build: set provenance vcs details

Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
docker · Dec 13, 2022 · bf65414 · bf65414
1 parent 5f4d463
commit bf65414
Show file tree

Hide file tree

Showing 9 changed files with 484 additions and 236 deletions.
diff --git a/build/build.go b/build/build.go
@@ -595,6 +595,41 @@ func toSolveOpt(ctx context.Context, node builder.Node, multiDriver bool, opt Op
 		so.FrontendAttrs["attest:provenance"] = "mode=min,inline-only=true"
 	}
 
+	var prvmode string
+	if v, ok := opt.Attests["attest:provenance"]; ok {
+		if prvmode, err = getProvenanceMode(*v); err != nil {
+			return nil, nil, err
+		}
+	}
+	gitlabels := os.Getenv("BUILDX_GIT_LABELS")
+	if prvmode == "max" || gitlabels == "1" || gitlabels == "full" {
+		if prvdetails, err := getProvenanceDetails(ctx, opt.Inputs.ContextPath, opt.Inputs.DockerfilePath, prvmode == "max" || gitlabels == "full"); err != nil {
+			return nil, nil, err
+		} else if prvdetails != nil {
+			if prvdetails.Source != "" {
+				if gitlabels != "" {
+					so.FrontendAttrs["label:"+specs.AnnotationSource] = prvdetails.Source
+				}
+				if prvmode == "max" {
+					so.FrontendAttrs["vcs:source"] = prvdetails.Source
+				}
+			}
+			if prvdetails.Revision != "" {
+				if gitlabels != "" {
+					so.FrontendAttrs["label:"+specs.AnnotationRevision] = prvdetails.Revision
+				}
+				if prvmode == "max" {
+					so.FrontendAttrs["vcs:revision"] = prvdetails.Revision
+				}
+			}
+			if prvdetails.DockerfilePath != "" {
+				if gitlabels != "" {
+					so.FrontendAttrs["label:"+DockerfileLabel] = prvdetails.DockerfilePath
+				}
+			}
+		}
+	}
+
 	// set platforms
 	if len(opt.Platforms) != 0 {
 		pp := make([]string, len(opt.Platforms))
@@ -846,21 +881,6 @@ func BuildWithResultHandler(ctx context.Context, nodes []builder.Node, opt map[s
 
 	eg, ctx := errgroup.WithContext(ctx)
 
-	for _, opt := range opt {
-		gitLabels, err := addGitProvenance(ctx, opt.Inputs.ContextPath, opt.Inputs.DockerfilePath)
-		if err != nil {
-			return nil, err
-		}
-		for n, v := range gitLabels {
-			if _, ok := opt.Labels[n]; !ok {
-				if opt.Labels == nil {
-					opt.Labels = map[string]string{}
-				}
-				opt.Labels[n] = v
-			}
-		}
-	}
-
 	for k, opt := range opt {
 		multiDriver := len(m[k]) > 1
 		hasMobyDriver := false

diff --git a/build/git.go b/build/git.go
diff --git a/build/git_test.go b/build/git_test.go
diff --git a/build/provenance.go b/build/provenance.go
@@ -0,0 +1,83 @@
+package build
+
+import (
+	"context"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/docker/buildx/util/gitutil"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+const DockerfileLabel = "com.docker.image.source.entrypoint"
+
+type provenanceDetails struct {
+	Source         string
+	Revision       string
+	DockerfilePath string
+}
+
+func getProvenanceDetails(ctx context.Context, contextPath string, dockerfilePath string, full bool) (*provenanceDetails, error) {
+	if contextPath == "" {
+		return nil, nil
+	}
+
+	// figure out in which directory the git command needs to run in
+	var wd string
+	if filepath.IsAbs(contextPath) {
+		wd = contextPath
+	} else {
+		cwd, _ := os.Getwd()
+		wd, _ = filepath.Abs(filepath.Join(cwd, contextPath))
+	}
+
+	gitc, _ := gitutil.New(gitutil.WithContext(ctx), gitutil.WithWorkingDir(wd))
+	if !gitc.IsInsideWorkTree() {
+		logrus.Warnf("Unable to determine Git information")
+		return nil, nil
+	}
+
+	sha, err := gitc.FullCommit()
+	if err != nil {
+		return nil, errors.Wrap(err, "error obtaining git head")
+	}
+	if gitc.IsDirty() {
+		sha += "-dirty"
+	}
+
+	prvdetails := &provenanceDetails{
+		Revision: sha,
+	}
+
+	// add a remote url if full Git details are requested; if there aren't any remotes don't fail
+	if full {
+		if rurl, err := gitc.RemoteURL(); err == nil && rurl != "" {
+			prvdetails.Source = rurl
+		}
+	}
+
+	// add Dockerfile path; there is no org.opencontainers annotation for this
+	if dockerfilePath == "" {
+		dockerfilePath = filepath.Join(wd, "Dockerfile")
+	}
+
+	// obtain Git root directory
+	root, err := gitc.RootDir()
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to get git root")
+	}
+
+	// record only Dockerfile paths that are within the Git root
+	if !filepath.IsAbs(dockerfilePath) {
+		cwd, _ := os.Getwd()
+		dockerfilePath = filepath.Join(cwd, dockerfilePath)
+	}
+	dockerfilePath, _ = filepath.Rel(root, dockerfilePath)
+	if !strings.HasPrefix(dockerfilePath, "..") {
+		prvdetails.DockerfilePath = dockerfilePath
+	}
+
+	return prvdetails, nil
+}