add attests, provenance and sbom inputs

Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
This commit is contained in:
CrazyMax 2023-01-11 12:12:09 +01:00
parent 472ccddef1
commit ed2672fc33
No known key found for this signature in database
GPG Key ID: 3248E46B6BB8C7F7
4 changed files with 124 additions and 29 deletions

@ -491,6 +491,70 @@ jobs:
cache-from: type=gha,scope=nocachefilter cache-from: type=gha,scope=nocachefilter
cache-to: type=gha,scope=nocachefilter,mode=max cache-to: type=gha,scope=nocachefilter,mode=max
attests:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
include:
- target: image
output: type=image,name=localhost:5000/name/app:latest,push=true
- target: binary
output: /tmp/buildx-build
services:
registry:
image: registry:2
ports:
- 5000:5000
env:
BUILDX_VERSION: v0.10.0-rc2 # TODO: remove when Buildx v0.10.0 is released
BUILDKIT_IMAGE: moby/buildkit:v0.11.0-rc3 # TODO: remove when BuildKit v0.11.0 is released
steps:
-
name: Checkout
uses: actions/checkout@v3
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
with:
version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
driver-opts: |
network=host
image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
-
name: Build
uses: ./
with:
context: ./test/go
file: ./test/go/Dockerfile
target: ${{ matrix.target }}
outputs: ${{ matrix.output }}
attests: |
type=sbom
type=provenance,mode=max,builder-id=https://github.com/${{ env.GITHUB_REPOSITORY }}/actions/runs/${{ env.GITHUB_RUN_ID }}
cache-from: type=gha,scope=attests-${{ matrix.target }}
cache-to: type=gha,scope=attests-${{ matrix.target }},mode=max
-
name: Inspect image
if: matrix.target == 'image'
run: |
docker buildx imagetools inspect --format "{{json .}}" localhost:5000/name/app:latest | jq
-
name: Check output folder
if: matrix.target == 'binary'
run: |
tree /tmp/buildx-build
-
name: Print provenance
if: matrix.target == 'binary'
run: |
cat /tmp/buildx-build/provenance.json | jq
-
name: Print SBOM
if: matrix.target == 'binary'
run: |
cat /tmp/buildx-build/sbom.spdx.json | jq
multi: multi:
runs-on: ubuntu-latest runs-on: ubuntu-latest
strategy: strategy:

