Add git provenance labels

[cdupuis]

As discussed in #1290, this PR adds opt-in labels for Git provenance.

The following labels will be added when BUILDX_GIT_LABELS=full is set:

      "Labels": {
        "com.docker.image.source.entrypoint": "Dockerfile",
        "org.opencontainers.image.revision": "5734329c6af43c2ae295010778cd308866b95d9b",
        "org.opencontainers.image.source": "git@github.com:atomisthq/kipz-docker-test.git"
      }

With only BUILDX_GIT_LABELS =1 the repository label will not be included:

      "Labels": {
        "com.docker.image.source.entrypoint": "Dockerfile",
        "org.opencontainers.image.revision": "5734329c6af43c2ae295010778cd308866b95d9b"
      }

If the cloned source is not clean, the revision label value will get a -dirty suffix:

      "Labels": {
        "com.docker.image.source.entrypoint": "Dockerfile",
        "org.opencontainers.image.revision": "5734329c6af43c2ae295010778cd308866b95d9b-dirty"
      }

fixes #1290

[tianon]

There should probably be another annotation for the context directory path, right?

(I am not a maintainer! Just an observation ❤️)

[AkihiroSuda]

There should probably be another annotation for the context directory path, right?

Could you elaborate "annotation for the context directory path"?

[cdupuis]

Sorry @tianon, somehow I missed your comment. Apologies for the late response.

There should probably be another annotation for the context directory path, right?

We are resolving the Dockerfile path against the root of the Git repository.

Meaning if you build with docker buildx build somepath -f Dockerfile -t some:tag then we would record somepath/Dockerfile if the current working directory is the root of Git repository.

Is that enough for what you had in mind?

[tianon]

I mean something like docker build -f dir1/Dockerfile dir2 (where both dir1/Dockerfile and dir2 are relevant bits of information, and both are required to figure out how the build happened).

Alternatively, something like docker build -f ../foo/Dockerfile . or docker build -f docker/Dockerfile . (which is probably a more common case) -- basically any instance where the Dockerfile does not sit at the root of the build context.

[cdupuis]

@tianon, we are currently not storing the context path. So far this wasn't really needed for any of our use cases; we aren't trying to store all args etc to recreate the build command. It would be interesting to understand if you had a use case in mind for this?

I mean something like docker build -f dir1/Dockerfile dir2 (where both dir1/Dockerfile and dir2 are relevant bits of information, and both are required to figure out how the build happened).

In this case we would store dir1/Dockerfile in the com.docker.image.dockerfile.path label, given current working directory is the root of the Git repository.

Alternatively, something like docker build -f ../foo/Dockerfile . or docker build -f docker/Dockerfile . (which is probably a more common case) -- basically any instance where the Dockerfile does not sit at the root of the build context.

We would store foo/Dockerfile or docker/Dockerfile in the com.docker.image.dockerfile.path label, given . is also the root of the Git repository.

[tianon]

The best I can come up with are use cases similar to wanting the Dockerfile path - imagine COPY foo.sh /... being able to link directly back to (the correct) foo.sh 😅

(I don't feel strongly about this, that's just the only thing I noticed while looking at the annotations 👍)

[tonistiigi]

Should buildx bake commands also pick up these labels? In that case the code should be moved to the build pkg from commands(or a shared package that can be called from commands/build and bake pkg). And an additional test added to bake/bake_test that checks that target picks up these labels.

[tonistiigi]

I think you missed #1297 (review) comment

[cdupuis]

Should buildx bake commands also pick up these labels? In that case the code should be moved to the build pkg from commands(or a shared package that can be called from commands/build and bake pkg). And an additional test added to bake/bake_test that checks that target picks up these labels.

@tonistiigi does this need to happen? In this PR or can this come after? If so, could you give some pointers?

[jedevc]

@cdupuis yup it should happen ideally - we want to avoid bake and buildx producing different results.

My recommendation for how to split it up:

• Add the git helpers to build/git.go, and the tests to build/git_test.go
• Call addGitProvenance from BuildWithResultHandler and modify all the opts structures in the opts map[string]BuildOpts with the correct labels, using the BuildOpts.Inputs

The code should pretty much stay the same, though the additional test in bake_test.go with an e2e test would be super useful (happy to take a look at that if you let me know).

[cdupuis]

Thanks @jedevc. I've made those changes. Let me know what you think.

[jedevc]

LGTM.

@tonistiigi I'm not sure how we'd do a test here, since the existing tests test for ReadTargets - we don't actually have an easy way to check the opts sent to the builder, either in BuildWithResultHandler or in bake and commands/build - we don't have any tests for that at all anywhere in buildx. Loading them in ReadTargets definitely doesn't feel right, since then the LABELs would appear in the --print results. I'd be happy to merge without the test for now (we could revisit later).

[tonistiigi]

Loading them in ReadTargets definitely doesn't feel right, since then the LABELs would appear in the --print results.

Why isn't it correct to show these in --print results? That should show the configuration of the build that is sent to the daemon, doesn't matter if it is loaded from files, --set or from environment variables.

[tonistiigi]

I think the bake part is wrong and should be handed in ReadTargets so users see what config bake produces. If these labels are already set by the config itself, then the environment variables do not override them. I'm fine with merging the current implementation and creating follow-up PR for the bake refactor and test.

[cdupuis]

I think the bake part is wrong and should be handed in ReadTargets so users see what config bake produces. If these labels are already set by the config itself, then the environment variables do not override them. I'm fine with merging the current implementation and creating follow-up PR for the bake refactor and test.

@tonistiigi, I'm happy to work on this in a subsequent PR.