Merge pull request #1472 from crazy-max/ci-attest

ci: opt-in sbom and provenance
2025-07-31 23:58:03 +08:00 · 2022-12-15 17:38:13 -08:00
parent 53d88a79ef 1a85745bf1
commit fbbe1c1b91
3 changed files with 61 additions and 21 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -21,6 +21,8 @@ on:
      - 'docs/**'

 env:
+  BUILDX_VERSION: "v0.10.0-rc1"
+  BUILDKIT_IMAGE: "moby/buildkit:v0.11.0-rc3"
  REPO_SLUG: "docker/buildx-bin"
  DESTDIR: "./bin"

@@ -35,7 +37,9 @@ jobs:
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
        with:
-          version: latest
+          version: ${{ env.BUILDX_VERSION }}
+          driver-opts: image=${{ env.BUILDKIT_IMAGE }}
+          buildkitd-flags: --debug
      -
        name: Test
        uses: docker/bake-action@v2
@@ -92,22 +96,23 @@ jobs:
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
        with:
-          version: latest
+          version: ${{ env.BUILDX_VERSION }}
+          driver-opts: image=${{ env.BUILDKIT_IMAGE }}
+          buildkitd-flags: --debug
      -
        name: Build
-        uses: docker/bake-action@v2
-        with:
-          targets: release
-          set: |
-            *.platform=${{ matrix.platform }}
-            *.cache-from=type=gha,scope=binaries-${{ env.PLATFORM_PAIR }}
-            *.cache-to=type=gha,scope=binaries-${{ env.PLATFORM_PAIR }},mode=max
+        run: |
+          make release
+        env:
+          PLATFORMS: ${{ matrix.platform }}
+          CACHE_FROM: type=gha,scope=binaries-${{ env.PLATFORM_PAIR }}
+          CACHE_TO: type=gha,scope=binaries-${{ env.PLATFORM_PAIR }},mode=max
      -
        name: Upload artifacts
        uses: actions/upload-artifact@v3
        with:
          name: buildx
-          path: ${{ env.DESTDIR }}/release/*
+          path: ${{ env.DESTDIR }}/*
          if-no-files-found: error

  bin-image:
@@ -124,7 +129,9 @@ jobs:
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
        with:
-          version: latest
+          version: ${{ env.BUILDX_VERSION }}
+          driver-opts: image=${{ env.BUILDKIT_IMAGE }}
+          buildkitd-flags: --debug
      -
        name: Docker meta
        id: meta
@@ -156,6 +163,8 @@ jobs:
          set: |
            *.cache-from=type=gha,scope=bin-image
            *.cache-to=type=gha,scope=bin-image,mode=max
+            *.attest=type=sbom
+            *.attest=type=provenance,mode=max,builder-id=https://github.com/${{ env.GITHUB_REPOSITORY }}/actions/runs/${{ env.GITHUB_RUN_ID }}

  release:
    runs-on: ubuntu-22.04
@@ -206,7 +215,7 @@ jobs:
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
        with:
-          version: latest
+          version: ${{ env.BUILDX_VERSION }}
          driver-opts: image=moby/buildkit:master
          buildkitd-flags: --debug
      -