.SyftVersion=$(go list -mod=mod -u -m -f '{{.Version}}' 'github.com/anchore/syft')" | tee /tmp/.ldflags
-  xx-go build -ldflags "$(cat /tmp/.ldflags) -extldflags -static" -o /usr/local/bin/syft-scanner ./cmd/syft-scanner
+FROM base as build
+RUN --mount=type=bind,target=. \
+    --mount=type=cache,target=/go/pkg/mod \
+    go mod download
+ARG TARGETPLATFORM
+RUN --mount=type=bind,target=. \
+    --mount=type=bind,from=version,source=/tmp/.ldflags,target=/tmp/.ldflags \
+    --mount=type=cache,target=/go/pkg/mod \
+    --mount=type=cache,target=/root/.cache <<EOT
+  set -e
+  xx-go build -trimpath -ldflags "$(cat /tmp/.ldflags)" -o /usr/local/bin/syft-scanner ./cmd/syft-scanner
   xx-verify --static /usr/local/bin/syft-scanner
-EOF
+EOT
 
 FROM scratch
 COPY --from=build /usr/local/bin/syft-scanner /bin/syft-scanner

diff --git a/cmd/syft-scanner/main.go b/cmd/syft-scanner/main.go
@@ -5,17 +5,21 @@ import (
 	"os"
 
 	"github.com/anchore/go-logger"
-	"github.com/anchore/go-logger/adapter/logrus"
+	alogrus "github.com/anchore/go-logger/adapter/logrus"
 	"github.com/anchore/stereoscope"
 	"github.com/anchore/syft/syft"
 	"github.com/docker/buildkit-syft-scanner/internal"
+	"github.com/docker/buildkit-syft-scanner/version"
+	"github.com/sirupsen/logrus"
 )
 
 func main() {
 	if err := enableLogs(); err != nil {
 		panic(fmt.Sprintf("unable to initialize logger: %+v", err))
 	}
 
+	logrus.Infof("starting syft scanner for buildkit %s", version.Version)
+
 	scanner, err := internal.NewScannerFromEnvironment()
 	if err != nil {
 		panic(err)
@@ -35,11 +39,11 @@ func enableLogs() error {
 		level = "warn"
 	}
 
-	cfg := logrus.Config{
+	cfg := alogrus.Config{
 		EnableConsole: true,
 		Level:         logger.Level(level),
 	}
-	logWrapper, err := logrus.New(cfg)
+	logWrapper, err := alogrus.New(cfg)
 	if err != nil {
 		return err
 	}

diff --git a/docker-bake.hcl b/docker-bake.hcl
@@ -1,11 +1,37 @@
-group "default" {
-    targets = ["buildkit-syft-scanner"]
+variable "GO_VERSION" {
+  default = "1.19"
+}
+
+# GITHUB_REF is the actual ref that triggers the workflow and used as version
+# when tag is pushed: https://docs.github.com/en/actions/learn-github-actions/environment-variables#default-environment-variables
+variable "GITHUB_REF" {
+  default = ""
+}
+
+target "_common" {
+  args = {
+    GO_VERSION = GO_VERSION
+    GIT_REF = GITHUB_REF
+  }
 }
 
-target "buildkit-syft-scanner" {
-    context = "."
-    dockerfile = "Dockerfile"
+# Special target: https://github.com/docker/metadata-action#bake-definition
+target "docker-metadata-action" {
+  tags = ["buildkit-syft-scanner:local"]
+}
 
-    tags = ["jedevc/buildkit-syft-scanner:latest"]
-    platforms = ["linux/amd64"]
-}
+group "default" {
+  targets = ["image"]
+}
+
+target "image" {
+  inherits = ["_common", "docker-metadata-action"]
+  platforms = [
+    "linux/amd64",
+    "linux/arm/v7",
+    "linux/arm64",
+    "linux/ppc64le",
+    "linux/riscv64",
+    "linux/s390x"
+  ]
+}
diff --git a/internal/target.go b/internal/target.go
@@ -8,6 +8,7 @@ import (
 	"github.com/anchore/syft/syft/pkg/cataloger"
 	"github.com/anchore/syft/syft/sbom"
 	"github.com/anchore/syft/syft/source"
+	"github.com/docker/buildkit-syft-scanner/version"
 )
 
 type Target struct {
@@ -37,7 +38,7 @@ func (t Target) Scan() (sbom.SBOM, error) {
 		Source: src.Metadata,
 		Descriptor: sbom.Descriptor{
 			Name:    "syft",
-			Version: SyftVersion,
+			Version: version.SyftVersion,
 		},
 	}
 
@@ -52,7 +53,3 @@ func (t Target) Scan() (sbom.SBOM, error) {
 
 	return result, nil
 }
-
-var (
-	SyftVersion = "[not provided]"
-)
diff --git a/version/version.go b/version/version.go
@@ -0,0 +1,7 @@
+package version
+
+var (
+	Package     = "github.com/docker/buildkit-syft-scanner"
+	Version     = "v0.0.0+unknown"
+	SyftVersion = "[not provided]"
+)