build: set provenance vcs details

Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>

build/build.go

@@ -595,6 +595,10 @@ func toSolveOpt(ctx context.Context, node builder.Node, multiDriver bool, opt Op
 		so.FrontendAttrs["attest:provenance"] = "mode=min,inline-only=true"
 	}
 
+	for k, v := range getGitAttributes(ctx, opt.Inputs.ContextPath, opt.Inputs.DockerfilePath) {
+		so.FrontendAttrs[k] = v
+	}
+
 	// set platforms
 	if len(opt.Platforms) != 0 {
 		pp := make([]string, len(opt.Platforms))
@@ -846,21 +850,6 @@ func BuildWithResultHandler(ctx context.Context, nodes []builder.Node, opt map[s
 
 	eg, ctx := errgroup.WithContext(ctx)
 
-	for _, opt := range opt {
-		gitLabels, err := addGitProvenance(ctx, opt.Inputs.ContextPath, opt.Inputs.DockerfilePath)
-		if err != nil {
-			return nil, err
-		}
-		for n, v := range gitLabels {
-			if _, ok := opt.Labels[n]; !ok {
-				if opt.Labels == nil {
-					opt.Labels = map[string]string{}
-				}
-				opt.Labels[n] = v
-			}
-		}
-	}
-
 	for k, opt := range opt {
 		multiDriver := len(m[k]) > 1
 		hasMobyDriver := false

build/git.go

@@ -3,23 +3,41 @@ package build
 import (
 	"context"
 	"os"
-	"os/exec"
 	"path/filepath"
+	"strconv"
 	"strings"
 
-	ocispecs "github.com/opencontainers/image-spec/specs-go/v1"
-	"github.com/pkg/errors"
+	"github.com/docker/buildx/util/gitutil"
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/sirupsen/logrus"
 )
 
 const DockerfileLabel = "com.docker.image.source.entrypoint"
 
-func addGitProvenance(ctx context.Context, contextPath string, dockerfilePath string) (map[string]string, error) {
-	v := os.Getenv("BUILDX_GIT_LABELS")
-	if (v != "1" && v != "full") || contextPath == "" {
-		return nil, nil
+func getGitAttributes(ctx context.Context, contextPath string, dockerfilePath string) (res map[string]string) {
+	res = make(map[string]string)
+	if contextPath == "" {
+		return
+	}
+
+	setGitLabels := false
+	if v, ok := os.LookupEnv("BUILDX_GIT_LABELS"); ok {
+		if v == "full" { // backward compatibility with old "full" mode
+			setGitLabels = true
+		} else if v, _ := strconv.ParseBool(v); v {
+			setGitLabels = v
+		}
+	}
+	setGitInfo := true
+	if v, ok := os.LookupEnv("BUILDX_GIT_INFO"); ok {
+		if v, _ := strconv.ParseBool(v); v {
+			setGitInfo = v
+		}
+	}
+
+	if !setGitLabels && !setGitInfo {
+		return
 	}
-	labels := make(map[string]string, 0)
 
 	// figure out in which directory the git command needs to run in
 	var wd string
@@ -30,69 +48,62 @@ func addGitProvenance(ctx context.Context, contextPath string, dockerfilePath st
 		wd, _ = filepath.Abs(filepath.Join(cwd, contextPath))
 	}
 
-	// check if inside git working tree
-	cmd := exec.CommandContext(ctx, "git", "rev-parse", "--is-inside-work-tree")
-	cmd.Dir = wd
-	err := cmd.Run()
-	if err != nil {
+	gitc := gitutil.New(gitutil.WithContext(ctx), gitutil.WithWorkingDir(wd))
+	if !gitc.IsInsideWorkTree() {
 		logrus.Warnf("Unable to determine Git information")
-		return nil, nil
+		return
 	}
 
-	// obtain Git sha of current HEAD
-	cmd = exec.CommandContext(ctx, "git", "rev-parse", "HEAD")
-	cmd.Dir = wd
-	out, err := cmd.Output()
-	if err != nil {
-		return nil, errors.Wrap(err, "error obtaining git head")
-	}
-	sha := strings.TrimSpace(string(out))
+	var resRevision, resSource, resDockerfilePath string
 
