Provenance docker (#452)

v1v · web-flow · commit d17142afa3af · 2024-04-26T10:29:34.000+02:00
* goreleaser: support multi-arch container image see https://goreleaser.com/customization/docker_manifest/\#docker-manifests * ci: store dist folder * provenance for docker images * add latest * fix multi-line images * use script * use script
diff --git a/.ci/get-docker-provenance.sh b/.ci/get-docker-provenance.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+if [ ! -e dist/artifacts.json ] ; then
+    exit 1
+fi
+
+echo "Gather the container images generated and published with goreleaser"
+images=$(jq -r '[.[] | select (.type=="Published Docker Image") | select(.name|endswith("latest")|not)]' dist/artifacts.json)
+image_1=$(echo "$images" | jq -r '.[0].name')
+image_2=$(echo "$images" | jq -r '.[1].name')
+digest_1=$(echo "$images" | jq -r '.[0].extra.Digest')
+digest_2=$(echo "$images" | jq -r '.[1].extra.Digest')
+
+echo "Export github actions outputs"
+echo "name_1=$image_1"    >> "$GITHUB_OUTPUT"
+echo "name_2=$image_2"    >> "$GITHUB_OUTPUT"
+echo "digest_1=$digest_1" >> "$GITHUB_OUTPUT"
+echo "digest_2=$digest_2" >> "$GITHUB_OUTPUT"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -47,11 +47,36 @@ jobs:
       - name: Release
         run: make release
 
+      # Store artifacts to help with troubleshooting
+      - uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: release
+          path: "dist/*.*"
+          retention-days: 5
+
       - name: generate build provenance (binaries)
         uses: github-early-access/generate-build-provenance@main
         with:
           subject-path: "${{ github.workspace }}/dist/*.*"
 
+      # See https://github.com/github-early-access/generate-build-provenance/issues/162
+      - name: container image digest
+        id: image
+        run: .ci/get-docker-provenance.sh
+
+      - name: generate build provenance (containers x86_64)
+        uses: github-early-access/generate-build-provenance@main
+        with:
+          subject-name: ${{ steps.image.outputs.name_1 }}
+          subject-digest: ${{ steps.image.outputs.digest_1 }}
+
+      - name: generate build provenance (containers arm64)
+        uses: github-early-access/generate-build-provenance@main
+        with:
+          subject-name: ${{ steps.image.outputs.name_2 }}
+          subject-digest: ${{ steps.image.outputs.digest_2 }}
+
       - name: GitHub Release
         run: make release-notes
         env:
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -72,6 +72,16 @@ dockers:
       - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
       - "--label=org.opencontainers.image.version={{ .Version }}"
 
+docker_manifests:
+  - name_template: '{{ .Env.DOCKER_REGISTRY }}/{{ .Env.DOCKER_IMAGE_NAME }}:{{ trimprefix .Tag "v" }}'
+    image_templates:
+    - '{{ .Env.DOCKER_REGISTRY }}/{{ .Env.DOCKER_IMAGE_NAME }}-x86_64:{{ trimprefix .Tag "v" }}'
+    - '{{ .Env.DOCKER_REGISTRY }}/{{ .Env.DOCKER_IMAGE_NAME }}-arm64:{{ trimprefix .Tag "v" }}'
+  - name_template: '{{ .Env.DOCKER_REGISTRY }}/{{ .Env.DOCKER_IMAGE_NAME }}:latest'
+    image_templates:
+    - "{{ .Env.DOCKER_REGISTRY }}/{{ .Env.DOCKER_IMAGE_NAME }}-x86_64:latest"
+    - "{{ .Env.DOCKER_REGISTRY }}/{{ .Env.DOCKER_IMAGE_NAME }}-arm64:latest"
+
 publishers:
   - name: publish-aws
     cmd: ./.ci/publish-aws.sh
