buildkit #8
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
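# NOTE(review): the rendered file view flagged this file as containing hidden or
# bidirectional Unicode text. Before merging, open it in an editor that reveals
# such characters (or run a linter that rejects them) so that nothing invisible
# changes how the workflow reads.
name: buildkit

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# default token scope for every job; jobs that need more declare it explicitly
permissions:
  contents: read

on:
  schedule:
    - cron: '0 10 * * *'
  workflow_dispatch:
  push:
    branches:
      - 'master'
      - 'v[0-9]+.[0-9]+'
    tags:
      - 'v*'
  pull_request:
    paths-ignore:
      - 'README.md'
      - 'docs/**'
      - 'frontend/dockerfile/docs/**'

env:
  GO_VERSION: "1.26"
  SETUP_BUILDX_VERSION: "edge"
  SETUP_BUILDKIT_IMAGE: "moby/buildkit:latest"
  SCOUT_VERSION: "1.20.2"
  IMAGE_NAME: "moby/buildkit"
  DESTDIR: "./bin"

jobs:
  prepare:
    runs-on: ubuntu-24.04
    outputs:
      # NOTE(review): no job in this file reads this output; keep or drop deliberately
      binaries-platforms: ${{ steps.platforms.outputs.matrix }}
    steps:
      -
        name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Platforms matrix
        id: platforms
        uses: docker/bake-action/subaction/matrix@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
        with:
          target: release
          fields: platforms

  binaries:
    uses: docker/github-builder/.github/workflows/bake.yml@70313223e2665c3211b454b3fea6534624e78d64 # v1.4.0
    permissions:
      contents: read # same as global permission
      id-token: write # for signing attestation(s) with GitHub OIDC Token
    with:
      runner: amd64
      setup-qemu: true
      artifact-name: buildkit-binaries
      artifact-upload: true
      cache: true
      cache-scope: binaries
      target: release
      output: local
      sbom: true
      # pull requests are built but their artifacts are not signed
      sign: ${{ github.event_name != 'pull_request' }}

  binaries-finalize:
    runs-on: ubuntu-24.04
    needs:
      - binaries
    steps:
      -
        name: Download artifacts
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          path: /tmp/buildx-output
          name: ${{ needs.binaries.outputs.artifact-name }}
      -
        name: Rename provenance and sbom
        run: |
          # give each platform's provenance / sbom / signature bundle the name of
          # the binary archive it describes, then flatten everything into DESTDIR
          for pdir in /tmp/buildx-output/*/; do
            (
              cd "$pdir"
              binname=$(find . -name 'buildkit-*')
              filename=$(basename "$binname" | sed -E 's/\.(tar\.gz|zip)$//')
              mv "provenance.json" "${filename}.provenance.json"
              mv "sbom-binaries.spdx.json" "${filename}.sbom.json"
              find . -name 'sbom*.json' -exec rm {} \;
              if [ -f "provenance.sigstore.json" ]; then
                mv "provenance.sigstore.json" "${filename}.sigstore.json"
              fi
            )
          done
          mkdir -p "${{ env.DESTDIR }}"
          mv /tmp/buildx-output/**/* "${{ env.DESTDIR }}/"
      -
        name: List artifacts
        working-directory: ${{ env.DESTDIR }}
        run: |
          tree -nh .
      -
        name: Upload release binaries
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: buildkit-release
          path: ${{ env.DESTDIR }}/*
          if-no-files-found: error

  test:
    uses: ./.github/workflows/.test.yml
    needs:
      - binaries
    with:
      cache_scope: build-integration-tests
      pkgs: ./client ./cmd/buildctl ./worker/containerd ./solver ./frontend
      kinds: integration
      codecov_flags: core
      includes: |
        - pkg: ./...
          skip-integration-tests: 1
          typ: integration gateway
        - pkg: ./client
          worker: containerd
          tags: nydus
          typ: integration
        - pkg: ./client
          worker: oci
          tags: nydus
          typ: integration
        - pkg: ./...
          tags: nydus
          skip-integration-tests: 1
          typ: integration
        - pkg: ./cache/remotecache/gha
          worker: oci
          typ: integration
    secrets:
      codecov_token: ${{ secrets.CODECOV_TOKEN }}

  govulncheck:
    runs-on: ubuntu-24.04
    permissions:
      contents: read # same as global permission
      security-events: write # required to write sarif report
    steps:
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
        with:
          version: ${{ env.SETUP_BUILDX_VERSION }}
          driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
          buildkitd-flags: --debug
      -
        name: Run
        uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
        with:
          targets: govulncheck
        env:
          GOVULNCHECK_FORMAT: sarif
      -
        name: Upload SARIF report
        # only the upstream master branch feeds the code-scanning dashboard
        if: ${{ github.ref == 'refs/heads/master' && github.repository == 'moby/buildkit' }}
        uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
        with:
          sarif_file: ${{ env.DESTDIR }}/govulncheck.out

  image-prepare:
    runs-on: ubuntu-24.04
    outputs:
      includes: ${{ steps.set.outputs.includes }}
    steps:
      -
        name: Set outputs
        id: set
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        # values reach the script through INPUT_* env vars and core.getInput(),
        # not by interpolating ${{ }} into the script text
        env:
          INPUT_DEFAULT-BASE: alpine
          INPUT_REF: ${{ github.ref }}
          INPUT_IMAGE-NAME: ${{ env.IMAGE_NAME }}
        with:
          script: |
            const defaultBase = core.getInput('default-base');
            const ref = core.getInput('ref');
            const imageName = core.getInput('image-name');
            function getTagSuffixAndLatest(base, target) {
              let tagSuffix = '';
              if (target) {
                tagSuffix += `-${target}`;
              }
              if (base && base !== defaultBase) {
                tagSuffix += `-${base}`;
              }
              let tagLatest = '';
              if (ref && ref.startsWith('refs/tags/v')) {
                const version = ref.replace('refs/tags/', '');
                if (/^v[0-9]+\.[0-9]+\.[0-9]+$/.test(version)) {
                  tagLatest = target ? target : 'latest';
                  if (base && base !== defaultBase) {
                    tagLatest += `-${base}`;
                  }
                }
              }
              return { tagSuffix, tagLatest };
            }
            const matrix = [
              { base: 'alpine' },
              { base: 'alpine', target: 'rootless'},
              { base: 'ubuntu', buildTags: 'nvidia venus' }
            ]
            for (const entry of matrix) {
              const { tagSuffix, tagLatest } = getTagSuffixAndLatest(entry.base, entry.target);
              entry.imageName = imageName;
              entry.tagSuffix = tagSuffix;
              entry.tagLatest = tagLatest;
            }
            core.info(JSON.stringify(matrix, null, 2));
            core.setOutput('includes', JSON.stringify(matrix));

  image:
    uses: docker/github-builder/.github/workflows/bake.yml@70313223e2665c3211b454b3fea6534624e78d64 # v1.4.0
    needs:
      - image-prepare
      - test
    strategy:
      fail-fast: false
      matrix:
        include: ${{ fromJson(needs.image-prepare.outputs.includes) }}
    permissions:
      contents: read # same as global permission
      id-token: write # for signing attestation(s) with GitHub OIDC Token
    with:
      runner: amd64
      setup-qemu: true
      target: image-cross
      cache: true
      cache-scope: image
      output: image
      # images are only pushed from the upstream repository on schedule, master or v* tags
      push: ${{ github.repository == 'moby/buildkit' && (github.event_name == 'schedule' || github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/v')) }}
      sbom: true
      vars: |
        IMAGE_TARGET=${{ matrix.target }}
        EXPORT_BASE=${{ matrix.base }}
        BUILDKITD_TAGS=${{ matrix.buildTags }}
      set-meta-annotations: true
      meta-images: |
        ${{ matrix.imageName }}
      # versioning strategy
      ## push semver tag v0.24.0
      ### moby/buildkit:v0.24.0
      ### moby/buildkit:latest
      ### moby/buildkit:v0.24.0-rootless
      ### moby/buildkit:rootless
      ### moby/buildkit:v0.24.0-ubuntu
      ### moby/buildkit:latest-ubuntu
      ## push semver prerelease tag v0.24.0-rc1
      ### moby/buildkit:v0.24.0-rc1
      ### moby/buildkit:v0.24.0-rc1-rootless
      ### moby/buildkit:v0.24.0-rc1-ubuntu
      ## push on master
      ### moby/buildkit:master
      ### moby/buildkit:master-rootless
      ### moby/buildkit:master-ubuntu
      ## scheduled event on master
      ### moby/buildkit:nightly
      ### moby/buildkit:nightly-rootless
      ### moby/buildkit:nightly-ubuntu
      meta-tags: |
        type=schedule,pattern=nightly,suffix=${{ matrix.tagSuffix }}
        type=ref,event=branch,suffix=${{ matrix.tagSuffix }}
        type=ref,event=pr,suffix=${{ matrix.tagSuffix }}
        type=semver,pattern={{raw}},suffix=${{ matrix.tagSuffix }}
        type=raw,value=${{ matrix.tagLatest }}
      meta-flavor: |
        latest=false
      meta-annotations: |
        org.opencontainers.image.title=BuildKit
        org.opencontainers.image.vendor=Moby
      meta-bake-target: meta-helper
    secrets:
      # registry credentials are handed to the reusable workflow on every event;
      # whether anything is pushed is decided by the push: input above
      registry-auths: |
        - registry: docker.io
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

  scout:
    runs-on: ubuntu-24.04
    if: ${{ github.ref == 'refs/heads/master' && github.repository == 'moby/buildkit' }}
    permissions:
      # same as global permission
      contents: read
      # required to write sarif report
      security-events: write
    needs:
      - image
    strategy:
      fail-fast: false
      matrix:
        tag:
          - master
          - master-rootless
    steps:
      -
        name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Login to DockerHub
        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      -
        name: Scout
        id: scout
        uses: crazy-max/.github/.github/actions/docker-scout@bb328ea508cd6a89d0865555ddbeb148e5724aed # v1.3.0
        with:
          version: ${{ env.SCOUT_VERSION }}
          format: sarif
          image: registry://${{ env.IMAGE_NAME }}:${{ matrix.tag }}
      -
        name: Result output
        # pass the step output through the environment instead of interpolating
        # it into the shell line, so the path is never re-parsed by the shell
        env:
          RESULT_FILE: ${{ steps.scout.outputs.result-file }}
        run: |
          jq . "$RESULT_FILE"
      -
        name: Upload SARIF report
        uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
        with:
          sarif_file: ${{ steps.scout.outputs.result-file }}

  release:
    runs-on: ubuntu-24.04
    permissions:
      # required to create GitHub release
      contents: write
    needs:
      - test
      - binaries-finalize
      - image
    steps:
      -
        name: Download release binaries
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          path: ${{ env.DESTDIR }}
          name: buildkit-release
      -
        name: GitHub Release
        # only v* tag pushes create a (draft) release; other events stop after the download
        if: startsWith(github.ref, 'refs/tags/v')
        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          draft: true
          files: ${{ env.DESTDIR }}/*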