-	// check if the current HEAD is clean
-	cmd = exec.CommandContext(ctx, "git", "status", "--porcelain", "--ignored")
-	cmd.Dir = wd
-	out, err = cmd.Output()
-	if err != nil {
-		return nil, errors.Wrap(err, "error obtaining git status")
-	}
-	if len(strings.TrimSpace(string(out))) != 0 {
-		sha += "-dirty"
-	}
-	labels[ocispecs.AnnotationRevision] = sha
-
-	// add a remote url if full Git details are requested; if there aren't any remotes don't fail
-	if v == "full" {
-		cmd = exec.CommandContext(ctx, "git", "ls-remote", "--get-url")
-		cmd.Dir = wd
-		out, _ := cmd.Output()
-		if len(out) > 0 {
-			labels[ocispecs.AnnotationSource] = strings.TrimSpace(string(out))
+	if sha, err := gitc.FullCommit(); err == nil && sha != "" {
+		resRevision = sha
+		if gitc.IsDirty() {
+			resRevision += "-dirty"
 		}
 	}
 
-	// add Dockerfile path; there is no org.opencontainers annotation for this
-	if dockerfilePath == "" {
-		dockerfilePath = filepath.Join(wd, "Dockerfile")
+	if rurl, err := gitc.RemoteURL(); err == nil && rurl != "" {
+		resSource = rurl
 	}
 
-	// obtain Git root directory
-	cmd = exec.CommandContext(ctx, "git", "rev-parse", "--show-toplevel")
-	cmd.Dir = wd
-	out, err = cmd.Output()
-	if err != nil {
-		return nil, errors.Wrap(err, "failed to get git root")
-	}
-	root := strings.TrimSpace(string(out))
-
-	// record only Dockerfile paths that are within the Git root
-	if !filepath.IsAbs(dockerfilePath) {
-		cwd, _ := os.Getwd()
-		dockerfilePath = filepath.Join(cwd, dockerfilePath)
-	}
-	dockerfilePath, _ = filepath.Rel(root, dockerfilePath)
-	if !strings.HasPrefix(dockerfilePath, "..") {
-		labels[DockerfileLabel] = dockerfilePath
+	if setGitLabels {
+		if root, err := gitc.RootDir(); err == nil && root != "" {
+			if dockerfilePath == "" {
+				dockerfilePath = filepath.Join(wd, "Dockerfile")
+			}
+			if !filepath.IsAbs(dockerfilePath) {
+				cwd, _ := os.Getwd()
+				dockerfilePath = filepath.Join(cwd, dockerfilePath)
+			}
+			dockerfilePath, _ = filepath.Rel(root, dockerfilePath)
+			if !strings.HasPrefix(dockerfilePath, "..") {
+				resDockerfilePath = dockerfilePath
+			}
+		}
 	}
 
-	return labels, nil
+	if resSource != "" {
+		if setGitLabels {
+			res["label:"+specs.AnnotationSource] = resSource
+		}
+		if setGitInfo {
+			res["vcs:source"] = resSource
+		}
+	}
+	if resRevision != "" {
+		if setGitLabels {
+			res["label:"+specs.AnnotationRevision] = resRevision
+		}
+		if setGitInfo {
+			res["vcs:revision"] = resRevision
+		}
+	}
+	if resDockerfilePath != "" {
+		if setGitLabels {
+			res["label:"+DockerfileLabel] = resDockerfilePath
+		}
+	}
+
+	return
 }

build/git_test.go

@@ -2,122 +2,131 @@ package build
 
 import (
 	"context"
-	"fmt"
 	"os"
-	"os/exec"
 	"path/filepath"
-	"runtime"
 	"strings"
 	"testing"
 
-	ocispecs "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/docker/buildx/util/gitutil"
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/stretchr/testify/assert"
 )
 
-var repoDir string
-
-func setupTest(tb testing.TB) func(tb testing.TB) {
-	repoDir = tb.TempDir()
-	// required for local testing on mac to avoid strange /private symlinks
-	if runtime.GOOS == "darwin" {
-		repoDir, _ = filepath.EvalSymlinks(repoDir)
-	}
-	cmd := exec.Command("git", "init")
-	cmd.Dir = repoDir
-	err := cmd.Run()
-	assert.Nilf(tb, err, "failed to init git repo: %v", err)
-
+func setupTest(tb testing.TB) {
+	gitutil.Mktmp(tb)
+	gitutil.GitInit(tb)
 	df := []byte("FROM alpine:latest\n")
-	err = os.WriteFile(filepath.Join(repoDir, "Dockerfile"), df, 0644)
-	assert.Nilf(tb, err, "failed to write file: %v", err)
+	assert.NoError(tb, os.WriteFile("Dockerfile", df, 0644))
+	gitutil.GitAdd(tb, "Dockerfile")
+	gitutil.GitCommit(tb, "initial commit")
+}
 
