Commite8d3caf

matifali

authored and

ThomasK33

committed

chore: enable SBOM and fix Docker multiarch manifests with attestations

- Enable SBOM and provenance attestations in Docker builds- Update build_docker_multiarch.sh to handle images with attestations- Fix issue with Docker manifest creation for images with multiple attestation manifests- Make Docker daemon config use containerd by default🤖 Generated with [Claude Code](https://claude.ai/code)Co-Authored-By: Claude <noreply@anthropic.com>Signed-off-by: Thomas Kosiewski <tk@coder.com>

1 parent5285c12 commite8d3cafCopy full SHA for e8d3caf

File tree

4 files changed

+24

-7

lines changed

.github/workflows
- release.yaml
dogfood/coder/files/etc/docker
- daemon.json
scripts
- build_docker.sh
- build_docker_multiarch.sh

4 files changed

+24

-7

lines changed

`‎.github/workflows/release.yaml`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -361,6 +361,7 @@ jobs:`
`361`	`361`	`file:scripts/Dockerfile.base`
`362`	`362`	`platforms:linux/amd64,linux/arm64,linux/arm/v7`
`363`	`363`	`provenance:true`
	`364`	`+sbom:true`
`364`	`365`	`pull:true`
`365`	`366`	`no-cache:true`
`366`	`367`	`push:true`

`‎dogfood/coder/files/etc/docker/daemon.json`

Lines changed: 4 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,6 @@`
`1`	`1`	`{`
`2`		`-"registry-mirrors": ["https://mirror.gcr.io"]`
	`2`	`+"registry-mirrors": ["https://mirror.gcr.io"],`
	`3`	`+"features": {`
	`4`	`+"containerd-snapshotter":true`
	`5`	`+}`
`3`	`6`	`}`

`‎scripts/build_docker.sh`

Lines changed: 3 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -136,10 +136,12 @@ fi`
`136`	`136`
`137`	`137`	`log"--- Building Docker image for$arch ($image_tag)"`
`138`	`138`
`139`		`-docker build \`
	`139`	`+dockerbuildxbuild \`
`140`	`140`	`--platform"$arch" \`
`141`	`141`	`--build-arg"BASE_IMAGE=$base_image" \`
`142`	`142`	`--build-arg"CODER_VERSION=$version" \`
	`143`	`+--provenancetrue \`
	`144`	`+--sbomtrue \`
`143`	`145`	`--no-cache \`
`144`	`146`	`--tag"$image_tag" \`
`145`	`147`	`-f Dockerfile \`

`‎scripts/build_docker_multiarch.sh`

Lines changed: 16 additions & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -77,13 +77,24 @@ done`
`77`	`77`
`78`	`78`	`# Sadly, manifests don't seem to support labels.`
`79`	`79`	`log"--- Creating multi-arch Docker image ($target)"`
`80`		`-docker manifest create \`
`81`		`-"$target" \`
`82`		`-"${create_args[@]}"`
	`80`	`+`
	`81`	`+# Create a buildx builder instance if it doesn't exist`
	`82`	`+if! docker buildx inspect multiarch-builder&>/dev/null;then`
	`83`	`+ docker buildx create --name multiarch-builder --use`
	`84`	`+fi`
	`85`	`+`
	`86`	`+# Create manifest with buildx imagetools`
	`87`	`+log"--- Creating multi-arch manifest with attestations"`
	`88`	`+`
	`89`	`+# For images with attestations, we preserve the entire structure by using image tags directly,`
	`90`	`+# letting Docker handle retrieving both the architecture manifests and attestation manifests`
	`91`	`+docker buildx imagetools create --tag"$target""$@"`
`83`	`92`
`84`	`93`	`if [["$push"== 1 ]];then`
`85`		`-log"--- Pushing multi-arch Docker image ($target)"`
`86`		`-docker manifest push"$target"`
	`94`	`+ log"--- Verifying multi-arch Docker image ($target)"`
	`95`	`+# The manifest is already created and pushed when using buildx imagetools create`
	`96`	`+# We just need to verify it exists`
	`97`	`+ docker buildx imagetools inspect"$target"`
`87`	`98`	`fi`
`88`	`99`
`89`	`100`	`echo"$target"`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commite8d3caf

File tree

4 files changed

4 files changed

`‎.github/workflows/release.yaml`

`‎dogfood/coder/files/etc/docker/daemon.json`

`‎scripts/build_docker.sh`

`‎scripts/build_docker_multiarch.sh`

0 commit comments