add `attests`, `provenance` and `sbom` inputs
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>pull/746/head
parent
472ccddef1
commit
ed2672fc33
|
@ -491,6 +491,70 @@ jobs:
|
||||||
cache-from: type=gha,scope=nocachefilter
|
cache-from: type=gha,scope=nocachefilter
|
||||||
cache-to: type=gha,scope=nocachefilter,mode=max
|
cache-to: type=gha,scope=nocachefilter,mode=max
|
||||||
|
|
||||||
|
attests:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
strategy:
|
||||||
|
fail-fast: false
|
||||||
|
matrix:
|
||||||
|
include:
|
||||||
|
- target: image
|
||||||
|
output: type=image,name=localhost:5000/name/app:latest,push=true
|
||||||
|
- target: binary
|
||||||
|
output: /tmp/buildx-build
|
||||||
|
services:
|
||||||
|
registry:
|
||||||
|
image: registry:2
|
||||||
|
ports:
|
||||||
|
- 5000:5000
|
||||||
|
env:
|
||||||
|
BUILDX_VERSION: v0.10.0-rc2 # TODO: remove when Buildx v0.10.0 is released
|
||||||
|
BUILDKIT_IMAGE: moby/buildkit:v0.11.0-rc3 # TODO: remove when BuildKit v0.11.0 is released
|
||||||
|
steps:
|
||||||
|
-
|
||||||
|
name: Checkout
|
||||||
|
uses: actions/checkout@v3
|
||||||
|
-
|
||||||
|
name: Set up Docker Buildx
|
||||||
|
uses: docker/setup-buildx-action@v2
|
||||||
|
with:
|
||||||
|
version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
|
||||||
|
driver-opts: |
|
||||||
|
network=host
|
||||||
|
image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
|
||||||
|
-
|
||||||
|
name: Build
|
||||||
|
uses: ./
|
||||||
|
with:
|
||||||
|
context: ./test/go
|
||||||
|
file: ./test/go/Dockerfile
|
||||||
|
target: ${{ matrix.target }}
|
||||||
|
outputs: ${{ matrix.output }}
|
||||||
|
attests: |
|
||||||
|
type=sbom
|
||||||
|
type=provenance,mode=max,builder-id=https://github.com/${{ env.GITHUB_REPOSITORY }}/actions/runs/${{ env.GITHUB_RUN_ID }}
|
||||||
|
cache-from: type=gha,scope=attests-${{ matrix.target }}
|
||||||
|
cache-to: type=gha,scope=attests-${{ matrix.target }},mode=max
|
||||||
|
-
|
||||||
|
name: Inspect image
|
||||||
|
if: matrix.target == 'image'
|
||||||
|
run: |
|
||||||
|
docker buildx imagetools inspect --format "{{json .}}" localhost:5000/name/app:latest | jq
|
||||||
|
-
|
||||||
|
name: Check output folder
|
||||||
|
if: matrix.target == 'binary'
|
||||||
|
run: |
|
||||||
|
tree /tmp/buildx-build
|
||||||
|
-
|
||||||
|
name: Print provenance
|
||||||
|
if: matrix.target == 'binary'
|
||||||
|
run: |
|
||||||
|
cat /tmp/buildx-build/provenance.json | jq
|
||||||
|
-
|
||||||
|
name: Print SBOM
|
||||||
|
if: matrix.target == 'binary'
|
||||||
|
run: |
|
||||||
|
cat /tmp/buildx-build/sbom.spdx.json | jq
|
||||||
|
|
||||||
multi:
|
multi:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
strategy:
|
strategy:
|
||||||
|
|
61
README.md
61
README.md
|
@ -190,35 +190,38 @@ Following inputs can be used as `step.with` keys
|
||||||
> tags: name/app:latest,name/app:1.0.0
|
> tags: name/app:latest,name/app:1.0.0
|
||||||
> ```
|
> ```
|
||||||
|
|
||||||
| Name | Type | Description |
|
| Name | Type | Description |
|
||||||
|--------------------|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
|--------------------|-------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
||||||
| `add-hosts` | List/CSV | List of [customs host-to-IP mapping](https://docs.docker.com/engine/reference/commandline/build/#add-entries-to-container-hosts-file---add-host) (e.g., `docker:10.180.0.1`) |
|
