ci: use docker github builder to build bin image #51838

Merged: vvoland merged 1 commit into moby:master from crazy-max:docker-github-builder on Jan 12, 2026
@crazy-max (Member):

relates to docker/github-builder#21

Use the Docker GitHub Builder to build the bin image. It keeps distribution across runners but also generates signed SLSA-compliant provenance attestations.

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
@crazy-max force-pushed the docker-github-builder branch from c015404 to e709f27 on January 11, 2026 14:00
@crazy-max marked this pull request as ready for review on January 11, 2026 14:19
timeout-minutes: 20 # guardrails timeout for the whole job
if: ${{ always() && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') && (github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only')) }}
if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
uses: docker/github-builder-experimental/.github/workflows/bake.yml@7643588149117bf0ca3a906caa3968c70484027a
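Review bot: the `uses:` line pins `bake.yml` to a full 40-character commit SHA but carries no trailing comment saying which branch or release of `docker/github-builder-experimental` that commit belongs to. Keep the SHA pin and add a short comment naming its upstream ref, so that a later bump of this line can be checked against the upstream history instead of being taken on trust.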
Member:

Will there eventually be tags for these?

Member Author:

Yes definitely when we hit GA, this is tracked in docker/github-builder#74

@thaJeztah (Member) left a comment:

SGTM

@vvoland ptal

@vvoland added this to the 29.2.0 milestone on Jan 12, 2026
with:
permissions:
contents: read # same as global permission
id-token: write # for signing attestation(s) with GitHub OIDC Token
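Review bot: the `id-token: write` line is the only grant here beyond read access, and its comment says what the token signs but not which step or called workflow requests it. Name the consumer in the comment, so that anyone changing this job later knows what depends on the grant and can drop it if that consumer goes away.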
Contributor:

Did the signing require some OIDC setup on Docker Inc. side?

Member Author:

It doesn't, we just use it for signing. In the future we could also use it to log in on Docker Hub but it's not GA yet. I started to experiment with it on staging with docker/login-action@master...crazy-max:docker-login-action:dockerhub-oidc and it seems to work fine: docker/github-builder#6 (comment)

@vvoland merged commit 28c9d26 into moby:master on Jan 12, 2026
180 checks passed
@crazy-max deleted the docker-github-builder branch on January 12, 2026 14:01