feat: migrate image building to buildx #724
Conversation
Some naming suggestions, which disambiguate the new usage.
Signed-off-by: Carlos Salas <carlos.salas@suse.com>
Small nit, otherwise LGTM
LGTM, a question though. Have you tested the published provenance with something like https://github.com/slsa-framework/slsa-verifier to check it still passes? It seems it is following a different format: docker/buildx#1741
Based on offline discussion, @alexander-demicev @Danil-Grigorev should we mark this with "DON'T Merge" until we are ready for buildx migration and to avoid accidental merge?
@salasberryfin some context for you, we figured out that with docker buildx we can only sign manifest that references each architecture-specific image. Currently, we sign every image for every architecture and this seems more complicated with buildx
What this PR does / why we need it:
A few notes on the changes required for moving to `buildx` for image building and provenance attestation (thanks @alexander-demicev for the help):
- `Makefile` actions for single or multi-platform image building. With `buildx` we move to a multi architecture image as we need to create the builder and its build capabilities (see https://docs.docker.com/reference/cli/docker/buildx/build/). The way `buildx build` command works, we create a single multi architecture image which is pushed to the specified registry. In `Makefile` this corresponds to action `docker-build-and-push`.
- `buildx` and provenance attestation cannot be stored in the local registry, so we need to have an extra action that is platform-specific to which we can apply the `--load` flag that stores the resulting image locally. This applies to some CI workflows (e.g. lint). In `Makefile` this corresponds to action `docker-build`.
- `buildx build` accepts `--attest type=provenance` as input parameter (see https://docs.docker.com/build/metadata/attestations/slsa-provenance/). After the image is built and pushed, provenance attestation can be validated via: This means we can get rid of the former provenance attestation GitHub Action.
- `buildx` includes different SHA256 values to identify each platform.
Which issue(s) this PR fixes:
Fixes #683
Special notes for your reviewer:
Checklist:
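As an added example (not the PR's own Makefile), this is how the two targets described in the PR body map onto `buildx`: a platform-specific `--load` build for local CI jobs, a multi-platform `--push` build with `--attest type=provenance`, and a final target that reads the attached provenance back from the registry. Image name, tag, platform list and builder name are placeholders.

```makefile
# Added example, not the project's Makefile. IMAGE, TAG, PLATFORMS and
# BUILDER are placeholder values; override them on the make command line.
IMAGE     ?= registry.example.com/org/image
TAG       ?= dev
PLATFORMS ?= linux/amd64,linux/arm64
# Single platform for the local (--load) variant.
PLATFORM  ?= linux/amd64
BUILDER   ?= multiarch-builder

.PHONY: buildx-builder docker-build docker-build-and-push verify-provenance

# buildx needs a docker-container builder to emit multi-platform images
# and attestations; the default "docker" driver cannot do either.
buildx-builder:
	docker buildx inspect $(BUILDER) >/dev/null 2>&1 || \
		docker buildx create --name $(BUILDER) --driver docker-container --use

# Platform-specific build loaded into the local daemon (lint, e2e, ...).
# --load accepts a single platform only and cannot carry attestations,
# so provenance is disabled explicitly rather than silently dropped.
docker-build: buildx-builder
	docker buildx build --builder $(BUILDER) \
		--platform $(PLATFORM) \
		--provenance=false \
		--load -t $(IMAGE):$(TAG) .

# Multi-platform build pushed as one manifest list. mode=max records the
# full build definition (source, args) in the SLSA provenance statement.
docker-build-and-push: buildx-builder
	docker buildx build --builder $(BUILDER) \
		--platform $(PLATFORMS) \
		--attest type=provenance,mode=max \
		--push -t $(IMAGE):$(TAG) .

# Read back the provenance attached to each platform manifest; buildx
# stores one attestation per platform, each with its own digest.
verify-provenance:
	docker buildx imagetools inspect $(IMAGE):$(TAG) --format '{{ json .Provenance }}'
```

`verify-provenance` only proves the attestation is present and well-formed; checking it against an expected source repository and builder still requires an external verifier, which is the reviewer's open question above.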