| `add-hosts` | List/CSV | List of [customs host-to-IP mapping](https://docs.docker.com/engine/reference/commandline/build/#add-entries-to-container-hosts-file---add-host) (e.g., `docker:10.180.0.1`) |
|
||||||
| `allow` | List/CSV | List of [extra privileged entitlement](https://docs.docker.com/engine/reference/commandline/buildx_build/#allow) (e.g., `network.host,security.insecure`) |
|
| `allow` | List/CSV | List of [extra privileged entitlement](https://docs.docker.com/engine/reference/commandline/buildx_build/#allow) (e.g., `network.host,security.insecure`) |
|
||||||
| `builder` | String | Builder instance (see [setup-buildx](https://github.com/docker/setup-buildx-action) action) |
|
| `attests` | List | List of [attestation](https://docs.docker.com/build/attestations/) parameters (e.g., `type=sbom,generator=image`) |
|
||||||
| `build-args` | List | List of [build-time variables](https://docs.docker.com/engine/reference/commandline/buildx_build/#build-arg) |
|
| `builder` | String | Builder instance (see [setup-buildx](https://github.com/docker/setup-buildx-action) action) |
|
||||||
| `build-contexts` | List | List of additional [build contexts](https://docs.docker.com/engine/reference/commandline/buildx_build/#build-context) (e.g., `name=path`) |
|
| `build-args` | List | List of [build-time variables](https://docs.docker.com/engine/reference/commandline/buildx_build/#build-arg) |
|
||||||
| `cache-from` | List | List of [external cache sources](https://docs.docker.com/engine/reference/commandline/buildx_build/#cache-from) (e.g., `type=local,src=path/to/dir`) |
|
| `build-contexts` | List | List of additional [build contexts](https://docs.docker.com/engine/reference/commandline/buildx_build/#build-context) (e.g., `name=path`) |
|
||||||
| `cache-to` | List | List of [cache export destinations](https://docs.docker.com/engine/reference/commandline/buildx_build/#cache-to) (e.g., `type=local,dest=path/to/dir`) |
|
| `cache-from` | List | List of [external cache sources](https://docs.docker.com/engine/reference/commandline/buildx_build/#cache-from) (e.g., `type=local,src=path/to/dir`) |
|
||||||
| `cgroup-parent` | String | Optional [parent cgroup](https://docs.docker.com/engine/reference/commandline/build/#use-a-custom-parent-cgroup---cgroup-parent) for the container used in the build |
|
| `cache-to` | List | List of [cache export destinations](https://docs.docker.com/engine/reference/commandline/buildx_build/#cache-to) (e.g., `type=local,dest=path/to/dir`) |
|
||||||
| `context` | String | Build's context is the set of files located in the specified [`PATH` or `URL`](https://docs.docker.com/engine/reference/commandline/build/) (default [Git context](#git-context)) |
|
| `cgroup-parent` | String | Optional [parent cgroup](https://docs.docker.com/engine/reference/commandline/build/#use-a-custom-parent-cgroup---cgroup-parent) for the container used in the build |
|
||||||
| `file` | String | Path to the Dockerfile. (default `{context}/Dockerfile`) |
|
| `context` | String | Build's context is the set of files located in the specified [`PATH` or `URL`](https://docs.docker.com/engine/reference/commandline/build/) (default [Git context](#git-context)) |
|
||||||
| `labels` | List | List of metadata for an image |
|
| `file` | String | Path to the Dockerfile. (default `{context}/Dockerfile`) |
|
||||||
| `load` | Bool | [Load](https://docs.docker.com/engine/reference/commandline/buildx_build/#load) is a shorthand for `--output=type=docker` (default `false`) |
|
| `labels` | List | List of metadata for an image |
|
||||||
