ci: use docker github builder to build binaries and images #6388
crazy-max merged 5 commits into moby:master from
Conversation
Force-push: 7aa4db6 to 162db6c
Force-push: 162db6c to 9bfce63
Force-push: de8b0a1 to 89e97d4
Force-push: 89e97d4 to ef013e1
| contents: read # same as global permission | ||
| id-token: write # for signing attestation(s) with GitHub OIDC Token | ||
| with: | ||
| runner: amd64 |
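Review bot: `id-token: write` lets any step in this job request a GitHub OIDC token, which is what the keyless signing of the attestations relies on; keep it at job scope as done here rather than in the workflow-level `permissions`, and keep this job's step list limited to the build and signing actions so no unrelated third-party action runs with the ability to mint an identity token for this repository.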
Is there a need for this or is amd64 just faster?
Not really a need, but as we are doing cross compilation we can just use the official GitHub-hosted runner and avoid relying on partner images: https://github.com/actions/partner-runner-images?tab=readme-ov-file#github-actions-partner-runner-images
| name: ${{ needs.binaries.outputs.artifact-name }} | ||
| - | ||
| name: Rename provenance and sbom | ||
| run: | |
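Review bot: renaming the provenance and sbom files after they have been signed does not invalidate blob signatures (they cover content, not filenames), but the matching signature bundles and any verify commands printed for users must refer to the new names; rename the bundles in this same step and run the post-signing verification against the renamed files so that the published names are exactly what gets checked.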
Not needed atm but eventually we should provide some examples for github builder users for verifying the signatures of these artifacts. Eg. if for any reason the signature is not valid, that should error before creating the release.
> Not needed atm but eventually we should provide some examples for github builder users for verifying the signatures of these artifacts.
They have an example in the usage section using the verify reusable workflow: https://github.com/docker/github-builder-experimental?tab=readme-ov-file#build-reusable-workflow
They also have the cosign verify commands as output so they can invoke them locally if they want to: https://github.com/docker/github-builder-experimental/blob/7643588149117bf0ca3a906caa3968c70484027a/.github/workflows/build.yml#L133-L135
Looks like this: https://github.com/docker/github-builder-experimental/actions/runs/20895583887/job/60033611659#step:2:24
We could also print cosign commands in the build summary, this is tracked in docker/github-builder#11
> Eg. if for any reason the signature is not valid, that should error before creating the release.
We are also verifying the signature after signing blobs during build: https://github.com/docker/github-builder-experimental/blob/7643588149117bf0ca3a906caa3968c70484027a/.github/workflows/build.yml#L627-L630
Looks like this: https://github.com/docker/github-builder-experimental/actions/runs/20895583887/job/60033587793#step:12:62
> We are also verifying the signature after signing blobs during build:
Yes but this is in our controlled repository. If the app is pushing a release from their own CI workflow, then ideally, they first verify the artifacts themselves instead of just trusting that the remote builder did it. There is also a case that something malicious gained capability to write artifacts (or overwrite the artifacts created by docker builder) so this way we can check that these were indeed the artifacts from the trusted builder.
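The release-side gate described in this thread, as an added example that is not part of this PR or the github-builder project: a POSIX shell script that refuses to proceed unless every artifact in a directory has a Sigstore bundle that cosign accepts for the expected builder identity. The bundle naming (`<artifact>.bundle`), the `EXPECTED_IDENTITY_RE` placeholder and the `COSIGN` override are assumptions, not conventions of the project.

```shell
#!/bin/sh
# Added example (not from the PR): fail a release unless every artifact in a
# directory carries a Sigstore bundle that cosign accepts.
# Assumptions: the bundle for <artifact> is <artifact>.bundle; the builder's
# workflow identity is matched by EXPECTED_IDENTITY_RE (placeholder below);
# COSIGN may be overridden, e.g. for dry runs.
set -u

COSIGN="${COSIGN:-cosign}"
OIDC_ISSUER="${OIDC_ISSUER:-https://token.actions.githubusercontent.com}"
EXPECTED_IDENTITY_RE="${EXPECTED_IDENTITY_RE:-^https://github.com/EXAMPLE-ORG/EXAMPLE-BUILDER-REPO/}"

# Print the cosign command for one artifact, so the same check can be
# reproduced locally or echoed into a build summary.
verify_cmd() {
  printf '%s verify-blob --bundle %s.bundle --certificate-oidc-issuer %s --certificate-identity-regexp %s %s\n' \
    "$COSIGN" "$1" "$OIDC_ISSUER" "$EXPECTED_IDENTITY_RE" "$1"
}

# Verify one artifact: 0 = accepted, 2 = artifact or bundle missing (an
# unsigned file fails before cosign even runs), 1 = cosign rejected it.
verify_artifact() {
  art="$1"
  [ -f "$art" ] || { echo "missing artifact: $art" >&2; return 2; }
  [ -f "$art.bundle" ] || { echo "missing bundle: $art.bundle" >&2; return 2; }
  "$COSIGN" verify-blob --bundle "$art.bundle" \
    --certificate-oidc-issuer "$OIDC_ISSUER" \
    --certificate-identity-regexp "$EXPECTED_IDENTITY_RE" \
    "$art" >/dev/null 2>&1 || { echo "signature rejected: $art" >&2; return 1; }
}

# Verify every non-bundle file in a directory; returns non-zero if any file
# fails, so `verify_dir "$DIST" || exit 1` placed before the release step
# blocks the release on a missing or invalid signature.
verify_dir() {
  rc=0
  for f in "$1"/*; do
    case "$f" in *.bundle) continue ;; esac
    verify_artifact "$f" || rc=1
  done
  return "$rc"
}
```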
| INPUT_IMAGE-NAME: ${{ env.IMAGE_NAME }} | ||
| with: | ||
| script: | | ||
| const defaultBase = core.getInput('default-base'); |
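Review bot: `core.getInput('default-base')` returns an empty string when no `INPUT_DEFAULT-BASE` env var is set (the same env-to-input mapping used for `INPUT_IMAGE-NAME` above), so guard it with something like `if (!defaultBase) core.setFailed('default-base is required')` before it is used, and open the `script: |` block with a one-line comment stating what the script computes so readers do not have to reverse-engineer it from the env mapping.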
These kinds of big inline blocks could have a comment in the beginning explaining the intention of the script.
Force-push: ef013e1 to 828faac
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Force-push: 828faac to 085b403
| set: | | ||
| *.args.IMAGE_TARGET=${{ matrix.target }} | ||
| *.args.EXPORT_BASE=${{ matrix.base }} | ||
| *.args.BUILDKITD_TAGS=${{ matrix.buildTags }} |
These `set` entries do not work as expected:
docker/github-builder#21