From 3af9ceadd509d24e7110c5bb30890d17ea724585 Mon Sep 17 00:00:00 2001
From: Terin Stock <terinjokes@gmail.com>
Date: Fri, 17 May 2024 10:01:50 +0200
Subject: [PATCH] chore(docker): enable sbom and cache

Update the Docker publishing Action to enable SBOM and provenance
attestations to the published images, as well as enabling caching of
layers across runs.
---
 .github/workflows/docker.yaml | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
index f68fd01..2e3d75e 100644
--- a/.github/workflows/docker.yaml
+++ b/.github/workflows/docker.yaml
@@ -21,9 +21,30 @@ jobs:
         with:
           username: ${{ secrets.DOCKER_HUB_USERNAME }}
           password: ${{ secrets.DOCKER_HUB_TOKEN }}
+      - uses: actions/cache@v4
+        id: cache
+        with:
+          path: |
+            go-pkg-mod
+            root-cache-go-build
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+      - uses: reproducible-containers/buildkit-cache-dance@v3
+        with:
+          cache-map: |
+            {
+              "go-pkg-mod": "/go/pkg/mod",
+              "root-cache-go-build": "/root/.cache/go-build"
+            }
+          skip-extraction: ${{ steps.cache.outputs.cache-hit }}
       - uses: docker/build-push-action@v5
         with:
           file: ./cmd/controller/Dockerfile
           platforms: linux/amd64, linux/arm64
+          sbom: true
           tags: ${{ steps.docker-meta.outputs.tags }}
+          labels: ${{ steps.docker-meta.outputs.labels }}
           push: ${{ startsWith(github.ref, 'refs/tags/v') }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max