| `network` | String | Set the networking mode for the `RUN` instructions during build |
|
| `load` | Bool | [Load](https://docs.docker.com/engine/reference/commandline/buildx_build/#load) is a shorthand for `--output=type=docker` (default `false`) |
|
||||||
| `no-cache` | Bool | Do not use cache when building the image (default `false`) |
|
| `network` | String | Set the networking mode for the `RUN` instructions during build |
|
||||||
| `no-cache-filters` | List/CSV | Do not cache specified stages |
|
| `no-cache` | Bool | Do not use cache when building the image (default `false`) |
|
||||||
| `outputs`¹ | List | List of [output destinations](https://docs.docker.com/engine/reference/commandline/buildx_build/#output) (format: `type=local,dest=path`) |
|
| `no-cache-filters` | List/CSV | Do not cache specified stages |
|
||||||
| `platforms` | List/CSV | List of [target platforms](https://docs.docker.com/engine/reference/commandline/buildx_build/#platform) for build |
|
| `outputs`¹ | List | List of [output destinations](https://docs.docker.com/engine/reference/commandline/buildx_build/#output) (format: `type=local,dest=path`) |
|
||||||
| `pull` | Bool | Always attempt to pull all referenced images (default `false`) |
|
| `platforms` | List/CSV | List of [target platforms](https://docs.docker.com/engine/reference/commandline/buildx_build/#platform) for build |
|
||||||
| `push` | Bool | [Push](https://docs.docker.com/engine/reference/commandline/buildx_build/#push) is a shorthand for `--output=type=registry` (default `false`) |
|
| `provenance` | Bool/String | Generate [provenance](https://docs.docker.com/build/attestations/slsa-provenance/) attestation for the build (shorthand for `--attest=type=provenance`) |
|
||||||
| `secrets` | List | List of [secrets](https://docs.docker.com/engine/reference/commandline/buildx_build/#secret) to expose to the build (e.g., `key=string`, `GIT_AUTH_TOKEN=mytoken`) |
|
| `pull` | Bool | Always attempt to pull all referenced images (default `false`) |
|
||||||
| `secret-files` | List | List of [secret files](https://docs.docker.com/engine/reference/commandline/buildx_build/#secret) to expose to the build (e.g., `key=filename`, `MY_SECRET=./secret.txt`) |
|
| `push` | Bool | [Push](https://docs.docker.com/engine/reference/commandline/buildx_build/#push) is a shorthand for `--output=type=registry` (default `false`) |
|
||||||
| `shm-size` | String | Size of [`/dev/shm`](https://docs.docker.com/engine/reference/commandline/buildx_build/#shm-size) (e.g., `2g`) |
|
| `sbom` | Bool/String | Generate [SBOM](https://docs.docker.com/build/attestations/sbom/) attestation for the build (shorthand for `--attest=type=sbom`) |
|
||||||
| `ssh` | List | List of [SSH agent socket or keys](https://docs.docker.com/engine/reference/commandline/buildx_build/#ssh) to expose to the build |
|
| `secrets` | List | List of [secrets](https://docs.docker.com/engine/reference/commandline/buildx_build/#secret) to expose to the build (e.g., `key=string`, `GIT_AUTH_TOKEN=mytoken`) |
|
||||||
| `tags` | List/CSV | List of tags |
|
| `secret-files` | List | List of [secret files](https://docs.docker.com/engine/reference/commandline/buildx_build/#secret) to expose to the build (e.g., `key=filename`, `MY_SECRET=./secret.txt`) |
|
||||||
| `target` | String | Sets the target stage to build |
|
| `shm-size` | String | Size of [`/dev/shm`](https://docs.docker.com/engine/reference/commandline/buildx_build/#shm-size) (e.g., `2g`) |
|
||||||