-	cmd = exec.Command("git", "add", "Dockerfile")
-	cmd.Dir = repoDir
-	err = cmd.Run()
-	assert.Nilf(tb, err, "failed to add file: %v", err)
+func TestGetGitAttributesNoContext(t *testing.T) {
+	setupTest(t)
 
-	cmd = exec.Command("git", "config", "user.name", "buildx")
-	cmd.Dir = repoDir
-	err = cmd.Run()
-	assert.Nilf(tb, err, "failed to set git user.name: %v", err)
+	gitattrs := getGitAttributes(context.Background(), "", "Dockerfile")
+	assert.Empty(t, gitattrs)
+}
 
-	cmd = exec.Command("git", "config", "user.email", "buildx@docker.com")
-	cmd.Dir = repoDir
-	err = cmd.Run()
-	assert.Nilf(tb, err, "failed to set git user.email: %v", err)
-
-	cmd = exec.Command("git", "commit", "-m", "Initial commit")
-	cmd.Dir = repoDir
-	err = cmd.Run()
-	assert.Nilf(tb, err, "failed to commit: %v", err)
-
-	return func(tb testing.TB) {
-		os.Unsetenv("BUILDX_GIT_LABELS")
-		os.RemoveAll(repoDir)
+func TestGetGitAttributes(t *testing.T) {
+	cases := []struct {
+		name         string
+		envGitLabels string
+		envGitInfo   string
+		expected     []string
+	}{
+		{
+			name:         "default",
+			envGitLabels: "",
+			envGitInfo:   "",
+			expected: []string{
+				"vcs:revision",
+			},
+		},
+		{
+			name:         "gitinfo",
+			envGitLabels: "false",
+			envGitInfo:   "true",
+			expected: []string{
+				"vcs:revision",
+			},
+		},
+		{
+			name:         "gitlabels",
+			envGitLabels: "true",
+			envGitInfo:   "false",
+			expected: []string{
+				"label:" + DockerfileLabel,
+				"label:" + specs.AnnotationRevision,
+			},
+		},
+		{
+			name:         "both",
+			envGitLabels: "true",
+			envGitInfo:   "",
+			expected: []string{
+				"label:" + DockerfileLabel,
+				"label:" + specs.AnnotationRevision,
+				"vcs:revision",
+			},
+		},
+	}
+	for _, tt := range cases {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			setupTest(t)
+			if tt.envGitLabels != "" {
+				t.Setenv("BUILDX_GIT_LABELS", tt.envGitLabels)
+			}
+			if tt.envGitInfo != "" {
+				t.Setenv("BUILDX_GIT_INFO", tt.envGitInfo)
+			}
+			gitattrs := getGitAttributes(context.Background(), ".", "Dockerfile")
+			for _, e := range tt.expected {
+				assert.Contains(t, gitattrs, e)
+				assert.NotEmpty(t, gitattrs[e])
+				if e == "label:"+DockerfileLabel {
+					assert.Equal(t, "Dockerfile", gitattrs[e])
+				}
+			}
+		})
 	}
 }
 
-func TestAddGitProvenanceDataWithoutEnv(t *testing.T) {
-	defer setupTest(t)(t)
-	labels, err := addGitProvenance(context.Background(), repoDir, filepath.Join(repoDir, "Dockerfile"))
-	assert.Nilf(t, err, "No error expected")
-	assert.Nilf(t, labels, "No labels expected")
+func TestGetGitAttributesWithRemote(t *testing.T) {
+	setupTest(t)
+	gitutil.GitSetRemote(t, "git@github.com:docker/buildx.git")
+
+	t.Setenv("BUILDX_GIT_LABELS", "true")
+	gitattrs := getGitAttributes(context.Background(), ".", "Dockerfile")
+	assert.Equal(t, 5, len(gitattrs))
+	assert.Contains(t, gitattrs, "label:"+DockerfileLabel)
+	assert.Equal(t, "Dockerfile", gitattrs["label:"+DockerfileLabel])
+	assert.Contains(t, gitattrs, "label:"+specs.AnnotationRevision)
+	assert.NotEmpty(t, gitattrs["label:"+specs.AnnotationRevision])
+	assert.Contains(t, gitattrs, "label:"+specs.AnnotationSource)
+	assert.Equal(t, "git@github.com:docker/buildx.git", gitattrs["label:"+specs.AnnotationSource])
+	assert.Contains(t, gitattrs, "vcs:revision")
+	assert.NotEmpty(t, gitattrs["vcs:revision"])
+	assert.Contains(t, gitattrs, "vcs:source")
+	assert.Equal(t, "git@github.com:docker/buildx.git", gitattrs["vcs:source"])
 }
 