@ -191,9 +191,10 @@ Following inputs can be used as `step.with` keys
> ``` > ```
| Name | Type | Description | | Name | Type | Description |
|--------------------|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| |--------------------|-------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `add-hosts` | List/CSV | List of [customs host-to-IP mapping](https://docs.docker.com/engine/reference/commandline/build/#add-entries-to-container-hosts-file---add-host) (e.g., `docker:10.180.0.1`) | | `add-hosts` | List/CSV | List of [customs host-to-IP mapping](https://docs.docker.com/engine/reference/commandline/build/#add-entries-to-container-hosts-file---add-host) (e.g., `docker:10.180.0.1`) |
| `allow` | List/CSV | List of [extra privileged entitlement](https://docs.docker.com/engine/reference/commandline/buildx_build/#allow) (e.g., `network.host,security.insecure`) | | `allow` | List/CSV | List of [extra privileged entitlement](https://docs.docker.com/engine/reference/commandline/buildx_build/#allow) (e.g., `network.host,security.insecure`) |
| `attests` | List | List of [attestation](https://docs.docker.com/build/attestations/) parameters (e.g., `type=sbom,generator=image`) |
| `builder` | String | Builder instance (see [setup-buildx](https://github.com/docker/setup-buildx-action) action) | | `builder` | String | Builder instance (see [setup-buildx](https://github.com/docker/setup-buildx-action) action) |
| `build-args` | List | List of [build-time variables](https://docs.docker.com/engine/reference/commandline/buildx_build/#build-arg) | | `build-args` | List | List of [build-time variables](https://docs.docker.com/engine/reference/commandline/buildx_build/#build-arg) |
| `build-contexts` | List | List of additional [build contexts](https://docs.docker.com/engine/reference/commandline/buildx_build/#build-context) (e.g., `name=path`) | | `build-contexts` | List | List of additional [build contexts](https://docs.docker.com/engine/reference/commandline/buildx_build/#build-context) (e.g., `name=path`) |
@ -209,8 +210,10 @@ Following inputs can be used as `step.with` keys
| `no-cache-filters` | List/CSV | Do not cache specified stages | | `no-cache-filters` | List/CSV | Do not cache specified stages |
| `outputs`¹ | List | List of [output destinations](https://docs.docker.com/engine/reference/commandline/buildx_build/#output) (format: `type=local,dest=path`) | | `outputs`¹ | List | List of [output destinations](https://docs.docker.com/engine/reference/commandline/buildx_build/#output) (format: `type=local,dest=path`) |
| `platforms` | List/CSV | List of [target platforms](https://docs.docker.com/engine/reference/commandline/buildx_build/#platform) for build | | `platforms` | List/CSV | List of [target platforms](https://docs.docker.com/engine/reference/commandline/buildx_build/#platform) for build |
| `provenance` | Bool/String | Generate [provenance](https://docs.docker.com/build/attestations/slsa-provenance/) attestation for the build (shorthand for `--attest=type=provenance`) |
| `pull` | Bool | Always attempt to pull all referenced images (default `false`) | | `pull` | Bool | Always attempt to pull all referenced images (default `false`) |
| `push` | Bool | [Push](https://docs.docker.com/engine/reference/commandline/buildx_build/#push) is a shorthand for `--output=type=registry` (default `false`) | | `push` | Bool | [Push](https://docs.docker.com/engine/reference/commandline/buildx_build/#push) is a shorthand for `--output=type=registry` (default `false`) |
| `sbom` | Bool/String | Generate [SBOM](https://docs.docker.com/build/attestations/sbom/) attestation for the build (shorthand for `--attest=type=sbom`) |
| `secrets` | List | List of [secrets](https://docs.docker.com/engine/reference/commandline/buildx_build/#secret) to expose to the build (e.g., `key=string`, `GIT_AUTH_TOKEN=mytoken`) | | `secrets` | List | List of [secrets](https://docs.docker.com/engine/reference/commandline/buildx_build/#secret) to expose to the build (e.g., `key=string`, `GIT_AUTH_TOKEN=mytoken`) |
| `secret-files` | List | List of [secret files](https://docs.docker.com/engine/reference/commandline/buildx_build/#secret) to expose to the build (e.g., `key=filename`, `MY_SECRET=./secret.txt`) | | `secret-files` | List | List of [secret files](https://docs.docker.com/engine/reference/commandline/buildx_build/#secret) to expose to the build (e.g., `key=filename`, `MY_SECRET=./secret.txt`) |
| `shm-size` | String | Size of [`/dev/shm`](https://docs.docker.com/engine/reference/commandline/buildx_build/#shm-size) (e.g., `2g`) | | `shm-size` | String | Size of [`/dev/shm`](https://docs.docker.com/engine/reference/commandline/buildx_build/#shm-size) (e.g., `2g`) |

@ -13,6 +13,9 @@ inputs:
allow: allow:
description: "List of extra privileged entitlement (e.g., network.host,security.insecure)" description: "List of extra privileged entitlement (e.g., network.host,security.insecure)"
required: false required: false
attests:
description: "List of attestation parameters (e.g., type=sbom,generator=image)"
required: false
build-args: build-args:
description: "List of build-time variables" description: "List of build-time variables"
required: false required: false
@ -60,6 +63,9 @@ inputs:
platforms: platforms:
description: "List of target platforms for build" description: "List of target platforms for build"
required: false required: false
provenance:
description: "Generate provenance attestation for the build (shorthand for --attest=type=provenance)"
required: false
pull: pull:
description: "Always attempt to pull all referenced images" description: "Always attempt to pull all referenced images"
required: false required: false
@ -68,6 +74,9 @@ inputs:
description: "Push is a shorthand for --output=type=registry" description: "Push is a shorthand for --output=type=registry"
required: false required: false
default: 'false' default: 'false'
sbom:
description: "Generate SBOM attestation for the build (shorthand for --attest=type=sbom)"
required: false
secrets: secrets:
description: "List of secrets to expose to the build (e.g., key=string, GIT_AUTH_TOKEN=mytoken)" description: "List of secrets to expose to the build (e.g., key=string, GIT_AUTH_TOKEN=mytoken)"
required: false required: false