| `ulimit` | List | [Ulimit](https://docs.docker.com/engine/reference/commandline/buildx_build/#ulimit) options (e.g., `nofile=1024:1024`) |
|
| `ssh` | List | List of [SSH agent socket or keys](https://docs.docker.com/engine/reference/commandline/buildx_build/#ssh) to expose to the build |
|
||||||
| `github-token` | String | GitHub Token used to authenticate against a repository for [Git context](#git-context) (default `${{ github.token }}`) |
|
| `tags` | List/CSV | List of tags |
|
||||||
|
| `target` | String | Sets the target stage to build |
|
||||||
|
| `ulimit` | List | [Ulimit](https://docs.docker.com/engine/reference/commandline/buildx_build/#ulimit) options (e.g., `nofile=1024:1024`) |
|
||||||
|
| `github-token` | String | GitHub Token used to authenticate against a repository for [Git context](#git-context) (default `${{ github.token }}`) |
|
||||||
|
|
||||||
> **Note**
|
> **Note**
|
||||||
>
|
>
|
||||||
|
|
|
@ -13,6 +13,9 @@ inputs:
|
||||||
allow:
|
allow:
|
||||||
description: "List of extra privileged entitlement (e.g., network.host,security.insecure)"
|
description: "List of extra privileged entitlement (e.g., network.host,security.insecure)"
|
||||||
required: false
|
required: false
|
||||||
|
attests:
|
||||||
|
description: "List of attestation parameters (e.g., type=sbom,generator=image)"
|
||||||
|
required: false
|
||||||
build-args:
|
build-args:
|
||||||
description: "List of build-time variables"
|
description: "List of build-time variables"
|
||||||
required: false
|
required: false
|
||||||
|
@ -60,6 +63,9 @@ inputs:
|
||||||
platforms:
|
platforms:
|
||||||
description: "List of target platforms for build"
|
description: "List of target platforms for build"
|
||||||
required: false
|
required: false
|
||||||
|
provenance:
|
||||||
|
description: "Generate provenance attestation for the build (shorthand for --attest=type=provenance)"
|
||||||
|
required: false
|
||||||
pull:
|
pull:
|
||||||
description: "Always attempt to pull all referenced images"
|
description: "Always attempt to pull all referenced images"
|
||||||
required: false
|
required: false
|
||||||
|
@ -68,6 +74,9 @@ inputs:
|
||||||
description: "Push is a shorthand for --output=type=registry"
|
description: "Push is a shorthand for --output=type=registry"
|
||||||
required: false
|
required: false
|
||||||
default: 'false'
|
default: 'false'
|
||||||
|
sbom:
|
||||||
|
description: "Generate SBOM attestation for the build (shorthand for --attest=type=sbom)"
|
||||||
|
required: false
|
||||||
secrets:
|
secrets:
|
||||||
description: "List of secrets to expose to the build (e.g., key=string, GIT_AUTH_TOKEN=mytoken)"
|
description: "List of secrets to expose to the build (e.g., key=string, GIT_AUTH_TOKEN=mytoken)"
|
||||||
required: false
|
required: false
|
||||||
|
|
|
@ -13,6 +13,7 @@ let _defaultContext, _tmpDir: string;
|
||||||
export interface Inputs {
|
export interface Inputs {
|
||||||
addHosts: string[];
|
addHosts: string[];
|
||||||
allow: string[];
|
allow: string[];
|
||||||
|
attests: string[];
|
||||||
buildArgs: string[];
|
buildArgs: string[];
|
||||||
buildContexts: string[];
|
buildContexts: string[];
|
||||||
builder: string;
|
builder: string;
|
||||||
|
@ -28,8 +29,10 @@ export interface Inputs {
|
||||||
noCacheFilters: string[];
|
noCacheFilters: string[];
|
||||||
outputs: string[];
|
outputs: string[];
|
||||||
platforms: string[];
|
platforms: string[];
|
||||||
|
provenance: string;
|
||||||
pull: boolean;
|
pull: boolean;
|
||||||
push: boolean;
|