-func TestAddGitProvenanceDataWitEmptyEnv(t *testing.T) {
-	defer setupTest(t)(t)
-	os.Setenv("BUILDX_GIT_LABELS", "")
-	labels, err := addGitProvenance(context.Background(), repoDir, filepath.Join(repoDir, "Dockerfile"))
-	assert.Nilf(t, err, "No error expected")
-	assert.Nilf(t, labels, "No labels expected")
-}
+func TestGetGitAttributesDirty(t *testing.T) {
+	setupTest(t)
 
-func TestAddGitProvenanceDataWithoutLabels(t *testing.T) {
-	defer setupTest(t)(t)
-	os.Setenv("BUILDX_GIT_LABELS", "full")
-	labels, err := addGitProvenance(context.Background(), repoDir, filepath.Join(repoDir, "Dockerfile"))
-	assert.Nilf(t, err, "No error expected")
-	assert.Equal(t, 2, len(labels), "Exactly 2 git provenance labels expected")
-	assert.Equal(t, "Dockerfile", labels[DockerfileLabel], "Expected a dockerfile path provenance label")
-
-	cmd := exec.Command("git", "rev-parse", "HEAD")
-	cmd.Dir = repoDir
-	out, _ := cmd.Output()
-	assert.Equal(t, strings.TrimSpace(string(out)), labels[ocispecs.AnnotationRevision], "Expected a sha provenance label")
-}
-
-func TestAddGitProvenanceDataWithLabels(t *testing.T) {
-	defer setupTest(t)(t)
 	// make a change to test dirty flag
 	df := []byte("FROM alpine:edge\n")
-	os.Mkdir(filepath.Join(repoDir, "dir"), 0755)
-	os.WriteFile(filepath.Join(repoDir, "dir", "Dockerfile"), df, 0644)
-	// add a remote
-	cmd := exec.Command("git", "remote", "add", "origin", "git@github.com:docker/buildx.git")
-	cmd.Dir = repoDir
-	cmd.Run()
+	assert.NoError(t, os.Mkdir("dir", 0755))
+	assert.NoError(t, os.WriteFile(filepath.Join("dir", "Dockerfile"), df, 0644))
 
-	os.Setenv("BUILDX_GIT_LABELS", "full")
-	labels, err := addGitProvenance(context.Background(), repoDir, filepath.Join(repoDir, "Dockerfile"))
-	assert.Nilf(t, err, "No error expected")
-	assert.Equal(t, 3, len(labels), "Exactly 3 git provenance labels expected")
-	assert.Equal(t, "Dockerfile", labels[DockerfileLabel], "Expected a dockerfile path provenance label")
-	assert.Equal(t, "git@github.com:docker/buildx.git", labels[ocispecs.AnnotationSource], "Expected a remote provenance label")
-
-	cmd = exec.Command("git", "rev-parse", "HEAD")
-	cmd.Dir = repoDir
-	out, _ := cmd.Output()
-	assert.Equal(t, fmt.Sprintf("%s-dirty", strings.TrimSpace(string(out))), labels[ocispecs.AnnotationRevision], "Expected a sha provenance label")
-}
-
-func TestAddGitProvenanceDataOutsideOfGitRepository(t *testing.T) {
-	defer setupTest(t)(t)
-	os.Setenv("BUILDX_GIT_LABELS", "full")
-	parentDir := filepath.Dir(repoDir)
-	cwd, _ := os.Getwd()
-	os.Chdir(parentDir)
-	labels, err := addGitProvenance(context.Background(), filepath.Base(repoDir), "")
-	assert.Nilf(t, err, "No error expected")
-	assert.Equal(t, "Dockerfile", labels[DockerfileLabel], "Expected a dockerfile path provenance label")
-	os.Chdir(cwd)
+	t.Setenv("BUILDX_GIT_LABELS", "true")
+	gitattrs := getGitAttributes(context.Background(), ".", "Dockerfile")
+	assert.Equal(t, 3, len(gitattrs))
+	assert.Contains(t, gitattrs, "label:"+DockerfileLabel)
+	assert.Equal(t, "Dockerfile", gitattrs["label:"+DockerfileLabel])
+	assert.Contains(t, gitattrs, "label:"+specs.AnnotationRevision)
+	assert.True(t, strings.HasSuffix(gitattrs["label:"+specs.AnnotationRevision], "-dirty"))
+	assert.Contains(t, gitattrs, "vcs:revision")
+	assert.True(t, strings.HasSuffix(gitattrs["vcs:revision"], "-dirty"))
 }