@ -13,6 +13,7 @@ let _defaultContext, _tmpDir: string;
export interface Inputs { export interface Inputs {
addHosts: string[]; addHosts: string[];
allow: string[]; allow: string[];
attests: string[];
buildArgs: string[]; buildArgs: string[];
buildContexts: string[]; buildContexts: string[];
builder: string; builder: string;
@ -28,8 +29,10 @@ export interface Inputs {
noCacheFilters: string[]; noCacheFilters: string[];
outputs: string[]; outputs: string[];
platforms: string[]; platforms: string[];
provenance: string;
pull: boolean; pull: boolean;
push: boolean; push: boolean;
sbom: string;
secrets: string[]; secrets: string[];
secretFiles: string[]; secretFiles: string[];
shmSize: string; shmSize: string;
@ -69,6 +72,7 @@ export async function getInputs(defaultContext: string): Promise<Inputs> {
return { return {
addHosts: await getInputList('add-hosts'), addHosts: await getInputList('add-hosts'),
allow: await getInputList('allow'), allow: await getInputList('allow'),
attests: await getInputList('attests', true),
buildArgs: await getInputList('build-args', true), buildArgs: await getInputList('build-args', true),
buildContexts: await getInputList('build-contexts', true), buildContexts: await getInputList('build-contexts', true),
builder: core.getInput('builder'), builder: core.getInput('builder'),
@ -84,8 +88,10 @@ export async function getInputs(defaultContext: string): Promise<Inputs> {
noCacheFilters: await getInputList('no-cache-filters'), noCacheFilters: await getInputList('no-cache-filters'),
outputs: await getInputList('outputs', true), outputs: await getInputList('outputs', true),
platforms: await getInputList('platforms'), platforms: await getInputList('platforms'),
provenance: core.getInput('provenance'),
pull: core.getBooleanInput('pull'), pull: core.getBooleanInput('pull'),
push: core.getBooleanInput('push'), push: core.getBooleanInput('push'),
sbom: core.getInput('sbom'),
secrets: await getInputList('secrets', true), secrets: await getInputList('secrets', true),
secretFiles: await getInputList('secret-files', true), secretFiles: await getInputList('secret-files', true),
shmSize: core.getInput('shm-size'), shmSize: core.getInput('shm-size'),
@ -115,6 +121,11 @@ async function getBuildArgs(inputs: Inputs, defaultContext: string, context: str
if (inputs.allow.length > 0) { if (inputs.allow.length > 0) {
args.push('--allow', inputs.allow.join(',')); args.push('--allow', inputs.allow.join(','));
} }
if (buildx.satisfies(buildxVersion, '>=0.10.0')) {
await asyncForEach(inputs.attests, async attest => {
args.push('--attest', attest);
});
}
await asyncForEach(inputs.buildArgs, async buildArg => { await asyncForEach(inputs.buildArgs, async buildArg => {
args.push('--build-arg', buildArg); args.push('--build-arg', buildArg);
}); });
@ -150,6 +161,14 @@ async function getBuildArgs(inputs: Inputs, defaultContext: string, context: str
if (inputs.platforms.length > 0) { if (inputs.platforms.length > 0) {
args.push('--platform', inputs.platforms.join(',')); args.push('--platform', inputs.platforms.join(','));
} }
if (buildx.satisfies(buildxVersion, '>=0.10.0')) {
if (inputs.provenance) {
args.push('--provenance', inputs.provenance);
}
if (inputs.sbom) {
args.push('--sbom', inputs.sbom);
}
}
await asyncForEach(inputs.secrets, async secret => { await asyncForEach(inputs.secrets, async secret => {
try { try {
args.push('--secret', await buildx.getSecretString(secret)); args.push('--secret', await buildx.getSecretString(secret));