push: boolean;
|
||||||
|
sbom: string;
|
||||||
secrets: string[];
|
secrets: string[];
|
||||||
secretFiles: string[];
|
secretFiles: string[];
|
||||||
shmSize: string;
|
shmSize: string;
|
||||||
|
@ -69,6 +72,7 @@ export async function getInputs(defaultContext: string): Promise<Inputs> {
|
||||||
return {
|
return {
|
||||||
addHosts: await getInputList('add-hosts'),
|
addHosts: await getInputList('add-hosts'),
|
||||||
allow: await getInputList('allow'),
|
allow: await getInputList('allow'),
|
||||||
|
attests: await getInputList('attests', true),
|
||||||
buildArgs: await getInputList('build-args', true),
|
buildArgs: await getInputList('build-args', true),
|
||||||
buildContexts: await getInputList('build-contexts', true),
|
buildContexts: await getInputList('build-contexts', true),
|
||||||
builder: core.getInput('builder'),
|
builder: core.getInput('builder'),
|
||||||
|
@ -84,8 +88,10 @@ export async function getInputs(defaultContext: string): Promise<Inputs> {
|
||||||
noCacheFilters: await getInputList('no-cache-filters'),
|
noCacheFilters: await getInputList('no-cache-filters'),
|
||||||
outputs: await getInputList('outputs', true),
|
outputs: await getInputList('outputs', true),
|
||||||
platforms: await getInputList('platforms'),
|
platforms: await getInputList('platforms'),
|
||||||
|
provenance: core.getInput('provenance'),
|
||||||
pull: core.getBooleanInput('pull'),
|
pull: core.getBooleanInput('pull'),
|
||||||
push: core.getBooleanInput('push'),
|
push: core.getBooleanInput('push'),
|
||||||
|
sbom: core.getInput('sbom'),
|
||||||
secrets: await getInputList('secrets', true),
|
secrets: await getInputList('secrets', true),
|
||||||
secretFiles: await getInputList('secret-files', true),
|
secretFiles: await getInputList('secret-files', true),
|
||||||
shmSize: core.getInput('shm-size'),
|
shmSize: core.getInput('shm-size'),
|
||||||
|
@ -115,6 +121,11 @@ async function getBuildArgs(inputs: Inputs, defaultContext: string, context: str
|
||||||
if (inputs.allow.length > 0) {
|
if (inputs.allow.length > 0) {
|
||||||
args.push('--allow', inputs.allow.join(','));
|
args.push('--allow', inputs.allow.join(','));
|
||||||
}
|
}
|
||||||
|
if (buildx.satisfies(buildxVersion, '>=0.10.0')) {
|
||||||
|
await asyncForEach(inputs.attests, async attest => {
|
||||||
|
args.push('--attest', attest);
|
||||||
|
});
|
||||||
|
}
|
||||||
await asyncForEach(inputs.buildArgs, async buildArg => {
|
await asyncForEach(inputs.buildArgs, async buildArg => {
|
||||||
args.push('--build-arg', buildArg);
|
args.push('--build-arg', buildArg);
|
||||||
});
|
});
|
||||||
|
@ -150,6 +161,14 @@ async function getBuildArgs(inputs: Inputs, defaultContext: string, context: str
|
||||||
if (inputs.platforms.length > 0) {
|
if (inputs.platforms.length > 0) {
|
||||||
args.push('--platform', inputs.platforms.join(','));
|
args.push('--platform', inputs.platforms.join(','));
|
||||||
}
|
}
|
||||||
|
if (buildx.satisfies(buildxVersion, '>=0.10.0')) {
|
||||||
|
if (inputs.provenance) {
|
||||||
|
args.push('--provenance', inputs.provenance);
|
||||||
|
}
|
||||||
|
if (inputs.sbom) {
|
||||||
|
args.push('--sbom', inputs.sbom);
|
||||||
|
}
|
||||||
|
}
|
||||||
await asyncForEach(inputs.secrets, async secret => {
|
await asyncForEach(inputs.secrets, async secret => {
|
||||||
try {
|
try {
|
||||||
args.push('--secret', await buildx.getSecretString(secret));
|
args.push('--secret', await buildx.getSecretString(secret));
|
||||||
|
|
Loading…
Reference in New Issue